From 60285a5f9267d032820c42423b33497831d0835b Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 11 Jan 2024 18:36:56 -0500 Subject: [PATCH 1/2] Repoint baselines to the raw version of the SP 800-53 catalog. --- .../baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml | 8 ++++---- .../xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml | 8 ++++---- .../baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml | 8 ++++---- .../xml/FedRAMP_rev5_MODERATE-baseline_profile.xml | 8 ++++---- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 69c566e7d..6df08ba80 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -1,11 +1,11 @@ - + FedRAMP Rev 5 High Baseline 2023-08-31T00:00:00Z - 2023-12-18T16:22:48Z - 5.1.1+fedramp-20231218-0 + 2024-01-11T23:40:17Z + 5.1.1+fedramp-20240111-0 1.1.1 Document creator @@ -3805,7 +3805,7 @@ NIST Special Publication (SP) 800-53 - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml index de4e87a34..e8e100ac2 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml @@ -1,11 +1,11 @@ - + FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline 2023-08-31T00:00:00Z - 2023-12-18T16:22:48Z - 5.1.1+fedramp-20231218-0 + 2024-01-11T23:40:17Z + 5.1.1+fedramp-20240111-0 1.1.1 Document creator @@ -2952,7 +2952,7 @@ NIST Special Publication (SP) 800-53 - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index 66370a40d..1b73644ba 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml @@ -1,11 +1,11 @@ - + FedRAMP Rev 5 Low Baseline 2023-08-31T00:00:00Z - 2023-12-18T16:22:48Z - 5.1.1+fedramp-20231218-0 + 2024-01-11T23:40:17Z + 5.1.1+fedramp-20240111-0 1.1.1 Document creator @@ -2252,7 +2252,7 @@ NIST Special Publication (SP) 800-53 - + diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index c3b4e54a8..2c66aa0d8 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -1,11 +1,11 @@ - + FedRAMP Rev 5 Moderate Baseline 2023-08-31T00:00:00Z - 2023-12-18T16:22:48Z - 5.1.1+fedramp-20231218-0 + 2024-01-11T23:40:17Z + 5.1.1+fedramp-20240111-0 1.1.1 Document creator @@ -3481,7 +3481,7 @@ NIST Special Publication (SP) 800-53 - + From bd782cddf008df01fa5718d0dd7bec2ffafc6dc1 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 11 Jan 2024 18:51:00 -0500 Subject: [PATCH 2/2] Added generated resolved profiles to fix validation errors. --- ...baseline-resolved-profile_catalog-min.json | 116272 ++++++++++++++- ...IGH-baseline-resolved-profile_catalog.json | 116272 ++++++++++++++- ...edRAMP_rev5_HIGH-baseline_profile-min.json | 2 +- .../FedRAMP_rev5_HIGH-baseline_profile.json | 2 +- ...baseline-resolved-profile_catalog-min.json | 42368 +++++- ...aaS-baseline-resolved-profile_catalog.json | 42368 +++++- ...AMP_rev5_LI-SaaS-baseline_profile-min.json | 2 +- ...FedRAMP_rev5_LI-SaaS-baseline_profile.json | 2 +- ...baseline-resolved-profile_catalog-min.json | 64756 +++++++- ...LOW-baseline-resolved-profile_catalog.json | 64756 +++++++- ...FedRAMP_rev5_LOW-baseline_profile-min.json | 2 +- .../FedRAMP_rev5_LOW-baseline_profile.json | 2 +- ...baseline-resolved-profile_catalog-min.json | 100596 ++++++++++++- ...ATE-baseline-resolved-profile_catalog.json | 100596 ++++++++++++- ...MP_rev5_MODERATE-baseline_profile-min.json | 2 +- ...edRAMP_rev5_MODERATE-baseline_profile.json | 2 +- ...HIGH-baseline-resolved-profile_catalog.xml | 44119 +++++- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 2 +- ...SaaS-baseline-resolved-profile_catalog.xml | 16682 ++- .../FedRAMP_rev5_LI-SaaS-baseline_profile.xml | 2 +- ..._LOW-baseline-resolved-profile_catalog.xml | 23451 ++- .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 2 +- ...RATE-baseline-resolved-profile_catalog.xml | 37615 ++++- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 2 +- ...IGH-baseline-resolved-profile_catalog.yaml | 87547 ++++++++++- .../FedRAMP_rev5_HIGH-baseline_profile.yaml | 2 +- ...aaS-baseline-resolved-profile_catalog.yaml | 29572 +++- ...FedRAMP_rev5_LI-SaaS-baseline_profile.yaml | 2 +- ...LOW-baseline-resolved-profile_catalog.yaml | 46198 +++++- .../FedRAMP_rev5_LOW-baseline_profile.yaml | 2 +- ...ATE-baseline-resolved-profile_catalog.yaml | 74592 ++++++++- ...edRAMP_rev5_MODERATE-baseline_profile.yaml | 2 +- 32 files changed, 1007744 insertions(+), 48 deletions(-) diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog-min.json index d0c5b13df..2bcface39 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog-min.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "2c9e809f-1740-44a6-b1f2-3abfe11a0dfc", + "uuid": "e07ece0d-7f46-4cc4-b7e2-fdf109d5541f", "metadata": { "title": "FedRAMP Rev 5 High Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:34.203593-05:00", + "last-modified": "2024-01-11T18:06:26.711765-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,116276 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "monthly for privileged accessed, every six (6) months for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ], + "controls": [ + { + "id": "ac-2.1", + "class": "SP800-53-enhancement", + "title": "Automated System Account Management", + "params": [ + { + "id": "ac-02.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the management of system accounts are defined; " + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(1)" + }, + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.1_smt", + "name": "statement", + "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}." + }, + { + "id": "ac-2.1_gdn", + "name": "guidance", + "prose": "Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications." + }, + { + "id": "ac-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + } + ], + "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.", + "links": [ + { + "href": "#ac-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Temporary and Emergency Account Management", + "params": [ + { + "id": "ac-02.02_odp.01", + "constraints": [ + { + "description": "Selection: disables" + } + ], + "select": { + "choice": [ + "remove", + "disable" + ] + } + }, + { + "id": "ac-02.02_odp.02", + "label": "time period", + "constraints": [ + { + "description": "no more than 24 hours from last use" + } + ], + "guidelines": [ + { + "prose": "the time period after which to automatically remove or disable temporary or emergency accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(2)" + }, + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.2_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}." + }, + { + "id": "ac-2.2_gdn", + "name": "guidance", + "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation." + }, + { + "id": "ac-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + } + ], + "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.", + "links": [ + { + "href": "#ac-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and/or disabled\n\nsystem-generated list of emergency accounts removed and/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.3", + "class": "SP800-53-enhancement", + "title": "Disable Accounts", + "params": [ + { + "id": "ac-02.03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "24 hours for user accounts" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts is defined;" + } + ] + }, + { + "id": "ac-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "thirty-five (35) days (See additional requirements and guidance.)" + } + ], + "guidelines": [ + { + "prose": "time period for account inactivity before disabling is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(3)" + }, + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.3_smt", + "name": "statement", + "prose": "Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:", + "parts": [ + { + "id": "ac-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have expired;" + }, + { + "id": "ac-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Are no longer associated with a user or individual;" + }, + { + "id": "ac-2.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Are in violation of organizational policy; or" + }, + { + "id": "ac-2.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Have been inactive for {{ insert: param, ac-02.03_odp.02 }}." + }, + { + "id": "ac-2.3_fr", + "name": "item", + "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available." + }, + { + "id": "ac-2.3_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines the time period of inactivity for device identifiers." + }, + { + "id": "ac-2.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/." + } + ] + } + ] + }, + { + "id": "ac-2.3_gdn", + "name": "guidance", + "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system." + }, + { + "id": "ac-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;", + "links": [ + { + "href": "#ac-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;", + "links": [ + { + "href": "#ac-2.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;", + "links": [ + { + "href": "#ac-2.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.", + "links": [ + { + "href": "#ac-2.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.4", + "class": "SP800-53-enhancement", + "title": "Automated Audit Actions", + "props": [ + { + "name": "label", + "value": "AC-2(4)" + }, + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.4_smt", + "name": "statement", + "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." + }, + { + "id": "ac-2.4_gdn", + "name": "guidance", + "prose": "Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)." + }, + { + "id": "ac-2.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "account creation is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "account modification is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[03]", + "class": "sp800-53a" + } + ], + "prose": "account enabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[04]", + "class": "sp800-53a" + } + ], + "prose": "account disabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[05]", + "class": "sp800-53a" + } + ], + "prose": "account removal actions are automatically audited.", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.5", + "class": "SP800-53-enhancement", + "title": "Inactivity Logout", + "params": [ + { + "id": "ac-02.05_odp", + "label": "time period of expected inactivity or description of when to log out", + "constraints": [ + { + "description": "inactivity is anticipated to exceed Fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "the time period of expected inactivity or description of when to log out is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(5)" + }, + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#ac-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.5_smt", + "name": "statement", + "prose": "Require that users log out when {{ insert: param, ac-02.05_odp }}.", + "parts": [ + { + "id": "ac-2.5_fr", + "name": "item", + "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Should use a shorter timeframe than AC-12." + } + ] + } + ] + }, + { + "id": "ac-2.5_gdn", + "name": "guidance", + "prose": "Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)." + }, + { + "id": "ac-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.", + "links": [ + { + "href": "#ac-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy" + } + ] + } + ] + }, + { + "id": "ac-2.7", + "class": "SP800-53-enhancement", + "title": "Privileged User Accounts", + "params": [ + { + "id": "ac-02.07_odp", + "select": { + "choice": [ + "a role-based access scheme", + "an attribute-based access scheme" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(7)" + }, + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};" + }, + { + "id": "ac-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor privileged role or attribute assignments;" + }, + { + "id": "ac-2.7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Monitor changes to roles or attributes; and" + }, + { + "id": "ac-2.7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Revoke access when privileged role or attribute assignments are no longer appropriate." + } + ] + }, + { + "id": "ac-2.7_gdn", + "name": "guidance", + "prose": "Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes." + }, + { + "id": "ac-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};", + "links": [ + { + "href": "#ac-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileged role or attribute assignments are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(c)", + "class": "sp800-53a" + } + ], + "prose": "changes to roles or attributes are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(d)", + "class": "sp800-53a" + } + ], + "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.", + "links": [ + { + "href": "#ac-2.7_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments" + } + ] + } + ] + }, + { + "id": "ac-2.9", + "class": "SP800-53-enhancement", + "title": "Restrictions on Use of Shared and Group Accounts", + "params": [ + { + "id": "ac-02.09_odp", + "label": "conditions", + "constraints": [ + { + "description": "organization-defined need with justification statement that explains why such accounts are necessary" + } + ], + "guidelines": [ + { + "prose": "conditions for establishing shared and group accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(9)" + }, + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.9_smt", + "name": "statement", + "prose": "Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.", + "parts": [ + { + "id": "ac-2.9_fr", + "name": "item", + "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Required if shared/group accounts are deployed." + } + ] + } + ] + }, + { + "id": "ac-2.9_gdn", + "name": "guidance", + "prose": "Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts." + }, + { + "id": "ac-2.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + } + ], + "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.", + "links": [ + { + "href": "#ac-2.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of shared/group accounts" + } + ] + } + ] + }, + { + "id": "ac-2.11", + "class": "SP800-53-enhancement", + "title": "Usage Conditions", + "params": [ + { + "id": "ac-02.11_odp.01", + "label": "circumstances and/or usage conditions", + "guidelines": [ + { + "prose": "circumstances and/or usage conditions to be enforced for system accounts are defined;" + } + ] + }, + { + "id": "ac-02.11_odp.02", + "label": "system accounts", + "guidelines": [ + { + "prose": "system accounts subject to enforcement of circumstances and/or usage conditions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(11)" + }, + { + "name": "label", + "value": "AC-02(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.11_smt", + "name": "statement", + "prose": "Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}." + }, + { + "id": "ac-2.11_gdn", + "name": "guidance", + "prose": "Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time." + }, + { + "id": "ac-2.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(11)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.", + "links": [ + { + "href": "#ac-2.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.12", + "class": "SP800-53-enhancement", + "title": "Account Monitoring for Atypical Usage", + "params": [ + { + "id": "ac-02.12_odp.01", + "label": "atypical usage", + "guidelines": [ + { + "prose": "atypical usage for which to monitor system accounts is defined;" + } + ] + }, + { + "id": "ac-02.12_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to report atypical usage is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(12)" + }, + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.12_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and" + }, + { + "id": "ac-2.12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}." + }, + { + "id": "ac-2.12_fr", + "name": "item", + "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Required for privileged accounts." + }, + { + "id": "ac-2.12_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "Required for privileged accounts." + } + ] + } + ] + }, + { + "id": "ac-2.12_gdn", + "name": "guidance", + "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "ac-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(a)", + "class": "sp800-53a" + } + ], + "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ", + "links": [ + { + "href": "#ac-2.12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(b)", + "class": "sp800-53a" + } + ], + "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.", + "links": [ + { + "href": "#ac-2.12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.13", + "class": "SP800-53-enhancement", + "title": "Disable Accounts for High-risk Individuals", + "params": [ + { + "id": "ac-02.13_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;" + } + ] + }, + { + "id": "ac-02.13_odp.02", + "label": "significant risks", + "guidelines": [ + { + "prose": "significant risks leading to disabling accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(13)" + }, + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.13_smt", + "name": "statement", + "prose": "Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}." + }, + { + "id": "ac-2.13_gdn", + "name": "guidance", + "prose": "Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals." + }, + { + "id": "ac-2.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + } + ], + "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.", + "links": [ + { + "href": "#ac-2.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-4", + "class": "SP800-53", + "title": "Information Flow Enforcement", + "params": [ + { + "id": "ac-04_odp", + "label": "information flow control policies", + "guidelines": [ + { + "prose": "information flow control policies within the system and between connected systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4" + }, + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#a2590922-82f3-4277-83c0-ca5bee06dba4", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4_smt", + "name": "statement", + "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}." + }, + { + "id": "ac-4_gdn", + "name": "guidance", + "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)." + }, + { + "id": "ac-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.", + "links": [ + { + "href": "#ac-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ], + "controls": [ + { + "id": "ac-4.4", + "class": "SP800-53-enhancement", + "title": "Flow Control of Encrypted Information", + "params": [ + { + "id": "ac-04.04_odp.01", + "label": "information flow control mechanisms", + "constraints": [ + { + "description": "intrusion detection mechanisms" + } + ], + "guidelines": [ + { + "prose": "information flow control mechanisms that encrypted information is prevented from bypassing are defined;" + } + ] + }, + { + "id": "ac-04.04_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "decrypting the information", + "blocking the flow of the encrypted information", + "terminating communications sessions attempting to pass encrypted information", + " {{ insert: param, ac-04.04_odp.03 }} " + ] + } + }, + { + "id": "ac-04.04_odp.03", + "label": "organization-defined procedure or method", + "guidelines": [ + { + "prose": "the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(4)" + }, + { + "name": "label", + "value": "AC-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.4_smt", + "name": "statement", + "prose": "Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.", + "parts": [ + { + "id": "ac-4.4_fr", + "name": "item", + "title": "AC-4 (4) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-4.4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)." + } + ] + } + ] + }, + { + "id": "ac-4.4_gdn", + "name": "guidance", + "prose": "Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms." + }, + { + "id": "ac-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(04)", + "class": "sp800-53a" + } + ], + "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.", + "links": [ + { + "href": "#ac-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ] + }, + { + "id": "ac-4.21", + "class": "SP800-53-enhancement", + "title": "Physical or Logical Separation of Information Flows", + "params": [ + { + "id": "ac-4.21_prm_1", + "label": "organization-defined mechanisms and/or techniques" + }, + { + "id": "ac-04.21_odp.01", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to logically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.02", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to physically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.03", + "label": "required separations", + "guidelines": [ + { + "prose": "required separations by types of information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(21)" + }, + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#sc-32", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.21_smt", + "name": "statement", + "prose": "Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}." + }, + { + "id": "ac-4.21_gdn", + "name": "guidance", + "prose": "Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels." + }, + { + "id": "ac-4.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-4.21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[01]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[02]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-5", + "class": "SP800-53", + "title": "Separation of Duties", + "params": [ + { + "id": "ac-05_odp", + "label": "duties of individuals", + "guidelines": [ + { + "prose": "duties of individuals requiring separation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-5" + }, + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-5_smt", + "name": "statement", + "parts": [ + { + "id": "ac-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document {{ insert: param, ac-05_odp }} ; and" + }, + { + "id": "ac-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define system access authorizations to support separation of duties." + }, + { + "id": "ac-5_fr", + "name": "item", + "title": "AC-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs have the option to provide a separation of duties matrix as an attachment to the SSP." + } + ] + } + ] + }, + { + "id": "ac-5_gdn", + "name": "guidance", + "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)." + }, + { + "id": "ac-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-05_odp }} are identified and documented;", + "links": [ + { + "href": "#ac-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05b.", + "class": "sp800-53a" + } + ], + "prose": "system access authorizations to support separation of duties are defined.", + "links": [ + { + "href": "#ac-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing separation of duties policy" + } + ] + } + ] + }, + { + "id": "ac-6", + "class": "SP800-53", + "title": "Least Privilege", + "props": [ + { + "name": "label", + "value": "AC-6" + }, + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6_smt", + "name": "statement", + "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." + }, + { + "id": "ac-6_gdn", + "name": "guidance", + "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." + }, + { + "id": "ac-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + } + ], + "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", + "links": [ + { + "href": "#ac-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ], + "controls": [ + { + "id": "ac-6.1", + "class": "SP800-53-enhancement", + "title": "Authorize Access to Security Functions", + "params": [ + { + "id": "ac-6.1_prm_2", + "label": "organization-defined security functions (deployed in hardware, software, and firmware)", + "constraints": [ + { + "description": "all functions not publicly accessible" + } + ] + }, + { + "id": "ac-06.01_odp.01", + "label": "individuals and roles", + "guidelines": [ + { + "prose": "individuals and roles with authorized access to security functions and security-relevant information are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.02", + "label": "security functions (deployed in hardware)", + "guidelines": [ + { + "prose": "security functions (deployed in hardware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.03", + "label": "security functions (deployed in software)", + "guidelines": [ + { + "prose": "security functions (deployed in software) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.04", + "label": "security functions (deployed in firmware)", + "guidelines": [ + { + "prose": "security functions (deployed in firmware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.05", + "label": "security-relevant information", + "constraints": [ + { + "description": "all security-relevant information not publicly available" + } + ], + "guidelines": [ + { + "prose": "security-relevant information for authorized access is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(1)" + }, + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.1_smt", + "name": "statement", + "prose": "Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:", + "parts": [ + { + "id": "ac-6.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": " {{ insert: param, ac-6.1_prm_2 }} ; and" + }, + { + "id": "ac-6.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, ac-06.01_odp.05 }}." + } + ] + }, + { + "id": "ac-6.1_gdn", + "name": "guidance", + "prose": "Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." + }, + { + "id": "ac-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.", + "links": [ + { + "href": "#ac-6.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.2", + "class": "SP800-53-enhancement", + "title": "Non-privileged Access for Nonsecurity Functions", + "params": [ + { + "id": "ac-06.02_odp", + "label": "security functions or security-relevant information", + "constraints": [ + { + "description": "all security functions" + } + ], + "guidelines": [ + { + "prose": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(2)" + }, + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.2_smt", + "name": "statement", + "prose": "Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.", + "parts": [ + { + "id": "ac-6.2_fr", + "name": "item", + "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-6.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions." + } + ] + } + ] + }, + { + "id": "ac-6.2_gdn", + "name": "guidance", + "prose": "Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." + }, + { + "id": "ac-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + } + ], + "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.", + "links": [ + { + "href": "#ac-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.3", + "class": "SP800-53-enhancement", + "title": "Network Access to Privileged Commands", + "params": [ + { + "id": "ac-06.03_odp.01", + "label": "privileged commands", + "constraints": [ + { + "description": "all privileged commands" + } + ], + "guidelines": [ + { + "prose": "privileged commands to which network access is to be authorized only for compelling operational needs are defined;" + } + ] + }, + { + "id": "ac-06.03_odp.02", + "label": "compelling operational needs", + "guidelines": [ + { + "prose": "compelling operational needs necessitating network access to privileged commands are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(3)" + }, + { + "name": "label", + "value": "AC-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.3_smt", + "name": "statement", + "prose": "Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system." + }, + { + "id": "ac-6.3_gdn", + "name": "guidance", + "prose": "Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)." + }, + { + "id": "ac-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};", + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.5", + "class": "SP800-53-enhancement", + "title": "Privileged Accounts", + "params": [ + { + "id": "ac-06.05_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to which privileged accounts on the system are to be restricted is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(5)" + }, + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.5_smt", + "name": "statement", + "prose": "Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}." + }, + { + "id": "ac-6.5_gdn", + "name": "guidance", + "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk." + }, + { + "id": "ac-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.", + "links": [ + { + "href": "#ac-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.7", + "class": "SP800-53-enhancement", + "title": "Review of User Privileges", + "params": [ + { + "id": "ac-06.07_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at a minimum, annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the privileges assigned to roles or classes of users is defined;" + } + ] + }, + { + "id": "ac-06.07_odp.02", + "label": "roles and classes", + "constraints": [ + { + "description": "all users with privileges" + } + ], + "guidelines": [ + { + "prose": "roles or classes of users to which privileges are assigned are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(7)" + }, + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-6.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and" + }, + { + "id": "ac-6.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." + } + ] + }, + { + "id": "ac-6.7_gdn", + "name": "guidance", + "prose": "The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." + }, + { + "id": "ac-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;", + "links": [ + { + "href": "#ac-6.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.", + "links": [ + { + "href": "#ac-6.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing review of user privileges" + } + ] + } + ] + }, + { + "id": "ac-6.8", + "class": "SP800-53-enhancement", + "title": "Privilege Levels for Code Execution", + "params": [ + { + "id": "ac-06.08_odp", + "label": "software", + "constraints": [ + { + "description": "any software except software explicitly documented" + } + ], + "guidelines": [ + { + "prose": "software to be prevented from executing at higher privilege levels than users executing the software is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(8)" + }, + { + "name": "label", + "value": "AC-06(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.8_smt", + "name": "statement", + "prose": "Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}." + }, + { + "id": "ac-6.8_gdn", + "name": "guidance", + "prose": "In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned." + }, + { + "id": "ac-6.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.", + "links": [ + { + "href": "#ac-6.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users executing software\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for software execution" + } + ] + } + ] + }, + { + "id": "ac-6.9", + "class": "SP800-53-enhancement", + "title": "Log Use of Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(9)" + }, + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.9_smt", + "name": "statement", + "prose": "Log the execution of privileged functions." + }, + { + "id": "ac-6.9_gdn", + "name": "guidance", + "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat." + }, + { + "id": "ac-6.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged functions is logged.", + "links": [ + { + "href": "#ac-6.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms auditing the execution of least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.10", + "class": "SP800-53-enhancement", + "title": "Prohibit Non-privileged Users from Executing Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(10)" + }, + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.10_smt", + "name": "statement", + "prose": "Prevent non-privileged users from executing privileged functions." + }, + { + "id": "ac-6.10_gdn", + "name": "guidance", + "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)." + }, + { + "id": "ac-6.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + } + ], + "prose": "non-privileged users are prevented from executing privileged functions.", + "links": [ + { + "href": "#ac-6.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for non-privileged users" + } + ] + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B." + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-10", + "class": "SP800-53", + "title": "Concurrent Session Control", + "params": [ + { + "id": "ac-10_odp.01", + "label": "account and/or account types", + "guidelines": [ + { + "prose": "accounts and/or account types for which to limit the number of concurrent sessions is defined;" + } + ] + }, + { + "id": "ac-10_odp.02", + "label": "number", + "constraints": [ + { + "description": "three (3) sessions for privileged access and two (2) sessions for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the number of concurrent sessions to be allowed for each account and/or account type is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-10" + }, + { + "name": "label", + "value": "AC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-10_smt", + "name": "statement", + "prose": "Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}." + }, + { + "id": "ac-10_gdn", + "name": "guidance", + "prose": "Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts." + }, + { + "id": "ac-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-10", + "class": "sp800-53a" + } + ], + "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.", + "links": [ + { + "href": "#ac-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for concurrent session control" + } + ] + } + ] + }, + { + "id": "ac-11", + "class": "SP800-53", + "title": "Device Lock", + "params": [ + { + "id": "ac-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { + "id": "ac-11_odp.02", + "label": "time period", + "constraints": [ + { + "description": "fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "time period of inactivity after which a device lock is initiated is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-11" + }, + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-11_smt", + "name": "statement", + "parts": [ + { + "id": "ac-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and" + }, + { + "id": "ac-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." + } + ] + }, + { + "id": "ac-11_gdn", + "name": "guidance", + "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays." + }, + { + "id": "ac-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11a.", + "class": "sp800-53a" + } + ], + "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};", + "links": [ + { + "href": "#ac-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11b.", + "class": "sp800-53a" + } + ], + "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.", + "links": [ + { + "href": "#ac-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for session lock" + } + ] + } + ], + "controls": [ + { + "id": "ac-11.1", + "class": "SP800-53-enhancement", + "title": "Pattern-hiding Displays", + "props": [ + { + "name": "label", + "value": "AC-11(1)" + }, + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-11.1_smt", + "name": "statement", + "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." + }, + { + "id": "ac-11.1_gdn", + "name": "guidance", + "prose": "The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed." + }, + { + "id": "ac-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + } + ], + "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.", + "links": [ + { + "href": "#ac-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System session lock mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "ac-12", + "class": "SP800-53", + "title": "Session Termination", + "params": [ + { + "id": "ac-12_odp", + "label": "conditions or trigger events", + "guidelines": [ + { + "prose": "conditions or trigger events requiring session disconnect are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-12" + }, + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-12_smt", + "name": "statement", + "prose": "Automatically terminate a user session after {{ insert: param, ac-12_odp }}." + }, + { + "id": "ac-12_gdn", + "name": "guidance", + "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user\u2019s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." + }, + { + "id": "ac-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + } + ], + "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.", + "links": [ + { + "href": "#ac-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing user session termination" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-17.1", + "class": "SP800-53-enhancement", + "title": "Monitoring and Control", + "props": [ + { + "name": "label", + "value": "AC-17(1)" + }, + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.1_smt", + "name": "statement", + "prose": "Employ automated mechanisms to monitor and control remote access methods." + }, + { + "id": "ac-17.1_gdn", + "name": "guidance", + "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." + }, + { + "id": "ac-17.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to monitor remote access methods;", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to control remote access methods.", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms monitoring and controlling remote access methods" + } + ] + } + ] + }, + { + "id": "ac-17.2", + "class": "SP800-53-enhancement", + "title": "Protection of Confidentiality and Integrity Using Encryption", + "props": [ + { + "name": "label", + "value": "AC-17(2)" + }, + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.2_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." + }, + { + "id": "ac-17.2_gdn", + "name": "guidance", + "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." + }, + { + "id": "ac-17.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.", + "links": [ + { + "href": "#ac-17.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions" + } + ] + } + ] + }, + { + "id": "ac-17.3", + "class": "SP800-53-enhancement", + "title": "Managed Access Control Points", + "props": [ + { + "name": "label", + "value": "AC-17(3)" + }, + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.3_smt", + "name": "statement", + "prose": "Route remote accesses through authorized and managed network access control points." + }, + { + "id": "ac-17.3_gdn", + "name": "guidance", + "prose": "Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces." + }, + { + "id": "ac-17.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + } + ], + "prose": "remote accesses are routed through authorized and managed network access control points.", + "links": [ + { + "href": "#ac-17.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms routing all remote accesses through managed network access control points" + } + ] + } + ] + }, + { + "id": "ac-17.4", + "class": "SP800-53-enhancement", + "title": "Privileged Commands and Access", + "params": [ + { + "id": "ac-17.4_prm_1", + "label": "organization-defined needs" + }, + { + "id": "ac-17.04_odp.01", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring execution of privileged commands via remote access are defined;" + } + ] + }, + { + "id": "ac-17.04_odp.02", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring access to security-relevant information via remote access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-17(4)" + }, + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.4_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + }, + { + "id": "ac-17.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document the rationale for remote access in the security plan for the system." + } + ] + }, + { + "id": "ac-17.4_gdn", + "name": "guidance", + "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." + }, + { + "id": "ac-17.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rationale for remote access is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-17.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing remote access management" + } + ] + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-18.1", + "class": "SP800-53-enhancement", + "title": "Authentication and Encryption", + "params": [ + { + "id": "ac-18.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "users", + "devices" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-18(1)" + }, + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.1_smt", + "name": "statement", + "prose": "Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption." + }, + { + "id": "ac-18.1_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using encryption.", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-18.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing wireless access protections to the system" + } + ] + } + ] + }, + { + "id": "ac-18.3", + "class": "SP800-53-enhancement", + "title": "Disable Wireless Networking", + "props": [ + { + "name": "label", + "value": "AC-18(3)" + }, + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-18.3_smt", + "name": "statement", + "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." + }, + { + "id": "ac-18.3_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + } + ], + "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.", + "links": [ + { + "href": "#ac-18.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components" + } + ] + } + ] + }, + { + "id": "ac-18.4", + "class": "SP800-53-enhancement", + "title": "Restrict Configurations by Users", + "props": [ + { + "name": "label", + "value": "AC-18(4)" + }, + { + "name": "label", + "value": "AC-18(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.4_smt", + "name": "statement", + "prose": "Identify and explicitly authorize users allowed to independently configure wireless networking capabilities." + }, + { + "id": "ac-18.4_gdn", + "name": "guidance", + "prose": "Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems." + }, + { + "id": "ac-18.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "users allowed to independently configure wireless networking capabilities are identified;", + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized.", + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms authorizing independent user configuration of wireless networking capabilities" + } + ] + } + ] + }, + { + "id": "ac-18.5", + "class": "SP800-53-enhancement", + "title": "Antennas and Transmission Power Levels", + "props": [ + { + "name": "label", + "value": "AC-18(5)" + }, + { + "name": "label", + "value": "AC-18(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#pe-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.5_smt", + "name": "statement", + "prose": "Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries." + }, + { + "id": "ac-18.5_gdn", + "name": "guidance", + "prose": "Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area." + }, + { + "id": "ac-18.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;", + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.", + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries" + } + ] + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ], + "controls": [ + { + "id": "ac-19.5", + "class": "SP800-53-enhancement", + "title": "Full Device or Container-based Encryption", + "params": [ + { + "id": "ac-19.05_odp.01", + "select": { + "choice": [ + "full-device encryption", + "container-based encryption" + ] + } + }, + { + "id": "ac-19.05_odp.02", + "label": "mobile devices", + "guidelines": [ + { + "prose": "mobile devices on which to employ encryption are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-19(5)" + }, + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-19", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19.5_smt", + "name": "statement", + "prose": "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}." + }, + { + "id": "ac-19.5_gdn", + "name": "guidance", + "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." + }, + { + "id": "ac-19.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.", + "links": [ + { + "href": "#ac-19.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities for mobile devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Encryption mechanisms protecting confidentiality and integrity of information on mobile devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ], + "controls": [ + { + "id": "ac-20.1", + "class": "SP800-53-enhancement", + "title": "Limits on Authorized Use", + "props": [ + { + "name": "label", + "value": "AC-20(1)" + }, + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.1_smt", + "name": "statement", + "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", + "parts": [ + { + "id": "ac-20.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verification of the implementation of controls on the external system as specified in the organization\u2019s security and privacy policies and security and privacy plans; or" + }, + { + "id": "ac-20.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." + } + ] + }, + { + "id": "ac-20.1_gdn", + "name": "guidance", + "prose": "Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." + }, + { + "id": "ac-20.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization\u2019s security and privacy policies and security and privacy plans (if applicable);", + "links": [ + { + "href": "#ac-20.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).", + "links": [ + { + "href": "#ac-20.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing limits on use of external systems" + } + ] + } + ] + }, + { + "id": "ac-20.2", + "class": "SP800-53-enhancement", + "title": "Portable Storage Devices \u2014 Restricted Use", + "params": [ + { + "id": "ac-20.02_odp", + "label": "restrictions", + "guidelines": [ + { + "prose": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20(2)" + }, + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.2_smt", + "name": "statement", + "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}." + }, + { + "id": "ac-20.2_gdn", + "name": "guidance", + "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." + }, + { + "id": "ac-20.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + } + ], + "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.", + "links": [ + { + "href": "#ac-20.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on the use of portable storage devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-21", + "class": "SP800-53", + "title": "Information Sharing", + "params": [ + { + "id": "ac-21_odp.01", + "label": "information-sharing circumstances", + "guidelines": [ + { + "prose": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions are defined;" + } + ] + }, + { + "id": "ac-21_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-21" + }, + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-21_smt", + "name": "statement", + "parts": [ + { + "id": "ac-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and" + }, + { + "id": "ac-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions." + } + ] + }, + { + "id": "ac-21_gdn", + "name": "guidance", + "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions." + }, + { + "id": "ac-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21a.", + "class": "sp800-53a" + } + ], + "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions for {{ insert: param, ac-21_odp.01 }};", + "links": [ + { + "href": "#ac-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.", + "links": [ + { + "href": "#ac-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information-sharing/collaboration decisions\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2.3", + "class": "SP800-53-enhancement", + "title": "Social Engineering and Mining", + "props": [ + { + "name": "label", + "value": "AT-2(3)" + }, + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "at-2.3_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining." + }, + { + "id": "at-2.3_gdn", + "name": "guidance", + "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." + }, + { + "id": "at-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[03]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social mining is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[04]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social mining is provided.", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "five (5) years or 5 years after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ], + "controls": [ + { + "id": "au-3.1", + "class": "SP800-53-enhancement", + "title": "Additional Audit Information", + "params": [ + { + "id": "au-03.01_odp", + "label": "additional information", + "constraints": [ + { + "description": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands" + } + ], + "guidelines": [ + { + "prose": "additional information to be included in audit records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-3(1)" + }, + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-3.1_smt", + "name": "statement", + "prose": "Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.", + "parts": [ + { + "id": "au-3.1_fr", + "name": "item", + "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-3.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry." + } + ] + } + ] + }, + { + "id": "au-3.1_gdn", + "name": "guidance", + "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy." + }, + { + "id": "au-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + } + ], + "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.", + "links": [ + { + "href": "#au-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "system audit capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ], + "controls": [ + { + "id": "au-5.1", + "class": "SP800-53-enhancement", + "title": "Storage Capacity Warning", + "params": [ + { + "id": "au-05.01_odp.01", + "label": "personnel, roles, and/or locations", + "guidelines": [ + { + "prose": "personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity." + } + ] + }, + { + "id": "au-05.01_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;" + } + ] + }, + { + "id": "au-05.01_odp.03", + "label": "percentage", + "constraints": [ + { + "description": "75%, or one month before expected negative impact" + } + ], + "guidelines": [ + { + "prose": "percentage of repository maximum audit log storage capacity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5(1)" + }, + { + "name": "label", + "value": "AU-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-5.1_smt", + "name": "statement", + "prose": "Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity." + }, + { + "id": "au-5.1_gdn", + "name": "guidance", + "prose": "Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities." + }, + { + "id": "au-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05(01)", + "class": "sp800-53a" + } + ], + "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.", + "links": [ + { + "href": "#au-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit storage limit warnings" + } + ] + } + ] + }, + { + "id": "au-5.2", + "class": "SP800-53-enhancement", + "title": "Real-time Alerts", + "params": [ + { + "id": "au-05.02_odp.01", + "label": "real-time period", + "constraints": [ + { + "description": "real-time" + } + ], + "guidelines": [ + { + "prose": "real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;" + } + ] + }, + { + "id": "au-05.02_odp.02", + "label": "personnel, roles, and/or locations", + "constraints": [ + { + "description": "service provider personnel with authority to address failed audit events" + } + ], + "guidelines": [ + { + "prose": "personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;" + } + ] + }, + { + "id": "au-05.02_odp.03", + "label": "audit logging failure events requiring real-time alerts", + "constraints": [ + { + "description": "audit failure events requiring real-time alerts, as defined by organization audit policy" + } + ], + "guidelines": [ + { + "prose": "audit logging failure events requiring real-time alerts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5(2)" + }, + { + "name": "label", + "value": "AU-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-5.2_smt", + "name": "statement", + "prose": "Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}." + }, + { + "id": "au-5.2_gdn", + "name": "guidance", + "prose": "Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)." + }, + { + "id": "au-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05(02)", + "class": "sp800-53a" + } + ], + "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.", + "links": [ + { + "href": "#au-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "au-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Process Integration", + "params": [ + { + "id": "au-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(1)" + }, + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#pm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.1_smt", + "name": "statement", + "prose": "Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}." + }, + { + "id": "au-6.1_gdn", + "name": "guidance", + "prose": "Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." + }, + { + "id": "au-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + } + ], + "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.", + "links": [ + { + "href": "#au-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms integrating audit review, analysis, and reporting processes" + } + ] + } + ] + }, + { + "id": "au-6.3", + "class": "SP800-53-enhancement", + "title": "Correlate Audit Record Repositories", + "props": [ + { + "name": "label", + "value": "AU-6(3)" + }, + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.3_smt", + "name": "statement", + "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." + }, + { + "id": "au-6.3_gdn", + "name": "guidance", + "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." + }, + { + "id": "au-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + } + ], + "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.", + "links": [ + { + "href": "#au-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the analysis and correlation of audit records" + } + ] + } + ] + }, + { + "id": "au-6.4", + "class": "SP800-53-enhancement", + "title": "Central Review and Analysis", + "props": [ + { + "name": "label", + "value": "AU-6(4)" + }, + { + "name": "label", + "value": "AU-06(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.4_smt", + "name": "statement", + "prose": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system." + }, + { + "id": "au-6.4_gdn", + "name": "guidance", + "prose": "Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products." + }, + { + "id": "au-6.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to centrally review and analyze audit records from multiple components within the system is provided;", + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to centrally review and analyze audit records from multiple components within the system is implemented.", + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-6.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System capability to centralize review and analysis of audit records" + } + ] + } + ] + }, + { + "id": "au-6.5", + "class": "SP800-53-enhancement", + "title": "Integrated Analysis of Audit Records", + "params": [ + { + "id": "au-06.05_odp.01", + "constraints": [ + { + "description": "vulnerability scanning information; performance data; information system monitoring information; penetration test data; {{ insert: param, au-06.05_odp.02 }} " + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "vulnerability scanning information", + "performance data", + "system monitoring information", + " {{ insert: param, au-06.05_odp.02 }} " + ] + } + }, + { + "id": "au-06.05_odp.02", + "label": "data/information collected from other sources", + "guidelines": [ + { + "prose": "data/information collected from other sources to be analyzed is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(5)" + }, + { + "name": "label", + "value": "AU-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.5_smt", + "name": "statement", + "prose": "Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity." + }, + { + "id": "au-6.5_gdn", + "name": "guidance", + "prose": "Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations." + }, + { + "id": "au-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(05)", + "class": "sp800-53a" + } + ], + "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.", + "links": [ + { + "href": "#au-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources" + } + ] + } + ] + }, + { + "id": "au-6.6", + "class": "SP800-53-enhancement", + "title": "Correlation with Physical Monitoring", + "props": [ + { + "name": "label", + "value": "AU-6(6)" + }, + { + "name": "label", + "value": "AU-06(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-6.6_smt", + "name": "statement", + "prose": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", + "parts": [ + { + "id": "au-6.6_fr", + "name": "item", + "title": "AU-6 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6.6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-6.6_gdn", + "name": "guidance", + "prose": "The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual\u2019s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations." + }, + { + "id": "au-6.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(06)", + "class": "sp800-53a" + } + ], + "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", + "links": [ + { + "href": "#au-6.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access" + } + ] + } + ] + }, + { + "id": "au-6.7", + "class": "SP800-53-enhancement", + "title": "Permitted Actions", + "params": [ + { + "id": "au-06.07_odp", + "constraints": [ + { + "description": "information system process; role; user" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "system process", + "role", + "user" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(7)" + }, + { + "name": "label", + "value": "AU-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-6.7_smt", + "name": "statement", + "prose": "Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information." + }, + { + "id": "au-6.7_gdn", + "name": "guidance", + "prose": "Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete." + }, + { + "id": "au-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(07)", + "class": "sp800-53a" + } + ], + "prose": "the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.", + "links": [ + { + "href": "#au-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information" + } + ] + } + ] + } + ] + }, + { + "id": "au-7", + "class": "SP800-53", + "title": "Audit Record Reduction and Report Generation", + "props": [ + { + "name": "label", + "value": "AU-7" + }, + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-7_smt", + "name": "statement", + "prose": "Provide and implement an audit record reduction and report generation capability that:", + "parts": [ + { + "id": "au-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" + }, + { + "id": "au-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Does not alter the original content or time ordering of audit records." + } + ] + }, + { + "id": "au-7_gdn", + "name": "guidance", + "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." + }, + { + "id": "au-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-7.1", + "class": "SP800-53-enhancement", + "title": "Automatic Processing", + "params": [ + { + "id": "au-07.01_odp", + "label": "fields within audit records", + "guidelines": [ + { + "prose": "fields within audit records that can be processed, sorted, or searched are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-7(1)" + }, + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-7.1_smt", + "name": "statement", + "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}." + }, + { + "id": "au-7.1_gdn", + "name": "guidance", + "prose": "Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component." + }, + { + "id": "au-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ], + "controls": [ + { + "id": "au-9.2", + "class": "SP800-53-enhancement", + "title": "Store on Separate Physical Systems or Components", + "params": [ + { + "id": "au-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency of storing audit records in a repository is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(2)" + }, + { + "name": "label", + "value": "AU-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.2_smt", + "name": "statement", + "prose": "Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited." + }, + { + "id": "au-9.2_gdn", + "name": "guidance", + "prose": "Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records." + }, + { + "id": "au-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(02)", + "class": "sp800-53a" + } + ], + "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.", + "links": [ + { + "href": "#au-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the backing up of audit records" + } + ] + } + ] + }, + { + "id": "au-9.3", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "props": [ + { + "name": "label", + "value": "AU-9(3)" + }, + { + "name": "label", + "value": "AU-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.3_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.", + "parts": [ + { + "id": "au-9.3_fr", + "name": "item", + "title": "AU-9 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-9.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "au-9.3_gdn", + "name": "guidance", + "prose": "Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash." + }, + { + "id": "au-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(03)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.", + "links": [ + { + "href": "#au-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting the integrity of audit information and tools" + } + ] + } + ] + }, + { + "id": "au-9.4", + "class": "SP800-53-enhancement", + "title": "Access by Subset of Privileged Users", + "params": [ + { + "id": "au-09.04_odp", + "label": "subset of privileged users or roles", + "guidelines": [ + { + "prose": "a subset of privileged users or roles authorized to access management of audit logging functionality is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(4)" + }, + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.4_smt", + "name": "statement", + "prose": "Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}." + }, + { + "id": "au-9.4_gdn", + "name": "guidance", + "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges." + }, + { + "id": "au-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + } + ], + "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.", + "links": [ + { + "href": "#au-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing access to audit functionality" + } + ] + } + ] + } + ] + }, + { + "id": "au-10", + "class": "SP800-53", + "title": "Non-repudiation", + "params": [ + { + "id": "au-10_odp", + "label": "actions", + "constraints": [ + { + "description": "minimum actions including the addition, modification, deletion, approval, sending, or receiving of data" + } + ], + "guidelines": [ + { + "prose": "actions to be covered by non-repudiation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-10" + }, + { + "name": "label", + "value": "AU-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-10_smt", + "name": "statement", + "prose": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}." + }, + { + "id": "au-10_gdn", + "name": "guidance", + "prose": "Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts." + }, + { + "id": "au-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-10", + "class": "sp800-53a" + } + ], + "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.", + "links": [ + { + "href": "#au-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing non-repudiation capability" + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-12.1", + "class": "SP800-53-enhancement", + "title": "System-wide and Time-correlated Audit Trail", + "params": [ + { + "id": "au-12.01_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;" + } + ] + }, + { + "id": "au-12.01_odp.02", + "label": "level of tolerance", + "guidelines": [ + { + "prose": "level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12(1)" + }, + { + "name": "label", + "value": "AU-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-12", + "rel": "required" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12.1_smt", + "name": "statement", + "prose": "Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}." + }, + { + "id": "au-12.1_gdn", + "name": "guidance", + "prose": "Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances." + }, + { + "id": "au-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(01)", + "class": "sp800-53a" + } + ], + "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.", + "links": [ + { + "href": "#au-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + }, + { + "id": "au-12.3", + "class": "SP800-53-enhancement", + "title": "Changes by Authorized Individuals", + "params": [ + { + "id": "au-12.03_odp.01", + "label": "individuals or roles", + "constraints": [ + { + "description": "service provider-defined individuals or roles with audit configuration responsibilities" + } + ], + "guidelines": [ + { + "prose": "individuals or roles authorized to change the logging on system components are defined;" + } + ] + }, + { + "id": "au-12.03_odp.02", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components on which logging is to be performed are defined;" + } + ] + }, + { + "id": "au-12.03_odp.03", + "label": "selectable event criteria", + "guidelines": [ + { + "prose": "selectable event criteria with which change logging is to be performed are defined;" + } + ] + }, + { + "id": "au-12.03_odp.04", + "label": "time thresholds", + "guidelines": [ + { + "prose": "time thresholds in which logging actions are to change is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12(3)" + }, + { + "name": "label", + "value": "AU-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-12", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12.3_smt", + "name": "statement", + "prose": "Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}." + }, + { + "id": "au-12.3_gdn", + "name": "guidance", + "prose": "Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)." + }, + { + "id": "au-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;", + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.", + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments.", + "parts": [ + { + "id": "ca-2.1_fr", + "name": "item", + "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB Authorization, must use an accredited 3PAO." + } + ] + } + ] + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2.2", + "class": "SP800-53-enhancement", + "title": "Specialized Assessments", + "params": [ + { + "id": "ca-02.02_odp.01", + "label": "specialized assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to include specialized assessments as part of the control assessment is defined;" + } + ] + }, + { + "id": "ca-02.02_odp.02", + "select": { + "choice": [ + "announced", + "unannounced" + ] + } + }, + { + "id": "ca-02.02_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-depth monitoring", + "security instrumentation", + "automated security test cases", + "vulnerability scanning", + "malicious user testing", + "insider threat assessment", + "performance and load testing", + "data leakage or data loss assessment", + " {{ insert: param, ca-02.02_odp.04 }} " + ] + } + }, + { + "id": "ca-02.02_odp.04", + "label": "other forms of assessment", + "guidelines": [ + { + "prose": "other forms of assessment are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(2)" + }, + { + "name": "label", + "value": "CA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.2_smt", + "name": "statement", + "prose": "Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}.", + "parts": [ + { + "id": "ca-2.2_fr", + "name": "item", + "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "To include 'announced', 'vulnerability scanning'" + } + ] + } + ] + }, + { + "id": "ca-2.2_gdn", + "name": "guidance", + "prose": "Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)." + }, + { + "id": "ca-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.", + "links": [ + { + "href": "#ca-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment" + } + ] + } + ] + }, + { + "id": "ca-2.3", + "class": "SP800-53-enhancement", + "title": "Leveraging Results from External Organizations", + "params": [ + { + "id": "ca-02.03_odp.01", + "label": "external organization(s)", + "constraints": [ + { + "description": "any FedRAMP Accredited 3PAO" + } + ], + "guidelines": [ + { + "prose": "external organization(s) from which the results of control assessments are leveraged are defined;" + } + ] + }, + { + "id": "ca-02.03_odp.02", + "label": "system", + "guidelines": [ + { + "prose": "system on which a control assessment was performed by an external organization is defined;" + } + ] + }, + { + "id": "ca-02.03_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "the conditions of the JAB/AO in the FedRAMP Repository" + } + ], + "guidelines": [ + { + "prose": "requirements to be met by the control assessment performed by an external organization on the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(3)" + }, + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#sa-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.3_smt", + "name": "statement", + "prose": "Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}." + }, + { + "id": "ca-2.3_gdn", + "name": "guidance", + "prose": "Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization\u2019s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage." + }, + { + "id": "ca-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.", + "links": [ + { + "href": "#ca-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ], + "controls": [ + { + "id": "ca-3.6", + "class": "SP800-53-enhancement", + "title": "Transfer Authorizations", + "props": [ + { + "name": "label", + "value": "CA-3(6)" + }, + { + "name": "label", + "value": "CA-03(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-3", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3.6_smt", + "name": "statement", + "prose": "Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data." + }, + { + "id": "ca-3.6_gdn", + "name": "guidance", + "prose": "To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies\u2014via independent means\u2014 whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)." + }, + { + "id": "ca-3.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03(06)", + "class": "sp800-53a" + } + ], + "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.", + "links": [ + { + "href": "#ca-3.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-3.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-03(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on external system connections" + } + ] + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessment", + "props": [ + { + "name": "label", + "value": "CA-7(1)" + }, + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." + }, + { + "id": "ca-7.1_gdn", + "name": "guidance", + "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services." + }, + { + "id": "ca-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.", + "links": [ + { + "href": "#ca-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ], + "controls": [ + { + "id": "ca-8.1", + "class": "SP800-53-enhancement", + "title": "Independent Penetration Testing Agent or Team", + "props": [ + { + "name": "label", + "value": "CA-8(1)" + }, + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8.1_smt", + "name": "statement", + "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." + }, + { + "id": "ca-8.1_gdn", + "name": "guidance", + "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing." + }, + { + "id": "ca-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + } + ], + "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.", + "links": [ + { + "href": "#ca-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-8.2", + "class": "SP800-53-enhancement", + "title": "Red Team Exercises", + "params": [ + { + "id": "ca-08.02_odp", + "label": "red team exercises", + "guidelines": [ + { + "prose": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8(2)" + }, + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-8.2_smt", + "name": "statement", + "prose": "Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}.", + "parts": [ + { + "id": "ca-8.2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Penetration Test Guidance\n\nhttps://www.FedRAMP.gov/documents/" + } + ] + } + ] + }, + { + "id": "ca-8.2_gdn", + "name": "guidance", + "prose": "Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness." + }, + { + "id": "ca-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.", + "links": [ + { + "href": "#ca-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the employment of red team exercises" + } + ] + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b)(1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ], + "controls": [ + { + "id": "cm-2.2", + "class": "SP800-53-enhancement", + "title": "Automation Support for Accuracy and Currency", + "params": [ + { + "id": "cm-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms for maintaining baseline configuration of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(2)" + }, + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}." + }, + { + "id": "cm-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance" + } + ] + } + ] + }, + { + "id": "cm-2.3", + "class": "SP800-53-enhancement", + "title": "Retention of Previous Configurations", + "params": [ + { + "id": "cm-02.03_odp", + "label": "number", + "constraints": [ + { + "description": "organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components" + } + ], + "guidelines": [ + { + "prose": "the number of previous baseline configuration versions to be retained is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(3)" + }, + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-2.3_smt", + "name": "statement", + "prose": "Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback." + }, + { + "id": "cm-2.3_gdn", + "name": "guidance", + "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation." + }, + { + "id": "cm-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.", + "links": [ + { + "href": "#cm-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + }, + { + "id": "cm-2.7", + "class": "SP800-53-enhancement", + "title": "Configure Systems and Components for High-risk Areas", + "params": [ + { + "id": "cm-02.07_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "the systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.02", + "label": "configurations", + "guidelines": [ + { + "prose": "configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "the controls to be applied when the individuals return from travel are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(7)" + }, + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and" + }, + { + "id": "cm-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}." + } + ] + }, + { + "id": "cm-2.7_gdn", + "name": "guidance", + "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family." + }, + { + "id": "cm-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;", + "links": [ + { + "href": "#cm-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.", + "links": [ + { + "href": "#cm-2.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + } + ] + }, + { + "id": "cm-3", + "class": "SP800-53", + "title": "Configuration Change Control", + "params": [ + { + "id": "cm-03_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to retain records of configuration-controlled changes is defined;" + } + ] + }, + { + "id": "cm-03_odp.02", + "label": "configuration change control element", + "guidelines": [ + { + "prose": "the configuration change control element responsible for coordinating and overseeing change control activities is defined;" + } + ] + }, + { + "id": "cm-03_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-03_odp.04 }} ", + "when {{ insert: param, cm-03_odp.05 }} " + ] + } + }, + { + "id": "cm-03_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which the configuration control element convenes is defined (if selected);" + } + ] + }, + { + "id": "cm-03_odp.05", + "label": "configuration change conditions", + "guidelines": [ + { + "prose": "configuration change conditions that prompt the configuration control element to convene are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3" + }, + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pt-6", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the types of changes to the system that are configuration-controlled;" + }, + { + "id": "cm-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" + }, + { + "id": "cm-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document configuration change decisions associated with the system;" + }, + { + "id": "cm-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement approved configuration-controlled changes to the system;" + }, + { + "id": "cm-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};" + }, + { + "id": "cm-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" + }, + { + "id": "cm-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}." + }, + { + "id": "cm-3_fr", + "name": "item", + "title": "CM-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO." + }, + { + "id": "cm-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "In accordance with record retention policies and procedures." + } + ] + } + ] + }, + { + "id": "cm-3_gdn", + "name": "guidance", + "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)." + }, + { + "id": "cm-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03a.", + "class": "sp800-53a" + } + ], + "prose": "the types of changes to the system that are configuration-controlled are determined and documented;", + "links": [ + { + "href": "#cm-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03c.", + "class": "sp800-53a" + } + ], + "prose": "configuration change decisions associated with the system are documented;", + "links": [ + { + "href": "#cm-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03d.", + "class": "sp800-53a" + } + ], + "prose": "approved configuration-controlled changes to the system are implemented;", + "links": [ + { + "href": "#cm-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03e.", + "class": "sp800-53a" + } + ], + "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};", + "links": [ + { + "href": "#cm-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[01]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are monitored;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda/minutes/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms that implement configuration change control" + } + ] + } + ], + "controls": [ + { + "id": "cm-3.1", + "class": "SP800-53-enhancement", + "title": "Automated Documentation, Notification, and Prohibition of Changes", + "params": [ + { + "id": "cm-03.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate configuration change control are defined;" + } + ] + }, + { + "id": "cm-03.01_odp.02", + "label": "approval authorities", + "guidelines": [ + { + "prose": "approval authorities to be notified of and request approval for proposed changes to the system are defined;" + } + ] + }, + { + "id": "cm-03.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "organization agreed upon time period" + } + ], + "guidelines": [ + { + "prose": "the time period after which to highlight changes that have not been approved or disapproved is defined;" + } + ] + }, + { + "id": "cm-03.01_odp.04", + "label": "personnel", + "constraints": [ + { + "description": "organization defined configuration management approval authorities" + } + ], + "guidelines": [ + { + "prose": "personnel to be notified when approved changes are complete is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(1)" + }, + { + "name": "label", + "value": "CM-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.1_smt", + "name": "statement", + "prose": "Use {{ insert: param, cm-03.01_odp.01 }} to:", + "parts": [ + { + "id": "cm-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Document proposed changes to the system;" + }, + { + "id": "cm-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;" + }, + { + "id": "cm-3.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};" + }, + { + "id": "cm-3.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Prohibit changes to the system until designated approvals are received;" + }, + { + "id": "cm-3.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Document all changes to the system; and" + }, + { + "id": "cm-3.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed." + } + ] + }, + { + "id": "cm-3.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "cm-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;", + "links": [ + { + "href": "#cm-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;", + "links": [ + { + "href": "#cm-3.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(c)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};", + "links": [ + { + "href": "#cm-3.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(d)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;", + "links": [ + { + "href": "#cm-3.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(e)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;", + "links": [ + { + "href": "#cm-3.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(f)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.", + "links": [ + { + "href": "#cm-3.1_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities" + } + ] + } + ] + }, + { + "id": "cm-3.2", + "class": "SP800-53-enhancement", + "title": "Testing, Validation, and Documentation of Changes", + "props": [ + { + "name": "label", + "value": "CM-3(2)" + }, + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.2_smt", + "name": "statement", + "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." + }, + { + "id": "cm-3.2_gdn", + "name": "guidance", + "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." + }, + { + "id": "cm-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are tested before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are validated before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are documented before finalizing the implementation of the changes.", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms supporting and/or implementing, testing, validating, and documenting system changes" + } + ] + } + ] + }, + { + "id": "cm-3.4", + "class": "SP800-53-enhancement", + "title": "Security and Privacy Representatives", + "params": [ + { + "id": "cm-3.4_prm_1", + "label": "organization-defined security and privacy representatives" + }, + { + "id": "cm-03.04_odp.01", + "label": "security representatives", + "guidelines": [ + { + "prose": "security representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.02", + "label": "privacy representatives", + "guidelines": [ + { + "prose": "privacy representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.03", + "label": "configuration change control element", + "constraints": [ + { + "description": "Configuration control board (CCB) or similar (as defined in CM-3)" + } + ], + "guidelines": [ + { + "prose": "the configuration change control element of which the security and privacy representatives are to be members is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(4)" + }, + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.4_smt", + "name": "statement", + "prose": "Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}." + }, + { + "id": "cm-3.4_gdn", + "name": "guidance", + "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)." + }, + { + "id": "cm-3.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control" + } + ] + } + ] + }, + { + "id": "cm-3.6", + "class": "SP800-53-enhancement", + "title": "Cryptography Management", + "params": [ + { + "id": "cm-03.06_odp", + "label": "controls", + "constraints": [ + { + "description": "All security safeguards that rely on cryptography" + } + ], + "guidelines": [ + { + "prose": "controls provided by cryptographic mechanisms that are to be under configuration management are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(6)" + }, + { + "name": "label", + "value": "CM-03(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3.6_smt", + "name": "statement", + "prose": "Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}." + }, + { + "id": "cm-3.6_gdn", + "name": "guidance", + "prose": "The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates." + }, + { + "id": "cm-3.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(06)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.", + "links": [ + { + "href": "#cm-3.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)" + } + ] + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ], + "controls": [ + { + "id": "cm-4.1", + "class": "SP800-53-enhancement", + "title": "Separate Test Environments", + "props": [ + { + "name": "label", + "value": "CM-4(1)" + }, + { + "name": "label", + "value": "CM-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.1_smt", + "name": "statement", + "prose": "Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice." + }, + { + "id": "cm-4.1_gdn", + "name": "guidance", + "prose": "A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation." + }, + { + "id": "cm-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to flaws;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to flaws;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[04]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to weaknesses;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[05]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[06]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to incompatibility;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[07]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[08]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to intentional malice;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[09]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to intentional malice.", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + }, + { + "id": "cm-4.2", + "class": "SP800-53-enhancement", + "title": "Verification of Controls", + "props": [ + { + "name": "label", + "value": "CM-4(2)" + }, + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.2_smt", + "name": "statement", + "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." + }, + { + "id": "cm-4.2_gdn", + "name": "guidance", + "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." + }, + { + "id": "cm-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[05]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[06]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsecurity and privacy assessors" + } + ] + }, + { + "id": "cm-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals\u2019 privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ], + "controls": [ + { + "id": "cm-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Access Enforcement and Audit Records", + "params": [ + { + "id": "cm-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate the enforcement of access restrictions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(1)" + }, + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and" + }, + { + "id": "cm-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Automatically generate audit records of the enforcement actions." + } + ] + }, + { + "id": "cm-5.1_gdn", + "name": "guidance", + "prose": "Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." + }, + { + "id": "cm-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};", + "links": [ + { + "href": "#cm-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "audit records of enforcement actions are automatically generated.", + "links": [ + { + "href": "#cm-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions" + } + ] + } + ] + }, + { + "id": "cm-5.5", + "class": "SP800-53-enhancement", + "title": "Privilege Limitation for Production and Operation", + "params": [ + { + "id": "cm-5.5_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ] + }, + { + "id": "cm-05.05_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review privileges is defined;" + } + ] + }, + { + "id": "cm-05.05_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to reevaluate privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(5)" + }, + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Limit privileges to change system components and system-related information within a production or operational environment; and" + }, + { + "id": "cm-5.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}." + } + ] + }, + { + "id": "cm-5.5_gdn", + "name": "guidance", + "prose": "In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures." + }, + { + "id": "cm-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system components within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system-related information within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" + } + ] + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP\u2019s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ], + "controls": [ + { + "id": "cm-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Management, Application, and Verification", + "params": [ + { + "id": "cm-6.1_prm_2", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-06.01_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to manage, apply, and verify configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to manage configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to apply configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to verify configuration settings are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(1)" + }, + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.1_smt", + "name": "statement", + "prose": "Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}." + }, + { + "id": "cm-6.1_gdn", + "name": "guidance", + "prose": "Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." + }, + { + "id": "cm-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings" + } + ] + } + ] + }, + { + "id": "cm-6.2", + "class": "SP800-53-enhancement", + "title": "Respond to Unauthorized Changes", + "params": [ + { + "id": "cm-06.02_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken upon an unauthorized change are defined;" + } + ] + }, + { + "id": "cm-06.02_odp.02", + "label": "configuration settings", + "guidelines": [ + { + "prose": "configuration settings requiring action upon an unauthorized change are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(2)" + }, + { + "name": "label", + "value": "CM-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.2_smt", + "name": "statement", + "prose": "Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}." + }, + { + "id": "cm-6.2_gdn", + "name": "guidance", + "prose": "Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or\u2014in extreme cases\u2014halting affected system processing." + }, + { + "id": "cm-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.", + "links": [ + { + "href": "#cm-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and/or implementing actions in response to unauthorized changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ], + "controls": [ + { + "id": "cm-7.1", + "class": "SP800-53-enhancement", + "title": "Periodic Review", + "params": [ + { + "id": "cm-7.1_prm_2", + "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" + }, + { + "id": "cm-07.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be disabled or removed when deemed unnecessary or non-secure is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(1)" + }, + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" + }, + { + "id": "cm-7.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + } + ] + }, + { + "id": "cm-7.1_gdn", + "name": "guidance", + "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." + }, + { + "id": "cm-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:", + "links": [ + { + "href": "#cm-7.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and/or services" + } + ] + } + ] + }, + { + "id": "cm-7.2", + "class": "SP800-53-enhancement", + "title": "Prevent Program Execution", + "params": [ + { + "id": "cm-07.02_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-07.02_odp.02 }} ", + "rules authorizing the terms and conditions of software program usage" + ] + } + }, + { + "id": "cm-07.02_odp.02", + "label": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions", + "guidelines": [ + { + "prose": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(2)" + }, + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.2_smt", + "name": "statement", + "prose": "Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "parts": [ + { + "id": "cm-7.2_fr", + "name": "item", + "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run." + } + ] + } + ] + }, + { + "id": "cm-7.2_gdn", + "name": "guidance", + "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time." + }, + { + "id": "cm-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + } + ], + "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "links": [ + { + "href": "#cm-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and/or implementing software program usage and restrictions" + } + ] + } + ] + }, + { + "id": "cm-7.5", + "class": "SP800-53-enhancement", + "title": "Authorized Software \u2014 Allow-by-exception", + "params": [ + { + "id": "cm-07.05_odp.01", + "label": "software programs", + "guidelines": [ + { + "prose": "software programs authorized to execute on the system are defined;" + } + ] + }, + { + "id": "cm-07.05_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly or when there is a change" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the list of authorized software programs is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(5)" + }, + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Identify {{ insert: param, cm-07.05_odp.01 }};" + }, + { + "id": "cm-7.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" + }, + { + "id": "cm-7.5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}." + } + ] + }, + { + "id": "cm-7.5_gdn", + "name": "guidance", + "prose": "Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)." + }, + { + "id": "cm-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;", + "links": [ + { + "href": "#cm-7.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;", + "links": [ + { + "href": "#cm-7.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(c)", + "class": "sp800-53a" + } + ], + "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.", + "links": [ + { + "href": "#cm-7.5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and/or implementing authorized software policy" + } + ] + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ], + "controls": [ + { + "id": "cm-8.1", + "class": "SP800-53-enhancement", + "title": "Updates During Installation and Removal", + "props": [ + { + "name": "label", + "value": "CM-8(1)" + }, + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#pm-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.1_smt", + "name": "statement", + "prose": "Update the inventory of system components as part of component installations, removals, and system updates." + }, + { + "id": "cm-8.1_gdn", + "name": "guidance", + "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." + }, + { + "id": "cm-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component installations;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component removals;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of system updates.", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for updating the system component inventory\n\nmechanisms supporting and/or implementing system component inventory updates" + } + ] + } + ] + }, + { + "id": "cm-8.2", + "class": "SP800-53-enhancement", + "title": "Automated Maintenance", + "params": [ + { + "id": "cm-8.2_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-08.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the currency of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the completeness of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the accuracy of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the availability of the system component inventory are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(2)" + }, + { + "name": "label", + "value": "CM-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-8.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}." + }, + { + "id": "cm-8.2_gdn", + "name": "guidance", + "prose": "Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and/or implementing the system component inventory" + } + ] + } + ] + }, + { + "id": "cm-8.3", + "class": "SP800-53-enhancement", + "title": "Automated Unauthorized Component Detection", + "params": [ + { + "id": "cm-8.3_prm_1", + "label": "organization-defined automated mechanisms", + "constraints": [ + { + "description": "automated mechanisms with a maximum five-minute delay in detection" + } + ] + }, + { + "id": "cm-08.03_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized software within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;" + } + ] + }, + { + "id": "cm-08.03_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "disable network access by unauthorized components", + "isolate unauthorized components", + "notify {{ insert: param, cm-08.03_odp.06 }} " + ] + } + }, + { + "id": "cm-08.03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(3)" + }, + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and" + }, + { + "id": "cm-8.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}." + } + ] + }, + { + "id": "cm-8.3_gdn", + "name": "guidance", + "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" " + }, + { + "id": "cm-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected" + } + ] + } + ] + }, + { + "id": "cm-8.4", + "class": "SP800-53-enhancement", + "title": "Accountability Information", + "params": [ + { + "id": "cm-08.04_odp", + "constraints": [ + { + "description": "position and role" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "name", + "position", + "role" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(4)" + }, + { + "name": "label", + "value": "CM-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.4_smt", + "name": "statement", + "prose": "Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components." + }, + { + "id": "cm-8.4_gdn", + "name": "guidance", + "prose": "Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)." + }, + { + "id": "cm-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(04)", + "class": "sp800-53a" + } + ], + "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.", + "links": [ + { + "href": "#cm-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing the system component inventory" + } + ] + } + ] + } + ] + }, + { + "id": "cm-9", + "class": "SP800-53", + "title": "Configuration Management Plan", + "params": [ + { + "id": "cm-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review and approve the configuration management plan is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-9" + }, + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-9_smt", + "name": "statement", + "prose": "Develop, document, and implement a configuration management plan for the system that:", + "parts": [ + { + "id": "cm-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" + }, + { + "id": "cm-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" + }, + { + "id": "cm-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" + }, + { + "id": "cm-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and" + }, + { + "id": "cm-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protects the configuration management plan from unauthorized disclosure and modification." + }, + { + "id": "cm-9_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide" + } + ] + }, + { + "id": "cm-9_gdn", + "name": "guidance", + "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." + }, + { + "id": "cm-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is developed and documented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[02]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is implemented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses roles;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses responsibilities;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses configuration management processes and procedures;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan defines the configuration items for the system;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan places the configuration items under configuration management;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09d.", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};", + "links": [ + { + "href": "#cm-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + }, + { + "id": "cm-12", + "class": "SP800-53", + "title": "Information Location", + "params": [ + { + "id": "cm-12_odp", + "label": "information", + "guidelines": [ + { + "prose": "information for which the location is to be identified and documented is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12" + }, + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-23", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-12_smt", + "name": "statement", + "parts": [ + { + "id": "cm-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;" + }, + { + "id": "cm-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" + }, + { + "id": "cm-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." + }, + { + "id": "cm-12_fr", + "name": "item", + "title": "CM-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance" + } + ] + } + ] + }, + { + "id": "cm-12_gdn", + "name": "guidance", + "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))." + }, + { + "id": "cm-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location" + } + ] + } + ], + "controls": [ + { + "id": "cm-12.1", + "class": "SP800-53-enhancement", + "title": "Automated Tools to Support Information Location", + "params": [ + { + "id": "cm-12.01_odp.01", + "label": "information by information type", + "constraints": [ + { + "description": "Federal data and system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "information to be protected is defined by information type;" + } + ] + }, + { + "id": "cm-12.01_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where the information is located are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12(1)" + }, + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-12.1_smt", + "name": "statement", + "prose": "Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy.", + "parts": [ + { + "id": "cm-12.1_fr", + "name": "item", + "title": "CM-12 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance." + } + ] + } + ] + }, + { + "id": "cm-12.1_gdn", + "name": "guidance", + "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions." + }, + { + "id": "cm-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + } + ], + "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.", + "links": [ + { + "href": "#cm-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components" + } + ] + } + ] + } + ] + }, + { + "id": "cm-14", + "class": "SP800-53", + "title": "Signed Components", + "params": [ + { + "id": "cm-14_prm_1", + "label": "organization-defined software and firmware components" + }, + { + "id": "cm-14_odp.01", + "label": "software components", + "guidelines": [ + { + "prose": "software components requiring verification of a digitally signed certificate before installation are defined;" + } + ] + }, + { + "id": "cm-14_odp.02", + "label": "firmware components", + "guidelines": [ + { + "prose": "firmware components requiring verification of a digitally signed certificate before installation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-14" + }, + { + "name": "label", + "value": "CM-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-14_smt", + "name": "statement", + "prose": "Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.", + "parts": [ + { + "id": "cm-14_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized." + } + ] + }, + { + "id": "cm-14_gdn", + "name": "guidance", + "prose": "Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication." + }, + { + "id": "cm-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-14_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14[01]", + "class": "sp800-53a" + } + ], + "prose": "the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;", + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-14_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14[02]", + "class": "sp800-53a" + } + ], + "prose": "the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.", + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing digitally signed certificates for software and firmware components\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location\n\nautomated tools supporting or implementing digitally signatures for software and firmware components\n\nautomated tools supporting or implementing verification of digital signatures for software and firmware component installation" + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ], + "controls": [ + { + "id": "cp-2.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-2(1)" + }, + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." + }, + { + "id": "cp-2.1_gdn", + "name": "guidance", + "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans." + }, + { + "id": "cp-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans" + } + ] + } + ] + }, + { + "id": "cp-2.2", + "class": "SP800-53-enhancement", + "title": "Capacity Planning", + "props": [ + { + "name": "label", + "value": "CP-2(2)" + }, + { + "name": "label", + "value": "CP-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-13", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.2_smt", + "name": "statement", + "prose": "Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." + }, + { + "id": "cp-2.2_gdn", + "name": "guidance", + "prose": "Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance." + }, + { + "id": "cp-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2.3", + "class": "SP800-53-enhancement", + "title": "Resume Mission and Business Functions", + "params": [ + { + "id": "cp-02.03_odp.01", + "constraints": [ + { + "description": "all" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + }, + { + "id": "cp-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "time period defined in service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "the contingency plan activation time period within which to resume mission and business functions is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(3)" + }, + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.3_smt", + "name": "statement", + "prose": "Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation." + }, + { + "id": "cp-2.3_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." + }, + { + "id": "cp-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.", + "links": [ + { + "href": "#cp-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions" + } + ] + }, + { + "id": "cp-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for resumption of missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.5", + "class": "SP800-53-enhancement", + "title": "Continue Mission and Business Functions", + "params": [ + { + "id": "cp-02.05_odp", + "constraints": [ + { + "description": "essential" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(5)" + }, + { + "name": "label", + "value": "CP-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.5_smt", + "name": "statement", + "prose": "Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites." + }, + { + "id": "cp-2.5_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency." + }, + { + "id": "cp-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;", + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites.", + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for continuing missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.8", + "class": "SP800-53-enhancement", + "title": "Identify Critical Assets", + "params": [ + { + "id": "cp-02.08_odp", + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(8)" + }, + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.8_smt", + "name": "statement", + "prose": "Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions." + }, + { + "id": "cp-2.8_gdn", + "name": "guidance", + "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement." + }, + { + "id": "cp-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + } + ], + "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.", + "links": [ + { + "href": "#cp-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ], + "controls": [ + { + "id": "cp-3.1", + "class": "SP800-53-enhancement", + "title": "Simulated Events", + "props": [ + { + "name": "label", + "value": "CP-3(1)" + }, + { + "name": "label", + "value": "CP-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-3.1_smt", + "name": "statement", + "prose": "Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations." + }, + { + "id": "cp-3.1_gdn", + "name": "guidance", + "prose": "The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures." + }, + { + "id": "cp-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03(01)", + "class": "sp800-53a" + } + ], + "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.", + "links": [ + { + "href": "#cp-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training\n\nmechanisms for simulating contingency events" + } + ] + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "functional exercises" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ], + "controls": [ + { + "id": "cp-4.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-4(1)" + }, + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." + }, + { + "id": "cp-4.1_gdn", + "name": "guidance", + "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements." + }, + { + "id": "cp-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-4.2", + "class": "SP800-53-enhancement", + "title": "Alternate Processing Site", + "props": [ + { + "name": "label", + "value": "CP-4(2)" + }, + { + "name": "label", + "value": "CP-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.2_smt", + "name": "statement", + "prose": "Test the contingency plan at the alternate processing site:", + "parts": [ + { + "id": "cp-4.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "To familiarize contingency personnel with the facility and available resources; and" + }, + { + "id": "cp-4.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "To evaluate the capabilities of the alternate processing site to support contingency operations." + } + ] + }, + { + "id": "cp-4.2_gdn", + "name": "guidance", + "prose": "Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing." + }, + { + "id": "cp-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;", + "links": [ + { + "href": "#cp-4.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.", + "links": [ + { + "href": "#cp-4.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ] + } + ] + }, + { + "id": "cp-6", + "class": "SP800-53", + "title": "Alternate Storage Site", + "props": [ + { + "name": "label", + "value": "CP-6" + }, + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6_smt", + "name": "statement", + "parts": [ + { + "id": "cp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" + }, + { + "id": "cp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." + } + ] + }, + { + "id": "cp-6_gdn", + "name": "guidance", + "prose": "Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems." + }, + { + "id": "cp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site is established;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06b.", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site provides controls equivalent to that of the primary site.", + "links": [ + { + "href": "#cp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site" + } + ] + } + ], + "controls": [ + { + "id": "cp-6.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-6(1)" + }, + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.1_smt", + "name": "statement", + "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." + }, + { + "id": "cp-6.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-6.2", + "class": "SP800-53-enhancement", + "title": "Recovery Time and Recovery Point Objectives", + "props": [ + { + "name": "label", + "value": "CP-6(2)" + }, + { + "name": "label", + "value": "CP-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-6.2_smt", + "name": "statement", + "prose": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." + }, + { + "id": "cp-6.2_gdn", + "name": "guidance", + "prose": "Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution." + }, + { + "id": "cp-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;", + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.", + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives" + } + ] + } + ] + }, + { + "id": "cp-6.3", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-6(3)" + }, + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.3_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." + }, + { + "id": "cp-6.3_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." + }, + { + "id": "cp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-7", + "class": "SP800-53", + "title": "Alternate Processing Site", + "params": [ + { + "id": "cp-07_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-7" + }, + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7_smt", + "name": "statement", + "parts": [ + { + "id": "cp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;" + }, + { + "id": "cp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and" + }, + { + "id": "cp-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." + }, + { + "id": "cp-7_fr", + "name": "item", + "title": "CP-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-7_gdn", + "name": "guidance", + "prose": "Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems." + }, + { + "id": "cp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07a.", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;", + "links": [ + { + "href": "#cp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07c.", + "class": "sp800-53a" + } + ], + "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.", + "links": [ + { + "href": "#cp-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for recovery at the alternate site\n\nmechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ], + "controls": [ + { + "id": "cp-7.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-7(1)" + }, + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.1_smt", + "name": "statement", + "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.", + "parts": [ + { + "id": "cp-7.1_fr", + "name": "item", + "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7.1_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant." + } + ] + } + ] + }, + { + "id": "cp-7.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.", + "links": [ + { + "href": "#cp-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.2", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-7(2)" + }, + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.2_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." + }, + { + "id": "cp-7.2_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." + }, + { + "id": "cp-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.3", + "class": "SP800-53-enhancement", + "title": "Priority of Service", + "props": [ + { + "name": "label", + "value": "CP-7(3)" + }, + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-7.3_smt", + "name": "statement", + "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." + }, + { + "id": "cp-7.3_gdn", + "name": "guidance", + "prose": "Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." + }, + { + "id": "cp-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.", + "links": [ + { + "href": "#cp-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + }, + { + "id": "cp-7.4", + "class": "SP800-53-enhancement", + "title": "Preparation for Use", + "props": [ + { + "name": "label", + "value": "CP-7(4)" + }, + { + "name": "label", + "value": "CP-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.4_smt", + "name": "statement", + "prose": "Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions." + }, + { + "id": "cp-7.4_gdn", + "name": "guidance", + "prose": "Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place." + }, + { + "id": "cp-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(04)", + "class": "sp800-53a" + } + ], + "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.", + "links": [ + { + "href": "#cp-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ] + } + ] + }, + { + "id": "cp-8", + "class": "SP800-53", + "title": "Telecommunications Services", + "params": [ + { + "id": "cp-08_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations to be resumed for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8" + }, + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8_smt", + "name": "statement", + "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "parts": [ + { + "id": "cp-8_fr", + "name": "item", + "title": "CP-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-8_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-8_gdn", + "name": "guidance", + "prose": "Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." + }, + { + "id": "cp-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "links": [ + { + "href": "#cp-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ], + "controls": [ + { + "id": "cp-8.1", + "class": "SP800-53-enhancement", + "title": "Priority of Service Provisions", + "props": [ + { + "name": "label", + "value": "CP-8(1)" + }, + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" + }, + { + "id": "cp-8.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." + } + ] + }, + { + "id": "cp-8.1_gdn", + "name": "guidance", + "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." + }, + { + "id": "cp-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.", + "links": [ + { + "href": "#cp-8.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ] + }, + { + "id": "cp-8.2", + "class": "SP800-53-enhancement", + "title": "Single Points of Failure", + "props": [ + { + "name": "label", + "value": "CP-8(2)" + }, + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.2_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." + }, + { + "id": "cp-8.2_gdn", + "name": "guidance", + "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." + }, + { + "id": "cp-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.", + "links": [ + { + "href": "#cp-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-8.3", + "class": "SP800-53-enhancement", + "title": "Separation of Primary and Alternate Providers", + "props": [ + { + "name": "label", + "value": "CP-8(3)" + }, + { + "name": "label", + "value": "CP-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.3_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats." + }, + { + "id": "cp-8.3_gdn", + "name": "guidance", + "prose": "Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment." + }, + { + "id": "cp-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-8.4", + "class": "SP800-53-enhancement", + "title": "Provider Contingency Plan", + "params": [ + { + "id": "cp-8.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "annually" + } + ] + }, + { + "id": "cp-08.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to obtain evidence of contingency testing by providers is defined;" + } + ] + }, + { + "id": "cp-08.04_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to obtain evidence of contingency training by providers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8(4)" + }, + { + "name": "label", + "value": "CP-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8.4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Require primary and alternate telecommunications service providers to have contingency plans;" + }, + { + "id": "cp-8.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and" + }, + { + "id": "cp-8.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}." + } + ] + }, + { + "id": "cp-8.4_gdn", + "name": "guidance", + "prose": "Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training." + }, + { + "id": "cp-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service providers are required to have contingency plans;", + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service providers are required to have contingency plans;", + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;", + "links": [ + { + "href": "#cp-8.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.", + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.", + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ], + "controls": [ + { + "id": "cp-9.1", + "class": "SP800-53-enhancement", + "title": "Testing for Reliability and Integrity", + "params": [ + { + "id": "cp-9.1_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "cp-09.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for media reliability is defined;" + } + ] + }, + { + "id": "cp-09.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for information integrity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(1)" + }, + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.1_smt", + "name": "statement", + "prose": "Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity." + }, + { + "id": "cp-9.1_gdn", + "name": "guidance", + "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." + }, + { + "id": "cp-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.2", + "class": "SP800-53-enhancement", + "title": "Test Restoration Using Sampling", + "props": [ + { + "name": "label", + "value": "CP-9(2)" + }, + { + "name": "label", + "value": "CP-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.2_smt", + "name": "statement", + "prose": "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing." + }, + { + "id": "cp-9.2_gdn", + "name": "guidance", + "prose": "Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed." + }, + { + "id": "cp-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(02)", + "class": "sp800-53a" + } + ], + "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.", + "links": [ + { + "href": "#cp-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.3", + "class": "SP800-53-enhancement", + "title": "Separate Storage for Critical Information", + "params": [ + { + "id": "cp-09.03_odp", + "label": "critical system software and other security-related information", + "guidelines": [ + { + "prose": "critical system software and other security-related information backups to be stored in a separate facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(3)" + }, + { + "name": "label", + "value": "CP-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.3_smt", + "name": "statement", + "prose": "Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system." + }, + { + "id": "cp-9.3_gdn", + "name": "guidance", + "prose": "Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers." + }, + { + "id": "cp-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(03)", + "class": "sp800-53a" + } + ], + "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.", + "links": [ + { + "href": "#cp-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-9.5", + "class": "SP800-53-enhancement", + "title": "Transfer to Alternate Storage Site", + "params": [ + { + "id": "cp-9.5_prm_1", + "label": "organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives", + "constraints": [ + { + "description": "time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA." + } + ] + }, + { + "id": "cp-09.05_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09.05_odp.02", + "label": "transfer rate", + "guidelines": [ + { + "prose": "transfer rate consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(5)" + }, + { + "name": "label", + "value": "CP-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.5_smt", + "name": "statement", + "prose": "Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}." + }, + { + "id": "cp-9.5_gdn", + "name": "guidance", + "prose": "System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media." + }, + { + "id": "cp-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};", + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.", + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and/or implementing system backups\n\nmechanisms supporting and/or implementing information transfer to the alternate storage site" + } + ] + } + ] + }, + { + "id": "cp-9.8", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "cp-09.08_odp", + "label": "backup information", + "constraints": [ + { + "description": "all backup files" + } + ], + "guidelines": [ + { + "prose": "backup information to protect against unauthorized disclosure and modification is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(8)" + }, + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.8_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "parts": [ + { + "id": "cp-9.8_fr", + "name": "item", + "title": "CP-9 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9.8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "cp-9.8_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." + }, + { + "id": "cp-9.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "links": [ + { + "href": "#cp-9.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection of backup information" + } + ] + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ], + "controls": [ + { + "id": "cp-10.2", + "class": "SP800-53-enhancement", + "title": "Transaction Recovery", + "props": [ + { + "name": "label", + "value": "CP-10(2)" + }, + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-10.2_smt", + "name": "statement", + "prose": "Implement transaction recovery for systems that are transaction-based." + }, + { + "id": "cp-10.2_gdn", + "name": "guidance", + "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." + }, + { + "id": "cp-10.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + } + ], + "prose": "transaction recovery is implemented for systems that are transaction-based.", + "links": [ + { + "href": "#cp-10.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transaction recovery capability" + } + ] + } + ] + }, + { + "id": "cp-10.4", + "class": "SP800-53-enhancement", + "title": "Restore Within Time Period", + "params": [ + { + "id": "cp-10.04_odp", + "label": "restoration time periods", + "constraints": [ + { + "description": "time period consistent with the restoration time-periods defined in the service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "restoration time period within which to restore system components to a known, operational state is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10(4)" + }, + { + "name": "label", + "value": "CP-10(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10.4_smt", + "name": "statement", + "prose": "Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components." + }, + { + "id": "cp-10.4_gdn", + "name": "guidance", + "prose": "Restoration of system components includes reimaging, which restores the components to known, operational states." + }, + { + "id": "cp-10.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(04)", + "class": "sp800-53a" + } + ], + "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.", + "links": [ + { + "href": "#cp-10.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the recovery/reconstitution of system information" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.5", + "class": "SP800-53-enhancement", + "title": "Individual Authentication with Group Authentication", + "props": [ + { + "name": "label", + "value": "IA-2(5)" + }, + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.5_smt", + "name": "statement", + "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." + }, + { + "id": "ia-2.5_gdn", + "name": "guidance", + "prose": "Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators." + }, + { + "id": "ia-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.", + "links": [ + { + "href": "#ia-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an authentication capability for group accounts" + } + ] + } + ] + }, + { + "id": "ia-2.6", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014separate Device", + "params": [ + { + "id": "ia-02.06_odp.01", + "constraints": [ + { + "description": "local, network and remote" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "network", + "remote" + ] + } + }, + { + "id": "ia-02.06_odp.02", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + }, + { + "id": "ia-02.06_odp.03", + "label": "strength of mechanism requirements", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(6)" + }, + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.6_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:", + "parts": [ + { + "id": "ia-2.6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "One of the factors is provided by a device separate from the system gaining access; and" + }, + { + "id": "ia-2.6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "The device meets {{ insert: param, ia-02.06_odp.03 }}." + }, + { + "id": "ia-2.6_fr", + "name": "item", + "title": "IA-2 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials." + }, + { + "id": "ia-2.6_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography." + } + ] + } + ] + }, + { + "id": "ia-2.6_gdn", + "name": "guidance", + "prose": "The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process." + }, + { + "id": "ia-2.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2.6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(a)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;", + "links": [ + { + "href": "#ia-2.6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(b)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.", + "links": [ + { + "href": "#ia-2.6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014 Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-3", + "class": "SP800-53", + "title": "Device Identification and Authentication", + "params": [ + { + "id": "ia-03_odp.01", + "label": "devices and/or types of devices", + "guidelines": [ + { + "prose": "devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;" + } + ] + }, + { + "id": "ia-03_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "remote", + "network" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-3" + }, + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-3_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + }, + { + "id": "ia-3_gdn", + "name": "guidance", + "prose": "Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs." + }, + { + "id": "ia-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.", + "links": [ + { + "href": "#ia-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ], + "controls": [ + { + "id": "ia-4.4", + "class": "SP800-53-enhancement", + "title": "Identify User Status", + "params": [ + { + "id": "ia-04.04_odp", + "label": "characteristics", + "constraints": [ + { + "description": "contractors; foreign nationals" + } + ], + "guidelines": [ + { + "prose": "characteristics used to identify individual status is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4(4)" + }, + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-4.4_smt", + "name": "statement", + "prose": "Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}." + }, + { + "id": "ia-4.4_gdn", + "name": "guidance", + "prose": "Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." + }, + { + "id": "ia-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + } + ], + "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.", + "links": [ + { + "href": "#ia-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn\u2019t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.2", + "class": "SP800-53-enhancement", + "title": "Public Key-based Authentication", + "props": [ + { + "name": "label", + "value": "IA-5(2)" + }, + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-5.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "For public key-based authentication:", + "parts": [ + { + "id": "ia-5.2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Enforce authorized access to the corresponding private key; and" + }, + { + "id": "ia-5.2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Map the authenticated identity to the account of the individual or group; and" + } + ] + }, + { + "id": "ia-5.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "When public key infrastructure (PKI) is used:", + "parts": [ + { + "id": "ia-5.2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and" + }, + { + "id": "ia-5.2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Implement a local cache of revocation data to support path discovery and validation." + } + ] + } + ] + }, + { + "id": "ia-5.2_gdn", + "name": "guidance", + "prose": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network." + }, + { + "id": "ia-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(01)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;", + "links": [ + { + "href": "#ia-5.2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(02)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.", + "links": [ + { + "href": "#ia-5.2_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing PKI-based, authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.6", + "class": "SP800-53-enhancement", + "title": "Protection of Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(6)" + }, + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.6_smt", + "name": "statement", + "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." + }, + { + "id": "ia-5.6_gdn", + "name": "guidance", + "prose": "For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." + }, + { + "id": "ia-5.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + } + ], + "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.", + "links": [ + { + "href": "#ia-5.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms protecting authenticators" + } + ] + } + ] + }, + { + "id": "ia-5.7", + "class": "SP800-53-enhancement", + "title": "No Embedded Unencrypted Static Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(7)" + }, + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.7_smt", + "name": "statement", + "prose": "Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "parts": [ + { + "id": "ia-5.7_fr", + "name": "item", + "title": "IA-5 (7) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process." + } + ] + } + ] + }, + { + "id": "ia-5.7_gdn", + "name": "guidance", + "prose": "In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators." + }, + { + "id": "ia-5.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + } + ], + "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "links": [ + { + "href": "#ia-5.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications" + } + ] + } + ] + }, + { + "id": "ia-5.8", + "class": "SP800-53-enhancement", + "title": "Multiple System Accounts", + "params": [ + { + "id": "ia-05.08_odp", + "label": "security controls", + "constraints": [ + { + "description": "different authenticators in different user authentication domains" + } + ], + "guidelines": [ + { + "prose": "security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(8)" + }, + { + "name": "label", + "value": "IA-05(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.8_smt", + "name": "statement", + "prose": "Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems.", + "parts": [ + { + "id": "ia-5.8_fr", + "name": "item", + "title": "IA-5 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.8_fr_gdn.x", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required." + } + ] + } + ] + }, + { + "id": "ia-5.8_gdn", + "name": "guidance", + "prose": "When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk of multiple system accounts." + }, + { + "id": "ia-5.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.", + "links": [ + { + "href": "#ia-5.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nlist of individuals having accounts on multiple systems\n\nlist of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing safeguards for authenticator management" + } + ] + } + ] + }, + { + "id": "ia-5.13", + "class": "SP800-53-enhancement", + "title": "Expiration of Cached Authenticators", + "params": [ + { + "id": "ia-05.13_odp", + "label": "time period", + "guidelines": [ + { + "prose": "the time period after which the use of cached authenticators is prohibited is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(13)" + }, + { + "name": "label", + "value": "IA-05(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.13_smt", + "name": "statement", + "prose": "Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}.", + "parts": [ + { + "id": "ia-5.13_fr", + "name": "item", + "title": "IA-5 (13) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard." + } + ] + } + ] + }, + { + "id": "ia-5.13_gdn", + "name": "guidance", + "prose": "Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable." + }, + { + "id": "ia-5.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(13)", + "class": "sp800-53a" + } + ], + "prose": "the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.", + "links": [ + { + "href": "#ia-5.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors\u2014including security, privacy, scalability, and practicality\u2014when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL3 (high baseline) * 12 hours or * 15 minutes of inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12", + "class": "SP800-53", + "title": "Identity Proofing", + "props": [ + { + "name": "label", + "value": "IA-12" + }, + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#9099ed2c-922a-493d-bcb4-d896192243ff", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12_smt", + "name": "statement", + "parts": [ + { + "id": "ia-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" + }, + { + "id": "ia-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Resolve user identities to a unique individual; and" + }, + { + "id": "ia-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Collect, validate, and verify identity evidence." + }, + { + "id": "ia-12_fr", + "name": "item", + "title": "IA-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12_gdn", + "name": "guidance", + "prose": "Identity proofing is the process of collecting, validating, and verifying a user\u2019s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "ia-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12a.", + "class": "sp800-53a" + } + ], + "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;", + "links": [ + { + "href": "#ia-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12b.", + "class": "sp800-53a" + } + ], + "prose": "user identities are resolved to a unique individual;", + "links": [ + { + "href": "#ia-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is collected;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is validated;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[03]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is verified.", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-12.2", + "class": "SP800-53-enhancement", + "title": "Identity Evidence", + "props": [ + { + "name": "label", + "value": "IA-12(2)" + }, + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.2_smt", + "name": "statement", + "prose": "Require evidence of individual identification be presented to the registration authority." + }, + { + "id": "ia-12.2_gdn", + "name": "guidance", + "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user\u2019s account." + }, + { + "id": "ia-12.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + } + ], + "prose": "evidence of individual identification is presented to the registration authority.", + "links": [ + { + "href": "#ia-12.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.3", + "class": "SP800-53-enhancement", + "title": "Identity Evidence Validation and Verification", + "params": [ + { + "id": "ia-12.03_odp", + "label": "methods of validation and verification", + "guidelines": [ + { + "prose": "methods of validation and verification of identity evidence are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(3)" + }, + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.3_smt", + "name": "statement", + "prose": "Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}." + }, + { + "id": "ia-12.3_gdn", + "name": "guidance", + "prose": "Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account." + }, + { + "id": "ia-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + } + ], + "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.", + "links": [ + { + "href": "#ia-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.4", + "class": "SP800-53-enhancement", + "title": "In-person Validation and Verification", + "props": [ + { + "name": "label", + "value": "IA-12(4)" + }, + { + "name": "label", + "value": "IA-12(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.4_smt", + "name": "statement", + "prose": "Require that the validation and verification of identity evidence be conducted in person before a designated registration authority." + }, + { + "id": "ia-12.4_gdn", + "name": "guidance", + "prose": "In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities." + }, + { + "id": "ia-12.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(04)", + "class": "sp800-53a" + } + ], + "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority.", + "links": [ + { + "href": "#ia-12.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.5", + "class": "SP800-53-enhancement", + "title": "Address Confirmation", + "params": [ + { + "id": "ia-12.05_odp", + "select": { + "choice": [ + "registration code", + "notice of proofing" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(5)" + }, + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + }, + { + "href": "#ia-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12.5_smt", + "name": "statement", + "prose": "Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record.", + "parts": [ + { + "id": "ia-12.5_fr", + "name": "item", + "title": "IA-12 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12.5_gdn", + "name": "guidance", + "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." + }, + { + "id": "ia-12.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + } + ], + "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user\u2019s address (physical or digital) of record.", + "links": [ + { + "href": "#ia-12.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-2.1", + "class": "SP800-53-enhancement", + "title": "Simulated Events", + "props": [ + { + "name": "label", + "value": "IR-2(1)" + }, + { + "name": "label", + "value": "IR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-2.1_smt", + "name": "statement", + "prose": "Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations." + }, + { + "id": "ir-2.1_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations." + }, + { + "id": "ir-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.", + "links": [ + { + "href": "#ir-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that support and/or implement simulated events for incident response training" + } + ] + } + ] + }, + { + "id": "ir-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Training Environments", + "params": [ + { + "id": "ir-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used in an incident response training environment are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2(2)" + }, + { + "name": "label", + "value": "IR-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-2.2_smt", + "name": "statement", + "prose": "Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}." + }, + { + "id": "ir-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability." + }, + { + "id": "ir-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02(02)", + "class": "sp800-53a" + } + ], + "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.", + "links": [ + { + "href": "#ir-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that provide a thorough and realistic incident response training environment" + } + ] + } + ] + } + ] + }, + { + "id": "ir-3", + "class": "SP800-53", + "title": "Incident Response Testing", + "params": [ + { + "id": "ir-03_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every six (6) months, including functional at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to test the effectiveness of the incident response capability for the system is defined;" + } + ] + }, + { + "id": "ir-03_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests used to test the effectiveness of the incident response capability for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-3" + }, + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-3_smt", + "name": "statement", + "prose": "Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}.", + "parts": [ + { + "id": "ir-3_fr", + "name": "item", + "title": "IR-3-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing." + } + ] + } + ] + }, + { + "id": "ir-3_gdn", + "name": "guidance", + "prose": "Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." + }, + { + "id": "ir-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.", + "links": [ + { + "href": "#ir-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-3.2", + "class": "SP800-53-enhancement", + "title": "Coordination with Related Plans", + "props": [ + { + "name": "label", + "value": "IR-3(2)" + }, + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-3.2_smt", + "name": "statement", + "prose": "Coordinate incident response testing with organizational elements responsible for related plans." + }, + { + "id": "ir-3.2_gdn", + "name": "guidance", + "prose": "Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans." + }, + { + "id": "ir-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + } + ], + "prose": "incident response testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#ir-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ], + "controls": [ + { + "id": "ir-4.1", + "class": "SP800-53-enhancement", + "title": "Automated Incident Handling Processes", + "params": [ + { + "id": "ir-04.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the incident handling process are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(1)" + }, + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.1_smt", + "name": "statement", + "prose": "Support the incident handling process using {{ insert: param, ir-04.01_odp }}." + }, + { + "id": "ir-4.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis." + }, + { + "id": "ir-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.", + "links": [ + { + "href": "#ir-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that support and/or implement the incident handling process" + } + ] + } + ] + }, + { + "id": "ir-4.2", + "class": "SP800-53-enhancement", + "title": "Dynamic Reconfiguration", + "params": [ + { + "id": "ir-04.02_odp.01", + "label": "types of dynamic reconfiguration", + "guidelines": [ + { + "prose": "types of dynamic reconfiguration for system components are defined;" + } + ] + }, + { + "id": "ir-04.02_odp.02", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components that require dynamic reconfiguration are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(2)" + }, + { + "name": "label", + "value": "IR-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4.2_smt", + "name": "statement", + "prose": "Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}." + }, + { + "id": "ir-4.2_gdn", + "name": "guidance", + "prose": "Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats." + }, + { + "id": "ir-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.", + "links": [ + { + "href": "#ir-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident response capability\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that support and/or implement the dynamic reconfiguration of components as part of incident response" + } + ] + } + ] + }, + { + "id": "ir-4.4", + "class": "SP800-53-enhancement", + "title": "Information Correlation", + "props": [ + { + "name": "label", + "value": "IR-4(4)" + }, + { + "name": "label", + "value": "IR-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.4_smt", + "name": "statement", + "prose": "Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response." + }, + { + "id": "ir-4.4_gdn", + "name": "guidance", + "prose": "Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations." + }, + { + "id": "ir-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(04)", + "class": "sp800-53a" + } + ], + "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.", + "links": [ + { + "href": "#ir-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated" + } + ] + }, + { + "id": "ir-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses" + } + ] + } + ] + }, + { + "id": "ir-4.6", + "class": "SP800-53-enhancement", + "title": "Insider Threats", + "props": [ + { + "name": "label", + "value": "IR-4(6)" + }, + { + "name": "label", + "value": "IR-04(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.6_smt", + "name": "statement", + "prose": "Implement an incident handling capability for incidents involving insider threats." + }, + { + "id": "ir-4.6_gdn", + "name": "guidance", + "prose": "Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses." + }, + { + "id": "ir-4.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(06)", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability is implemented for incidents involving insider threats.", + "links": [ + { + "href": "#ir-4.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-4.11", + "class": "SP800-53-enhancement", + "title": "Integrated Incident Response Team", + "params": [ + { + "id": "ir-04.11_odp", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which an integrated incident response team can be deployed is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(11)" + }, + { + "name": "label", + "value": "IR-04(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4.11_smt", + "name": "statement", + "prose": "Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}." + }, + { + "id": "ir-4.11_gdn", + "name": "guidance", + "prose": "An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient." + }, + { + "id": "ir-4.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4.11_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrated incident response team is established and maintained;", + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.11_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.", + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team" + } + ] + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ], + "controls": [ + { + "id": "ir-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Tracking, Data Collection, and Analysis", + "params": [ + { + "id": "ir-5.1_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "ir-05.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to track incidents are defined;" + } + ] + }, + { + "id": "ir-05.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to collect incident information are defined;" + } + ] + }, + { + "id": "ir-05.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to analyze incident information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-5(1)" + }, + { + "name": "label", + "value": "IR-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-5.1_smt", + "name": "statement", + "prose": "Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}." + }, + { + "id": "ir-5.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices." + }, + { + "id": "ir-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ], + "controls": [ + { + "id": "ir-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Reporting", + "params": [ + { + "id": "ir-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for reporting incidents are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6(1)" + }, + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#ir-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.1_smt", + "name": "statement", + "prose": "Report incidents using {{ insert: param, ir-06.01_odp }}." + }, + { + "id": "ir-6.1_gdn", + "name": "guidance", + "prose": "The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs." + }, + { + "id": "ir-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + } + ], + "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.", + "links": [ + { + "href": "#ir-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing the reporting of security incidents" + } + ] + } + ] + }, + { + "id": "ir-6.3", + "class": "SP800-53-enhancement", + "title": "Supply Chain Coordination", + "props": [ + { + "name": "label", + "value": "IR-6(3)" + }, + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.3_smt", + "name": "statement", + "prose": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident." + }, + { + "id": "ir-6.3_gdn", + "name": "guidance", + "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident." + }, + { + "id": "ir-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + } + ], + "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.", + "links": [ + { + "href": "#ir-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities" + } + ] + }, + { + "id": "ir-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and/or implementing the reporting of incident information involved in the supply chain" + } + ] + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ], + "controls": [ + { + "id": "ir-7.1", + "class": "SP800-53-enhancement", + "title": "Automation Support for Availability of Information and Support", + "params": [ + { + "id": "ir-07.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to increase the availability of incident response information and support are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-7(1)" + }, + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-7.1_smt", + "name": "statement", + "prose": "Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}." + }, + { + "id": "ir-7.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." + }, + { + "id": "ir-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + } + ], + "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.", + "links": [ + { + "href": "#ir-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the availability of incident response information and support" + } + ] + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + }, + { + "id": "ir-9", + "class": "SP800-53", + "title": "Information Spillage Response", + "params": [ + { + "id": "ir-09_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles assigned the responsibility for responding to information spills is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.03", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9" + }, + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#pm-27", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9_smt", + "name": "statement", + "prose": "Respond to information spills by:", + "parts": [ + { + "id": "ir-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;" + }, + { + "id": "ir-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identifying the specific information involved in the system contamination;" + }, + { + "id": "ir-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;" + }, + { + "id": "ir-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Isolating the contaminated system or system component;" + }, + { + "id": "ir-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Eradicating the information from the contaminated system or component;" + }, + { + "id": "ir-9_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identifying other systems or system components that may have been subsequently contaminated; and" + }, + { + "id": "ir-9_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}." + } + ] + }, + { + "id": "ir-9_gdn", + "name": "guidance", + "prose": "Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated." + }, + { + "id": "ir-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;", + "links": [ + { + "href": "#ir-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09b.", + "class": "sp800-53a" + } + ], + "prose": "the specific information involved in the system contamination is identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;", + "links": [ + { + "href": "#ir-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09d.", + "class": "sp800-53a" + } + ], + "prose": "the contaminated system or system component is isolated in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09e.", + "class": "sp800-53a" + } + ], + "prose": "the information is eradicated from the contaminated system or component in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09f.", + "class": "sp800-53a" + } + ], + "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.03 }} are performed in response to information spills.", + "links": [ + { + "href": "#ir-9_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information spillage response\n\nmechanisms supporting and/or implementing information spillage response actions and related communications" + } + ] + } + ], + "controls": [ + { + "id": "ir-9.2", + "class": "SP800-53-enhancement", + "title": "Training", + "params": [ + { + "id": "ir-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide information spillage response training is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(2)" + }, + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9.2_smt", + "name": "statement", + "prose": "Provide information spillage response training {{ insert: param, ir-09.02_odp }}." + }, + { + "id": "ir-9.2_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur." + }, + { + "id": "ir-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + } + ], + "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.", + "links": [ + { + "href": "#ir-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ir-9.3", + "class": "SP800-53-enhancement", + "title": "Post-spill Operations", + "params": [ + { + "id": "ir-09.03_odp", + "label": "procedures", + "guidelines": [ + { + "prose": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(3)" + }, + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.3_smt", + "name": "statement", + "prose": "Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}." + }, + { + "id": "ir-9.3_gdn", + "name": "guidance", + "prose": "Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business." + }, + { + "id": "ir-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.", + "links": [ + { + "href": "#ir-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for post-spill operations" + } + ] + } + ] + }, + { + "id": "ir-9.4", + "class": "SP800-53-enhancement", + "title": "Exposure to Unauthorized Personnel", + "params": [ + { + "id": "ir-09.04_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls employed for personnel exposed to information not within assigned access authorizations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(4)" + }, + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.4_smt", + "name": "statement", + "prose": "Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}." + }, + { + "id": "ir-9.4_gdn", + "name": "guidance", + "prose": "Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information." + }, + { + "id": "ir-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.", + "links": [ + { + "href": "#ir-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized personnel\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ], + "controls": [ + { + "id": "ma-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Maintenance Activities", + "params": [ + { + "id": "ma-2.2_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "ma-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;" + } + ] + }, + { + "id": "ma-02.02_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;" + } + ] + }, + { + "id": "ma-02.02_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2(2)" + }, + { + "name": "label", + "value": "MA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-2", + "rel": "required" + }, + { + "href": "#ma-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2.2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and" + }, + { + "id": "ma-2.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed." + } + ] + }, + { + "id": "ma-2.2_gdn", + "name": "guidance", + "prose": "The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records." + }, + { + "id": "ma-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms supporting and/or implementing the production of records of maintenance and repair actions" + } + ] + } + ] + } + ] + }, + { + "id": "ma-3", + "class": "SP800-53", + "title": "Maintenance Tools", + "params": [ + { + "id": "ma-03_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review previously approved system maintenance tools is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3" + }, + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve, control, and monitor the use of system maintenance tools; and" + }, + { + "id": "ma-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}." + } + ] + }, + { + "id": "ma-3_gdn", + "name": "guidance", + "prose": "Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools." + }, + { + "id": "ma-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is approved;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is controlled;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is monitored;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03b.", + "class": "sp800-53a" + } + ], + "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.", + "links": [ + { + "href": "#ma-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools" + } + ] + } + ], + "controls": [ + { + "id": "ma-3.1", + "class": "SP800-53-enhancement", + "title": "Inspect Tools", + "props": [ + { + "name": "label", + "value": "MA-3(1)" + }, + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.1_smt", + "name": "statement", + "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." + }, + { + "id": "ma-3.1_gdn", + "name": "guidance", + "prose": "Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor\u2019s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." + }, + { + "id": "ma-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + } + ], + "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.", + "links": [ + { + "href": "#ma-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and/or implementing the inspection of maintenance tools" + } + ] + } + ] + }, + { + "id": "ma-3.2", + "class": "SP800-53-enhancement", + "title": "Inspect Media", + "props": [ + { + "name": "label", + "value": "MA-3(2)" + }, + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.2_smt", + "name": "statement", + "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." + }, + { + "id": "ma-3.2_gdn", + "name": "guidance", + "prose": "If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures." + }, + { + "id": "ma-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + } + ], + "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.", + "links": [ + { + "href": "#ma-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for inspecting media for malicious code\n\nmechanisms supporting and/or implementing the inspection of media used for maintenance" + } + ] + } + ] + }, + { + "id": "ma-3.3", + "class": "SP800-53-enhancement", + "title": "Prevent Unauthorized Removal", + "params": [ + { + "id": "ma-03.03_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "the information owner" + } + ], + "guidelines": [ + { + "prose": "personnel or roles who can authorize removal of equipment from the facility is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3(3)" + }, + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.3_smt", + "name": "statement", + "prose": "Prevent the removal of maintenance equipment containing organizational information by:", + "parts": [ + { + "id": "ma-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verifying that there is no organizational information contained on the equipment;" + }, + { + "id": "ma-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Sanitizing or destroying the equipment;" + }, + { + "id": "ma-3.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Retaining the equipment within the facility; or" + }, + { + "id": "ma-3.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility." + } + ] + }, + { + "id": "ma-3.3_gdn", + "name": "guidance", + "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." + }, + { + "id": "ma-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or", + "links": [ + { + "href": "#ma-3.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.", + "links": [ + { + "href": "#ma-3.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization" + } + ] + }, + { + "id": "ma-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ], + "controls": [ + { + "id": "ma-4.3", + "class": "SP800-53-enhancement", + "title": "Comparable Security and Sanitization", + "props": [ + { + "name": "label", + "value": "MA-4(3)" + }, + { + "name": "label", + "value": "MA-04(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4.3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or" + }, + { + "id": "ma-4.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system." + } + ] + }, + { + "id": "ma-4.3_gdn", + "name": "guidance", + "prose": "Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced." + }, + { + "id": "ma-4.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;", + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or", + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the component to be serviced is sanitized (for organizational information);", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and/or implementing component sanitization and inspection" + } + ] + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel\u2014such as information technology manufacturers, vendors, systems integrators, and consultants\u2014may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ], + "controls": [ + { + "id": "ma-5.1", + "class": "SP800-53-enhancement", + "title": "Individuals Without Appropriate Access", + "params": [ + { + "id": "ma-05.01_odp", + "label": "alternate controls", + "guidelines": [ + { + "prose": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-5(1)" + }, + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-5", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", + "parts": [ + { + "id": "ma-5.1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and" + }, + { + "id": "ma-5.1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" + } + ] + }, + { + "id": "ma-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system." + } + ] + }, + { + "id": "ma-5.1_gdn", + "name": "guidance", + "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." + }, + { + "id": "ma-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.", + "links": [ + { + "href": "#ma-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and/or implementing alternative security safeguards\n\nmechanisms supporting and/or implementing information storage component sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-6", + "class": "SP800-53", + "title": "Timely Maintenance", + "params": [ + { + "id": "ma-06_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which maintenance support and/or spare parts are obtained are defined;" + } + ] + }, + { + "id": "ma-06_odp.02", + "label": "time period", + "constraints": [ + { + "description": "a timeframe to support advertised uptime and availability" + } + ], + "guidelines": [ + { + "prose": "time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-6" + }, + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-6_smt", + "name": "statement", + "prose": "Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure." + }, + { + "id": "ma-6_gdn", + "name": "guidance", + "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." + }, + { + "id": "ma-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + } + ], + "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.", + "links": [ + { + "href": "#ma-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring timely maintenance" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and/or non-digital media containing sensitive information" + } + ] + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-3", + "class": "SP800-53", + "title": "Media Marking", + "params": [ + { + "id": "mp-03_odp.01", + "label": "types of media exempted from marking", + "constraints": [ + { + "description": "no removable media types" + } + ], + "guidelines": [ + { + "prose": "types of system media exempt from marking when remaining in controlled areas are defined;" + } + ] + }, + { + "id": "mp-03_odp.02", + "label": "controlled areas", + "constraints": [ + { + "description": "organization-defined security safeguards not applicable" + } + ], + "guidelines": [ + { + "prose": "controlled areas where media is exempt from marking are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-3" + }, + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "rel": "reference" + }, + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-3_smt", + "name": "statement", + "parts": [ + { + "id": "mp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" + }, + { + "id": "mp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}." + }, + { + "id": "mp-3_fr", + "name": "item", + "title": "MP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Second parameter not-applicable" + } + ] + } + ] + }, + { + "id": "mp-3_gdn", + "name": "guidance", + "prose": "Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "mp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03a.", + "class": "sp800-53a" + } + ], + "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;", + "links": [ + { + "href": "#mp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.", + "links": [ + { + "href": "#mp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for marking information media\n\nmechanisms supporting and/or implementing media marking" + } + ] + } + ] + }, + { + "id": "mp-4", + "class": "SP800-53", + "title": "Media Storage", + "params": [ + { + "id": "mp-4_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and non-digital media with sensitive information" + } + ] + }, + { + "id": "mp-4_prm_2", + "label": "organization-defined controlled areas", + "constraints": [ + { + "description": "see additional FedRAMP requirements and guidance" + } + ] + }, + { + "id": "mp-04_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.02", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.03", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.04", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.05", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store digital media are defined;" + } + ] + }, + { + "id": "mp-04_odp.06", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store non-digital media are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-4" + }, + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-4_smt", + "name": "statement", + "parts": [ + { + "id": "mp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + }, + { + "id": "mp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." + }, + { + "id": "mp-4_fr", + "name": "item", + "title": "MP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines controlled areas within facilities where the information and information system reside." + } + ] + } + ] + }, + { + "id": "mp-4_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection." + }, + { + "id": "mp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04b.", + "class": "sp800-53a" + } + ], + "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.", + "links": [ + { + "href": "#mp-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing secure media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-5", + "class": "SP800-53", + "title": "Media Transport", + "params": [ + { + "id": "mp-5_prm_2", + "label": "organization-defined controls", + "constraints": [ + { + "description": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container" + } + ] + }, + { + "id": "mp-05_odp.01", + "label": "types of system media", + "constraints": [ + { + "description": "all media with sensitive information" + } + ], + "guidelines": [ + { + "prose": "types of system media to protect and control during transport outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to protect system media outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to control system media outside of controlled areas are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-5" + }, + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-5_smt", + "name": "statement", + "parts": [ + { + "id": "mp-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};" + }, + { + "id": "mp-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain accountability for system media during transport outside of controlled areas;" + }, + { + "id": "mp-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document activities associated with the transport of system media; and" + }, + { + "id": "mp-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Restrict the activities associated with the transport of system media to authorized personnel." + }, + { + "id": "mp-5_fr", + "name": "item", + "title": "MP-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "mp-5_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." + }, + { + "id": "mp-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05b.", + "class": "sp800-53a" + } + ], + "prose": "accountability for system media is maintained during transport outside of controlled areas;", + "links": [ + { + "href": "#mp-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05c.", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are documented;", + "links": [ + { + "href": "#mp-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[01]", + "class": "sp800-53a" + } + ], + "prose": "personnel authorized to conduct media transport activities is/are identified;", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques\u2014including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction\u2014prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ], + "controls": [ + { + "id": "mp-6.1", + "class": "SP800-53-enhancement", + "title": "Review, Approve, Track, Document, and Verify", + "props": [ + { + "name": "label", + "value": "MP-6(1)" + }, + { + "name": "label", + "value": "MP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.1_smt", + "name": "statement", + "prose": "Review, approve, track, document, and verify media sanitization and disposal actions.", + "parts": [ + { + "id": "mp-6.1_fr", + "name": "item", + "title": "MP-6 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Must comply with NIST SP 800-88" + } + ] + } + ] + }, + { + "id": "mp-6.1_gdn", + "name": "guidance", + "prose": "Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal." + }, + { + "id": "mp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are reviewed;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are approved;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are tracked;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[04]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are documented;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[05]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are verified.", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization\n\nmechanisms supporting and/or implementing verification of media sanitization" + } + ] + } + ] + }, + { + "id": "mp-6.2", + "class": "SP800-53-enhancement", + "title": "Equipment Testing", + "params": [ + { + "id": "mp-6.2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least every six (6) months" + } + ] + }, + { + "id": "mp-06.02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to test sanitization equipment is defined;" + } + ] + }, + { + "id": "mp-06.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to test sanitization procedures is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6(2)" + }, + { + "name": "label", + "value": "MP-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.2_smt", + "name": "statement", + "prose": "Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved.", + "parts": [ + { + "id": "mp-6.2_fr", + "name": "item", + "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.2_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Equipment and procedures may be tested or validated for effectiveness" + } + ] + } + ] + }, + { + "id": "mp-6.2_gdn", + "name": "guidance", + "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers." + }, + { + "id": "mp-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;", + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.", + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "mp-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization procedures\n\nsanitization equipment" + } + ] + } + ] + }, + { + "id": "mp-6.3", + "class": "SP800-53-enhancement", + "title": "Nondestructive Techniques", + "params": [ + { + "id": "mp-06.03_odp", + "label": "circumstances", + "guidelines": [ + { + "prose": "circumstances requiring sanitization of portable storage devices are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6(3)" + }, + { + "name": "label", + "value": "MP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.3_smt", + "name": "statement", + "prose": "Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}.", + "parts": [ + { + "id": "mp-6.3_fr", + "name": "item", + "title": "MP-6 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Must comply with NIST SP 800-88" + } + ] + } + ] + }, + { + "id": "mp-6.3_gdn", + "name": "guidance", + "prose": "Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices." + }, + { + "id": "mp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(03)", + "class": "sp800-53a" + } + ], + "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.", + "links": [ + { + "href": "#mp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every ninety (90) days" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually or earlier as required by a security relevant event." + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ], + "controls": [ + { + "id": "pe-3.1", + "class": "SP800-53-enhancement", + "title": "System Access", + "params": [ + { + "id": "pe-03.01_odp", + "label": "physical spaces", + "guidelines": [ + { + "prose": "physical spaces containing one or more components of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3(1)" + }, + { + "name": "label", + "value": "PE-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-3.1_smt", + "name": "statement", + "prose": "Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}." + }, + { + "id": "pe-3.1_gdn", + "name": "guidance", + "prose": "Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components." + }, + { + "id": "pe-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations to the system are enforced;", + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3.1_obj.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.", + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control to the information system/components\n\nmechanisms supporting and/or implementing physical access control for facility areas containing system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe-4", + "class": "SP800-53", + "title": "Access Control for Transmission", + "params": [ + { + "id": "pe-04_odp.01", + "label": "system distribution and transmission lines", + "guidelines": [ + { + "prose": "system distribution and transmission lines requiring physical access controls are defined;" + } + ] + }, + { + "id": "pe-04_odp.02", + "label": "security controls", + "guidelines": [ + { + "prose": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-4" + }, + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-4_smt", + "name": "statement", + "prose": "Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}." + }, + { + "id": "pe-4_gdn", + "name": "guidance", + "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors." + }, + { + "id": "pe-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + } + ], + "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.", + "links": [ + { + "href": "#pe-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to distribution and transmission lines\n\nmechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines" + } + ] + } + ] + }, + { + "id": "pe-5", + "class": "SP800-53", + "title": "Access Control for Output Devices", + "params": [ + { + "id": "pe-05_odp", + "label": "output devices", + "guidelines": [ + { + "prose": "output devices that require physical access control to output are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-5" + }, + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-5_smt", + "name": "statement", + "prose": "Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output." + }, + { + "id": "pe-5_gdn", + "name": "guidance", + "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." + }, + { + "id": "pe-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + } + ], + "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.", + "links": [ + { + "href": "#pe-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ], + "controls": [ + { + "id": "pe-6.1", + "class": "SP800-53-enhancement", + "title": "Intrusion Alarms and Surveillance Equipment", + "props": [ + { + "name": "label", + "value": "PE-6(1)" + }, + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.1_smt", + "name": "statement", + "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." + }, + { + "id": "pe-6.1_gdn", + "name": "guidance", + "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." + }, + { + "id": "pe-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment" + } + ] + } + ] + }, + { + "id": "pe-6.4", + "class": "SP800-53-enhancement", + "title": "Monitoring Physical Access to Systems", + "params": [ + { + "id": "pe-06.04_odp", + "label": "physical spaces", + "guidelines": [ + { + "prose": "physical spaces containing one or more components of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6(4)" + }, + { + "name": "label", + "value": "PE-06(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.4_smt", + "name": "statement", + "prose": "Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}." + }, + { + "id": "pe-6.4_gdn", + "name": "guidance", + "prose": "Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization." + }, + { + "id": "pe-6.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(04)", + "class": "sp800-53a" + } + ], + "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.", + "links": [ + { + "href": "#pe-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and/or implementing physical access monitoring for facility areas containing system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ], + "controls": [ + { + "id": "pe-8.1", + "class": "SP800-53-enhancement", + "title": "Automated Records Maintenance and Review", + "params": [ + { + "id": "pe-8.1_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "pe-08.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain visitor access records are defined;" + } + ] + }, + { + "id": "pe-08.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to review visitor access records are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8(1)" + }, + { + "name": "label", + "value": "PE-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-8.1_smt", + "name": "statement", + "prose": "Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}." + }, + { + "id": "pe-8.1_gdn", + "name": "guidance", + "prose": "Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions." + }, + { + "id": "pe-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};", + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.", + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + } + ] + }, + { + "id": "pe-9", + "class": "SP800-53", + "title": "Power Equipment and Cabling", + "props": [ + { + "name": "label", + "value": "PE-9" + }, + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-9_smt", + "name": "statement", + "prose": "Protect power equipment and power cabling for the system from damage and destruction." + }, + { + "id": "pe-9_gdn", + "name": "guidance", + "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems." + }, + { + "id": "pe-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[01]", + "class": "sp800-53a" + } + ], + "prose": "power equipment for the system is protected from damage and destruction;", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[02]", + "class": "sp800-53a" + } + ], + "prose": "power cabling for the system is protected from damage and destruction.", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" + } + ] + } + ] + }, + { + "id": "pe-10", + "class": "SP800-53", + "title": "Emergency Shutoff", + "params": [ + { + "id": "pe-10_odp.01", + "label": "system or individual system components", + "guidelines": [ + { + "prose": "system or individual system components that require the capability to shut off power in emergency situations is/are defined;" + } + ] + }, + { + "id": "pe-10_odp.02", + "label": "location", + "constraints": [ + { + "description": "near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off" + } + ], + "guidelines": [ + { + "prose": "location of emergency shutoff switches or devices by system or system component is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-10" + }, + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-10_smt", + "name": "statement", + "parts": [ + { + "id": "pe-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;" + }, + { + "id": "pe-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and" + }, + { + "id": "pe-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect emergency power shutoff capability from unauthorized activation." + } + ] + }, + { + "id": "pe-10_gdn", + "name": "guidance", + "prose": "Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." + }, + { + "id": "pe-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10a.", + "class": "sp800-53a" + } + ], + "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;", + "links": [ + { + "href": "#pe-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10b.", + "class": "sp800-53a" + } + ], + "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;", + "links": [ + { + "href": "#pe-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10c.", + "class": "sp800-53a" + } + ], + "prose": "the emergency power shutoff capability is protected from unauthorized activation.", + "links": [ + { + "href": "#pe-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing emergency power shutoff" + } + ] + } + ] + }, + { + "id": "pe-11", + "class": "SP800-53", + "title": "Emergency Power", + "params": [ + { + "id": "pe-11_odp", + "select": { + "choice": [ + "an orderly shutdown of the system", + "transition of the system to long-term alternate power" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11" + }, + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-11_smt", + "name": "statement", + "prose": "Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss." + }, + { + "id": "pe-11_gdn", + "name": "guidance", + "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system." + }, + { + "id": "pe-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + } + ], + "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.", + "links": [ + { + "href": "#pe-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply" + } + ] + } + ], + "controls": [ + { + "id": "pe-11.1", + "class": "SP800-53-enhancement", + "title": "Alternate Power Supply \u2014 Minimal Operational Capability", + "params": [ + { + "id": "pe-11.01_odp", + "constraints": [ + { + "description": "automatically" + } + ], + "select": { + "choice": [ + "manually", + "automatically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11(1)" + }, + { + "name": "label", + "value": "PE-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-11.1_smt", + "name": "statement", + "prose": "Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source." + }, + { + "id": "pe-11.1_gdn", + "name": "guidance", + "prose": "Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply." + }, + { + "id": "pe-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};", + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.", + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an alternate power supply\n\nthe alternate power supply" + } + ] + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ], + "controls": [ + { + "id": "pe-13.1", + "class": "SP800-53-enhancement", + "title": "Detection Systems \u2014 Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.01_odp.02", + "label": "emergency responders", + "constraints": [ + { + "description": "service provider emergency responders with incident response responsibilities" + } + ], + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(1)" + }, + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.1_smt", + "name": "statement", + "prose": "Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire." + }, + { + "id": "pe-13.1_gdn", + "name": "guidance", + "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that activate automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire detection devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + }, + { + "id": "pe-13.2", + "class": "SP800-53-enhancement", + "title": "Suppression Systems \u2014 Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.02_odp.02", + "label": "emergency responders", + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(2)" + }, + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-13.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and" + }, + { + "id": "pe-13.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." + } + ] + }, + { + "id": "pe-13.2_gdn", + "name": "guidance", + "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that activate automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.", + "links": [ + { + "href": "#pe-13.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing fire suppression devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ], + "controls": [ + { + "id": "pe-14.2", + "class": "SP800-53-enhancement", + "title": "Monitoring with Alarms and Notifications", + "params": [ + { + "id": "pe-14.02_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14(2)" + }, + { + "name": "label", + "value": "PE-14(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-14", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-14.2_smt", + "name": "statement", + "prose": "Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to {{ insert: param, pe-14.02_odp }}." + }, + { + "id": "pe-14.2_gdn", + "name": "guidance", + "prose": "The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response." + }, + { + "id": "pe-14.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "environmental control monitoring is employed;", + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.", + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or notifications\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing temperature and humidity monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ], + "controls": [ + { + "id": "pe-15.1", + "class": "SP800-53-enhancement", + "title": "Automation Support", + "params": [ + { + "id": "pe-15.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted when the presence of water is detected near the system is/are defined;" + } + ] + }, + { + "id": "pe-15.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of water near the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-15(1)" + }, + { + "name": "label", + "value": "PE-15(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-15.1_smt", + "name": "statement", + "prose": "Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}." + }, + { + "id": "pe-15.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms include notification systems, water detection sensors, and alarms." + }, + { + "id": "pe-15.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of water near the system can be detected automatically;", + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.", + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system" + } + ] + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + }, + { + "id": "pe-17", + "class": "SP800-53", + "title": "Alternate Work Site", + "params": [ + { + "id": "pe-17_odp.01", + "label": "alternate work sites", + "guidelines": [ + { + "prose": "alternate work sites allowed for use by employees are defined;" + } + ] + }, + { + "id": "pe-17_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be employed at alternate work sites are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-17" + }, + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-17_smt", + "name": "statement", + "parts": [ + { + "id": "pe-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;" + }, + { + "id": "pe-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};" + }, + { + "id": "pe-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assess the effectiveness of controls at alternate work sites; and" + }, + { + "id": "pe-17_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." + } + ] + }, + { + "id": "pe-17_gdn", + "name": "guidance", + "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations." + }, + { + "id": "pe-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;", + "links": [ + { + "href": "#pe-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;", + "links": [ + { + "href": "#pe-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17c.", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of controls at alternate work sites is assessed;", + "links": [ + { + "href": "#pe-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17d.", + "class": "sp800-53a" + } + ], + "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.", + "links": [ + { + "href": "#pe-17_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel" + } + ] + } + ] + }, + { + "id": "pe-18", + "class": "SP800-53", + "title": "Location of System Components", + "params": [ + { + "id": "pe-18_odp", + "label": "physical and environmental hazards", + "constraints": [ + { + "description": "physical and environmental hazards identified during threat assessment" + } + ], + "guidelines": [ + { + "prose": "physical and environmental hazards that could result in potential damage to system components within the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-18" + }, + { + "name": "label", + "value": "PE-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-19", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-18_smt", + "name": "statement", + "prose": "Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access." + }, + { + "id": "pe-18_gdn", + "name": "guidance", + "prose": "Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information." + }, + { + "id": "pe-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-18", + "class": "sp800-53a" + } + ], + "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.", + "links": [ + { + "href": "#pe-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for positioning system components" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization\u2019s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide\u2014explicitly or by reference\u2014sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today\u2019s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization\u2019s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals\u2019 privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization\u2019s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ], + "controls": [ + { + "id": "ps-3.3", + "class": "SP800-53-enhancement", + "title": "Information Requiring Special Protective Measures", + "params": [ + { + "id": "ps-03.03_odp", + "label": "additional personnel screening criteria", + "constraints": [ + { + "description": "personnel screening criteria \u2013 as required by specific information" + } + ], + "guidelines": [ + { + "prose": "additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3(3)" + }, + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-3.3_smt", + "name": "statement", + "prose": "Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:", + "parts": [ + { + "id": "ps-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have valid access authorizations that are demonstrated by assigned official government duties; and" + }, + { + "id": "ps-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Satisfy {{ insert: param, ps-03.03_odp }}." + } + ] + }, + { + "id": "ps-3.3_gdn", + "name": "guidance", + "prose": "Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements." + }, + { + "id": "ps-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;", + "links": [ + { + "href": "#ps-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.", + "links": [ + { + "href": "#ps-3.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection" + } + ] + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ], + "controls": [ + { + "id": "ps-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Actions", + "params": [ + { + "id": "ps-04.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined;" + } + ] + }, + { + "id": "ps-04.02_odp.02", + "constraints": [ + { + "description": "access control personnel responsible for disabling access to the system" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions", + "disable access to system resources" + ] + } + }, + { + "id": "ps-04.02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified upon termination of an individual is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4(2)" + }, + { + "name": "label", + "value": "PS-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-4.2_smt", + "name": "statement", + "prose": "Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}." + }, + { + "id": "ps-4.2_gdn", + "name": "guidance", + "prose": "In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated." + }, + { + "id": "ps-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.", + "links": [ + { + "href": "#ps-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination notifications" + } + ] + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "terminations: immediately; transfers: within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "constraints": [ + { + "description": "24 hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and whenever a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "annually" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a \u201cwarning\u201d as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on \u201cTracking of Compliance Scans\u201d in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities\u2014such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers\u2014are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization\u2019s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "within 24 hours prior to running scans" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.3", + "class": "SP800-53-enhancement", + "title": "Breadth and Depth of Coverage", + "props": [ + { + "name": "label", + "value": "RA-5(3)" + }, + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.3_smt", + "name": "statement", + "prose": "Define the breadth and depth of vulnerability scanning coverage." + }, + { + "id": "ra-5.3_gdn", + "name": "guidance", + "prose": "The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage." + }, + { + "id": "ra-5.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + } + ], + "prose": "the breadth and depth of vulnerability scanning coverage are defined.", + "links": [ + { + "href": "#ra-5.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.4", + "class": "SP800-53-enhancement", + "title": "Discoverable Information", + "params": [ + { + "id": "ra-05.04_odp", + "label": "corrective actions", + "constraints": [ + { + "description": "notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions" + } + ], + "guidelines": [ + { + "prose": "corrective actions to be taken if information about the system is discoverable are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(4)" + }, + { + "name": "label", + "value": "RA-05(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.4_smt", + "name": "statement", + "prose": "Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}." + }, + { + "id": "ra-5.4_gdn", + "name": "guidance", + "prose": "Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization." + }, + { + "id": "ra-5.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "information about the system is discoverable;", + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.", + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning and/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms supporting and/or implementing risk response\n\nmechanisms supporting and/or implementing incident management and response" + } + ] + } + ] + }, + { + "id": "ra-5.5", + "class": "SP800-53-enhancement", + "title": "Privileged Access", + "params": [ + { + "id": "ra-05.05_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all components that support authentication" + } + ], + "guidelines": [ + { + "prose": "system components to which privileged access is authorized for selected vulnerability scanning activities are defined;" + } + ] + }, + { + "id": "ra-05.05_odp.02", + "label": "vulnerability scanning activities", + "constraints": [ + { + "description": "all scans" + } + ], + "guidelines": [ + { + "prose": "vulnerability scanning activities selected for privileged access authorization to system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(5)" + }, + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.5_smt", + "name": "statement", + "prose": "Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}." + }, + { + "id": "ra-5.5_gdn", + "name": "guidance", + "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." + }, + { + "id": "ra-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.", + "links": [ + { + "href": "#ra-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and/or implementing access control\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.8", + "class": "SP800-53-enhancement", + "title": "Review Historic Audit Logs", + "params": [ + { + "id": "ra-05.08_odp.01", + "label": "system", + "guidelines": [ + { + "prose": "a system whose historic audit logs are to be reviewed is defined;" + } + ] + }, + { + "id": "ra-05.08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "a time period for a potential previous exploit of a system is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(8)" + }, + { + "name": "label", + "value": "RA-05(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.8_smt", + "name": "statement", + "prose": "Review historic audit logs to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within an {{ insert: param, ra-05.08_odp.02 }}.", + "parts": [ + { + "id": "ra-5.8_fr", + "name": "item", + "title": "RA-5(8) Additional FedRAMP Requirement", + "parts": [ + { + "id": "ra-5.8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "This enhancement is required for all high (or critical) vulnerability scan findings." + } + ] + } + ] + }, + { + "id": "ra-5.8_gdn", + "name": "guidance", + "prose": "Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack." + }, + { + "id": "ra-5.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(08)", + "class": "sp800-53a" + } + ], + "prose": "historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}.", + "links": [ + { + "href": "#ra-5.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms supporting and/or implementing audit record review" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + }, + { + "id": "ra-9", + "class": "SP800-53", + "title": "Criticality Analysis", + "params": [ + { + "id": "ra-09_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services to be analyzed for criticality are defined;" + } + ] + }, + { + "id": "ra-09_odp.02", + "label": "decision points in the system development life cycle", + "guidelines": [ + { + "prose": "decision points in the system development life cycle when a criticality analysis is to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-9" + }, + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-9_smt", + "name": "statement", + "prose": "Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}." + }, + { + "id": "ra-9_gdn", + "name": "guidance", + "prose": "Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)." + }, + { + "id": "ra-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + } + ], + "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.", + "links": [ + { + "href": "#ra-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\ncriticality analysis/finalized criticality for each component/subcomponent\n\naudit records/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.1", + "class": "SP800-53-enhancement", + "title": "Functional Properties of Controls", + "props": [ + { + "name": "label", + "value": "SA-4(1)" + }, + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." + }, + { + "id": "sa-4.1_gdn", + "name": "guidance", + "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." + }, + { + "id": "sa-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.", + "links": [ + { + "href": "#sa-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ] + }, + { + "id": "sa-4.2", + "class": "SP800-53-enhancement", + "title": "Design and Implementation Information for Controls", + "params": [ + { + "id": "sa-04.02_odp.01", + "constraints": [ + { + "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;\n\norganization-defined design/implementation information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "security-relevant external system interfaces", + "high-level design", + "low-level design", + "source code or hardware schematics", + " {{ insert: param, sa-04.02_odp.02 }} " + ] + } + }, + { + "id": "sa-04.02_odp.02", + "label": "design and implementation information", + "guidelines": [ + { + "prose": "design and implementation information is defined (if selected);" + } + ] + }, + { + "id": "sa-04.02_odp.03", + "label": "level of detail", + "guidelines": [ + { + "prose": "level of detail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(2)" + }, + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}." + }, + { + "id": "sa-4.2_gdn", + "name": "guidance", + "prose": "Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." + }, + { + "id": "sa-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.", + "links": [ + { + "href": "#sa-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing the development of system design details" + } + ] + } + ] + }, + { + "id": "sa-4.5", + "class": "SP800-53-enhancement", + "title": "System, Component, and Service Configurations", + "params": [ + { + "id": "sa-04.05_odp", + "label": "security configurations", + "constraints": [ + { + "description": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + } + ], + "guidelines": [ + { + "prose": "security configurations for the system, component, or service are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(5)" + }, + { + "name": "label", + "value": "SA-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.5_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-4.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and" + }, + { + "id": "sa-4.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." + } + ] + }, + { + "id": "sa-4.5_gdn", + "name": "guidance", + "prose": "Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed." + }, + { + "id": "sa-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;", + "links": [ + { + "href": "#sa-4.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.", + "links": [ + { + "href": "#sa-4.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified" + } + ] + } + ] + }, + { + "id": "sa-4.9", + "class": "SP800-53-enhancement", + "title": "Functions, Ports, Protocols, and Services in Use", + "props": [ + { + "name": "label", + "value": "SA-4(9)" + }, + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.9_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." + }, + { + "id": "sa-4.9_gdn", + "name": "guidance", + "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." + }, + { + "id": "sa-4.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ], + "controls": [ + { + "id": "sa-9.1", + "class": "SP800-53-enhancement", + "title": "Risk Assessments and Organizational Approvals", + "params": [ + { + "id": "sa-09.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(1)" + }, + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and" + }, + { + "id": "sa-9.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}." + } + ] + }, + { + "id": "sa-9.1_gdn", + "name": "guidance", + "prose": "Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks." + }, + { + "id": "sa-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;", + "links": [ + { + "href": "#sa-9.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.", + "links": [ + { + "href": "#sa-9.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and/or implementing risk assessment\n\nmechanisms supporting and/or implementing approval processes" + } + ] + } + ] + }, + { + "id": "sa-9.2", + "class": "SP800-53-enhancement", + "title": "Identification of Functions, Ports, Protocols, and Services", + "params": [ + { + "id": "sa-09.02_odp", + "label": "external system services", + "constraints": [ + { + "description": "all external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "external system services that require the identification of functions, ports, protocols, and other services are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(2)" + }, + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.2_smt", + "name": "statement", + "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}." + }, + { + "id": "sa-9.2_gdn", + "name": "guidance", + "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." + }, + { + "id": "sa-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + } + ], + "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.", + "links": [ + { + "href": "#sa-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of system services" + } + ] + } + ] + }, + { + "id": "sa-9.5", + "class": "SP800-53-enhancement", + "title": "Processing, Storage, and Service Location", + "params": [ + { + "id": "sa-09.05_odp.01", + "constraints": [ + { + "description": "information processing, information or data, AND system services" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "information processing", + "information or data", + "system services" + ] + } + }, + { + "id": "sa-09.05_odp.02", + "label": "locations", + "constraints": [ + { + "description": "U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction" + } + ], + "guidelines": [ + { + "prose": "locations where {{ insert: param, sa-09.05_odp.01 }} is/are to be restricted are defined;" + } + ] + }, + { + "id": "sa-09.05_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "all High impact data, systems, or services" + } + ], + "guidelines": [ + { + "prose": "requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(5)" + }, + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.5_smt", + "name": "statement", + "prose": "Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}." + }, + { + "id": "sa-9.5_gdn", + "name": "guidance", + "prose": "The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate." + }, + { + "id": "sa-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + } + ], + "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.", + "links": [ + { + "href": "#sa-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or system services\n\ninformation processing, information/data, and/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions" + } + ] + } + ] + } + ] + }, + { + "id": "sa-10", + "class": "SP800-53", + "title": "Developer Configuration Management", + "params": [ + { + "id": "sa-10_odp.01", + "constraints": [ + { + "description": "development, implementation, AND operation" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "design", + "development", + "implementation", + "operation", + "disposal" + ] + } + }, + { + "id": "sa-10_odp.02", + "label": "configuration items", + "guidelines": [ + { + "prose": "configuration items under configuration management are defined;" + } + ] + }, + { + "id": "sa-10_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-10" + }, + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-10_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};" + }, + { + "id": "sa-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};" + }, + { + "id": "sa-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Implement only organization-approved changes to the system, component, or service;" + }, + { + "id": "sa-10_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" + }, + { + "id": "sa-10_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}." + }, + { + "id": "sa-10_fr", + "name": "item", + "title": "SA-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP." + } + ] + } + ] + }, + { + "id": "sa-10_gdn", + "name": "guidance", + "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." + }, + { + "id": "sa-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};", + "links": [ + { + "href": "#sa-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10c.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and/or implementing the monitoring of developer configuration management" + } + ] + } + ] + }, + { + "id": "sa-11", + "class": "SP800-53", + "title": "Developer Testing and Evaluation", + "params": [ + { + "id": "sa-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "unit", + "integration", + "system", + "regression" + ] + } + }, + { + "id": "sa-11_odp.02", + "label": "frequency to conduct", + "guidelines": [ + { + "prose": "frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + }, + { + "id": "sa-11_odp.03", + "label": "depth and coverage", + "guidelines": [ + { + "prose": "depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11" + }, + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", + "parts": [ + { + "id": "sa-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement a plan for ongoing security and privacy control assessments;" + }, + { + "id": "sa-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};" + }, + { + "id": "sa-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" + }, + { + "id": "sa-11_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement a verifiable flaw remediation process; and" + }, + { + "id": "sa-11_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correct flaws identified during testing and evaluation." + } + ] + }, + { + "id": "sa-11_gdn", + "name": "guidance", + "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes\u2014including upgrading or replacing applications, operating systems, and firmware\u2014may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." + }, + { + "id": "sa-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};", + "links": [ + { + "href": "#sa-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11d.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;", + "links": [ + { + "href": "#sa-11_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11e.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.", + "links": [ + { + "href": "#sa-11_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation" + } + ] + } + ], + "controls": [ + { + "id": "sa-11.1", + "class": "SP800-53-enhancement", + "title": "Static Code Analysis", + "props": [ + { + "name": "label", + "value": "SA-11(1)" + }, + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-11.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.", + "parts": [ + { + "id": "sa-11.1_fr", + "name": "item", + "title": "SA-11(1) Additional FedRAMP Requirements", + "parts": [ + { + "id": "sa-11.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.\n\nIf Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))" + } + ] + } + ] + }, + { + "id": "sa-11.1_gdn", + "name": "guidance", + "prose": "Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources." + }, + { + "id": "sa-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools" + } + ] + } + ] + }, + { + "id": "sa-11.2", + "class": "SP800-53-enhancement", + "title": "Threat Modeling and Vulnerability Analyses", + "params": [ + { + "id": "sa-11.2_prm_3", + "label": "organization-defined breadth and depth of modeling and analyses" + }, + { + "id": "sa-11.2_prm_4", + "label": "organization-defined acceptance criteria" + }, + { + "id": "sa-11.02_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.02", + "label": "tools and methods", + "guidelines": [ + { + "prose": "the tools and methods to be employed for threat modeling and vulnerability analyses are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.03", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of threat modeling to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.04", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of vulnerability analyses to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.05", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for threat modeling are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.06", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for vulnerability analyses are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11(2)" + }, + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:", + "parts": [ + { + "id": "sa-11.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};" + }, + { + "id": "sa-11.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};" + }, + { + "id": "sa-11.2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + }, + { + "id": "sa-11.2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}." + } + ] + }, + { + "id": "sa-11.2_gdn", + "name": "guidance", + "prose": "Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated." + }, + { + "id": "sa-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation" + } + ] + } + ] + } + ] + }, + { + "id": "sa-15", + "class": "SP800-53", + "title": "Development Process, Standards, and Tools", + "params": [ + { + "id": "sa-15_prm_2", + "label": "organization-defined security and privacy requirements" + }, + { + "id": "sa-15_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "frequency as before first use and annually thereafter" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;" + } + ] + }, + { + "id": "sa-15_odp.02", + "label": "security requirements", + "constraints": [ + { + "description": "FedRAMP Security Authorization requirements" + } + ], + "guidelines": [ + { + "prose": "security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + }, + { + "id": "sa-15_odp.03", + "label": "privacy requirements", + "guidelines": [ + { + "prose": "privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15" + }, + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15_smt", + "name": "statement", + "parts": [ + { + "id": "sa-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", + "parts": [ + { + "id": "sa-15_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Explicitly addresses security and privacy requirements;" + }, + { + "id": "sa-15_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Identifies the standards and tools used in the development process;" + }, + { + "id": "sa-15_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Documents the specific tool options and tool configurations used in the development process; and" + }, + { + "id": "sa-15_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" + } + ] + }, + { + "id": "sa-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}." + } + ] + }, + { + "id": "sa-15_gdn", + "name": "guidance", + "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes." + }, + { + "id": "sa-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.04", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;", + "links": [ + { + "href": "#sa-15_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ], + "controls": [ + { + "id": "sa-15.3", + "class": "SP800-53-enhancement", + "title": "Criticality Analysis", + "params": [ + { + "id": "sa-15.3_prm_2", + "label": "organization-defined breadth and depth of criticality analysis" + }, + { + "id": "sa-15.03_odp.01", + "label": "decision points", + "guidelines": [ + { + "prose": "decision points in the system development life cycle are defined;" + } + ] + }, + { + "id": "sa-15.03_odp.02", + "label": "breadth", + "guidelines": [ + { + "prose": "the breadth of criticality analysis is defined;" + } + ] + }, + { + "id": "sa-15.03_odp.03", + "label": "depth", + "guidelines": [ + { + "prose": "the depth of criticality analysis is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15(3)" + }, + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-15", + "rel": "required" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15.3_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", + "parts": [ + { + "id": "sa-15.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + }, + { + "id": "sa-15.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}." + } + ] + }, + { + "id": "sa-15.3_gdn", + "name": "guidance", + "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." + }, + { + "id": "sa-15.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;", + "links": [ + { + "href": "#sa-15.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-15.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-15(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for performing criticality analysis\n\nmechanisms supporting and/or implementing criticality analysis" + } + ] + } + ] + } + ] + }, + { + "id": "sa-16", + "class": "SP800-53", + "title": "Developer-provided Training", + "params": [ + { + "id": "sa-16_odp", + "label": "training", + "guidelines": [ + { + "prose": "training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-16" + }, + { + "name": "label", + "value": "SA-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-16_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ insert: param, sa-16_odp }}." + }, + { + "id": "sa-16_gdn", + "name": "guidance", + "prose": "Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms." + }, + { + "id": "sa-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-16", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.", + "links": [ + { + "href": "#sa-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service" + } + ] + } + ] + }, + { + "id": "sa-17", + "class": "SP800-53", + "title": "Developer Security and Privacy Architecture and Design", + "props": [ + { + "name": "label", + "value": "SA-17" + }, + { + "name": "label", + "value": "SA-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-17_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:", + "parts": [ + { + "id": "sa-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Is consistent with the organization\u2019s security and privacy architecture that is an integral part the organization\u2019s enterprise architecture;" + }, + { + "id": "sa-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and" + }, + { + "id": "sa-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection." + } + ] + }, + { + "id": "sa-17_gdn", + "name": "guidance", + "prose": "Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing." + }, + { + "id": "sa-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization\u2019s security architecture, which is an integral part the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization\u2019s privacy architecture, which is an integral part the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;", + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;", + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;", + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.", + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ] + }, + { + "id": "sa-21", + "class": "SP800-53", + "title": "Developer Screening", + "params": [ + { + "id": "sa-21_odp.01", + "label": "system, systems component, or system service", + "guidelines": [ + { + "prose": "the system, systems component, or system service that the developer has access to is/are defined;" + } + ] + }, + { + "id": "sa-21_odp.02", + "label": "official government duties", + "guidelines": [ + { + "prose": "official government duties assigned to the developer are defined;" + } + ] + }, + { + "id": "sa-21_odp.03", + "label": "additional personnel screening criteria", + "guidelines": [ + { + "prose": "additional personnel screening criteria for the developer are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-21" + }, + { + "name": "label", + "value": "SA-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-21_smt", + "name": "statement", + "prose": "Require that the developer of {{ insert: param, sa-21_odp.01 }}:", + "parts": [ + { + "id": "sa-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and" + }, + { + "id": "sa-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}." + } + ] + }, + { + "id": "sa-21_gdn", + "name": "guidance", + "prose": "Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements." + }, + { + "id": "sa-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};", + "links": [ + { + "href": "#sa-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.", + "links": [ + { + "href": "#sa-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening" + } + ] + }, + { + "id": "sa-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developer screening\n\nmechanisms supporting developer screening" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-2", + "class": "SP800-53", + "title": "Separation of System and User Functionality", + "props": [ + { + "name": "label", + "value": "SC-2" + }, + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-2_smt", + "name": "statement", + "prose": "Separate user functionality, including user interface services, from system management functionality." + }, + { + "id": "sc-2_gdn", + "name": "guidance", + "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + } + ], + "prose": "user functionality, including user interface services, is separated from system management functionality.", + "links": [ + { + "href": "#sc-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of user functionality from system management functionality" + } + ] + } + ] + }, + { + "id": "sc-3", + "class": "SP800-53", + "title": "Security Function Isolation", + "props": [ + { + "name": "label", + "value": "SC-3" + }, + { + "name": "label", + "value": "SC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-3_smt", + "name": "statement", + "prose": "Isolate security functions from nonsecurity functions." + }, + { + "id": "sc-3_gdn", + "name": "guidance", + "prose": "Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-03", + "class": "sp800-53a" + } + ], + "prose": "security functions are isolated from non-security functions.", + "links": [ + { + "href": "#sc-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of security functions from non-security functions within the system" + } + ] + } + ] + }, + { + "id": "sc-4", + "class": "SP800-53", + "title": "Information in Shared System Resources", + "props": [ + { + "name": "label", + "value": "SC-4" + }, + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-4_smt", + "name": "statement", + "prose": "Prevent unauthorized and unintended information transfer via shared system resources." + }, + { + "id": "sc-4_gdn", + "name": "guidance", + "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." + }, + { + "id": "sc-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[01]", + "class": "sp800-53a" + } + ], + "prose": "unauthorized information transfer via shared system resources is prevented;", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[02]", + "class": "sp800-53a" + } + ], + "prose": "unintended information transfer via shared system resources is prevented.", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ], + "controls": [ + { + "id": "sc-7.3", + "class": "SP800-53-enhancement", + "title": "Access Points", + "props": [ + { + "name": "label", + "value": "SC-7(3)" + }, + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.3_smt", + "name": "statement", + "prose": "Limit the number of external network connections to the system." + }, + { + "id": "sc-7.3_gdn", + "name": "guidance", + "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." + }, + { + "id": "sc-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + } + ], + "prose": "the number of external network connections to the system is limited.", + "links": [ + { + "href": "#sc-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system" + } + ] + } + ] + }, + { + "id": "sc-7.4", + "class": "SP800-53-enhancement", + "title": "External Telecommunications Services", + "params": [ + { + "id": "sc-07.04_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review exceptions to traffic flow policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(4)" + }, + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.4_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement a managed interface for each external telecommunication service;" + }, + { + "id": "sc-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish a traffic flow policy for each managed interface;" + }, + { + "id": "sc-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" + }, + { + "id": "sc-7.4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" + }, + { + "id": "sc-7.4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;" + }, + { + "id": "sc-7.4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" + }, + { + "id": "sc-7.4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" + }, + { + "id": "sc-7.4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Filter unauthorized control plane traffic from external networks." + } + ] + }, + { + "id": "sc-7.4_gdn", + "name": "guidance", + "prose": "External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements." + }, + { + "id": "sc-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "a managed interface is implemented for each external telecommunication service;", + "links": [ + { + "href": "#sc-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "a traffic flow policy is established for each managed interface;", + "links": [ + { + "href": "#sc-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(d)", + "class": "sp800-53a" + } + ], + "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;", + "links": [ + { + "href": "#sc-7.4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[01]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[02]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(f)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;", + "links": [ + { + "href": "#sc-7.4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(g)", + "class": "sp800-53a" + } + ], + "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;", + "links": [ + { + "href": "#sc-7.4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(h)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized control plane traffic is filtered from external networks.", + "links": [ + { + "href": "#sc-7.4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy" + } + ] + } + ] + }, + { + "id": "sc-7.5", + "class": "SP800-53-enhancement", + "title": "Deny by Default \u2014 Allow by Exception", + "params": [ + { + "id": "sc-07.05_odp.01", + "constraints": [ + { + "description": "any systems" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "at managed interfaces", + "for {{ insert: param, sc-07.05_odp.02 }} " + ] + } + }, + { + "id": "sc-07.05_odp.02", + "label": "systems", + "guidelines": [ + { + "prose": "systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)." + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(5)" + }, + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.5_smt", + "name": "statement", + "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.", + "parts": [ + { + "id": "sc-7.5_fr", + "name": "item", + "title": "SC-7 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing" + } + ] + } + ] + }, + { + "id": "sc-7.5_gdn", + "name": "guidance", + "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." + }, + { + "id": "sc-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.7", + "class": "SP800-53-enhancement", + "title": "Split Tunneling for Remote Devices", + "params": [ + { + "id": "sc-07.07_odp", + "label": "safeguards", + "guidelines": [ + { + "prose": "safeguards to securely provision split tunneling are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(7)" + }, + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.7_smt", + "name": "statement", + "prose": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}." + }, + { + "id": "sc-7.7_gdn", + "name": "guidance", + "prose": "Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control." + }, + { + "id": "sc-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + } + ], + "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.", + "links": [ + { + "href": "#sc-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting/restricting non-remote connections" + } + ] + } + ] + }, + { + "id": "sc-7.8", + "class": "SP800-53-enhancement", + "title": "Route Traffic to Authenticated Proxy Servers", + "params": [ + { + "id": "sc-07.08_odp.01", + "label": "internal communications traffic", + "guidelines": [ + { + "prose": "internal communications traffic to be routed to external networks is defined;" + } + ] + }, + { + "id": "sc-07.08_odp.02", + "label": "external networks", + "constraints": [ + { + "description": "any network outside of organizational control and any network outside the authorization boundary" + } + ], + "guidelines": [ + { + "prose": "external networks to which internal communications traffic is to be routed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(8)" + }, + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.8_smt", + "name": "statement", + "prose": "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces." + }, + { + "id": "sc-7.8_gdn", + "name": "guidance", + "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)." + }, + { + "id": "sc-7.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.", + "links": [ + { + "href": "#sc-7.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.10", + "class": "SP800-53-enhancement", + "title": "Prevent Exfiltration", + "params": [ + { + "id": "sc-07.10_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for conducting exfiltration tests is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(10)" + }, + { + "name": "label", + "value": "SC-07(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.10_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Prevent the exfiltration of information; and" + }, + { + "id": "sc-7.10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}." + } + ] + }, + { + "id": "sc-7.10_gdn", + "name": "guidance", + "prose": "Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements." + }, + { + "id": "sc-7.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)(a)", + "class": "sp800-53a" + } + ], + "prose": "the exfiltration of information is prevented;", + "links": [ + { + "href": "#sc-7.10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)(b)", + "class": "sp800-53a" + } + ], + "prose": "exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}.", + "links": [ + { + "href": "#sc-7.10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities that prevent the unauthorized exfiltration of information across managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.12", + "class": "SP800-53-enhancement", + "title": "Host-based Protection", + "params": [ + { + "id": "sc-07.12_odp.01", + "label": "host-based boundary protection mechanisms", + "constraints": [ + { + "description": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall" + } + ], + "guidelines": [ + { + "prose": "host-based boundary protection mechanisms to be implemented are defined;" + } + ] + }, + { + "id": "sc-07.12_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based boundary protection mechanisms are to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(12)" + }, + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.12_smt", + "name": "statement", + "prose": "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}." + }, + { + "id": "sc-7.12_gdn", + "name": "guidance", + "prose": "Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices." + }, + { + "id": "sc-7.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.", + "links": [ + { + "href": "#sc-7.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users" + } + ] + }, + { + "id": "sc-7.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing host-based boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-7.18", + "class": "SP800-53-enhancement", + "title": "Fail Secure", + "props": [ + { + "name": "label", + "value": "SC-7(18)" + }, + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.18_smt", + "name": "statement", + "prose": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device." + }, + { + "id": "sc-7.18_gdn", + "name": "guidance", + "prose": "Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases." + }, + { + "id": "sc-7.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + } + ], + "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.", + "links": [ + { + "href": "#sc-7.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure failure" + } + ] + } + ] + }, + { + "id": "sc-7.20", + "class": "SP800-53-enhancement", + "title": "Dynamic Isolation and Segregation", + "params": [ + { + "id": "sc-07.20_odp", + "label": "system components", + "guidelines": [ + { + "prose": "system components to be dynamically isolated from other system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(20)" + }, + { + "name": "label", + "value": "SC-07(20)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.20_smt", + "name": "statement", + "prose": "Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components." + }, + { + "id": "sc-7.20_gdn", + "name": "guidance", + "prose": "The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur." + }, + { + "id": "sc-7.20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(20)", + "class": "sp800-53a" + } + ], + "prose": "the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided.", + "links": [ + { + "href": "#sc-7.20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(20)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of system components to be dynamically isolated/segregated from other components of the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(20)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(20)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the capability to dynamically isolate/segregate system components" + } + ] + } + ] + }, + { + "id": "sc-7.21", + "class": "SP800-53-enhancement", + "title": "Isolation of System Components", + "params": [ + { + "id": "sc-07.21_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components to be isolated by boundary protection mechanisms are defined;" + } + ] + }, + { + "id": "sc-07.21_odp.02", + "label": "missions and/or business functions", + "guidelines": [ + { + "prose": "missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(21)" + }, + { + "name": "label", + "value": "SC-07(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ca-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.21_smt", + "name": "statement", + "prose": "Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}." + }, + { + "id": "sc-7.21_gdn", + "name": "guidance", + "prose": "Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys." + }, + { + "id": "sc-7.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(21)", + "class": "sp800-53a" + } + ], + "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.", + "links": [ + { + "href": "#sc-7.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the capability to separate system components supporting organizational missions and/or business functions" + } + ] + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n\n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work \u2013 e.g. log collection, scanning, etc.\n\n\n\n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters\n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]" + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n\n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n\n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS\u2019s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS\u2019 recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n\n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n\n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n\n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf" + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "constraints": [ + { + "description": "prevent unauthorized disclosure of information AND detect changes to information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-10", + "class": "SP800-53", + "title": "Network Disconnect", + "params": [ + { + "id": "sc-10_odp", + "label": "time period", + "constraints": [ + { + "description": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions" + } + ], + "guidelines": [ + { + "prose": "a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-10" + }, + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-10_smt", + "name": "statement", + "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity." + }, + { + "id": "sc-10_gdn", + "name": "guidance", + "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses." + }, + { + "id": "sc-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + } + ], + "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.", + "links": [ + { + "href": "#sc-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a network disconnect capability" + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ], + "controls": [ + { + "id": "sc-12.1", + "class": "SP800-53-enhancement", + "title": "Availability", + "props": [ + { + "name": "label", + "value": "SC-12(1)" + }, + { + "name": "label", + "value": "SC-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-12.1_smt", + "name": "statement", + "prose": "Maintain availability of information in the event of the loss of cryptographic keys by users." + }, + { + "id": "sc-12.1_gdn", + "name": "guidance", + "prose": "Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key." + }, + { + "id": "sc-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12(01)", + "class": "sp800-53a" + } + ], + "prose": "information availability is maintained in the event of the loss of cryptographic keys by users.", + "links": [ + { + "href": "#sc-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management" + } + ] + }, + { + "id": "sc-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n\n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-17", + "class": "SP800-53", + "title": "Public Key Infrastructure Certificates", + "params": [ + { + "id": "sc-17_odp", + "label": "certificate policy", + "guidelines": [ + { + "prose": "a certificate policy for issuing public key certificates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-17" + }, + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#8cb338a4-e493-4177-818f-3af18983ddc5", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-17_smt", + "name": "statement", + "parts": [ + { + "id": "sc-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and" + }, + { + "id": "sc-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." + } + ] + }, + { + "id": "sc-17_gdn", + "name": "guidance", + "prose": "Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." + }, + { + "id": "sc-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17a.", + "class": "sp800-53a" + } + ], + "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;", + "links": [ + { + "href": "#sc-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17b.", + "class": "sp800-53a" + } + ], + "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.", + "links": [ + { + "href": "#sc-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers" + } + ] + }, + { + "id": "sc-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of public key infrastructure certificates" + } + ] + } + ] + }, + { + "id": "sc-18", + "class": "SP800-53", + "title": "Mobile Code", + "props": [ + { + "name": "label", + "value": "SC-18" + }, + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#f641309f-a3ad-48be-8c67-2b318648b2f5", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-18_smt", + "name": "statement", + "parts": [ + { + "id": "sc-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" + }, + { + "id": "sc-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize, monitor, and control the use of mobile code within the system." + } + ] + }, + { + "id": "sc-18_gdn", + "name": "guidance", + "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." + }, + { + "id": "sc-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[04]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is authorized within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is monitored within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is controlled within the system.", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code" + } + ] + }, + { + "id": "sc-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and/or implementing the management of mobile code\n\nmechanisms supporting and/or implementing the monitoring of mobile code" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authoritative DNS servers must be geolocated in accordance with SA-9 (5)." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n- DNSSEC resolution to access a component inside the boundary is excluded." + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers\u2014one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-23", + "class": "SP800-53", + "title": "Session Authenticity", + "props": [ + { + "name": "label", + "value": "SC-23" + }, + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-23_smt", + "name": "statement", + "prose": "Protect the authenticity of communications sessions." + }, + { + "id": "sc-23_gdn", + "name": "guidance", + "prose": "Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions." + }, + { + "id": "sc-23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + } + ], + "prose": "the authenticity of communication sessions is protected.", + "links": [ + { + "href": "#sc-23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-23-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-23-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sc-23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-23-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing session authenticity" + } + ] + } + ] + }, + { + "id": "sc-24", + "class": "SP800-53", + "title": "Fail in Known State", + "params": [ + { + "id": "sc-24_odp.01", + "label": "types of system failures on system components", + "guidelines": [ + { + "prose": "types of system failures for which the system components fail to a known state are defined;" + } + ] + }, + { + "id": "sc-24_odp.02", + "label": "known system state", + "guidelines": [ + { + "prose": "known system state to which system components fail in the event of a system failure is defined;" + } + ] + }, + { + "id": "sc-24_odp.03", + "label": "system state information", + "guidelines": [ + { + "prose": "system state information to be preserved in the event of a system failure is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-24" + }, + { + "name": "label", + "value": "SC-24", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-24" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-24_smt", + "name": "statement", + "prose": "Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}." + }, + { + "id": "sc-24_gdn", + "name": "guidance", + "prose": "Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes." + }, + { + "id": "sc-24_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-24", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.", + "links": [ + { + "href": "#sc-24_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-24_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-24-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-24_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-24-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-24_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-24-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + }, + { + "id": "sc-45", + "class": "SP800-53", + "title": "System Time Synchronization", + "props": [ + { + "name": "label", + "value": "SC-45" + }, + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e4d37285-1e79-4029-8b6a-42df39cace30", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-45_smt", + "name": "statement", + "prose": "Synchronize system clocks within and between systems and system components." + }, + { + "id": "sc-45_gdn", + "name": "guidance", + "prose": "Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities\u2014such as access control and identification and authentication\u2014depending on the nature of the mechanisms used to support the capabilities." + }, + { + "id": "sc-45_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + } + ], + "prose": "system clocks are synchronized within and between systems and system components.", + "links": [ + { + "href": "#sc-45_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ], + "controls": [ + { + "id": "sc-45.1", + "class": "SP800-53-enhancement", + "title": "Synchronization with Authoritative Time Source", + "params": [ + { + "id": "sc-45.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "At least hourly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to compare the internal system clocks with the authoritative time source is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.02", + "label": "authoritative time source", + "constraints": [ + { + "description": "http://tf.nist.gov/tf-cgi/servers.cgi" + } + ], + "guidelines": [ + { + "prose": "the authoritative time source to which internal system clocks are to be compared is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "any difference" + } + ], + "guidelines": [ + { + "prose": "the time period to compare the internal system clocks with the authoritative time source is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-45(1)" + }, + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-45", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-45.1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-45.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and" + }, + { + "id": "sc-45.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}." + }, + { + "id": "sc-45.1_fr", + "name": "item", + "title": "SC-45(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-45.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server." + }, + { + "id": "sc-45.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server." + }, + { + "id": "sc-45.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Synchronization of system clocks improves the accuracy of log analysis." + } + ] + } + ] + }, + { + "id": "sc-45.1_gdn", + "name": "guidance", + "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." + }, + { + "id": "sc-45.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-45.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};", + "links": [ + { + "href": "#sc-45.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.", + "links": [ + { + "href": "#sc-45.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-45.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ], + "controls": [ + { + "id": "si-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Flaw Remediation Status", + "params": [ + { + "id": "si-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;" + } + ] + }, + { + "id": "si-02.02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(2)" + }, + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2.2_smt", + "name": "statement", + "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + }, + { + "id": "si-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can track and determine the status of known flaws for system components." + }, + { + "id": "si-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + } + ], + "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.", + "links": [ + { + "href": "#si-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms used to determine the state of system components with regard to flaw remediation" + } + ] + } + ] + }, + { + "id": "si-2.3", + "class": "SP800-53-enhancement", + "title": "Time to Remediate Flaws and Benchmarks for Corrective Actions", + "params": [ + { + "id": "si-02.03_odp", + "label": "benchmarks", + "guidelines": [ + { + "prose": "the benchmarks for taking corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(3)" + }, + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-2.3_smt", + "name": "statement", + "parts": [ + { + "id": "si-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Measure the time between flaw identification and flaw remediation; and" + }, + { + "id": "si-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}." + } + ] + }, + { + "id": "si-2.3_gdn", + "name": "guidance", + "prose": "Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited." + }, + { + "id": "si-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the time between flaw identification and flaw remediation is measured;", + "links": [ + { + "href": "#si-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-02.03_odp }} for taking corrective actions have been established.", + "links": [ + { + "href": "#si-2.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation" + } + ] + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ], + "controls": [ + { + "id": "si-4.1", + "class": "SP800-53-enhancement", + "title": "System-wide Intrusion Detection System", + "props": [ + { + "name": "label", + "value": "SI-4(1)" + }, + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.1_smt", + "name": "statement", + "prose": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + }, + { + "id": "si-4.1_gdn", + "name": "guidance", + "prose": "Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful." + }, + { + "id": "si-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system.", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection capabilities" + } + ] + } + ] + }, + { + "id": "si-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Tools and Mechanisms for Real-time Analysis", + "props": [ + { + "name": "label", + "value": "SI-4(2)" + }, + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-25", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.2_smt", + "name": "statement", + "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." + }, + { + "id": "si-4.2_gdn", + "name": "guidance", + "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "si-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.", + "links": [ + { + "href": "#si-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response/management" + } + ] + }, + { + "id": "si-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring\n\nmechanisms/tools supporting and/or implementing an analysis of events" + } + ] + } + ] + }, + { + "id": "si-4.4", + "class": "SP800-53-enhancement", + "title": "Inbound and Outbound Communications Traffic", + "params": [ + { + "id": "si-4.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "continuously" + } + ] + }, + { + "id": "si-4.4_prm_2", + "label": "organization-defined unusual or unauthorized activities or conditions" + }, + { + "id": "si-04.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.02", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;" + } + ] + }, + { + "id": "si-04.04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.04", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(4)" + }, + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;" + }, + { + "id": "si-4.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}." + } + ] + }, + { + "id": "si-4.4_gdn", + "name": "guidance", + "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components." + }, + { + "id": "si-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.5", + "class": "SP800-53-enhancement", + "title": "System-generated Alerts", + "params": [ + { + "id": "si-04.05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;" + } + ] + }, + { + "id": "si-04.05_odp.02", + "label": "compromise indicators", + "guidelines": [ + { + "prose": "compromise indicators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(5)" + }, + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.5_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}.", + "parts": [ + { + "id": "si-4.5_fr", + "name": "item", + "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with the incident response plan." + } + ] + } + ] + }, + { + "id": "si-4.5_gdn", + "name": "guidance", + "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats." + }, + { + "id": "si-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.", + "links": [ + { + "href": "#si-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing alerts for compromise indicators" + } + ] + } + ] + }, + { + "id": "si-4.10", + "class": "SP800-53-enhancement", + "title": "Visibility of Encrypted Communications", + "params": [ + { + "id": "si-04.10_odp.01", + "label": "encrypted communications traffic", + "guidelines": [ + { + "prose": "encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;" + } + ] + }, + { + "id": "si-04.10_odp.02", + "label": "system monitoring tools and mechanisms", + "guidelines": [ + { + "prose": "system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(10)" + }, + { + "name": "label", + "value": "SI-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.10_smt", + "name": "statement", + "prose": "Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.", + "parts": [ + { + "id": "si-4.10_fr", + "name": "item", + "title": "SI-4 (10) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)." + } + ] + } + ] + }, + { + "id": "si-4.10_gdn", + "name": "guidance", + "prose": "Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types." + }, + { + "id": "si-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(10)", + "class": "sp800-53a" + } + ], + "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.", + "links": [ + { + "href": "#si-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.11", + "class": "SP800-53-enhancement", + "title": "Analyze Communications Traffic Anomalies", + "params": [ + { + "id": "si-04.11_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(11)" + }, + { + "name": "label", + "value": "SI-04(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.11_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at the external interfaces to the system and selected {{ insert: param, si-04.11_odp }} to discover anomalies." + }, + { + "id": "si-4.11_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses." + }, + { + "id": "si-4.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.11_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;", + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.11_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies.", + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the analysis of communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.12", + "class": "SP800-53-enhancement", + "title": "Automated Organization-generated Alerts", + "params": [ + { + "id": "si-04.12_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;" + } + ] + }, + { + "id": "si-04.12_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to alert personnel or roles are defined;" + } + ] + }, + { + "id": "si-04.12_odp.03", + "label": "activities that trigger alerts", + "guidelines": [ + { + "prose": "activities that trigger alerts to personnel or are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(12)" + }, + { + "name": "label", + "value": "SI-04(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.12_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}." + }, + { + "id": "si-4.12_gdn", + "name": "guidance", + "prose": "Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records." + }, + { + "id": "si-4.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.", + "links": [ + { + "href": "#si-4.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and/or implementing automated alerts to security personnel" + } + ] + } + ] + }, + { + "id": "si-4.14", + "class": "SP800-53-enhancement", + "title": "Wireless Intrusion Detection", + "props": [ + { + "name": "label", + "value": "SI-4(14)" + }, + { + "name": "label", + "value": "SI-04(14)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.14_smt", + "name": "statement", + "prose": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system." + }, + { + "id": "si-4.14_gdn", + "name": "guidance", + "prose": "Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems." + }, + { + "id": "si-4.14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.14_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[01]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[02]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[03]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(14)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(14)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(14)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection\n\nmechanisms supporting and/or implementing a wireless intrusion detection capability" + } + ] + } + ] + }, + { + "id": "si-4.16", + "class": "SP800-53-enhancement", + "title": "Correlate Monitoring Information", + "props": [ + { + "name": "label", + "value": "SI-4(16)" + }, + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.16_smt", + "name": "statement", + "prose": "Correlate information from monitoring tools and mechanisms employed throughout the system." + }, + { + "id": "si-4.16_gdn", + "name": "guidance", + "prose": "Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation\u2014including malicious code protection software, host monitoring, and network monitoring\u2014can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)." + }, + { + "id": "si-4.16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + } + ], + "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated.", + "links": [ + { + "href": "#si-4.16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(16)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(16)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(16)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the correlation of information from monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.18", + "class": "SP800-53-enhancement", + "title": "Analyze Traffic and Covert Exfiltration", + "params": [ + { + "id": "si-04.18_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(18)" + }, + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.18_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}." + }, + { + "id": "si-4.18_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography." + }, + { + "id": "si-4.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.18_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing an analysis of outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.19", + "class": "SP800-53-enhancement", + "title": "Risk for Individuals", + "params": [ + { + "id": "si-04.19_odp.01", + "label": "additional monitoring", + "guidelines": [ + { + "prose": "additional monitoring of individuals who have been identified as posing an increased level of risk is defined;" + } + ] + }, + { + "id": "si-04.19_odp.02", + "label": "sources", + "guidelines": [ + { + "prose": "sources that identify individuals who pose an increased level of risk are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(19)" + }, + { + "name": "label", + "value": "SI-04(19)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.19_smt", + "name": "statement", + "prose": "Implement {{ insert: param, si-04.19_odp.01 }} of individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk." + }, + { + "id": "si-4.19_gdn", + "name": "guidance", + "prose": "Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4.19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(19)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.", + "links": [ + { + "href": "#si-4.19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(19)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(19)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\nlegal counsel\n\nhuman resource officials\n\norganizational personnel with personnel security responsibilities" + } + ] + }, + { + "id": "si-4.19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(19)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability" + } + ] + } + ] + }, + { + "id": "si-4.20", + "class": "SP800-53-enhancement", + "title": "Privileged Users", + "params": [ + { + "id": "si-04.20_odp", + "label": "additional monitoring", + "guidelines": [ + { + "prose": "additional monitoring of privileged users is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(20)" + }, + { + "name": "label", + "value": "SI-04(20)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.20_smt", + "name": "statement", + "prose": "Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}." + }, + { + "id": "si-4.20_gdn", + "name": "guidance", + "prose": "Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions." + }, + { + "id": "si-4.20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(20)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.20_odp }} of privileged users is implemented.", + "links": [ + { + "href": "#si-4.20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(20)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(20)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4.20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(20)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability" + } + ] + } + ] + }, + { + "id": "si-4.22", + "class": "SP800-53-enhancement", + "title": "Unauthorized Network Services", + "params": [ + { + "id": "si-04.22_odp.01", + "label": "authorization or approval processes", + "guidelines": [ + { + "prose": "authorization or approval processes for network services are defined;" + } + ] + }, + { + "id": "si-04.22_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "audit", + "alert {{ insert: param, si-04.22_odp.03 }} " + ] + } + }, + { + "id": "si-04.22_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(22)" + }, + { + "name": "label", + "value": "SI-04(22)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.22_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and" + }, + { + "id": "si-4.22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, si-04.22_odp.02 }} when detected." + } + ] + }, + { + "id": "si-4.22_gdn", + "name": "guidance", + "prose": "Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services." + }, + { + "id": "si-4.22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)(a)", + "class": "sp800-53a" + } + ], + "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;", + "links": [ + { + "href": "#si-4.22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.", + "links": [ + { + "href": "#si-4.22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(22)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(22)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4.22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(22)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts" + } + ] + } + ] + }, + { + "id": "si-4.23", + "class": "SP800-53-enhancement", + "title": "Host-based Devices", + "params": [ + { + "id": "si-04.23_odp.01", + "label": "host-based monitoring mechanisms", + "guidelines": [ + { + "prose": "host-based monitoring mechanisms to be implemented on system components are defined;" + } + ] + }, + { + "id": "si-04.23_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based monitoring is to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(23)" + }, + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.23_smt", + "name": "statement", + "prose": "Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}." + }, + { + "id": "si-4.23_gdn", + "name": "guidance", + "prose": "Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors." + }, + { + "id": "si-4.23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.", + "links": [ + { + "href": "#si-4.23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(23)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(23)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts" + } + ] + }, + { + "id": "si-4.23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(23)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a host-based monitoring capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ], + "controls": [ + { + "id": "si-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Alerts and Advisories", + "params": [ + { + "id": "si-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5(1)" + }, + { + "name": "label", + "value": "SI-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-5.1_smt", + "name": "statement", + "prose": "Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}." + }, + { + "id": "si-5.1_gdn", + "name": "guidance", + "prose": "The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level." + }, + { + "id": "si-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.", + "links": [ + { + "href": "#si-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and/or implementing the dissemination of security alerts and advisories" + } + ] + } + ] + } + ] + }, + { + "id": "si-6", + "class": "SP800-53", + "title": "Security and Privacy Function Verification", + "params": [ + { + "id": "si-6_prm_1", + "label": "organization-defined security and privacy functions" + }, + { + "id": "si-06_odp.01", + "label": "security functions", + "guidelines": [ + { + "prose": "security functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.02", + "label": "privacy functions", + "guidelines": [ + { + "prose": "privacy functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-06_odp.04 }} ", + "upon command by user with appropriate privilege", + " {{ insert: param, si-06_odp.05 }} " + ] + } + }, + { + "id": "si-06_odp.04", + "label": "system transitional states", + "constraints": [ + { + "description": "to include upon system startup and/or restart" + } + ], + "guidelines": [ + { + "prose": "system transitional states requiring the verification of security and privacy functions are defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.06", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include system administrators and security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted of failed security and privacy verification tests is/are defined;" + } + ] + }, + { + "id": "si-06_odp.07", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut the system down", + "restart the system", + " {{ insert: param, si-06_odp.08 }} " + ] + } + }, + { + "id": "si-06_odp.08", + "label": "alternative action(s)", + "guidelines": [ + { + "prose": "alternative action(s) to be performed when anomalies are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-6" + }, + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-6_smt", + "name": "statement", + "parts": [ + { + "id": "si-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verify the correct operation of {{ insert: param, si-6_prm_1 }};" + }, + { + "id": "si-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};" + }, + { + "id": "si-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and" + }, + { + "id": "si-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + } + ] + }, + { + "id": "si-6_gdn", + "name": "guidance", + "prose": "Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected." + }, + { + "id": "si-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.", + "links": [ + { + "href": "#si-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "si-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy function verification\n\nmechanisms supporting and/or implementing the security and privacy function verification capability" + } + ] + } + ] + }, + { + "id": "si-7", + "class": "SP800-53", + "title": "Software, Firmware, and Information Integrity", + "params": [ + { + "id": "si-7_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7_prm_2", + "label": "organization-defined actions" + }, + { + "id": "si-07_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.02", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.04", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to software are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.05", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to firmware are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.06", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to information are detected are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7" + }, + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#e47ee630-9cbc-4133-880e-e013f83ccd51", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7_smt", + "name": "statement", + "parts": [ + { + "id": "si-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and" + }, + { + "id": "si-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}." + } + ] + }, + { + "id": "si-7_gdn", + "name": "guidance", + "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms\u2014including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools\u2014can automatically monitor the integrity of systems and hosted applications." + }, + { + "id": "si-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "si-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ], + "controls": [ + { + "id": "si-7.1", + "class": "SP800-53-enhancement", + "title": "Integrity Checks", + "params": [ + { + "id": "si-7.1_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7.1_prm_2", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-7.1_prm_3 }} ", + " {{ insert: param, si-7.1_prm_4 }} " + ] + } + }, + { + "id": "si-7.1_prm_3", + "label": "organization-defined transitional states or security-relevant events", + "constraints": [ + { + "description": "selection to include security relevant event" + } + ] + }, + { + "id": "si-7.1_prm_4", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "si-07.01_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.03 }} ", + " {{ insert: param, si-07.01_odp.04 }} " + ] + } + }, + { + "id": "si-07.01_odp.03", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on software) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.05", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.06", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.07 }} ", + " {{ insert: param, si-07.01_odp.08 }} " + ] + } + }, + { + "id": "si-07.01_odp.07", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on firmware) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.09", + "label": "information", + "guidelines": [ + { + "prose": "information on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.10", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.11 }} ", + " {{ insert: param, si-07.01_odp.12 }} " + ] + } + }, + { + "id": "si-07.01_odp.11", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.12", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (of information) is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(1)" + }, + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.1_smt", + "name": "statement", + "prose": "Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}." + }, + { + "id": "si-7.1_gdn", + "name": "guidance", + "prose": "Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." + }, + { + "id": "si-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ] + }, + { + "id": "si-7.2", + "class": "SP800-53-enhancement", + "title": "Automated Notifications of Integrity Violations", + "params": [ + { + "id": "si-07.02_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(2)" + }, + { + "name": "label", + "value": "SI-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.2_smt", + "name": "statement", + "prose": "Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification." + }, + { + "id": "si-7.2_gdn", + "name": "guidance", + "prose": "The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers." + }, + { + "id": "si-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.", + "links": [ + { + "href": "#si-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers" + } + ] + }, + { + "id": "si-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications" + } + ] + } + ] + }, + { + "id": "si-7.5", + "class": "SP800-53-enhancement", + "title": "Automated Response to Integrity Violations", + "params": [ + { + "id": "si-07.05_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut down the system", + "restart the system", + "implement {{ insert: param, si-07.05_odp.02 }} " + ] + } + }, + { + "id": "si-07.05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented automatically when integrity violations are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(5)" + }, + { + "name": "label", + "value": "SI-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.5_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered." + }, + { + "id": "si-7.5_gdn", + "name": "guidance", + "prose": "Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur." + }, + { + "id": "si-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.", + "links": [ + { + "href": "#si-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered" + } + ] + } + ] + }, + { + "id": "si-7.7", + "class": "SP800-53-enhancement", + "title": "Integration of Detection and Response", + "params": [ + { + "id": "si-07.07_odp", + "label": "changes", + "guidelines": [ + { + "prose": "security-relevant changes to the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(7)" + }, + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.7_smt", + "name": "statement", + "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}." + }, + { + "id": "si-7.7_gdn", + "name": "guidance", + "prose": "Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges." + }, + { + "id": "si-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + } + ], + "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.", + "links": [ + { + "href": "#si-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities" + } + ] + }, + { + "id": "si-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability" + } + ] + } + ] + }, + { + "id": "si-7.15", + "class": "SP800-53-enhancement", + "title": "Code Authentication", + "params": [ + { + "id": "si-07.15_odp", + "label": "software or firmware components", + "constraints": [ + { + "description": "to include all software and firmware inside the boundary" + } + ], + "guidelines": [ + { + "prose": "software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(15)" + }, + { + "name": "label", + "value": "SI-07(15)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.15_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}." + }, + { + "id": "si-7.15_gdn", + "name": "guidance", + "prose": "Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions." + }, + { + "id": "si-7.15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(15)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.", + "links": [ + { + "href": "#si-7.15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(15)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(15)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(15)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms authenticating software and firmware prior to installation" + } + ] + } + ] + } + ] + }, + { + "id": "si-8", + "class": "SP800-53", + "title": "Spam Protection", + "props": [ + { + "name": "label", + "value": "SI-8" + }, + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#314e33cb-3681-4b50-a2a2-3fae9604accd", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-8_smt", + "name": "statement", + "parts": [ + { + "id": "si-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" + }, + { + "id": "si-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." + }, + { + "id": "si-8_fr", + "name": "item", + "title": "SI-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/" + }, + { + "id": "si-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients." + } + ] + } + ] + }, + { + "id": "si-8_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." + }, + { + "id": "si-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[01]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[02]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[03]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[04]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08b.", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.", + "links": [ + { + "href": "#si-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for implementing spam protection\n\nmechanisms supporting and/or implementing spam protection" + } + ] + } + ], + "controls": [ + { + "id": "si-8.2", + "class": "SP800-53-enhancement", + "title": "Automatic Updates", + "params": [ + { + "id": "si-08.02_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to automatically update spam protection mechanisms is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-8(2)" + }, + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#si-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-8.2_smt", + "name": "statement", + "prose": "Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}." + }, + { + "id": "si-8.2_gdn", + "name": "guidance", + "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities." + }, + { + "id": "si-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.", + "links": [ + { + "href": "#si-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for spam protection\n\nmechanisms supporting and/or implementing automatic updates to spam protection mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "si-10", + "class": "SP800-53", + "title": "Information Input Validation", + "params": [ + { + "id": "si-10_odp", + "label": "information inputs", + "guidelines": [ + { + "prose": "information inputs to the system requiring validity checks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-10" + }, + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + } + ], + "parts": [ + { + "id": "si-10_smt", + "name": "statement", + "prose": "Check the validity of the following information inputs: {{ insert: param, si-10_odp }}.", + "parts": [ + { + "id": "si-10_fr", + "name": "item", + "title": "SI-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Validate all information inputs and document any exceptions" + } + ] + } + ] + }, + { + "id": "si-10_gdn", + "name": "guidance", + "prose": "Checking the valid syntax and semantics of system inputs\u2014including character set, length, numerical range, and acceptable values\u2014verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks." + }, + { + "id": "si-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + } + ], + "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.", + "links": [ + { + "href": "#si-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing validity checks on information inputs" + } + ] + } + ] + }, + { + "id": "si-11", + "class": "SP800-53", + "title": "Error Handling", + "params": [ + { + "id": "si-11_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom error messages are to be revealed is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-11" + }, + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-11_smt", + "name": "statement", + "parts": [ + { + "id": "si-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" + }, + { + "id": "si-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Reveal error messages only to {{ insert: param, si-11_odp }}." + } + ] + }, + { + "id": "si-11_gdn", + "name": "guidance", + "prose": "Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." + }, + { + "id": "si-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11a.", + "class": "sp800-53a" + } + ], + "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;", + "links": [ + { + "href": "#si-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11b.", + "class": "sp800-53a" + } + ], + "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.", + "links": [ + { + "href": "#si-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing the management of error messages" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + }, + { + "id": "si-16", + "class": "SP800-53", + "title": "Memory Protection", + "params": [ + { + "id": "si-16_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented to protect the system memory from unauthorized code execution are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-16" + }, + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-16_smt", + "name": "statement", + "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}." + }, + { + "id": "si-16_gdn", + "name": "guidance", + "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." + }, + { + "id": "si-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.", + "links": [ + { + "href": "#si-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ] + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-6", + "class": "SP800-53", + "title": "Supplier Assessments and Reviews", + "params": [ + { + "id": "sr-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-6" + }, + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-6_smt", + "name": "statement", + "prose": "Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.", + "parts": [ + { + "id": "sr-6_fr", + "name": "item", + "title": "SR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products." + } + ] + } + ] + }, + { + "id": "sr-6_gdn", + "name": "guidance", + "prose": "An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts." + }, + { + "id": "sr-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + } + ], + "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.", + "links": [ + { + "href": "#sr-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting supplier reviews\n\nmechanisms supporting and/or implementing supplier reviews" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-9", + "class": "SP800-53", + "title": "Tamper Resistance and Detection", + "props": [ + { + "name": "label", + "value": "SR-9" + }, + { + "name": "label", + "value": "SR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-9_smt", + "name": "statement", + "prose": "Implement a tamper protection program for the system, system component, or system service.", + "parts": [ + { + "id": "sr-9_fr", + "name": "item", + "title": "SR-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place." + } + ] + } + ] + }, + { + "id": "sr-9_gdn", + "name": "guidance", + "prose": "Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use." + }, + { + "id": "sr-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-09", + "class": "sp800-53a" + } + ], + "prose": "a tamper protection program is implemented for the system, system component, or system service.", + "links": [ + { + "href": "#sr-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and/or implementing the tamper protection program" + } + ] + } + ], + "controls": [ + { + "id": "sr-9.1", + "class": "SP800-53-enhancement", + "title": "Multiple Stages of System Development Life Cycle", + "props": [ + { + "name": "label", + "value": "SR-9(1)" + }, + { + "name": "label", + "value": "SR-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-9", + "rel": "required" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-9.1_smt", + "name": "statement", + "prose": "Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle." + }, + { + "id": "sr-9.1_gdn", + "name": "guidance", + "prose": "The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage." + }, + { + "id": "sr-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-09(01)", + "class": "sp800-53a" + } + ], + "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.", + "links": [ + { + "href": "#sr-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities" + } + ] + }, + { + "id": "sr-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and/or implementing anti-tamper technologies" + } + ] + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "4f42ee6e-86cc-403b-a51f-76c2b4f81b54", + "title": "DHS TIC", + "citation": { + "text": "Department of Homeland Security, *Trusted Internet Connections (TIC)*." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/trusted-internet-connections" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "title": "EO 13556", + "citation": { + "text": "Executive Order 13556, *Controlled Unclassified Information* , November 2010." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "e4d37285-1e79-4029-8b6a-42df39cace30", + "title": "IETF 5905", + "citation": { + "text": "Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010." + }, + "rlinks": [ + { + "href": "https://tools.ietf.org/pdf/rfc5905.pdf" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "a2590922-82f3-4277-83c0-ca5bee06dba4", + "title": "IR 8112", + "citation": { + "text": "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8112" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology\u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology \u2014 Open Trusted Technology Provider\u2122 Standard (O-TTPS) \u2014 Mitigating maliciously tainted and counterfeit products \u2014 Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology\u2014Security techniques\u2014Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology\u2014Security techniques\u2014Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering\u2014Life cycle processes\u2014Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "e47ee630-9cbc-4133-880e-e013f83ccd51", + "title": "SP 800-147", + "citation": { + "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-147" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "title": "SP 800-154", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "f641309f-a3ad-48be-8c67-2b318648b2f5", + "title": "SP 800-28", + "citation": { + "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "8cb338a4-e493-4177-818f-3af18983ddc5", + "title": "SP 800-32", + "citation": { + "text": "Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-32" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "314e33cb-3681-4b50-a2a2-3fae9604accd", + "title": "SP 800-45", + "citation": { + "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 \u2013 General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 \u2013 Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "9099ed2c-922a-493d-bcb4-d896192243ff", + "title": "SP 800-63A", + "citation": { + "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63a" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "title": "SP 800-95", + "citation": { + "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-95" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json index 6b6d52691..1056c6239 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "2c9e809f-1740-44a6-b1f2-3abfe11a0dfc", + "uuid": "e07ece0d-7f46-4cc4-b7e2-fdf109d5541f", "metadata": { "title": "FedRAMP Rev 5 High Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:34.203593-05:00", + "last-modified": "2024-01-11T18:06:26.711765-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,116276 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "monthly for privileged accessed, every six (6) months for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ], + "controls": [ + { + "id": "ac-2.1", + "class": "SP800-53-enhancement", + "title": "Automated System Account Management", + "params": [ + { + "id": "ac-02.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the management of system accounts are defined; " + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(1)" + }, + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.1_smt", + "name": "statement", + "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}." + }, + { + "id": "ac-2.1_gdn", + "name": "guidance", + "prose": "Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications." + }, + { + "id": "ac-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + } + ], + "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.", + "links": [ + { + "href": "#ac-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Temporary and Emergency Account Management", + "params": [ + { + "id": "ac-02.02_odp.01", + "constraints": [ + { + "description": "Selection: disables" + } + ], + "select": { + "choice": [ + "remove", + "disable" + ] + } + }, + { + "id": "ac-02.02_odp.02", + "label": "time period", + "constraints": [ + { + "description": "no more than 24 hours from last use" + } + ], + "guidelines": [ + { + "prose": "the time period after which to automatically remove or disable temporary or emergency accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(2)" + }, + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.2_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}." + }, + { + "id": "ac-2.2_gdn", + "name": "guidance", + "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation." + }, + { + "id": "ac-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + } + ], + "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.", + "links": [ + { + "href": "#ac-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and/or disabled\n\nsystem-generated list of emergency accounts removed and/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.3", + "class": "SP800-53-enhancement", + "title": "Disable Accounts", + "params": [ + { + "id": "ac-02.03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "24 hours for user accounts" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts is defined;" + } + ] + }, + { + "id": "ac-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "thirty-five (35) days (See additional requirements and guidance.)" + } + ], + "guidelines": [ + { + "prose": "time period for account inactivity before disabling is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(3)" + }, + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.3_smt", + "name": "statement", + "prose": "Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:", + "parts": [ + { + "id": "ac-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have expired;" + }, + { + "id": "ac-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Are no longer associated with a user or individual;" + }, + { + "id": "ac-2.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Are in violation of organizational policy; or" + }, + { + "id": "ac-2.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Have been inactive for {{ insert: param, ac-02.03_odp.02 }}." + }, + { + "id": "ac-2.3_fr", + "name": "item", + "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available." + }, + { + "id": "ac-2.3_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines the time period of inactivity for device identifiers." + }, + { + "id": "ac-2.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/." + } + ] + } + ] + }, + { + "id": "ac-2.3_gdn", + "name": "guidance", + "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system." + }, + { + "id": "ac-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;", + "links": [ + { + "href": "#ac-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;", + "links": [ + { + "href": "#ac-2.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;", + "links": [ + { + "href": "#ac-2.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.", + "links": [ + { + "href": "#ac-2.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.4", + "class": "SP800-53-enhancement", + "title": "Automated Audit Actions", + "props": [ + { + "name": "label", + "value": "AC-2(4)" + }, + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.4_smt", + "name": "statement", + "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." + }, + { + "id": "ac-2.4_gdn", + "name": "guidance", + "prose": "Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)." + }, + { + "id": "ac-2.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "account creation is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "account modification is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[03]", + "class": "sp800-53a" + } + ], + "prose": "account enabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[04]", + "class": "sp800-53a" + } + ], + "prose": "account disabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[05]", + "class": "sp800-53a" + } + ], + "prose": "account removal actions are automatically audited.", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.5", + "class": "SP800-53-enhancement", + "title": "Inactivity Logout", + "params": [ + { + "id": "ac-02.05_odp", + "label": "time period of expected inactivity or description of when to log out", + "constraints": [ + { + "description": "inactivity is anticipated to exceed Fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "the time period of expected inactivity or description of when to log out is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(5)" + }, + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#ac-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.5_smt", + "name": "statement", + "prose": "Require that users log out when {{ insert: param, ac-02.05_odp }}.", + "parts": [ + { + "id": "ac-2.5_fr", + "name": "item", + "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Should use a shorter timeframe than AC-12." + } + ] + } + ] + }, + { + "id": "ac-2.5_gdn", + "name": "guidance", + "prose": "Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)." + }, + { + "id": "ac-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.", + "links": [ + { + "href": "#ac-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy" + } + ] + } + ] + }, + { + "id": "ac-2.7", + "class": "SP800-53-enhancement", + "title": "Privileged User Accounts", + "params": [ + { + "id": "ac-02.07_odp", + "select": { + "choice": [ + "a role-based access scheme", + "an attribute-based access scheme" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(7)" + }, + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};" + }, + { + "id": "ac-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor privileged role or attribute assignments;" + }, + { + "id": "ac-2.7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Monitor changes to roles or attributes; and" + }, + { + "id": "ac-2.7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Revoke access when privileged role or attribute assignments are no longer appropriate." + } + ] + }, + { + "id": "ac-2.7_gdn", + "name": "guidance", + "prose": "Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes." + }, + { + "id": "ac-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};", + "links": [ + { + "href": "#ac-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileged role or attribute assignments are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(c)", + "class": "sp800-53a" + } + ], + "prose": "changes to roles or attributes are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(d)", + "class": "sp800-53a" + } + ], + "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.", + "links": [ + { + "href": "#ac-2.7_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments" + } + ] + } + ] + }, + { + "id": "ac-2.9", + "class": "SP800-53-enhancement", + "title": "Restrictions on Use of Shared and Group Accounts", + "params": [ + { + "id": "ac-02.09_odp", + "label": "conditions", + "constraints": [ + { + "description": "organization-defined need with justification statement that explains why such accounts are necessary" + } + ], + "guidelines": [ + { + "prose": "conditions for establishing shared and group accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(9)" + }, + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.9_smt", + "name": "statement", + "prose": "Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.", + "parts": [ + { + "id": "ac-2.9_fr", + "name": "item", + "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Required if shared/group accounts are deployed." + } + ] + } + ] + }, + { + "id": "ac-2.9_gdn", + "name": "guidance", + "prose": "Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts." + }, + { + "id": "ac-2.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + } + ], + "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.", + "links": [ + { + "href": "#ac-2.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of shared/group accounts" + } + ] + } + ] + }, + { + "id": "ac-2.11", + "class": "SP800-53-enhancement", + "title": "Usage Conditions", + "params": [ + { + "id": "ac-02.11_odp.01", + "label": "circumstances and/or usage conditions", + "guidelines": [ + { + "prose": "circumstances and/or usage conditions to be enforced for system accounts are defined;" + } + ] + }, + { + "id": "ac-02.11_odp.02", + "label": "system accounts", + "guidelines": [ + { + "prose": "system accounts subject to enforcement of circumstances and/or usage conditions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(11)" + }, + { + "name": "label", + "value": "AC-02(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.11_smt", + "name": "statement", + "prose": "Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}." + }, + { + "id": "ac-2.11_gdn", + "name": "guidance", + "prose": "Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time." + }, + { + "id": "ac-2.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(11)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.", + "links": [ + { + "href": "#ac-2.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.12", + "class": "SP800-53-enhancement", + "title": "Account Monitoring for Atypical Usage", + "params": [ + { + "id": "ac-02.12_odp.01", + "label": "atypical usage", + "guidelines": [ + { + "prose": "atypical usage for which to monitor system accounts is defined;" + } + ] + }, + { + "id": "ac-02.12_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to report atypical usage is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(12)" + }, + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.12_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and" + }, + { + "id": "ac-2.12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}." + }, + { + "id": "ac-2.12_fr", + "name": "item", + "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Required for privileged accounts." + }, + { + "id": "ac-2.12_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "Required for privileged accounts." + } + ] + } + ] + }, + { + "id": "ac-2.12_gdn", + "name": "guidance", + "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "ac-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(a)", + "class": "sp800-53a" + } + ], + "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ", + "links": [ + { + "href": "#ac-2.12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(b)", + "class": "sp800-53a" + } + ], + "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.", + "links": [ + { + "href": "#ac-2.12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.13", + "class": "SP800-53-enhancement", + "title": "Disable Accounts for High-risk Individuals", + "params": [ + { + "id": "ac-02.13_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;" + } + ] + }, + { + "id": "ac-02.13_odp.02", + "label": "significant risks", + "guidelines": [ + { + "prose": "significant risks leading to disabling accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(13)" + }, + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.13_smt", + "name": "statement", + "prose": "Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}." + }, + { + "id": "ac-2.13_gdn", + "name": "guidance", + "prose": "Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals." + }, + { + "id": "ac-2.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + } + ], + "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.", + "links": [ + { + "href": "#ac-2.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-4", + "class": "SP800-53", + "title": "Information Flow Enforcement", + "params": [ + { + "id": "ac-04_odp", + "label": "information flow control policies", + "guidelines": [ + { + "prose": "information flow control policies within the system and between connected systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4" + }, + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#a2590922-82f3-4277-83c0-ca5bee06dba4", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4_smt", + "name": "statement", + "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}." + }, + { + "id": "ac-4_gdn", + "name": "guidance", + "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)." + }, + { + "id": "ac-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.", + "links": [ + { + "href": "#ac-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ], + "controls": [ + { + "id": "ac-4.4", + "class": "SP800-53-enhancement", + "title": "Flow Control of Encrypted Information", + "params": [ + { + "id": "ac-04.04_odp.01", + "label": "information flow control mechanisms", + "constraints": [ + { + "description": "intrusion detection mechanisms" + } + ], + "guidelines": [ + { + "prose": "information flow control mechanisms that encrypted information is prevented from bypassing are defined;" + } + ] + }, + { + "id": "ac-04.04_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "decrypting the information", + "blocking the flow of the encrypted information", + "terminating communications sessions attempting to pass encrypted information", + " {{ insert: param, ac-04.04_odp.03 }} " + ] + } + }, + { + "id": "ac-04.04_odp.03", + "label": "organization-defined procedure or method", + "guidelines": [ + { + "prose": "the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(4)" + }, + { + "name": "label", + "value": "AC-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.4_smt", + "name": "statement", + "prose": "Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.", + "parts": [ + { + "id": "ac-4.4_fr", + "name": "item", + "title": "AC-4 (4) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-4.4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)." + } + ] + } + ] + }, + { + "id": "ac-4.4_gdn", + "name": "guidance", + "prose": "Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms." + }, + { + "id": "ac-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(04)", + "class": "sp800-53a" + } + ], + "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.", + "links": [ + { + "href": "#ac-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ] + }, + { + "id": "ac-4.21", + "class": "SP800-53-enhancement", + "title": "Physical or Logical Separation of Information Flows", + "params": [ + { + "id": "ac-4.21_prm_1", + "label": "organization-defined mechanisms and/or techniques" + }, + { + "id": "ac-04.21_odp.01", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to logically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.02", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to physically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.03", + "label": "required separations", + "guidelines": [ + { + "prose": "required separations by types of information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(21)" + }, + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#sc-32", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.21_smt", + "name": "statement", + "prose": "Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}." + }, + { + "id": "ac-4.21_gdn", + "name": "guidance", + "prose": "Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels." + }, + { + "id": "ac-4.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-4.21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[01]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[02]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-5", + "class": "SP800-53", + "title": "Separation of Duties", + "params": [ + { + "id": "ac-05_odp", + "label": "duties of individuals", + "guidelines": [ + { + "prose": "duties of individuals requiring separation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-5" + }, + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-5_smt", + "name": "statement", + "parts": [ + { + "id": "ac-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document {{ insert: param, ac-05_odp }} ; and" + }, + { + "id": "ac-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define system access authorizations to support separation of duties." + }, + { + "id": "ac-5_fr", + "name": "item", + "title": "AC-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs have the option to provide a separation of duties matrix as an attachment to the SSP." + } + ] + } + ] + }, + { + "id": "ac-5_gdn", + "name": "guidance", + "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)." + }, + { + "id": "ac-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-05_odp }} are identified and documented;", + "links": [ + { + "href": "#ac-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05b.", + "class": "sp800-53a" + } + ], + "prose": "system access authorizations to support separation of duties are defined.", + "links": [ + { + "href": "#ac-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing separation of duties policy" + } + ] + } + ] + }, + { + "id": "ac-6", + "class": "SP800-53", + "title": "Least Privilege", + "props": [ + { + "name": "label", + "value": "AC-6" + }, + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6_smt", + "name": "statement", + "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." + }, + { + "id": "ac-6_gdn", + "name": "guidance", + "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." + }, + { + "id": "ac-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + } + ], + "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", + "links": [ + { + "href": "#ac-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ], + "controls": [ + { + "id": "ac-6.1", + "class": "SP800-53-enhancement", + "title": "Authorize Access to Security Functions", + "params": [ + { + "id": "ac-6.1_prm_2", + "label": "organization-defined security functions (deployed in hardware, software, and firmware)", + "constraints": [ + { + "description": "all functions not publicly accessible" + } + ] + }, + { + "id": "ac-06.01_odp.01", + "label": "individuals and roles", + "guidelines": [ + { + "prose": "individuals and roles with authorized access to security functions and security-relevant information are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.02", + "label": "security functions (deployed in hardware)", + "guidelines": [ + { + "prose": "security functions (deployed in hardware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.03", + "label": "security functions (deployed in software)", + "guidelines": [ + { + "prose": "security functions (deployed in software) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.04", + "label": "security functions (deployed in firmware)", + "guidelines": [ + { + "prose": "security functions (deployed in firmware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.05", + "label": "security-relevant information", + "constraints": [ + { + "description": "all security-relevant information not publicly available" + } + ], + "guidelines": [ + { + "prose": "security-relevant information for authorized access is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(1)" + }, + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.1_smt", + "name": "statement", + "prose": "Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:", + "parts": [ + { + "id": "ac-6.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": " {{ insert: param, ac-6.1_prm_2 }} ; and" + }, + { + "id": "ac-6.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, ac-06.01_odp.05 }}." + } + ] + }, + { + "id": "ac-6.1_gdn", + "name": "guidance", + "prose": "Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." + }, + { + "id": "ac-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.", + "links": [ + { + "href": "#ac-6.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.2", + "class": "SP800-53-enhancement", + "title": "Non-privileged Access for Nonsecurity Functions", + "params": [ + { + "id": "ac-06.02_odp", + "label": "security functions or security-relevant information", + "constraints": [ + { + "description": "all security functions" + } + ], + "guidelines": [ + { + "prose": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(2)" + }, + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.2_smt", + "name": "statement", + "prose": "Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.", + "parts": [ + { + "id": "ac-6.2_fr", + "name": "item", + "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-6.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions." + } + ] + } + ] + }, + { + "id": "ac-6.2_gdn", + "name": "guidance", + "prose": "Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." + }, + { + "id": "ac-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + } + ], + "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.", + "links": [ + { + "href": "#ac-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.3", + "class": "SP800-53-enhancement", + "title": "Network Access to Privileged Commands", + "params": [ + { + "id": "ac-06.03_odp.01", + "label": "privileged commands", + "constraints": [ + { + "description": "all privileged commands" + } + ], + "guidelines": [ + { + "prose": "privileged commands to which network access is to be authorized only for compelling operational needs are defined;" + } + ] + }, + { + "id": "ac-06.03_odp.02", + "label": "compelling operational needs", + "guidelines": [ + { + "prose": "compelling operational needs necessitating network access to privileged commands are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(3)" + }, + { + "name": "label", + "value": "AC-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.3_smt", + "name": "statement", + "prose": "Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system." + }, + { + "id": "ac-6.3_gdn", + "name": "guidance", + "prose": "Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)." + }, + { + "id": "ac-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};", + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.5", + "class": "SP800-53-enhancement", + "title": "Privileged Accounts", + "params": [ + { + "id": "ac-06.05_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to which privileged accounts on the system are to be restricted is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(5)" + }, + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.5_smt", + "name": "statement", + "prose": "Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}." + }, + { + "id": "ac-6.5_gdn", + "name": "guidance", + "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk." + }, + { + "id": "ac-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.", + "links": [ + { + "href": "#ac-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.7", + "class": "SP800-53-enhancement", + "title": "Review of User Privileges", + "params": [ + { + "id": "ac-06.07_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at a minimum, annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the privileges assigned to roles or classes of users is defined;" + } + ] + }, + { + "id": "ac-06.07_odp.02", + "label": "roles and classes", + "constraints": [ + { + "description": "all users with privileges" + } + ], + "guidelines": [ + { + "prose": "roles or classes of users to which privileges are assigned are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(7)" + }, + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-6.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and" + }, + { + "id": "ac-6.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." + } + ] + }, + { + "id": "ac-6.7_gdn", + "name": "guidance", + "prose": "The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." + }, + { + "id": "ac-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;", + "links": [ + { + "href": "#ac-6.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.", + "links": [ + { + "href": "#ac-6.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing review of user privileges" + } + ] + } + ] + }, + { + "id": "ac-6.8", + "class": "SP800-53-enhancement", + "title": "Privilege Levels for Code Execution", + "params": [ + { + "id": "ac-06.08_odp", + "label": "software", + "constraints": [ + { + "description": "any software except software explicitly documented" + } + ], + "guidelines": [ + { + "prose": "software to be prevented from executing at higher privilege levels than users executing the software is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(8)" + }, + { + "name": "label", + "value": "AC-06(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.8_smt", + "name": "statement", + "prose": "Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}." + }, + { + "id": "ac-6.8_gdn", + "name": "guidance", + "prose": "In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned." + }, + { + "id": "ac-6.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.", + "links": [ + { + "href": "#ac-6.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users executing software\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for software execution" + } + ] + } + ] + }, + { + "id": "ac-6.9", + "class": "SP800-53-enhancement", + "title": "Log Use of Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(9)" + }, + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.9_smt", + "name": "statement", + "prose": "Log the execution of privileged functions." + }, + { + "id": "ac-6.9_gdn", + "name": "guidance", + "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat." + }, + { + "id": "ac-6.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged functions is logged.", + "links": [ + { + "href": "#ac-6.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms auditing the execution of least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.10", + "class": "SP800-53-enhancement", + "title": "Prohibit Non-privileged Users from Executing Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(10)" + }, + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.10_smt", + "name": "statement", + "prose": "Prevent non-privileged users from executing privileged functions." + }, + { + "id": "ac-6.10_gdn", + "name": "guidance", + "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)." + }, + { + "id": "ac-6.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + } + ], + "prose": "non-privileged users are prevented from executing privileged functions.", + "links": [ + { + "href": "#ac-6.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for non-privileged users" + } + ] + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B." + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-10", + "class": "SP800-53", + "title": "Concurrent Session Control", + "params": [ + { + "id": "ac-10_odp.01", + "label": "account and/or account types", + "guidelines": [ + { + "prose": "accounts and/or account types for which to limit the number of concurrent sessions is defined;" + } + ] + }, + { + "id": "ac-10_odp.02", + "label": "number", + "constraints": [ + { + "description": "three (3) sessions for privileged access and two (2) sessions for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the number of concurrent sessions to be allowed for each account and/or account type is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-10" + }, + { + "name": "label", + "value": "AC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-10_smt", + "name": "statement", + "prose": "Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}." + }, + { + "id": "ac-10_gdn", + "name": "guidance", + "prose": "Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts." + }, + { + "id": "ac-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-10", + "class": "sp800-53a" + } + ], + "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.", + "links": [ + { + "href": "#ac-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for concurrent session control" + } + ] + } + ] + }, + { + "id": "ac-11", + "class": "SP800-53", + "title": "Device Lock", + "params": [ + { + "id": "ac-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { + "id": "ac-11_odp.02", + "label": "time period", + "constraints": [ + { + "description": "fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "time period of inactivity after which a device lock is initiated is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-11" + }, + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-11_smt", + "name": "statement", + "parts": [ + { + "id": "ac-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and" + }, + { + "id": "ac-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." + } + ] + }, + { + "id": "ac-11_gdn", + "name": "guidance", + "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays." + }, + { + "id": "ac-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11a.", + "class": "sp800-53a" + } + ], + "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};", + "links": [ + { + "href": "#ac-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11b.", + "class": "sp800-53a" + } + ], + "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.", + "links": [ + { + "href": "#ac-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for session lock" + } + ] + } + ], + "controls": [ + { + "id": "ac-11.1", + "class": "SP800-53-enhancement", + "title": "Pattern-hiding Displays", + "props": [ + { + "name": "label", + "value": "AC-11(1)" + }, + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-11.1_smt", + "name": "statement", + "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." + }, + { + "id": "ac-11.1_gdn", + "name": "guidance", + "prose": "The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed." + }, + { + "id": "ac-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + } + ], + "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.", + "links": [ + { + "href": "#ac-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System session lock mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "ac-12", + "class": "SP800-53", + "title": "Session Termination", + "params": [ + { + "id": "ac-12_odp", + "label": "conditions or trigger events", + "guidelines": [ + { + "prose": "conditions or trigger events requiring session disconnect are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-12" + }, + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-12_smt", + "name": "statement", + "prose": "Automatically terminate a user session after {{ insert: param, ac-12_odp }}." + }, + { + "id": "ac-12_gdn", + "name": "guidance", + "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." + }, + { + "id": "ac-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + } + ], + "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.", + "links": [ + { + "href": "#ac-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing user session termination" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-17.1", + "class": "SP800-53-enhancement", + "title": "Monitoring and Control", + "props": [ + { + "name": "label", + "value": "AC-17(1)" + }, + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.1_smt", + "name": "statement", + "prose": "Employ automated mechanisms to monitor and control remote access methods." + }, + { + "id": "ac-17.1_gdn", + "name": "guidance", + "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." + }, + { + "id": "ac-17.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to monitor remote access methods;", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to control remote access methods.", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms monitoring and controlling remote access methods" + } + ] + } + ] + }, + { + "id": "ac-17.2", + "class": "SP800-53-enhancement", + "title": "Protection of Confidentiality and Integrity Using Encryption", + "props": [ + { + "name": "label", + "value": "AC-17(2)" + }, + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.2_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." + }, + { + "id": "ac-17.2_gdn", + "name": "guidance", + "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." + }, + { + "id": "ac-17.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.", + "links": [ + { + "href": "#ac-17.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions" + } + ] + } + ] + }, + { + "id": "ac-17.3", + "class": "SP800-53-enhancement", + "title": "Managed Access Control Points", + "props": [ + { + "name": "label", + "value": "AC-17(3)" + }, + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.3_smt", + "name": "statement", + "prose": "Route remote accesses through authorized and managed network access control points." + }, + { + "id": "ac-17.3_gdn", + "name": "guidance", + "prose": "Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces." + }, + { + "id": "ac-17.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + } + ], + "prose": "remote accesses are routed through authorized and managed network access control points.", + "links": [ + { + "href": "#ac-17.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms routing all remote accesses through managed network access control points" + } + ] + } + ] + }, + { + "id": "ac-17.4", + "class": "SP800-53-enhancement", + "title": "Privileged Commands and Access", + "params": [ + { + "id": "ac-17.4_prm_1", + "label": "organization-defined needs" + }, + { + "id": "ac-17.04_odp.01", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring execution of privileged commands via remote access are defined;" + } + ] + }, + { + "id": "ac-17.04_odp.02", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring access to security-relevant information via remote access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-17(4)" + }, + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.4_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + }, + { + "id": "ac-17.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document the rationale for remote access in the security plan for the system." + } + ] + }, + { + "id": "ac-17.4_gdn", + "name": "guidance", + "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." + }, + { + "id": "ac-17.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rationale for remote access is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-17.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing remote access management" + } + ] + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-18.1", + "class": "SP800-53-enhancement", + "title": "Authentication and Encryption", + "params": [ + { + "id": "ac-18.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "users", + "devices" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-18(1)" + }, + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.1_smt", + "name": "statement", + "prose": "Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption." + }, + { + "id": "ac-18.1_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using encryption.", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-18.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing wireless access protections to the system" + } + ] + } + ] + }, + { + "id": "ac-18.3", + "class": "SP800-53-enhancement", + "title": "Disable Wireless Networking", + "props": [ + { + "name": "label", + "value": "AC-18(3)" + }, + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-18.3_smt", + "name": "statement", + "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." + }, + { + "id": "ac-18.3_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + } + ], + "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.", + "links": [ + { + "href": "#ac-18.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components" + } + ] + } + ] + }, + { + "id": "ac-18.4", + "class": "SP800-53-enhancement", + "title": "Restrict Configurations by Users", + "props": [ + { + "name": "label", + "value": "AC-18(4)" + }, + { + "name": "label", + "value": "AC-18(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.4_smt", + "name": "statement", + "prose": "Identify and explicitly authorize users allowed to independently configure wireless networking capabilities." + }, + { + "id": "ac-18.4_gdn", + "name": "guidance", + "prose": "Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems." + }, + { + "id": "ac-18.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "users allowed to independently configure wireless networking capabilities are identified;", + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized.", + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms authorizing independent user configuration of wireless networking capabilities" + } + ] + } + ] + }, + { + "id": "ac-18.5", + "class": "SP800-53-enhancement", + "title": "Antennas and Transmission Power Levels", + "props": [ + { + "name": "label", + "value": "AC-18(5)" + }, + { + "name": "label", + "value": "AC-18(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#pe-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.5_smt", + "name": "statement", + "prose": "Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries." + }, + { + "id": "ac-18.5_gdn", + "name": "guidance", + "prose": "Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area." + }, + { + "id": "ac-18.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;", + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.", + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries" + } + ] + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ], + "controls": [ + { + "id": "ac-19.5", + "class": "SP800-53-enhancement", + "title": "Full Device or Container-based Encryption", + "params": [ + { + "id": "ac-19.05_odp.01", + "select": { + "choice": [ + "full-device encryption", + "container-based encryption" + ] + } + }, + { + "id": "ac-19.05_odp.02", + "label": "mobile devices", + "guidelines": [ + { + "prose": "mobile devices on which to employ encryption are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-19(5)" + }, + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-19", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19.5_smt", + "name": "statement", + "prose": "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}." + }, + { + "id": "ac-19.5_gdn", + "name": "guidance", + "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." + }, + { + "id": "ac-19.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.", + "links": [ + { + "href": "#ac-19.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities for mobile devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Encryption mechanisms protecting confidentiality and integrity of information on mobile devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ], + "controls": [ + { + "id": "ac-20.1", + "class": "SP800-53-enhancement", + "title": "Limits on Authorized Use", + "props": [ + { + "name": "label", + "value": "AC-20(1)" + }, + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.1_smt", + "name": "statement", + "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", + "parts": [ + { + "id": "ac-20.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or" + }, + { + "id": "ac-20.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." + } + ] + }, + { + "id": "ac-20.1_gdn", + "name": "guidance", + "prose": "Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." + }, + { + "id": "ac-20.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);", + "links": [ + { + "href": "#ac-20.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).", + "links": [ + { + "href": "#ac-20.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing limits on use of external systems" + } + ] + } + ] + }, + { + "id": "ac-20.2", + "class": "SP800-53-enhancement", + "title": "Portable Storage Devices — Restricted Use", + "params": [ + { + "id": "ac-20.02_odp", + "label": "restrictions", + "guidelines": [ + { + "prose": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20(2)" + }, + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.2_smt", + "name": "statement", + "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}." + }, + { + "id": "ac-20.2_gdn", + "name": "guidance", + "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." + }, + { + "id": "ac-20.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + } + ], + "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.", + "links": [ + { + "href": "#ac-20.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on the use of portable storage devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-21", + "class": "SP800-53", + "title": "Information Sharing", + "params": [ + { + "id": "ac-21_odp.01", + "label": "information-sharing circumstances", + "guidelines": [ + { + "prose": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;" + } + ] + }, + { + "id": "ac-21_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-21" + }, + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-21_smt", + "name": "statement", + "parts": [ + { + "id": "ac-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and" + }, + { + "id": "ac-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions." + } + ] + }, + { + "id": "ac-21_gdn", + "name": "guidance", + "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions." + }, + { + "id": "ac-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21a.", + "class": "sp800-53a" + } + ], + "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};", + "links": [ + { + "href": "#ac-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.", + "links": [ + { + "href": "#ac-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information-sharing/collaboration decisions\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2.3", + "class": "SP800-53-enhancement", + "title": "Social Engineering and Mining", + "props": [ + { + "name": "label", + "value": "AT-2(3)" + }, + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "at-2.3_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining." + }, + { + "id": "at-2.3_gdn", + "name": "guidance", + "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." + }, + { + "id": "at-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[03]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social mining is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[04]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social mining is provided.", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "five (5) years or 5 years after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ], + "controls": [ + { + "id": "au-3.1", + "class": "SP800-53-enhancement", + "title": "Additional Audit Information", + "params": [ + { + "id": "au-03.01_odp", + "label": "additional information", + "constraints": [ + { + "description": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands" + } + ], + "guidelines": [ + { + "prose": "additional information to be included in audit records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-3(1)" + }, + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-3.1_smt", + "name": "statement", + "prose": "Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.", + "parts": [ + { + "id": "au-3.1_fr", + "name": "item", + "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-3.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry." + } + ] + } + ] + }, + { + "id": "au-3.1_gdn", + "name": "guidance", + "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy." + }, + { + "id": "au-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + } + ], + "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.", + "links": [ + { + "href": "#au-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "system audit capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ], + "controls": [ + { + "id": "au-5.1", + "class": "SP800-53-enhancement", + "title": "Storage Capacity Warning", + "params": [ + { + "id": "au-05.01_odp.01", + "label": "personnel, roles, and/or locations", + "guidelines": [ + { + "prose": "personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity." + } + ] + }, + { + "id": "au-05.01_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;" + } + ] + }, + { + "id": "au-05.01_odp.03", + "label": "percentage", + "constraints": [ + { + "description": "75%, or one month before expected negative impact" + } + ], + "guidelines": [ + { + "prose": "percentage of repository maximum audit log storage capacity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5(1)" + }, + { + "name": "label", + "value": "AU-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-5.1_smt", + "name": "statement", + "prose": "Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity." + }, + { + "id": "au-5.1_gdn", + "name": "guidance", + "prose": "Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities." + }, + { + "id": "au-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05(01)", + "class": "sp800-53a" + } + ], + "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.", + "links": [ + { + "href": "#au-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit storage limit warnings" + } + ] + } + ] + }, + { + "id": "au-5.2", + "class": "SP800-53-enhancement", + "title": "Real-time Alerts", + "params": [ + { + "id": "au-05.02_odp.01", + "label": "real-time period", + "constraints": [ + { + "description": "real-time" + } + ], + "guidelines": [ + { + "prose": "real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;" + } + ] + }, + { + "id": "au-05.02_odp.02", + "label": "personnel, roles, and/or locations", + "constraints": [ + { + "description": "service provider personnel with authority to address failed audit events" + } + ], + "guidelines": [ + { + "prose": "personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;" + } + ] + }, + { + "id": "au-05.02_odp.03", + "label": "audit logging failure events requiring real-time alerts", + "constraints": [ + { + "description": "audit failure events requiring real-time alerts, as defined by organization audit policy" + } + ], + "guidelines": [ + { + "prose": "audit logging failure events requiring real-time alerts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5(2)" + }, + { + "name": "label", + "value": "AU-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-5.2_smt", + "name": "statement", + "prose": "Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}." + }, + { + "id": "au-5.2_gdn", + "name": "guidance", + "prose": "Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)." + }, + { + "id": "au-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05(02)", + "class": "sp800-53a" + } + ], + "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.", + "links": [ + { + "href": "#au-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "au-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Process Integration", + "params": [ + { + "id": "au-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(1)" + }, + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#pm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.1_smt", + "name": "statement", + "prose": "Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}." + }, + { + "id": "au-6.1_gdn", + "name": "guidance", + "prose": "Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." + }, + { + "id": "au-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + } + ], + "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.", + "links": [ + { + "href": "#au-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms integrating audit review, analysis, and reporting processes" + } + ] + } + ] + }, + { + "id": "au-6.3", + "class": "SP800-53-enhancement", + "title": "Correlate Audit Record Repositories", + "props": [ + { + "name": "label", + "value": "AU-6(3)" + }, + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.3_smt", + "name": "statement", + "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." + }, + { + "id": "au-6.3_gdn", + "name": "guidance", + "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." + }, + { + "id": "au-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + } + ], + "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.", + "links": [ + { + "href": "#au-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the analysis and correlation of audit records" + } + ] + } + ] + }, + { + "id": "au-6.4", + "class": "SP800-53-enhancement", + "title": "Central Review and Analysis", + "props": [ + { + "name": "label", + "value": "AU-6(4)" + }, + { + "name": "label", + "value": "AU-06(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.4_smt", + "name": "statement", + "prose": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system." + }, + { + "id": "au-6.4_gdn", + "name": "guidance", + "prose": "Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products." + }, + { + "id": "au-6.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to centrally review and analyze audit records from multiple components within the system is provided;", + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to centrally review and analyze audit records from multiple components within the system is implemented.", + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-6.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System capability to centralize review and analysis of audit records" + } + ] + } + ] + }, + { + "id": "au-6.5", + "class": "SP800-53-enhancement", + "title": "Integrated Analysis of Audit Records", + "params": [ + { + "id": "au-06.05_odp.01", + "constraints": [ + { + "description": "vulnerability scanning information; performance data; information system monitoring information; penetration test data; {{ insert: param, au-06.05_odp.02 }} " + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "vulnerability scanning information", + "performance data", + "system monitoring information", + " {{ insert: param, au-06.05_odp.02 }} " + ] + } + }, + { + "id": "au-06.05_odp.02", + "label": "data/information collected from other sources", + "guidelines": [ + { + "prose": "data/information collected from other sources to be analyzed is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(5)" + }, + { + "name": "label", + "value": "AU-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.5_smt", + "name": "statement", + "prose": "Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity." + }, + { + "id": "au-6.5_gdn", + "name": "guidance", + "prose": "Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations." + }, + { + "id": "au-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(05)", + "class": "sp800-53a" + } + ], + "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.", + "links": [ + { + "href": "#au-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources" + } + ] + } + ] + }, + { + "id": "au-6.6", + "class": "SP800-53-enhancement", + "title": "Correlation with Physical Monitoring", + "props": [ + { + "name": "label", + "value": "AU-6(6)" + }, + { + "name": "label", + "value": "AU-06(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-6.6_smt", + "name": "statement", + "prose": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", + "parts": [ + { + "id": "au-6.6_fr", + "name": "item", + "title": "AU-6 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6.6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-6.6_gdn", + "name": "guidance", + "prose": "The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations." + }, + { + "id": "au-6.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(06)", + "class": "sp800-53a" + } + ], + "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", + "links": [ + { + "href": "#au-6.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access" + } + ] + } + ] + }, + { + "id": "au-6.7", + "class": "SP800-53-enhancement", + "title": "Permitted Actions", + "params": [ + { + "id": "au-06.07_odp", + "constraints": [ + { + "description": "information system process; role; user" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "system process", + "role", + "user" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(7)" + }, + { + "name": "label", + "value": "AU-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-6.7_smt", + "name": "statement", + "prose": "Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information." + }, + { + "id": "au-6.7_gdn", + "name": "guidance", + "prose": "Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete." + }, + { + "id": "au-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(07)", + "class": "sp800-53a" + } + ], + "prose": "the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.", + "links": [ + { + "href": "#au-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information" + } + ] + } + ] + } + ] + }, + { + "id": "au-7", + "class": "SP800-53", + "title": "Audit Record Reduction and Report Generation", + "props": [ + { + "name": "label", + "value": "AU-7" + }, + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-7_smt", + "name": "statement", + "prose": "Provide and implement an audit record reduction and report generation capability that:", + "parts": [ + { + "id": "au-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" + }, + { + "id": "au-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Does not alter the original content or time ordering of audit records." + } + ] + }, + { + "id": "au-7_gdn", + "name": "guidance", + "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." + }, + { + "id": "au-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-7.1", + "class": "SP800-53-enhancement", + "title": "Automatic Processing", + "params": [ + { + "id": "au-07.01_odp", + "label": "fields within audit records", + "guidelines": [ + { + "prose": "fields within audit records that can be processed, sorted, or searched are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-7(1)" + }, + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-7.1_smt", + "name": "statement", + "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}." + }, + { + "id": "au-7.1_gdn", + "name": "guidance", + "prose": "Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component." + }, + { + "id": "au-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ], + "controls": [ + { + "id": "au-9.2", + "class": "SP800-53-enhancement", + "title": "Store on Separate Physical Systems or Components", + "params": [ + { + "id": "au-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency of storing audit records in a repository is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(2)" + }, + { + "name": "label", + "value": "AU-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.2_smt", + "name": "statement", + "prose": "Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited." + }, + { + "id": "au-9.2_gdn", + "name": "guidance", + "prose": "Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records." + }, + { + "id": "au-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(02)", + "class": "sp800-53a" + } + ], + "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.", + "links": [ + { + "href": "#au-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing the backing up of audit records" + } + ] + } + ] + }, + { + "id": "au-9.3", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "props": [ + { + "name": "label", + "value": "AU-9(3)" + }, + { + "name": "label", + "value": "AU-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.3_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.", + "parts": [ + { + "id": "au-9.3_fr", + "name": "item", + "title": "AU-9 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-9.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "au-9.3_gdn", + "name": "guidance", + "prose": "Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash." + }, + { + "id": "au-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(03)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.", + "links": [ + { + "href": "#au-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting the integrity of audit information and tools" + } + ] + } + ] + }, + { + "id": "au-9.4", + "class": "SP800-53-enhancement", + "title": "Access by Subset of Privileged Users", + "params": [ + { + "id": "au-09.04_odp", + "label": "subset of privileged users or roles", + "guidelines": [ + { + "prose": "a subset of privileged users or roles authorized to access management of audit logging functionality is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(4)" + }, + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.4_smt", + "name": "statement", + "prose": "Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}." + }, + { + "id": "au-9.4_gdn", + "name": "guidance", + "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges." + }, + { + "id": "au-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + } + ], + "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.", + "links": [ + { + "href": "#au-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing access to audit functionality" + } + ] + } + ] + } + ] + }, + { + "id": "au-10", + "class": "SP800-53", + "title": "Non-repudiation", + "params": [ + { + "id": "au-10_odp", + "label": "actions", + "constraints": [ + { + "description": "minimum actions including the addition, modification, deletion, approval, sending, or receiving of data" + } + ], + "guidelines": [ + { + "prose": "actions to be covered by non-repudiation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-10" + }, + { + "name": "label", + "value": "AU-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-10_smt", + "name": "statement", + "prose": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}." + }, + { + "id": "au-10_gdn", + "name": "guidance", + "prose": "Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts." + }, + { + "id": "au-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-10", + "class": "sp800-53a" + } + ], + "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.", + "links": [ + { + "href": "#au-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing non-repudiation capability" + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-12.1", + "class": "SP800-53-enhancement", + "title": "System-wide and Time-correlated Audit Trail", + "params": [ + { + "id": "au-12.01_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;" + } + ] + }, + { + "id": "au-12.01_odp.02", + "label": "level of tolerance", + "guidelines": [ + { + "prose": "level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12(1)" + }, + { + "name": "label", + "value": "AU-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-12", + "rel": "required" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12.1_smt", + "name": "statement", + "prose": "Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}." + }, + { + "id": "au-12.1_gdn", + "name": "guidance", + "prose": "Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances." + }, + { + "id": "au-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(01)", + "class": "sp800-53a" + } + ], + "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.", + "links": [ + { + "href": "#au-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + }, + { + "id": "au-12.3", + "class": "SP800-53-enhancement", + "title": "Changes by Authorized Individuals", + "params": [ + { + "id": "au-12.03_odp.01", + "label": "individuals or roles", + "constraints": [ + { + "description": "service provider-defined individuals or roles with audit configuration responsibilities" + } + ], + "guidelines": [ + { + "prose": "individuals or roles authorized to change the logging on system components are defined;" + } + ] + }, + { + "id": "au-12.03_odp.02", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components on which logging is to be performed are defined;" + } + ] + }, + { + "id": "au-12.03_odp.03", + "label": "selectable event criteria", + "guidelines": [ + { + "prose": "selectable event criteria with which change logging is to be performed are defined;" + } + ] + }, + { + "id": "au-12.03_odp.04", + "label": "time thresholds", + "guidelines": [ + { + "prose": "time thresholds in which logging actions are to change is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12(3)" + }, + { + "name": "label", + "value": "AU-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-12", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12.3_smt", + "name": "statement", + "prose": "Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}." + }, + { + "id": "au-12.3_gdn", + "name": "guidance", + "prose": "Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)." + }, + { + "id": "au-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;", + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.", + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments.", + "parts": [ + { + "id": "ca-2.1_fr", + "name": "item", + "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB Authorization, must use an accredited 3PAO." + } + ] + } + ] + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2.2", + "class": "SP800-53-enhancement", + "title": "Specialized Assessments", + "params": [ + { + "id": "ca-02.02_odp.01", + "label": "specialized assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to include specialized assessments as part of the control assessment is defined;" + } + ] + }, + { + "id": "ca-02.02_odp.02", + "select": { + "choice": [ + "announced", + "unannounced" + ] + } + }, + { + "id": "ca-02.02_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-depth monitoring", + "security instrumentation", + "automated security test cases", + "vulnerability scanning", + "malicious user testing", + "insider threat assessment", + "performance and load testing", + "data leakage or data loss assessment", + " {{ insert: param, ca-02.02_odp.04 }} " + ] + } + }, + { + "id": "ca-02.02_odp.04", + "label": "other forms of assessment", + "guidelines": [ + { + "prose": "other forms of assessment are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(2)" + }, + { + "name": "label", + "value": "CA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.2_smt", + "name": "statement", + "prose": "Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}.", + "parts": [ + { + "id": "ca-2.2_fr", + "name": "item", + "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "To include 'announced', 'vulnerability scanning'" + } + ] + } + ] + }, + { + "id": "ca-2.2_gdn", + "name": "guidance", + "prose": "Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)." + }, + { + "id": "ca-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.", + "links": [ + { + "href": "#ca-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment" + } + ] + } + ] + }, + { + "id": "ca-2.3", + "class": "SP800-53-enhancement", + "title": "Leveraging Results from External Organizations", + "params": [ + { + "id": "ca-02.03_odp.01", + "label": "external organization(s)", + "constraints": [ + { + "description": "any FedRAMP Accredited 3PAO" + } + ], + "guidelines": [ + { + "prose": "external organization(s) from which the results of control assessments are leveraged are defined;" + } + ] + }, + { + "id": "ca-02.03_odp.02", + "label": "system", + "guidelines": [ + { + "prose": "system on which a control assessment was performed by an external organization is defined;" + } + ] + }, + { + "id": "ca-02.03_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "the conditions of the JAB/AO in the FedRAMP Repository" + } + ], + "guidelines": [ + { + "prose": "requirements to be met by the control assessment performed by an external organization on the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(3)" + }, + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#sa-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.3_smt", + "name": "statement", + "prose": "Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}." + }, + { + "id": "ca-2.3_gdn", + "name": "guidance", + "prose": "Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage." + }, + { + "id": "ca-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.", + "links": [ + { + "href": "#ca-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ], + "controls": [ + { + "id": "ca-3.6", + "class": "SP800-53-enhancement", + "title": "Transfer Authorizations", + "props": [ + { + "name": "label", + "value": "CA-3(6)" + }, + { + "name": "label", + "value": "CA-03(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-3", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3.6_smt", + "name": "statement", + "prose": "Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data." + }, + { + "id": "ca-3.6_gdn", + "name": "guidance", + "prose": "To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)." + }, + { + "id": "ca-3.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03(06)", + "class": "sp800-53a" + } + ], + "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.", + "links": [ + { + "href": "#ca-3.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-3.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-03(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on external system connections" + } + ] + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessment", + "props": [ + { + "name": "label", + "value": "CA-7(1)" + }, + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." + }, + { + "id": "ca-7.1_gdn", + "name": "guidance", + "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services." + }, + { + "id": "ca-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.", + "links": [ + { + "href": "#ca-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ], + "controls": [ + { + "id": "ca-8.1", + "class": "SP800-53-enhancement", + "title": "Independent Penetration Testing Agent or Team", + "props": [ + { + "name": "label", + "value": "CA-8(1)" + }, + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8.1_smt", + "name": "statement", + "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." + }, + { + "id": "ca-8.1_gdn", + "name": "guidance", + "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing." + }, + { + "id": "ca-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + } + ], + "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.", + "links": [ + { + "href": "#ca-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-8.2", + "class": "SP800-53-enhancement", + "title": "Red Team Exercises", + "params": [ + { + "id": "ca-08.02_odp", + "label": "red team exercises", + "guidelines": [ + { + "prose": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8(2)" + }, + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-8.2_smt", + "name": "statement", + "prose": "Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}.", + "parts": [ + { + "id": "ca-8.2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Penetration Test Guidance\n\nhttps://www.FedRAMP.gov/documents/" + } + ] + } + ] + }, + { + "id": "ca-8.2_gdn", + "name": "guidance", + "prose": "Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness." + }, + { + "id": "ca-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.", + "links": [ + { + "href": "#ca-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the employment of red team exercises" + } + ] + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b)(1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ], + "controls": [ + { + "id": "cm-2.2", + "class": "SP800-53-enhancement", + "title": "Automation Support for Accuracy and Currency", + "params": [ + { + "id": "cm-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms for maintaining baseline configuration of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(2)" + }, + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}." + }, + { + "id": "cm-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance" + } + ] + } + ] + }, + { + "id": "cm-2.3", + "class": "SP800-53-enhancement", + "title": "Retention of Previous Configurations", + "params": [ + { + "id": "cm-02.03_odp", + "label": "number", + "constraints": [ + { + "description": "organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components" + } + ], + "guidelines": [ + { + "prose": "the number of previous baseline configuration versions to be retained is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(3)" + }, + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-2.3_smt", + "name": "statement", + "prose": "Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback." + }, + { + "id": "cm-2.3_gdn", + "name": "guidance", + "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation." + }, + { + "id": "cm-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.", + "links": [ + { + "href": "#cm-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + }, + { + "id": "cm-2.7", + "class": "SP800-53-enhancement", + "title": "Configure Systems and Components for High-risk Areas", + "params": [ + { + "id": "cm-02.07_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "the systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.02", + "label": "configurations", + "guidelines": [ + { + "prose": "configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "the controls to be applied when the individuals return from travel are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(7)" + }, + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and" + }, + { + "id": "cm-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}." + } + ] + }, + { + "id": "cm-2.7_gdn", + "name": "guidance", + "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family." + }, + { + "id": "cm-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;", + "links": [ + { + "href": "#cm-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.", + "links": [ + { + "href": "#cm-2.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + } + ] + }, + { + "id": "cm-3", + "class": "SP800-53", + "title": "Configuration Change Control", + "params": [ + { + "id": "cm-03_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to retain records of configuration-controlled changes is defined;" + } + ] + }, + { + "id": "cm-03_odp.02", + "label": "configuration change control element", + "guidelines": [ + { + "prose": "the configuration change control element responsible for coordinating and overseeing change control activities is defined;" + } + ] + }, + { + "id": "cm-03_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-03_odp.04 }} ", + "when {{ insert: param, cm-03_odp.05 }} " + ] + } + }, + { + "id": "cm-03_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which the configuration control element convenes is defined (if selected);" + } + ] + }, + { + "id": "cm-03_odp.05", + "label": "configuration change conditions", + "guidelines": [ + { + "prose": "configuration change conditions that prompt the configuration control element to convene are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3" + }, + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pt-6", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the types of changes to the system that are configuration-controlled;" + }, + { + "id": "cm-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" + }, + { + "id": "cm-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document configuration change decisions associated with the system;" + }, + { + "id": "cm-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement approved configuration-controlled changes to the system;" + }, + { + "id": "cm-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};" + }, + { + "id": "cm-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" + }, + { + "id": "cm-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}." + }, + { + "id": "cm-3_fr", + "name": "item", + "title": "CM-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO." + }, + { + "id": "cm-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "In accordance with record retention policies and procedures." + } + ] + } + ] + }, + { + "id": "cm-3_gdn", + "name": "guidance", + "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)." + }, + { + "id": "cm-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03a.", + "class": "sp800-53a" + } + ], + "prose": "the types of changes to the system that are configuration-controlled are determined and documented;", + "links": [ + { + "href": "#cm-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03c.", + "class": "sp800-53a" + } + ], + "prose": "configuration change decisions associated with the system are documented;", + "links": [ + { + "href": "#cm-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03d.", + "class": "sp800-53a" + } + ], + "prose": "approved configuration-controlled changes to the system are implemented;", + "links": [ + { + "href": "#cm-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03e.", + "class": "sp800-53a" + } + ], + "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};", + "links": [ + { + "href": "#cm-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[01]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are monitored;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda/minutes/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms that implement configuration change control" + } + ] + } + ], + "controls": [ + { + "id": "cm-3.1", + "class": "SP800-53-enhancement", + "title": "Automated Documentation, Notification, and Prohibition of Changes", + "params": [ + { + "id": "cm-03.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate configuration change control are defined;" + } + ] + }, + { + "id": "cm-03.01_odp.02", + "label": "approval authorities", + "guidelines": [ + { + "prose": "approval authorities to be notified of and request approval for proposed changes to the system are defined;" + } + ] + }, + { + "id": "cm-03.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "organization agreed upon time period" + } + ], + "guidelines": [ + { + "prose": "the time period after which to highlight changes that have not been approved or disapproved is defined;" + } + ] + }, + { + "id": "cm-03.01_odp.04", + "label": "personnel", + "constraints": [ + { + "description": "organization defined configuration management approval authorities" + } + ], + "guidelines": [ + { + "prose": "personnel to be notified when approved changes are complete is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(1)" + }, + { + "name": "label", + "value": "CM-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.1_smt", + "name": "statement", + "prose": "Use {{ insert: param, cm-03.01_odp.01 }} to:", + "parts": [ + { + "id": "cm-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Document proposed changes to the system;" + }, + { + "id": "cm-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;" + }, + { + "id": "cm-3.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};" + }, + { + "id": "cm-3.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Prohibit changes to the system until designated approvals are received;" + }, + { + "id": "cm-3.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Document all changes to the system; and" + }, + { + "id": "cm-3.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed." + } + ] + }, + { + "id": "cm-3.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "cm-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;", + "links": [ + { + "href": "#cm-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;", + "links": [ + { + "href": "#cm-3.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(c)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};", + "links": [ + { + "href": "#cm-3.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(d)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;", + "links": [ + { + "href": "#cm-3.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(e)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;", + "links": [ + { + "href": "#cm-3.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(01)(f)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.", + "links": [ + { + "href": "#cm-3.1_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities" + } + ] + } + ] + }, + { + "id": "cm-3.2", + "class": "SP800-53-enhancement", + "title": "Testing, Validation, and Documentation of Changes", + "props": [ + { + "name": "label", + "value": "CM-3(2)" + }, + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.2_smt", + "name": "statement", + "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." + }, + { + "id": "cm-3.2_gdn", + "name": "guidance", + "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." + }, + { + "id": "cm-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are tested before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are validated before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are documented before finalizing the implementation of the changes.", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms supporting and/or implementing, testing, validating, and documenting system changes" + } + ] + } + ] + }, + { + "id": "cm-3.4", + "class": "SP800-53-enhancement", + "title": "Security and Privacy Representatives", + "params": [ + { + "id": "cm-3.4_prm_1", + "label": "organization-defined security and privacy representatives" + }, + { + "id": "cm-03.04_odp.01", + "label": "security representatives", + "guidelines": [ + { + "prose": "security representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.02", + "label": "privacy representatives", + "guidelines": [ + { + "prose": "privacy representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.03", + "label": "configuration change control element", + "constraints": [ + { + "description": "Configuration control board (CCB) or similar (as defined in CM-3)" + } + ], + "guidelines": [ + { + "prose": "the configuration change control element of which the security and privacy representatives are to be members is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(4)" + }, + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.4_smt", + "name": "statement", + "prose": "Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}." + }, + { + "id": "cm-3.4_gdn", + "name": "guidance", + "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)." + }, + { + "id": "cm-3.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control" + } + ] + } + ] + }, + { + "id": "cm-3.6", + "class": "SP800-53-enhancement", + "title": "Cryptography Management", + "params": [ + { + "id": "cm-03.06_odp", + "label": "controls", + "constraints": [ + { + "description": "All security safeguards that rely on cryptography" + } + ], + "guidelines": [ + { + "prose": "controls provided by cryptographic mechanisms that are to be under configuration management are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(6)" + }, + { + "name": "label", + "value": "CM-03(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3.6_smt", + "name": "statement", + "prose": "Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}." + }, + { + "id": "cm-3.6_gdn", + "name": "guidance", + "prose": "The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates." + }, + { + "id": "cm-3.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(06)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.", + "links": [ + { + "href": "#cm-3.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)" + } + ] + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ], + "controls": [ + { + "id": "cm-4.1", + "class": "SP800-53-enhancement", + "title": "Separate Test Environments", + "props": [ + { + "name": "label", + "value": "CM-4(1)" + }, + { + "name": "label", + "value": "CM-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.1_smt", + "name": "statement", + "prose": "Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice." + }, + { + "id": "cm-4.1_gdn", + "name": "guidance", + "prose": "A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation." + }, + { + "id": "cm-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to flaws;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to flaws;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[04]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to weaknesses;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[05]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[06]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to incompatibility;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[07]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[08]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for security impacts due to intentional malice;", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(01)[09]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed for privacy impacts due to intentional malice.", + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + }, + { + "id": "cm-4.2", + "class": "SP800-53-enhancement", + "title": "Verification of Controls", + "props": [ + { + "name": "label", + "value": "CM-4(2)" + }, + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.2_smt", + "name": "statement", + "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." + }, + { + "id": "cm-4.2_gdn", + "name": "guidance", + "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." + }, + { + "id": "cm-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[05]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[06]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsecurity and privacy assessors" + } + ] + }, + { + "id": "cm-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ], + "controls": [ + { + "id": "cm-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Access Enforcement and Audit Records", + "params": [ + { + "id": "cm-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate the enforcement of access restrictions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(1)" + }, + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and" + }, + { + "id": "cm-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Automatically generate audit records of the enforcement actions." + } + ] + }, + { + "id": "cm-5.1_gdn", + "name": "guidance", + "prose": "Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." + }, + { + "id": "cm-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};", + "links": [ + { + "href": "#cm-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "audit records of enforcement actions are automatically generated.", + "links": [ + { + "href": "#cm-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions" + } + ] + } + ] + }, + { + "id": "cm-5.5", + "class": "SP800-53-enhancement", + "title": "Privilege Limitation for Production and Operation", + "params": [ + { + "id": "cm-5.5_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ] + }, + { + "id": "cm-05.05_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review privileges is defined;" + } + ] + }, + { + "id": "cm-05.05_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to reevaluate privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(5)" + }, + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Limit privileges to change system components and system-related information within a production or operational environment; and" + }, + { + "id": "cm-5.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}." + } + ] + }, + { + "id": "cm-5.5_gdn", + "name": "guidance", + "prose": "In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures." + }, + { + "id": "cm-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system components within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system-related information within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" + } + ] + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ], + "controls": [ + { + "id": "cm-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Management, Application, and Verification", + "params": [ + { + "id": "cm-6.1_prm_2", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-06.01_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to manage, apply, and verify configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to manage configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to apply configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to verify configuration settings are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(1)" + }, + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.1_smt", + "name": "statement", + "prose": "Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}." + }, + { + "id": "cm-6.1_gdn", + "name": "guidance", + "prose": "Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." + }, + { + "id": "cm-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings" + } + ] + } + ] + }, + { + "id": "cm-6.2", + "class": "SP800-53-enhancement", + "title": "Respond to Unauthorized Changes", + "params": [ + { + "id": "cm-06.02_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken upon an unauthorized change are defined;" + } + ] + }, + { + "id": "cm-06.02_odp.02", + "label": "configuration settings", + "guidelines": [ + { + "prose": "configuration settings requiring action upon an unauthorized change are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(2)" + }, + { + "name": "label", + "value": "CM-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.2_smt", + "name": "statement", + "prose": "Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}." + }, + { + "id": "cm-6.2_gdn", + "name": "guidance", + "prose": "Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing." + }, + { + "id": "cm-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.", + "links": [ + { + "href": "#cm-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and/or implementing actions in response to unauthorized changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ], + "controls": [ + { + "id": "cm-7.1", + "class": "SP800-53-enhancement", + "title": "Periodic Review", + "params": [ + { + "id": "cm-7.1_prm_2", + "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" + }, + { + "id": "cm-07.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be disabled or removed when deemed unnecessary or non-secure is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(1)" + }, + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" + }, + { + "id": "cm-7.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + } + ] + }, + { + "id": "cm-7.1_gdn", + "name": "guidance", + "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." + }, + { + "id": "cm-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:", + "links": [ + { + "href": "#cm-7.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and/or services" + } + ] + } + ] + }, + { + "id": "cm-7.2", + "class": "SP800-53-enhancement", + "title": "Prevent Program Execution", + "params": [ + { + "id": "cm-07.02_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-07.02_odp.02 }} ", + "rules authorizing the terms and conditions of software program usage" + ] + } + }, + { + "id": "cm-07.02_odp.02", + "label": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions", + "guidelines": [ + { + "prose": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(2)" + }, + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.2_smt", + "name": "statement", + "prose": "Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "parts": [ + { + "id": "cm-7.2_fr", + "name": "item", + "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run." + } + ] + } + ] + }, + { + "id": "cm-7.2_gdn", + "name": "guidance", + "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time." + }, + { + "id": "cm-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + } + ], + "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "links": [ + { + "href": "#cm-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and/or implementing software program usage and restrictions" + } + ] + } + ] + }, + { + "id": "cm-7.5", + "class": "SP800-53-enhancement", + "title": "Authorized Software — Allow-by-exception", + "params": [ + { + "id": "cm-07.05_odp.01", + "label": "software programs", + "guidelines": [ + { + "prose": "software programs authorized to execute on the system are defined;" + } + ] + }, + { + "id": "cm-07.05_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly or when there is a change" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the list of authorized software programs is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(5)" + }, + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Identify {{ insert: param, cm-07.05_odp.01 }};" + }, + { + "id": "cm-7.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" + }, + { + "id": "cm-7.5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}." + } + ] + }, + { + "id": "cm-7.5_gdn", + "name": "guidance", + "prose": "Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)." + }, + { + "id": "cm-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;", + "links": [ + { + "href": "#cm-7.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;", + "links": [ + { + "href": "#cm-7.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(c)", + "class": "sp800-53a" + } + ], + "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.", + "links": [ + { + "href": "#cm-7.5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and/or implementing authorized software policy" + } + ] + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ], + "controls": [ + { + "id": "cm-8.1", + "class": "SP800-53-enhancement", + "title": "Updates During Installation and Removal", + "props": [ + { + "name": "label", + "value": "CM-8(1)" + }, + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#pm-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.1_smt", + "name": "statement", + "prose": "Update the inventory of system components as part of component installations, removals, and system updates." + }, + { + "id": "cm-8.1_gdn", + "name": "guidance", + "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." + }, + { + "id": "cm-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component installations;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component removals;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of system updates.", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for updating the system component inventory\n\nmechanisms supporting and/or implementing system component inventory updates" + } + ] + } + ] + }, + { + "id": "cm-8.2", + "class": "SP800-53-enhancement", + "title": "Automated Maintenance", + "params": [ + { + "id": "cm-8.2_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-08.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the currency of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the completeness of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the accuracy of the system component inventory are defined;" + } + ] + }, + { + "id": "cm-08.02_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain the availability of the system component inventory are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(2)" + }, + { + "name": "label", + "value": "CM-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-8.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}." + }, + { + "id": "cm-8.2_gdn", + "name": "guidance", + "prose": "Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(02)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.", + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and/or implementing the system component inventory" + } + ] + } + ] + }, + { + "id": "cm-8.3", + "class": "SP800-53-enhancement", + "title": "Automated Unauthorized Component Detection", + "params": [ + { + "id": "cm-8.3_prm_1", + "label": "organization-defined automated mechanisms", + "constraints": [ + { + "description": "automated mechanisms with a maximum five-minute delay in detection" + } + ] + }, + { + "id": "cm-08.03_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized software within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;" + } + ] + }, + { + "id": "cm-08.03_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "disable network access by unauthorized components", + "isolate unauthorized components", + "notify {{ insert: param, cm-08.03_odp.06 }} " + ] + } + }, + { + "id": "cm-08.03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(3)" + }, + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and" + }, + { + "id": "cm-8.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}." + } + ] + }, + { + "id": "cm-8.3_gdn", + "name": "guidance", + "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" " + }, + { + "id": "cm-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected" + } + ] + } + ] + }, + { + "id": "cm-8.4", + "class": "SP800-53-enhancement", + "title": "Accountability Information", + "params": [ + { + "id": "cm-08.04_odp", + "constraints": [ + { + "description": "position and role" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "name", + "position", + "role" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(4)" + }, + { + "name": "label", + "value": "CM-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.4_smt", + "name": "statement", + "prose": "Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components." + }, + { + "id": "cm-8.4_gdn", + "name": "guidance", + "prose": "Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)." + }, + { + "id": "cm-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(04)", + "class": "sp800-53a" + } + ], + "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.", + "links": [ + { + "href": "#cm-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing the system component inventory" + } + ] + } + ] + } + ] + }, + { + "id": "cm-9", + "class": "SP800-53", + "title": "Configuration Management Plan", + "params": [ + { + "id": "cm-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review and approve the configuration management plan is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-9" + }, + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-9_smt", + "name": "statement", + "prose": "Develop, document, and implement a configuration management plan for the system that:", + "parts": [ + { + "id": "cm-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" + }, + { + "id": "cm-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" + }, + { + "id": "cm-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" + }, + { + "id": "cm-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and" + }, + { + "id": "cm-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protects the configuration management plan from unauthorized disclosure and modification." + }, + { + "id": "cm-9_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide" + } + ] + }, + { + "id": "cm-9_gdn", + "name": "guidance", + "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." + }, + { + "id": "cm-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is developed and documented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[02]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is implemented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses roles;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses responsibilities;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses configuration management processes and procedures;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan defines the configuration items for the system;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan places the configuration items under configuration management;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09d.", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};", + "links": [ + { + "href": "#cm-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + }, + { + "id": "cm-12", + "class": "SP800-53", + "title": "Information Location", + "params": [ + { + "id": "cm-12_odp", + "label": "information", + "guidelines": [ + { + "prose": "information for which the location is to be identified and documented is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12" + }, + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-23", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-12_smt", + "name": "statement", + "parts": [ + { + "id": "cm-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;" + }, + { + "id": "cm-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" + }, + { + "id": "cm-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." + }, + { + "id": "cm-12_fr", + "name": "item", + "title": "CM-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance" + } + ] + } + ] + }, + { + "id": "cm-12_gdn", + "name": "guidance", + "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))." + }, + { + "id": "cm-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location" + } + ] + } + ], + "controls": [ + { + "id": "cm-12.1", + "class": "SP800-53-enhancement", + "title": "Automated Tools to Support Information Location", + "params": [ + { + "id": "cm-12.01_odp.01", + "label": "information by information type", + "constraints": [ + { + "description": "Federal data and system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "information to be protected is defined by information type;" + } + ] + }, + { + "id": "cm-12.01_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where the information is located are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12(1)" + }, + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-12.1_smt", + "name": "statement", + "prose": "Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy.", + "parts": [ + { + "id": "cm-12.1_fr", + "name": "item", + "title": "CM-12 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance." + } + ] + } + ] + }, + { + "id": "cm-12.1_gdn", + "name": "guidance", + "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions." + }, + { + "id": "cm-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + } + ], + "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.", + "links": [ + { + "href": "#cm-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components" + } + ] + } + ] + } + ] + }, + { + "id": "cm-14", + "class": "SP800-53", + "title": "Signed Components", + "params": [ + { + "id": "cm-14_prm_1", + "label": "organization-defined software and firmware components" + }, + { + "id": "cm-14_odp.01", + "label": "software components", + "guidelines": [ + { + "prose": "software components requiring verification of a digitally signed certificate before installation are defined;" + } + ] + }, + { + "id": "cm-14_odp.02", + "label": "firmware components", + "guidelines": [ + { + "prose": "firmware components requiring verification of a digitally signed certificate before installation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-14" + }, + { + "name": "label", + "value": "CM-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-14_smt", + "name": "statement", + "prose": "Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.", + "parts": [ + { + "id": "cm-14_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized." + } + ] + }, + { + "id": "cm-14_gdn", + "name": "guidance", + "prose": "Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication." + }, + { + "id": "cm-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-14_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14[01]", + "class": "sp800-53a" + } + ], + "prose": "the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;", + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-14_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-14[02]", + "class": "sp800-53a" + } + ], + "prose": "the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.", + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing digitally signed certificates for software and firmware components\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location\n\nautomated tools supporting or implementing digitally signatures for software and firmware components\n\nautomated tools supporting or implementing verification of digital signatures for software and firmware component installation" + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ], + "controls": [ + { + "id": "cp-2.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-2(1)" + }, + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." + }, + { + "id": "cp-2.1_gdn", + "name": "guidance", + "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans." + }, + { + "id": "cp-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans" + } + ] + } + ] + }, + { + "id": "cp-2.2", + "class": "SP800-53-enhancement", + "title": "Capacity Planning", + "props": [ + { + "name": "label", + "value": "CP-2(2)" + }, + { + "name": "label", + "value": "CP-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-13", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.2_smt", + "name": "statement", + "prose": "Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." + }, + { + "id": "cp-2.2_gdn", + "name": "guidance", + "prose": "Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance." + }, + { + "id": "cp-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.", + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2.3", + "class": "SP800-53-enhancement", + "title": "Resume Mission and Business Functions", + "params": [ + { + "id": "cp-02.03_odp.01", + "constraints": [ + { + "description": "all" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + }, + { + "id": "cp-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "time period defined in service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "the contingency plan activation time period within which to resume mission and business functions is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(3)" + }, + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.3_smt", + "name": "statement", + "prose": "Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation." + }, + { + "id": "cp-2.3_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." + }, + { + "id": "cp-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.", + "links": [ + { + "href": "#cp-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions" + } + ] + }, + { + "id": "cp-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for resumption of missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.5", + "class": "SP800-53-enhancement", + "title": "Continue Mission and Business Functions", + "params": [ + { + "id": "cp-02.05_odp", + "constraints": [ + { + "description": "essential" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(5)" + }, + { + "name": "label", + "value": "CP-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.5_smt", + "name": "statement", + "prose": "Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites." + }, + { + "id": "cp-2.5_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency." + }, + { + "id": "cp-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;", + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites.", + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for continuing missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.8", + "class": "SP800-53-enhancement", + "title": "Identify Critical Assets", + "params": [ + { + "id": "cp-02.08_odp", + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(8)" + }, + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.8_smt", + "name": "statement", + "prose": "Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions." + }, + { + "id": "cp-2.8_gdn", + "name": "guidance", + "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement." + }, + { + "id": "cp-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + } + ], + "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.", + "links": [ + { + "href": "#cp-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ], + "controls": [ + { + "id": "cp-3.1", + "class": "SP800-53-enhancement", + "title": "Simulated Events", + "props": [ + { + "name": "label", + "value": "CP-3(1)" + }, + { + "name": "label", + "value": "CP-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-3.1_smt", + "name": "statement", + "prose": "Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations." + }, + { + "id": "cp-3.1_gdn", + "name": "guidance", + "prose": "The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures." + }, + { + "id": "cp-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03(01)", + "class": "sp800-53a" + } + ], + "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.", + "links": [ + { + "href": "#cp-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training\n\nmechanisms for simulating contingency events" + } + ] + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "functional exercises" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ], + "controls": [ + { + "id": "cp-4.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-4(1)" + }, + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." + }, + { + "id": "cp-4.1_gdn", + "name": "guidance", + "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements." + }, + { + "id": "cp-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-4.2", + "class": "SP800-53-enhancement", + "title": "Alternate Processing Site", + "props": [ + { + "name": "label", + "value": "CP-4(2)" + }, + { + "name": "label", + "value": "CP-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.2_smt", + "name": "statement", + "prose": "Test the contingency plan at the alternate processing site:", + "parts": [ + { + "id": "cp-4.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "To familiarize contingency personnel with the facility and available resources; and" + }, + { + "id": "cp-4.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "To evaluate the capabilities of the alternate processing site to support contingency operations." + } + ] + }, + { + "id": "cp-4.2_gdn", + "name": "guidance", + "prose": "Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing." + }, + { + "id": "cp-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;", + "links": [ + { + "href": "#cp-4.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.", + "links": [ + { + "href": "#cp-4.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ] + } + ] + }, + { + "id": "cp-6", + "class": "SP800-53", + "title": "Alternate Storage Site", + "props": [ + { + "name": "label", + "value": "CP-6" + }, + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6_smt", + "name": "statement", + "parts": [ + { + "id": "cp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" + }, + { + "id": "cp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." + } + ] + }, + { + "id": "cp-6_gdn", + "name": "guidance", + "prose": "Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems." + }, + { + "id": "cp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site is established;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06b.", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site provides controls equivalent to that of the primary site.", + "links": [ + { + "href": "#cp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site" + } + ] + } + ], + "controls": [ + { + "id": "cp-6.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-6(1)" + }, + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.1_smt", + "name": "statement", + "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." + }, + { + "id": "cp-6.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-6.2", + "class": "SP800-53-enhancement", + "title": "Recovery Time and Recovery Point Objectives", + "props": [ + { + "name": "label", + "value": "CP-6(2)" + }, + { + "name": "label", + "value": "CP-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-6.2_smt", + "name": "statement", + "prose": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." + }, + { + "id": "cp-6.2_gdn", + "name": "guidance", + "prose": "Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution." + }, + { + "id": "cp-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;", + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.", + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives" + } + ] + } + ] + }, + { + "id": "cp-6.3", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-6(3)" + }, + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.3_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." + }, + { + "id": "cp-6.3_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." + }, + { + "id": "cp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-7", + "class": "SP800-53", + "title": "Alternate Processing Site", + "params": [ + { + "id": "cp-07_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-7" + }, + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7_smt", + "name": "statement", + "parts": [ + { + "id": "cp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;" + }, + { + "id": "cp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and" + }, + { + "id": "cp-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." + }, + { + "id": "cp-7_fr", + "name": "item", + "title": "CP-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-7_gdn", + "name": "guidance", + "prose": "Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems." + }, + { + "id": "cp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07a.", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;", + "links": [ + { + "href": "#cp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07c.", + "class": "sp800-53a" + } + ], + "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.", + "links": [ + { + "href": "#cp-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for recovery at the alternate site\n\nmechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ], + "controls": [ + { + "id": "cp-7.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-7(1)" + }, + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.1_smt", + "name": "statement", + "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.", + "parts": [ + { + "id": "cp-7.1_fr", + "name": "item", + "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7.1_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant." + } + ] + } + ] + }, + { + "id": "cp-7.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.", + "links": [ + { + "href": "#cp-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.2", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-7(2)" + }, + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.2_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." + }, + { + "id": "cp-7.2_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." + }, + { + "id": "cp-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.3", + "class": "SP800-53-enhancement", + "title": "Priority of Service", + "props": [ + { + "name": "label", + "value": "CP-7(3)" + }, + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-7.3_smt", + "name": "statement", + "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." + }, + { + "id": "cp-7.3_gdn", + "name": "guidance", + "prose": "Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." + }, + { + "id": "cp-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.", + "links": [ + { + "href": "#cp-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + }, + { + "id": "cp-7.4", + "class": "SP800-53-enhancement", + "title": "Preparation for Use", + "props": [ + { + "name": "label", + "value": "CP-7(4)" + }, + { + "name": "label", + "value": "CP-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.4_smt", + "name": "statement", + "prose": "Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions." + }, + { + "id": "cp-7.4_gdn", + "name": "guidance", + "prose": "Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place." + }, + { + "id": "cp-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(04)", + "class": "sp800-53a" + } + ], + "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.", + "links": [ + { + "href": "#cp-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ] + } + ] + }, + { + "id": "cp-8", + "class": "SP800-53", + "title": "Telecommunications Services", + "params": [ + { + "id": "cp-08_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations to be resumed for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8" + }, + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8_smt", + "name": "statement", + "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "parts": [ + { + "id": "cp-8_fr", + "name": "item", + "title": "CP-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-8_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-8_gdn", + "name": "guidance", + "prose": "Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." + }, + { + "id": "cp-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "links": [ + { + "href": "#cp-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ], + "controls": [ + { + "id": "cp-8.1", + "class": "SP800-53-enhancement", + "title": "Priority of Service Provisions", + "props": [ + { + "name": "label", + "value": "CP-8(1)" + }, + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" + }, + { + "id": "cp-8.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." + } + ] + }, + { + "id": "cp-8.1_gdn", + "name": "guidance", + "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." + }, + { + "id": "cp-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.", + "links": [ + { + "href": "#cp-8.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ] + }, + { + "id": "cp-8.2", + "class": "SP800-53-enhancement", + "title": "Single Points of Failure", + "props": [ + { + "name": "label", + "value": "CP-8(2)" + }, + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.2_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." + }, + { + "id": "cp-8.2_gdn", + "name": "guidance", + "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." + }, + { + "id": "cp-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.", + "links": [ + { + "href": "#cp-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-8.3", + "class": "SP800-53-enhancement", + "title": "Separation of Primary and Alternate Providers", + "props": [ + { + "name": "label", + "value": "CP-8(3)" + }, + { + "name": "label", + "value": "CP-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.3_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats." + }, + { + "id": "cp-8.3_gdn", + "name": "guidance", + "prose": "Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment." + }, + { + "id": "cp-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-8.4", + "class": "SP800-53-enhancement", + "title": "Provider Contingency Plan", + "params": [ + { + "id": "cp-8.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "annually" + } + ] + }, + { + "id": "cp-08.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to obtain evidence of contingency testing by providers is defined;" + } + ] + }, + { + "id": "cp-08.04_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to obtain evidence of contingency training by providers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8(4)" + }, + { + "name": "label", + "value": "CP-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8.4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Require primary and alternate telecommunications service providers to have contingency plans;" + }, + { + "id": "cp-8.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and" + }, + { + "id": "cp-8.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}." + } + ] + }, + { + "id": "cp-8.4_gdn", + "name": "guidance", + "prose": "Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training." + }, + { + "id": "cp-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service providers are required to have contingency plans;", + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service providers are required to have contingency plans;", + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;", + "links": [ + { + "href": "#cp-8.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.", + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.", + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ], + "controls": [ + { + "id": "cp-9.1", + "class": "SP800-53-enhancement", + "title": "Testing for Reliability and Integrity", + "params": [ + { + "id": "cp-9.1_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "cp-09.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for media reliability is defined;" + } + ] + }, + { + "id": "cp-09.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for information integrity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(1)" + }, + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.1_smt", + "name": "statement", + "prose": "Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity." + }, + { + "id": "cp-9.1_gdn", + "name": "guidance", + "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." + }, + { + "id": "cp-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.2", + "class": "SP800-53-enhancement", + "title": "Test Restoration Using Sampling", + "props": [ + { + "name": "label", + "value": "CP-9(2)" + }, + { + "name": "label", + "value": "CP-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.2_smt", + "name": "statement", + "prose": "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing." + }, + { + "id": "cp-9.2_gdn", + "name": "guidance", + "prose": "Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed." + }, + { + "id": "cp-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(02)", + "class": "sp800-53a" + } + ], + "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.", + "links": [ + { + "href": "#cp-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.3", + "class": "SP800-53-enhancement", + "title": "Separate Storage for Critical Information", + "params": [ + { + "id": "cp-09.03_odp", + "label": "critical system software and other security-related information", + "guidelines": [ + { + "prose": "critical system software and other security-related information backups to be stored in a separate facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(3)" + }, + { + "name": "label", + "value": "CP-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.3_smt", + "name": "statement", + "prose": "Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system." + }, + { + "id": "cp-9.3_gdn", + "name": "guidance", + "prose": "Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers." + }, + { + "id": "cp-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(03)", + "class": "sp800-53a" + } + ], + "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.", + "links": [ + { + "href": "#cp-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-9.5", + "class": "SP800-53-enhancement", + "title": "Transfer to Alternate Storage Site", + "params": [ + { + "id": "cp-9.5_prm_1", + "label": "organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives", + "constraints": [ + { + "description": "time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA." + } + ] + }, + { + "id": "cp-09.05_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09.05_odp.02", + "label": "transfer rate", + "guidelines": [ + { + "prose": "transfer rate consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(5)" + }, + { + "name": "label", + "value": "CP-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.5_smt", + "name": "statement", + "prose": "Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}." + }, + { + "id": "cp-9.5_gdn", + "name": "guidance", + "prose": "System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media." + }, + { + "id": "cp-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};", + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.", + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and/or implementing system backups\n\nmechanisms supporting and/or implementing information transfer to the alternate storage site" + } + ] + } + ] + }, + { + "id": "cp-9.8", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "cp-09.08_odp", + "label": "backup information", + "constraints": [ + { + "description": "all backup files" + } + ], + "guidelines": [ + { + "prose": "backup information to protect against unauthorized disclosure and modification is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(8)" + }, + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.8_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "parts": [ + { + "id": "cp-9.8_fr", + "name": "item", + "title": "CP-9 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9.8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "cp-9.8_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." + }, + { + "id": "cp-9.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "links": [ + { + "href": "#cp-9.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection of backup information" + } + ] + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ], + "controls": [ + { + "id": "cp-10.2", + "class": "SP800-53-enhancement", + "title": "Transaction Recovery", + "props": [ + { + "name": "label", + "value": "CP-10(2)" + }, + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-10.2_smt", + "name": "statement", + "prose": "Implement transaction recovery for systems that are transaction-based." + }, + { + "id": "cp-10.2_gdn", + "name": "guidance", + "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." + }, + { + "id": "cp-10.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + } + ], + "prose": "transaction recovery is implemented for systems that are transaction-based.", + "links": [ + { + "href": "#cp-10.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transaction recovery capability" + } + ] + } + ] + }, + { + "id": "cp-10.4", + "class": "SP800-53-enhancement", + "title": "Restore Within Time Period", + "params": [ + { + "id": "cp-10.04_odp", + "label": "restoration time periods", + "constraints": [ + { + "description": "time period consistent with the restoration time-periods defined in the service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "restoration time period within which to restore system components to a known, operational state is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10(4)" + }, + { + "name": "label", + "value": "CP-10(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10.4_smt", + "name": "statement", + "prose": "Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components." + }, + { + "id": "cp-10.4_gdn", + "name": "guidance", + "prose": "Restoration of system components includes reimaging, which restores the components to known, operational states." + }, + { + "id": "cp-10.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(04)", + "class": "sp800-53a" + } + ], + "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.", + "links": [ + { + "href": "#cp-10.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the recovery/reconstitution of system information" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.5", + "class": "SP800-53-enhancement", + "title": "Individual Authentication with Group Authentication", + "props": [ + { + "name": "label", + "value": "IA-2(5)" + }, + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.5_smt", + "name": "statement", + "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." + }, + { + "id": "ia-2.5_gdn", + "name": "guidance", + "prose": "Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators." + }, + { + "id": "ia-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.", + "links": [ + { + "href": "#ia-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an authentication capability for group accounts" + } + ] + } + ] + }, + { + "id": "ia-2.6", + "class": "SP800-53-enhancement", + "title": "Access to Accounts —separate Device", + "params": [ + { + "id": "ia-02.06_odp.01", + "constraints": [ + { + "description": "local, network and remote" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "network", + "remote" + ] + } + }, + { + "id": "ia-02.06_odp.02", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + }, + { + "id": "ia-02.06_odp.03", + "label": "strength of mechanism requirements", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(6)" + }, + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.6_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:", + "parts": [ + { + "id": "ia-2.6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "One of the factors is provided by a device separate from the system gaining access; and" + }, + { + "id": "ia-2.6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "The device meets {{ insert: param, ia-02.06_odp.03 }}." + }, + { + "id": "ia-2.6_fr", + "name": "item", + "title": "IA-2 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials." + }, + { + "id": "ia-2.6_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography." + } + ] + } + ] + }, + { + "id": "ia-2.6_gdn", + "name": "guidance", + "prose": "The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process." + }, + { + "id": "ia-2.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2.6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(a)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;", + "links": [ + { + "href": "#ia-2.6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(b)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.", + "links": [ + { + "href": "#ia-2.6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts — Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-3", + "class": "SP800-53", + "title": "Device Identification and Authentication", + "params": [ + { + "id": "ia-03_odp.01", + "label": "devices and/or types of devices", + "guidelines": [ + { + "prose": "devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;" + } + ] + }, + { + "id": "ia-03_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "remote", + "network" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-3" + }, + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-3_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + }, + { + "id": "ia-3_gdn", + "name": "guidance", + "prose": "Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs." + }, + { + "id": "ia-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.", + "links": [ + { + "href": "#ia-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ], + "controls": [ + { + "id": "ia-4.4", + "class": "SP800-53-enhancement", + "title": "Identify User Status", + "params": [ + { + "id": "ia-04.04_odp", + "label": "characteristics", + "constraints": [ + { + "description": "contractors; foreign nationals" + } + ], + "guidelines": [ + { + "prose": "characteristics used to identify individual status is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4(4)" + }, + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-4.4_smt", + "name": "statement", + "prose": "Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}." + }, + { + "id": "ia-4.4_gdn", + "name": "guidance", + "prose": "Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." + }, + { + "id": "ia-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + } + ], + "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.", + "links": [ + { + "href": "#ia-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.2", + "class": "SP800-53-enhancement", + "title": "Public Key-based Authentication", + "props": [ + { + "name": "label", + "value": "IA-5(2)" + }, + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-5.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "For public key-based authentication:", + "parts": [ + { + "id": "ia-5.2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Enforce authorized access to the corresponding private key; and" + }, + { + "id": "ia-5.2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Map the authenticated identity to the account of the individual or group; and" + } + ] + }, + { + "id": "ia-5.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "When public key infrastructure (PKI) is used:", + "parts": [ + { + "id": "ia-5.2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and" + }, + { + "id": "ia-5.2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Implement a local cache of revocation data to support path discovery and validation." + } + ] + } + ] + }, + { + "id": "ia-5.2_gdn", + "name": "guidance", + "prose": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network." + }, + { + "id": "ia-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(01)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;", + "links": [ + { + "href": "#ia-5.2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(02)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.", + "links": [ + { + "href": "#ia-5.2_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing PKI-based, authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.6", + "class": "SP800-53-enhancement", + "title": "Protection of Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(6)" + }, + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.6_smt", + "name": "statement", + "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." + }, + { + "id": "ia-5.6_gdn", + "name": "guidance", + "prose": "For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." + }, + { + "id": "ia-5.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + } + ], + "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.", + "links": [ + { + "href": "#ia-5.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms protecting authenticators" + } + ] + } + ] + }, + { + "id": "ia-5.7", + "class": "SP800-53-enhancement", + "title": "No Embedded Unencrypted Static Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(7)" + }, + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.7_smt", + "name": "statement", + "prose": "Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "parts": [ + { + "id": "ia-5.7_fr", + "name": "item", + "title": "IA-5 (7) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process." + } + ] + } + ] + }, + { + "id": "ia-5.7_gdn", + "name": "guidance", + "prose": "In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators." + }, + { + "id": "ia-5.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + } + ], + "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "links": [ + { + "href": "#ia-5.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications" + } + ] + } + ] + }, + { + "id": "ia-5.8", + "class": "SP800-53-enhancement", + "title": "Multiple System Accounts", + "params": [ + { + "id": "ia-05.08_odp", + "label": "security controls", + "constraints": [ + { + "description": "different authenticators in different user authentication domains" + } + ], + "guidelines": [ + { + "prose": "security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(8)" + }, + { + "name": "label", + "value": "IA-05(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.8_smt", + "name": "statement", + "prose": "Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems.", + "parts": [ + { + "id": "ia-5.8_fr", + "name": "item", + "title": "IA-5 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.8_fr_gdn.x", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required." + } + ] + } + ] + }, + { + "id": "ia-5.8_gdn", + "name": "guidance", + "prose": "When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk of multiple system accounts." + }, + { + "id": "ia-5.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.", + "links": [ + { + "href": "#ia-5.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nlist of individuals having accounts on multiple systems\n\nlist of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing safeguards for authenticator management" + } + ] + } + ] + }, + { + "id": "ia-5.13", + "class": "SP800-53-enhancement", + "title": "Expiration of Cached Authenticators", + "params": [ + { + "id": "ia-05.13_odp", + "label": "time period", + "guidelines": [ + { + "prose": "the time period after which the use of cached authenticators is prohibited is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(13)" + }, + { + "name": "label", + "value": "IA-05(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.13_smt", + "name": "statement", + "prose": "Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}.", + "parts": [ + { + "id": "ia-5.13_fr", + "name": "item", + "title": "IA-5 (13) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard." + } + ] + } + ] + }, + { + "id": "ia-5.13_gdn", + "name": "guidance", + "prose": "Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable." + }, + { + "id": "ia-5.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(13)", + "class": "sp800-53a" + } + ], + "prose": "the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.", + "links": [ + { + "href": "#ia-5.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL3 (high baseline) * 12 hours or * 15 minutes of inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12", + "class": "SP800-53", + "title": "Identity Proofing", + "props": [ + { + "name": "label", + "value": "IA-12" + }, + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#9099ed2c-922a-493d-bcb4-d896192243ff", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12_smt", + "name": "statement", + "parts": [ + { + "id": "ia-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" + }, + { + "id": "ia-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Resolve user identities to a unique individual; and" + }, + { + "id": "ia-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Collect, validate, and verify identity evidence." + }, + { + "id": "ia-12_fr", + "name": "item", + "title": "IA-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12_gdn", + "name": "guidance", + "prose": "Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "ia-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12a.", + "class": "sp800-53a" + } + ], + "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;", + "links": [ + { + "href": "#ia-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12b.", + "class": "sp800-53a" + } + ], + "prose": "user identities are resolved to a unique individual;", + "links": [ + { + "href": "#ia-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is collected;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is validated;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[03]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is verified.", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-12.2", + "class": "SP800-53-enhancement", + "title": "Identity Evidence", + "props": [ + { + "name": "label", + "value": "IA-12(2)" + }, + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.2_smt", + "name": "statement", + "prose": "Require evidence of individual identification be presented to the registration authority." + }, + { + "id": "ia-12.2_gdn", + "name": "guidance", + "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account." + }, + { + "id": "ia-12.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + } + ], + "prose": "evidence of individual identification is presented to the registration authority.", + "links": [ + { + "href": "#ia-12.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.3", + "class": "SP800-53-enhancement", + "title": "Identity Evidence Validation and Verification", + "params": [ + { + "id": "ia-12.03_odp", + "label": "methods of validation and verification", + "guidelines": [ + { + "prose": "methods of validation and verification of identity evidence are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(3)" + }, + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.3_smt", + "name": "statement", + "prose": "Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}." + }, + { + "id": "ia-12.3_gdn", + "name": "guidance", + "prose": "Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account." + }, + { + "id": "ia-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + } + ], + "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.", + "links": [ + { + "href": "#ia-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.4", + "class": "SP800-53-enhancement", + "title": "In-person Validation and Verification", + "props": [ + { + "name": "label", + "value": "IA-12(4)" + }, + { + "name": "label", + "value": "IA-12(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.4_smt", + "name": "statement", + "prose": "Require that the validation and verification of identity evidence be conducted in person before a designated registration authority." + }, + { + "id": "ia-12.4_gdn", + "name": "guidance", + "prose": "In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities." + }, + { + "id": "ia-12.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(04)", + "class": "sp800-53a" + } + ], + "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority.", + "links": [ + { + "href": "#ia-12.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.5", + "class": "SP800-53-enhancement", + "title": "Address Confirmation", + "params": [ + { + "id": "ia-12.05_odp", + "select": { + "choice": [ + "registration code", + "notice of proofing" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(5)" + }, + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + }, + { + "href": "#ia-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12.5_smt", + "name": "statement", + "prose": "Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record.", + "parts": [ + { + "id": "ia-12.5_fr", + "name": "item", + "title": "IA-12 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12.5_gdn", + "name": "guidance", + "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." + }, + { + "id": "ia-12.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + } + ], + "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.", + "links": [ + { + "href": "#ia-12.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-2.1", + "class": "SP800-53-enhancement", + "title": "Simulated Events", + "props": [ + { + "name": "label", + "value": "IR-2(1)" + }, + { + "name": "label", + "value": "IR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-2.1_smt", + "name": "statement", + "prose": "Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations." + }, + { + "id": "ir-2.1_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations." + }, + { + "id": "ir-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.", + "links": [ + { + "href": "#ir-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that support and/or implement simulated events for incident response training" + } + ] + } + ] + }, + { + "id": "ir-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Training Environments", + "params": [ + { + "id": "ir-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used in an incident response training environment are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2(2)" + }, + { + "name": "label", + "value": "IR-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-2.2_smt", + "name": "statement", + "prose": "Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}." + }, + { + "id": "ir-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability." + }, + { + "id": "ir-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02(02)", + "class": "sp800-53a" + } + ], + "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.", + "links": [ + { + "href": "#ir-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that provide a thorough and realistic incident response training environment" + } + ] + } + ] + } + ] + }, + { + "id": "ir-3", + "class": "SP800-53", + "title": "Incident Response Testing", + "params": [ + { + "id": "ir-03_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every six (6) months, including functional at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to test the effectiveness of the incident response capability for the system is defined;" + } + ] + }, + { + "id": "ir-03_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests used to test the effectiveness of the incident response capability for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-3" + }, + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-3_smt", + "name": "statement", + "prose": "Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}.", + "parts": [ + { + "id": "ir-3_fr", + "name": "item", + "title": "IR-3-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing." + } + ] + } + ] + }, + { + "id": "ir-3_gdn", + "name": "guidance", + "prose": "Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." + }, + { + "id": "ir-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.", + "links": [ + { + "href": "#ir-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-3.2", + "class": "SP800-53-enhancement", + "title": "Coordination with Related Plans", + "props": [ + { + "name": "label", + "value": "IR-3(2)" + }, + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-3.2_smt", + "name": "statement", + "prose": "Coordinate incident response testing with organizational elements responsible for related plans." + }, + { + "id": "ir-3.2_gdn", + "name": "guidance", + "prose": "Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans." + }, + { + "id": "ir-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + } + ], + "prose": "incident response testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#ir-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ], + "controls": [ + { + "id": "ir-4.1", + "class": "SP800-53-enhancement", + "title": "Automated Incident Handling Processes", + "params": [ + { + "id": "ir-04.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the incident handling process are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(1)" + }, + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.1_smt", + "name": "statement", + "prose": "Support the incident handling process using {{ insert: param, ir-04.01_odp }}." + }, + { + "id": "ir-4.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis." + }, + { + "id": "ir-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.", + "links": [ + { + "href": "#ir-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that support and/or implement the incident handling process" + } + ] + } + ] + }, + { + "id": "ir-4.2", + "class": "SP800-53-enhancement", + "title": "Dynamic Reconfiguration", + "params": [ + { + "id": "ir-04.02_odp.01", + "label": "types of dynamic reconfiguration", + "guidelines": [ + { + "prose": "types of dynamic reconfiguration for system components are defined;" + } + ] + }, + { + "id": "ir-04.02_odp.02", + "label": "system components", + "constraints": [ + { + "description": "all network, data storage, and computing devices" + } + ], + "guidelines": [ + { + "prose": "system components that require dynamic reconfiguration are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(2)" + }, + { + "name": "label", + "value": "IR-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4.2_smt", + "name": "statement", + "prose": "Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}." + }, + { + "id": "ir-4.2_gdn", + "name": "guidance", + "prose": "Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats." + }, + { + "id": "ir-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.", + "links": [ + { + "href": "#ir-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident response capability\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that support and/or implement the dynamic reconfiguration of components as part of incident response" + } + ] + } + ] + }, + { + "id": "ir-4.4", + "class": "SP800-53-enhancement", + "title": "Information Correlation", + "props": [ + { + "name": "label", + "value": "IR-4(4)" + }, + { + "name": "label", + "value": "IR-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.4_smt", + "name": "statement", + "prose": "Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response." + }, + { + "id": "ir-4.4_gdn", + "name": "guidance", + "prose": "Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations." + }, + { + "id": "ir-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(04)", + "class": "sp800-53a" + } + ], + "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.", + "links": [ + { + "href": "#ir-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated" + } + ] + }, + { + "id": "ir-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses" + } + ] + } + ] + }, + { + "id": "ir-4.6", + "class": "SP800-53-enhancement", + "title": "Insider Threats", + "props": [ + { + "name": "label", + "value": "IR-4(6)" + }, + { + "name": "label", + "value": "IR-04(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.6_smt", + "name": "statement", + "prose": "Implement an incident handling capability for incidents involving insider threats." + }, + { + "id": "ir-4.6_gdn", + "name": "guidance", + "prose": "Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses." + }, + { + "id": "ir-4.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(06)", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability is implemented for incidents involving insider threats.", + "links": [ + { + "href": "#ir-4.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-4.11", + "class": "SP800-53-enhancement", + "title": "Integrated Incident Response Team", + "params": [ + { + "id": "ir-04.11_odp", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which an integrated incident response team can be deployed is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(11)" + }, + { + "name": "label", + "value": "IR-04(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4.11_smt", + "name": "statement", + "prose": "Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}." + }, + { + "id": "ir-4.11_gdn", + "name": "guidance", + "prose": "An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient." + }, + { + "id": "ir-4.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4.11_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrated incident response team is established and maintained;", + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.11_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(11)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.", + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team" + } + ] + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ], + "controls": [ + { + "id": "ir-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Tracking, Data Collection, and Analysis", + "params": [ + { + "id": "ir-5.1_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "ir-05.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to track incidents are defined;" + } + ] + }, + { + "id": "ir-05.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to collect incident information are defined;" + } + ] + }, + { + "id": "ir-05.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to analyze incident information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-5(1)" + }, + { + "name": "label", + "value": "IR-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-5.1_smt", + "name": "statement", + "prose": "Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}." + }, + { + "id": "ir-5.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices." + }, + { + "id": "ir-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.", + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ], + "controls": [ + { + "id": "ir-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Reporting", + "params": [ + { + "id": "ir-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for reporting incidents are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6(1)" + }, + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#ir-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.1_smt", + "name": "statement", + "prose": "Report incidents using {{ insert: param, ir-06.01_odp }}." + }, + { + "id": "ir-6.1_gdn", + "name": "guidance", + "prose": "The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs." + }, + { + "id": "ir-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + } + ], + "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.", + "links": [ + { + "href": "#ir-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing the reporting of security incidents" + } + ] + } + ] + }, + { + "id": "ir-6.3", + "class": "SP800-53-enhancement", + "title": "Supply Chain Coordination", + "props": [ + { + "name": "label", + "value": "IR-6(3)" + }, + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.3_smt", + "name": "statement", + "prose": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident." + }, + { + "id": "ir-6.3_gdn", + "name": "guidance", + "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident." + }, + { + "id": "ir-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + } + ], + "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.", + "links": [ + { + "href": "#ir-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities" + } + ] + }, + { + "id": "ir-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and/or implementing the reporting of incident information involved in the supply chain" + } + ] + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ], + "controls": [ + { + "id": "ir-7.1", + "class": "SP800-53-enhancement", + "title": "Automation Support for Availability of Information and Support", + "params": [ + { + "id": "ir-07.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to increase the availability of incident response information and support are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-7(1)" + }, + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-7.1_smt", + "name": "statement", + "prose": "Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}." + }, + { + "id": "ir-7.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." + }, + { + "id": "ir-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + } + ], + "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.", + "links": [ + { + "href": "#ir-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the availability of incident response information and support" + } + ] + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + }, + { + "id": "ir-9", + "class": "SP800-53", + "title": "Information Spillage Response", + "params": [ + { + "id": "ir-09_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles assigned the responsibility for responding to information spills is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.03", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9" + }, + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#pm-27", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9_smt", + "name": "statement", + "prose": "Respond to information spills by:", + "parts": [ + { + "id": "ir-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;" + }, + { + "id": "ir-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identifying the specific information involved in the system contamination;" + }, + { + "id": "ir-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;" + }, + { + "id": "ir-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Isolating the contaminated system or system component;" + }, + { + "id": "ir-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Eradicating the information from the contaminated system or component;" + }, + { + "id": "ir-9_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identifying other systems or system components that may have been subsequently contaminated; and" + }, + { + "id": "ir-9_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}." + } + ] + }, + { + "id": "ir-9_gdn", + "name": "guidance", + "prose": "Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated." + }, + { + "id": "ir-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;", + "links": [ + { + "href": "#ir-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09b.", + "class": "sp800-53a" + } + ], + "prose": "the specific information involved in the system contamination is identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;", + "links": [ + { + "href": "#ir-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09d.", + "class": "sp800-53a" + } + ], + "prose": "the contaminated system or system component is isolated in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09e.", + "class": "sp800-53a" + } + ], + "prose": "the information is eradicated from the contaminated system or component in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09f.", + "class": "sp800-53a" + } + ], + "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.03 }} are performed in response to information spills.", + "links": [ + { + "href": "#ir-9_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information spillage response\n\nmechanisms supporting and/or implementing information spillage response actions and related communications" + } + ] + } + ], + "controls": [ + { + "id": "ir-9.2", + "class": "SP800-53-enhancement", + "title": "Training", + "params": [ + { + "id": "ir-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide information spillage response training is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(2)" + }, + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9.2_smt", + "name": "statement", + "prose": "Provide information spillage response training {{ insert: param, ir-09.02_odp }}." + }, + { + "id": "ir-9.2_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur." + }, + { + "id": "ir-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + } + ], + "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.", + "links": [ + { + "href": "#ir-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ir-9.3", + "class": "SP800-53-enhancement", + "title": "Post-spill Operations", + "params": [ + { + "id": "ir-09.03_odp", + "label": "procedures", + "guidelines": [ + { + "prose": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(3)" + }, + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.3_smt", + "name": "statement", + "prose": "Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}." + }, + { + "id": "ir-9.3_gdn", + "name": "guidance", + "prose": "Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business." + }, + { + "id": "ir-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.", + "links": [ + { + "href": "#ir-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for post-spill operations" + } + ] + } + ] + }, + { + "id": "ir-9.4", + "class": "SP800-53-enhancement", + "title": "Exposure to Unauthorized Personnel", + "params": [ + { + "id": "ir-09.04_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls employed for personnel exposed to information not within assigned access authorizations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(4)" + }, + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.4_smt", + "name": "statement", + "prose": "Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}." + }, + { + "id": "ir-9.4_gdn", + "name": "guidance", + "prose": "Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information." + }, + { + "id": "ir-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.", + "links": [ + { + "href": "#ir-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized personnel\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ], + "controls": [ + { + "id": "ma-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Maintenance Activities", + "params": [ + { + "id": "ma-2.2_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "ma-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;" + } + ] + }, + { + "id": "ma-02.02_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;" + } + ] + }, + { + "id": "ma-02.02_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2(2)" + }, + { + "name": "label", + "value": "MA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-2", + "rel": "required" + }, + { + "href": "#ma-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2.2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and" + }, + { + "id": "ma-2.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed." + } + ] + }, + { + "id": "ma-2.2_gdn", + "name": "guidance", + "prose": "The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records." + }, + { + "id": "ma-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;", + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.", + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms supporting and/or implementing the production of records of maintenance and repair actions" + } + ] + } + ] + } + ] + }, + { + "id": "ma-3", + "class": "SP800-53", + "title": "Maintenance Tools", + "params": [ + { + "id": "ma-03_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review previously approved system maintenance tools is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3" + }, + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve, control, and monitor the use of system maintenance tools; and" + }, + { + "id": "ma-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}." + } + ] + }, + { + "id": "ma-3_gdn", + "name": "guidance", + "prose": "Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools." + }, + { + "id": "ma-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is approved;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is controlled;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is monitored;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03b.", + "class": "sp800-53a" + } + ], + "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.", + "links": [ + { + "href": "#ma-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools" + } + ] + } + ], + "controls": [ + { + "id": "ma-3.1", + "class": "SP800-53-enhancement", + "title": "Inspect Tools", + "props": [ + { + "name": "label", + "value": "MA-3(1)" + }, + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.1_smt", + "name": "statement", + "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." + }, + { + "id": "ma-3.1_gdn", + "name": "guidance", + "prose": "Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." + }, + { + "id": "ma-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + } + ], + "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.", + "links": [ + { + "href": "#ma-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and/or implementing the inspection of maintenance tools" + } + ] + } + ] + }, + { + "id": "ma-3.2", + "class": "SP800-53-enhancement", + "title": "Inspect Media", + "props": [ + { + "name": "label", + "value": "MA-3(2)" + }, + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.2_smt", + "name": "statement", + "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." + }, + { + "id": "ma-3.2_gdn", + "name": "guidance", + "prose": "If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures." + }, + { + "id": "ma-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + } + ], + "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.", + "links": [ + { + "href": "#ma-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for inspecting media for malicious code\n\nmechanisms supporting and/or implementing the inspection of media used for maintenance" + } + ] + } + ] + }, + { + "id": "ma-3.3", + "class": "SP800-53-enhancement", + "title": "Prevent Unauthorized Removal", + "params": [ + { + "id": "ma-03.03_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "the information owner" + } + ], + "guidelines": [ + { + "prose": "personnel or roles who can authorize removal of equipment from the facility is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3(3)" + }, + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.3_smt", + "name": "statement", + "prose": "Prevent the removal of maintenance equipment containing organizational information by:", + "parts": [ + { + "id": "ma-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verifying that there is no organizational information contained on the equipment;" + }, + { + "id": "ma-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Sanitizing or destroying the equipment;" + }, + { + "id": "ma-3.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Retaining the equipment within the facility; or" + }, + { + "id": "ma-3.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility." + } + ] + }, + { + "id": "ma-3.3_gdn", + "name": "guidance", + "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." + }, + { + "id": "ma-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or", + "links": [ + { + "href": "#ma-3.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.", + "links": [ + { + "href": "#ma-3.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization" + } + ] + }, + { + "id": "ma-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ], + "controls": [ + { + "id": "ma-4.3", + "class": "SP800-53-enhancement", + "title": "Comparable Security and Sanitization", + "props": [ + { + "name": "label", + "value": "MA-4(3)" + }, + { + "name": "label", + "value": "MA-04(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4.3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or" + }, + { + "id": "ma-4.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system." + } + ] + }, + { + "id": "ma-4.3_gdn", + "name": "guidance", + "prose": "Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced." + }, + { + "id": "ma-4.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;", + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or", + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the component to be serviced is sanitized (for organizational information);", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.", + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and/or implementing component sanitization and inspection" + } + ] + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ], + "controls": [ + { + "id": "ma-5.1", + "class": "SP800-53-enhancement", + "title": "Individuals Without Appropriate Access", + "params": [ + { + "id": "ma-05.01_odp", + "label": "alternate controls", + "guidelines": [ + { + "prose": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-5(1)" + }, + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-5", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", + "parts": [ + { + "id": "ma-5.1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and" + }, + { + "id": "ma-5.1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" + } + ] + }, + { + "id": "ma-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system." + } + ] + }, + { + "id": "ma-5.1_gdn", + "name": "guidance", + "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." + }, + { + "id": "ma-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.", + "links": [ + { + "href": "#ma-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and/or implementing alternative security safeguards\n\nmechanisms supporting and/or implementing information storage component sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-6", + "class": "SP800-53", + "title": "Timely Maintenance", + "params": [ + { + "id": "ma-06_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which maintenance support and/or spare parts are obtained are defined;" + } + ] + }, + { + "id": "ma-06_odp.02", + "label": "time period", + "constraints": [ + { + "description": "a timeframe to support advertised uptime and availability" + } + ], + "guidelines": [ + { + "prose": "time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-6" + }, + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-6_smt", + "name": "statement", + "prose": "Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure." + }, + { + "id": "ma-6_gdn", + "name": "guidance", + "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." + }, + { + "id": "ma-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + } + ], + "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.", + "links": [ + { + "href": "#ma-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring timely maintenance" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and/or non-digital media containing sensitive information" + } + ] + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-3", + "class": "SP800-53", + "title": "Media Marking", + "params": [ + { + "id": "mp-03_odp.01", + "label": "types of media exempted from marking", + "constraints": [ + { + "description": "no removable media types" + } + ], + "guidelines": [ + { + "prose": "types of system media exempt from marking when remaining in controlled areas are defined;" + } + ] + }, + { + "id": "mp-03_odp.02", + "label": "controlled areas", + "constraints": [ + { + "description": "organization-defined security safeguards not applicable" + } + ], + "guidelines": [ + { + "prose": "controlled areas where media is exempt from marking are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-3" + }, + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "rel": "reference" + }, + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-3_smt", + "name": "statement", + "parts": [ + { + "id": "mp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" + }, + { + "id": "mp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}." + }, + { + "id": "mp-3_fr", + "name": "item", + "title": "MP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Second parameter not-applicable" + } + ] + } + ] + }, + { + "id": "mp-3_gdn", + "name": "guidance", + "prose": "Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "mp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03a.", + "class": "sp800-53a" + } + ], + "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;", + "links": [ + { + "href": "#mp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.", + "links": [ + { + "href": "#mp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for marking information media\n\nmechanisms supporting and/or implementing media marking" + } + ] + } + ] + }, + { + "id": "mp-4", + "class": "SP800-53", + "title": "Media Storage", + "params": [ + { + "id": "mp-4_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and non-digital media with sensitive information" + } + ] + }, + { + "id": "mp-4_prm_2", + "label": "organization-defined controlled areas", + "constraints": [ + { + "description": "see additional FedRAMP requirements and guidance" + } + ] + }, + { + "id": "mp-04_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.02", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.03", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.04", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.05", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store digital media are defined;" + } + ] + }, + { + "id": "mp-04_odp.06", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store non-digital media are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-4" + }, + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-4_smt", + "name": "statement", + "parts": [ + { + "id": "mp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + }, + { + "id": "mp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." + }, + { + "id": "mp-4_fr", + "name": "item", + "title": "MP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines controlled areas within facilities where the information and information system reside." + } + ] + } + ] + }, + { + "id": "mp-4_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection." + }, + { + "id": "mp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04b.", + "class": "sp800-53a" + } + ], + "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.", + "links": [ + { + "href": "#mp-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing secure media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-5", + "class": "SP800-53", + "title": "Media Transport", + "params": [ + { + "id": "mp-5_prm_2", + "label": "organization-defined controls", + "constraints": [ + { + "description": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container" + } + ] + }, + { + "id": "mp-05_odp.01", + "label": "types of system media", + "constraints": [ + { + "description": "all media with sensitive information" + } + ], + "guidelines": [ + { + "prose": "types of system media to protect and control during transport outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to protect system media outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to control system media outside of controlled areas are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-5" + }, + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-5_smt", + "name": "statement", + "parts": [ + { + "id": "mp-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};" + }, + { + "id": "mp-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain accountability for system media during transport outside of controlled areas;" + }, + { + "id": "mp-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document activities associated with the transport of system media; and" + }, + { + "id": "mp-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Restrict the activities associated with the transport of system media to authorized personnel." + }, + { + "id": "mp-5_fr", + "name": "item", + "title": "MP-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "mp-5_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." + }, + { + "id": "mp-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05b.", + "class": "sp800-53a" + } + ], + "prose": "accountability for system media is maintained during transport outside of controlled areas;", + "links": [ + { + "href": "#mp-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05c.", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are documented;", + "links": [ + { + "href": "#mp-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[01]", + "class": "sp800-53a" + } + ], + "prose": "personnel authorized to conduct media transport activities is/are identified;", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ], + "controls": [ + { + "id": "mp-6.1", + "class": "SP800-53-enhancement", + "title": "Review, Approve, Track, Document, and Verify", + "props": [ + { + "name": "label", + "value": "MP-6(1)" + }, + { + "name": "label", + "value": "MP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.1_smt", + "name": "statement", + "prose": "Review, approve, track, document, and verify media sanitization and disposal actions.", + "parts": [ + { + "id": "mp-6.1_fr", + "name": "item", + "title": "MP-6 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Must comply with NIST SP 800-88" + } + ] + } + ] + }, + { + "id": "mp-6.1_gdn", + "name": "guidance", + "prose": "Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal." + }, + { + "id": "mp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are reviewed;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are approved;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are tracked;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[04]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are documented;", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(01)[05]", + "class": "sp800-53a" + } + ], + "prose": "media sanitization and disposal actions are verified.", + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization\n\nmechanisms supporting and/or implementing verification of media sanitization" + } + ] + } + ] + }, + { + "id": "mp-6.2", + "class": "SP800-53-enhancement", + "title": "Equipment Testing", + "params": [ + { + "id": "mp-6.2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least every six (6) months" + } + ] + }, + { + "id": "mp-06.02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to test sanitization equipment is defined;" + } + ] + }, + { + "id": "mp-06.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to test sanitization procedures is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6(2)" + }, + { + "name": "label", + "value": "MP-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.2_smt", + "name": "statement", + "prose": "Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved.", + "parts": [ + { + "id": "mp-6.2_fr", + "name": "item", + "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.2_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Equipment and procedures may be tested or validated for effectiveness" + } + ] + } + ] + }, + { + "id": "mp-6.2_gdn", + "name": "guidance", + "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers." + }, + { + "id": "mp-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;", + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.", + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "mp-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization procedures\n\nsanitization equipment" + } + ] + } + ] + }, + { + "id": "mp-6.3", + "class": "SP800-53-enhancement", + "title": "Nondestructive Techniques", + "params": [ + { + "id": "mp-06.03_odp", + "label": "circumstances", + "guidelines": [ + { + "prose": "circumstances requiring sanitization of portable storage devices are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6(3)" + }, + { + "name": "label", + "value": "MP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "mp-6.3_smt", + "name": "statement", + "prose": "Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}.", + "parts": [ + { + "id": "mp-6.3_fr", + "name": "item", + "title": "MP-6 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-6.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Must comply with NIST SP 800-88" + } + ] + } + ] + }, + { + "id": "mp-6.3_gdn", + "name": "guidance", + "prose": "Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices." + }, + { + "id": "mp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06(03)", + "class": "sp800-53a" + } + ], + "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.", + "links": [ + { + "href": "#mp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every ninety (90) days" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually or earlier as required by a security relevant event." + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ], + "controls": [ + { + "id": "pe-3.1", + "class": "SP800-53-enhancement", + "title": "System Access", + "params": [ + { + "id": "pe-03.01_odp", + "label": "physical spaces", + "guidelines": [ + { + "prose": "physical spaces containing one or more components of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3(1)" + }, + { + "name": "label", + "value": "PE-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-3.1_smt", + "name": "statement", + "prose": "Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}." + }, + { + "id": "pe-3.1_gdn", + "name": "guidance", + "prose": "Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components." + }, + { + "id": "pe-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations to the system are enforced;", + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3.1_obj.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.", + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control to the information system/components\n\nmechanisms supporting and/or implementing physical access control for facility areas containing system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe-4", + "class": "SP800-53", + "title": "Access Control for Transmission", + "params": [ + { + "id": "pe-04_odp.01", + "label": "system distribution and transmission lines", + "guidelines": [ + { + "prose": "system distribution and transmission lines requiring physical access controls are defined;" + } + ] + }, + { + "id": "pe-04_odp.02", + "label": "security controls", + "guidelines": [ + { + "prose": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-4" + }, + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-4_smt", + "name": "statement", + "prose": "Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}." + }, + { + "id": "pe-4_gdn", + "name": "guidance", + "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors." + }, + { + "id": "pe-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + } + ], + "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.", + "links": [ + { + "href": "#pe-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to distribution and transmission lines\n\nmechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines" + } + ] + } + ] + }, + { + "id": "pe-5", + "class": "SP800-53", + "title": "Access Control for Output Devices", + "params": [ + { + "id": "pe-05_odp", + "label": "output devices", + "guidelines": [ + { + "prose": "output devices that require physical access control to output are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-5" + }, + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-5_smt", + "name": "statement", + "prose": "Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output." + }, + { + "id": "pe-5_gdn", + "name": "guidance", + "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." + }, + { + "id": "pe-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + } + ], + "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.", + "links": [ + { + "href": "#pe-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ], + "controls": [ + { + "id": "pe-6.1", + "class": "SP800-53-enhancement", + "title": "Intrusion Alarms and Surveillance Equipment", + "props": [ + { + "name": "label", + "value": "PE-6(1)" + }, + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.1_smt", + "name": "statement", + "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." + }, + { + "id": "pe-6.1_gdn", + "name": "guidance", + "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." + }, + { + "id": "pe-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment" + } + ] + } + ] + }, + { + "id": "pe-6.4", + "class": "SP800-53-enhancement", + "title": "Monitoring Physical Access to Systems", + "params": [ + { + "id": "pe-06.04_odp", + "label": "physical spaces", + "guidelines": [ + { + "prose": "physical spaces containing one or more components of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6(4)" + }, + { + "name": "label", + "value": "PE-06(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.4_smt", + "name": "statement", + "prose": "Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}." + }, + { + "id": "pe-6.4_gdn", + "name": "guidance", + "prose": "Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization." + }, + { + "id": "pe-6.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(04)", + "class": "sp800-53a" + } + ], + "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.", + "links": [ + { + "href": "#pe-6.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and/or implementing physical access monitoring for facility areas containing system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ], + "controls": [ + { + "id": "pe-8.1", + "class": "SP800-53-enhancement", + "title": "Automated Records Maintenance and Review", + "params": [ + { + "id": "pe-8.1_prm_1", + "label": "organization-defined automated mechanisms" + }, + { + "id": "pe-08.01_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to maintain visitor access records are defined;" + } + ] + }, + { + "id": "pe-08.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to review visitor access records are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8(1)" + }, + { + "name": "label", + "value": "PE-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-8.1_smt", + "name": "statement", + "prose": "Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}." + }, + { + "id": "pe-8.1_gdn", + "name": "guidance", + "prose": "Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions." + }, + { + "id": "pe-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};", + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.", + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + } + ] + }, + { + "id": "pe-9", + "class": "SP800-53", + "title": "Power Equipment and Cabling", + "props": [ + { + "name": "label", + "value": "PE-9" + }, + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-9_smt", + "name": "statement", + "prose": "Protect power equipment and power cabling for the system from damage and destruction." + }, + { + "id": "pe-9_gdn", + "name": "guidance", + "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems." + }, + { + "id": "pe-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[01]", + "class": "sp800-53a" + } + ], + "prose": "power equipment for the system is protected from damage and destruction;", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[02]", + "class": "sp800-53a" + } + ], + "prose": "power cabling for the system is protected from damage and destruction.", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" + } + ] + } + ] + }, + { + "id": "pe-10", + "class": "SP800-53", + "title": "Emergency Shutoff", + "params": [ + { + "id": "pe-10_odp.01", + "label": "system or individual system components", + "guidelines": [ + { + "prose": "system or individual system components that require the capability to shut off power in emergency situations is/are defined;" + } + ] + }, + { + "id": "pe-10_odp.02", + "label": "location", + "constraints": [ + { + "description": "near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off" + } + ], + "guidelines": [ + { + "prose": "location of emergency shutoff switches or devices by system or system component is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-10" + }, + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-10_smt", + "name": "statement", + "parts": [ + { + "id": "pe-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;" + }, + { + "id": "pe-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and" + }, + { + "id": "pe-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect emergency power shutoff capability from unauthorized activation." + } + ] + }, + { + "id": "pe-10_gdn", + "name": "guidance", + "prose": "Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." + }, + { + "id": "pe-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10a.", + "class": "sp800-53a" + } + ], + "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;", + "links": [ + { + "href": "#pe-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10b.", + "class": "sp800-53a" + } + ], + "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;", + "links": [ + { + "href": "#pe-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10c.", + "class": "sp800-53a" + } + ], + "prose": "the emergency power shutoff capability is protected from unauthorized activation.", + "links": [ + { + "href": "#pe-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing emergency power shutoff" + } + ] + } + ] + }, + { + "id": "pe-11", + "class": "SP800-53", + "title": "Emergency Power", + "params": [ + { + "id": "pe-11_odp", + "select": { + "choice": [ + "an orderly shutdown of the system", + "transition of the system to long-term alternate power" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11" + }, + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-11_smt", + "name": "statement", + "prose": "Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss." + }, + { + "id": "pe-11_gdn", + "name": "guidance", + "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system." + }, + { + "id": "pe-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + } + ], + "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.", + "links": [ + { + "href": "#pe-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply" + } + ] + } + ], + "controls": [ + { + "id": "pe-11.1", + "class": "SP800-53-enhancement", + "title": "Alternate Power Supply — Minimal Operational Capability", + "params": [ + { + "id": "pe-11.01_odp", + "constraints": [ + { + "description": "automatically" + } + ], + "select": { + "choice": [ + "manually", + "automatically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11(1)" + }, + { + "name": "label", + "value": "PE-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-11.1_smt", + "name": "statement", + "prose": "Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source." + }, + { + "id": "pe-11.1_gdn", + "name": "guidance", + "prose": "Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply." + }, + { + "id": "pe-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};", + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.", + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an alternate power supply\n\nthe alternate power supply" + } + ] + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ], + "controls": [ + { + "id": "pe-13.1", + "class": "SP800-53-enhancement", + "title": "Detection Systems — Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.01_odp.02", + "label": "emergency responders", + "constraints": [ + { + "description": "service provider emergency responders with incident response responsibilities" + } + ], + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(1)" + }, + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.1_smt", + "name": "statement", + "prose": "Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire." + }, + { + "id": "pe-13.1_gdn", + "name": "guidance", + "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that activate automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire detection devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + }, + { + "id": "pe-13.2", + "class": "SP800-53-enhancement", + "title": "Suppression Systems — Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.02_odp.02", + "label": "emergency responders", + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(2)" + }, + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-13.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and" + }, + { + "id": "pe-13.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." + } + ] + }, + { + "id": "pe-13.2_gdn", + "name": "guidance", + "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that activate automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.", + "links": [ + { + "href": "#pe-13.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing fire suppression devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ], + "controls": [ + { + "id": "pe-14.2", + "class": "SP800-53-enhancement", + "title": "Monitoring with Alarms and Notifications", + "params": [ + { + "id": "pe-14.02_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14(2)" + }, + { + "name": "label", + "value": "PE-14(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-14", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-14.2_smt", + "name": "statement", + "prose": "Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to {{ insert: param, pe-14.02_odp }}." + }, + { + "id": "pe-14.2_gdn", + "name": "guidance", + "prose": "The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response." + }, + { + "id": "pe-14.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "environmental control monitoring is employed;", + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.", + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or notifications\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing temperature and humidity monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ], + "controls": [ + { + "id": "pe-15.1", + "class": "SP800-53-enhancement", + "title": "Automation Support", + "params": [ + { + "id": "pe-15.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted when the presence of water is detected near the system is/are defined;" + } + ] + }, + { + "id": "pe-15.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of water near the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-15(1)" + }, + { + "name": "label", + "value": "PE-15(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-15.1_smt", + "name": "statement", + "prose": "Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}." + }, + { + "id": "pe-15.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms include notification systems, water detection sensors, and alarms." + }, + { + "id": "pe-15.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of water near the system can be detected automatically;", + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15(01)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.", + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system" + } + ] + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + }, + { + "id": "pe-17", + "class": "SP800-53", + "title": "Alternate Work Site", + "params": [ + { + "id": "pe-17_odp.01", + "label": "alternate work sites", + "guidelines": [ + { + "prose": "alternate work sites allowed for use by employees are defined;" + } + ] + }, + { + "id": "pe-17_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be employed at alternate work sites are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-17" + }, + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-17_smt", + "name": "statement", + "parts": [ + { + "id": "pe-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;" + }, + { + "id": "pe-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};" + }, + { + "id": "pe-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assess the effectiveness of controls at alternate work sites; and" + }, + { + "id": "pe-17_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." + } + ] + }, + { + "id": "pe-17_gdn", + "name": "guidance", + "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations." + }, + { + "id": "pe-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;", + "links": [ + { + "href": "#pe-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;", + "links": [ + { + "href": "#pe-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17c.", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of controls at alternate work sites is assessed;", + "links": [ + { + "href": "#pe-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17d.", + "class": "sp800-53a" + } + ], + "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.", + "links": [ + { + "href": "#pe-17_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel" + } + ] + } + ] + }, + { + "id": "pe-18", + "class": "SP800-53", + "title": "Location of System Components", + "params": [ + { + "id": "pe-18_odp", + "label": "physical and environmental hazards", + "constraints": [ + { + "description": "physical and environmental hazards identified during threat assessment" + } + ], + "guidelines": [ + { + "prose": "physical and environmental hazards that could result in potential damage to system components within the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-18" + }, + { + "name": "label", + "value": "PE-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-19", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-18_smt", + "name": "statement", + "prose": "Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access." + }, + { + "id": "pe-18_gdn", + "name": "guidance", + "prose": "Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information." + }, + { + "id": "pe-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-18", + "class": "sp800-53a" + } + ], + "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.", + "links": [ + { + "href": "#pe-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for positioning system components" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization’s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ], + "controls": [ + { + "id": "ps-3.3", + "class": "SP800-53-enhancement", + "title": "Information Requiring Special Protective Measures", + "params": [ + { + "id": "ps-03.03_odp", + "label": "additional personnel screening criteria", + "constraints": [ + { + "description": "personnel screening criteria – as required by specific information" + } + ], + "guidelines": [ + { + "prose": "additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3(3)" + }, + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-3.3_smt", + "name": "statement", + "prose": "Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:", + "parts": [ + { + "id": "ps-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have valid access authorizations that are demonstrated by assigned official government duties; and" + }, + { + "id": "ps-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Satisfy {{ insert: param, ps-03.03_odp }}." + } + ] + }, + { + "id": "ps-3.3_gdn", + "name": "guidance", + "prose": "Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements." + }, + { + "id": "ps-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;", + "links": [ + { + "href": "#ps-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.", + "links": [ + { + "href": "#ps-3.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection" + } + ] + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ], + "controls": [ + { + "id": "ps-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Actions", + "params": [ + { + "id": "ps-04.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined;" + } + ] + }, + { + "id": "ps-04.02_odp.02", + "constraints": [ + { + "description": "access control personnel responsible for disabling access to the system" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions", + "disable access to system resources" + ] + } + }, + { + "id": "ps-04.02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified upon termination of an individual is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4(2)" + }, + { + "name": "label", + "value": "PS-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-4.2_smt", + "name": "statement", + "prose": "Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}." + }, + { + "id": "ps-4.2_gdn", + "name": "guidance", + "prose": "In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated." + }, + { + "id": "ps-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.", + "links": [ + { + "href": "#ps-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination notifications" + } + ] + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "terminations: immediately; transfers: within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "constraints": [ + { + "description": "24 hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and whenever a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "annually" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "within 24 hours prior to running scans" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.3", + "class": "SP800-53-enhancement", + "title": "Breadth and Depth of Coverage", + "props": [ + { + "name": "label", + "value": "RA-5(3)" + }, + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.3_smt", + "name": "statement", + "prose": "Define the breadth and depth of vulnerability scanning coverage." + }, + { + "id": "ra-5.3_gdn", + "name": "guidance", + "prose": "The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage." + }, + { + "id": "ra-5.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + } + ], + "prose": "the breadth and depth of vulnerability scanning coverage are defined.", + "links": [ + { + "href": "#ra-5.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.4", + "class": "SP800-53-enhancement", + "title": "Discoverable Information", + "params": [ + { + "id": "ra-05.04_odp", + "label": "corrective actions", + "constraints": [ + { + "description": "notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions" + } + ], + "guidelines": [ + { + "prose": "corrective actions to be taken if information about the system is discoverable are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(4)" + }, + { + "name": "label", + "value": "RA-05(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.4_smt", + "name": "statement", + "prose": "Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}." + }, + { + "id": "ra-5.4_gdn", + "name": "guidance", + "prose": "Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization." + }, + { + "id": "ra-5.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "information about the system is discoverable;", + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.", + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning and/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms supporting and/or implementing risk response\n\nmechanisms supporting and/or implementing incident management and response" + } + ] + } + ] + }, + { + "id": "ra-5.5", + "class": "SP800-53-enhancement", + "title": "Privileged Access", + "params": [ + { + "id": "ra-05.05_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all components that support authentication" + } + ], + "guidelines": [ + { + "prose": "system components to which privileged access is authorized for selected vulnerability scanning activities are defined;" + } + ] + }, + { + "id": "ra-05.05_odp.02", + "label": "vulnerability scanning activities", + "constraints": [ + { + "description": "all scans" + } + ], + "guidelines": [ + { + "prose": "vulnerability scanning activities selected for privileged access authorization to system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(5)" + }, + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.5_smt", + "name": "statement", + "prose": "Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}." + }, + { + "id": "ra-5.5_gdn", + "name": "guidance", + "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." + }, + { + "id": "ra-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.", + "links": [ + { + "href": "#ra-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and/or implementing access control\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.8", + "class": "SP800-53-enhancement", + "title": "Review Historic Audit Logs", + "params": [ + { + "id": "ra-05.08_odp.01", + "label": "system", + "guidelines": [ + { + "prose": "a system whose historic audit logs are to be reviewed is defined;" + } + ] + }, + { + "id": "ra-05.08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "a time period for a potential previous exploit of a system is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(8)" + }, + { + "name": "label", + "value": "RA-05(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.8_smt", + "name": "statement", + "prose": "Review historic audit logs to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within an {{ insert: param, ra-05.08_odp.02 }}.", + "parts": [ + { + "id": "ra-5.8_fr", + "name": "item", + "title": "RA-5(8) Additional FedRAMP Requirement", + "parts": [ + { + "id": "ra-5.8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "This enhancement is required for all high (or critical) vulnerability scan findings." + } + ] + } + ] + }, + { + "id": "ra-5.8_gdn", + "name": "guidance", + "prose": "Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack." + }, + { + "id": "ra-5.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(08)", + "class": "sp800-53a" + } + ], + "prose": "historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}.", + "links": [ + { + "href": "#ra-5.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms supporting and/or implementing audit record review" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + }, + { + "id": "ra-9", + "class": "SP800-53", + "title": "Criticality Analysis", + "params": [ + { + "id": "ra-09_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services to be analyzed for criticality are defined;" + } + ] + }, + { + "id": "ra-09_odp.02", + "label": "decision points in the system development life cycle", + "guidelines": [ + { + "prose": "decision points in the system development life cycle when a criticality analysis is to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-9" + }, + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-9_smt", + "name": "statement", + "prose": "Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}." + }, + { + "id": "ra-9_gdn", + "name": "guidance", + "prose": "Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)." + }, + { + "id": "ra-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + } + ], + "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.", + "links": [ + { + "href": "#ra-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\ncriticality analysis/finalized criticality for each component/subcomponent\n\naudit records/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.1", + "class": "SP800-53-enhancement", + "title": "Functional Properties of Controls", + "props": [ + { + "name": "label", + "value": "SA-4(1)" + }, + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." + }, + { + "id": "sa-4.1_gdn", + "name": "guidance", + "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." + }, + { + "id": "sa-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.", + "links": [ + { + "href": "#sa-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ] + }, + { + "id": "sa-4.2", + "class": "SP800-53-enhancement", + "title": "Design and Implementation Information for Controls", + "params": [ + { + "id": "sa-04.02_odp.01", + "constraints": [ + { + "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;\n\norganization-defined design/implementation information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "security-relevant external system interfaces", + "high-level design", + "low-level design", + "source code or hardware schematics", + " {{ insert: param, sa-04.02_odp.02 }} " + ] + } + }, + { + "id": "sa-04.02_odp.02", + "label": "design and implementation information", + "guidelines": [ + { + "prose": "design and implementation information is defined (if selected);" + } + ] + }, + { + "id": "sa-04.02_odp.03", + "label": "level of detail", + "guidelines": [ + { + "prose": "level of detail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(2)" + }, + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}." + }, + { + "id": "sa-4.2_gdn", + "name": "guidance", + "prose": "Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." + }, + { + "id": "sa-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.", + "links": [ + { + "href": "#sa-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing the development of system design details" + } + ] + } + ] + }, + { + "id": "sa-4.5", + "class": "SP800-53-enhancement", + "title": "System, Component, and Service Configurations", + "params": [ + { + "id": "sa-04.05_odp", + "label": "security configurations", + "constraints": [ + { + "description": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + } + ], + "guidelines": [ + { + "prose": "security configurations for the system, component, or service are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(5)" + }, + { + "name": "label", + "value": "SA-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.5_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-4.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and" + }, + { + "id": "sa-4.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." + } + ] + }, + { + "id": "sa-4.5_gdn", + "name": "guidance", + "prose": "Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed." + }, + { + "id": "sa-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;", + "links": [ + { + "href": "#sa-4.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.", + "links": [ + { + "href": "#sa-4.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified" + } + ] + } + ] + }, + { + "id": "sa-4.9", + "class": "SP800-53-enhancement", + "title": "Functions, Ports, Protocols, and Services in Use", + "props": [ + { + "name": "label", + "value": "SA-4(9)" + }, + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.9_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." + }, + { + "id": "sa-4.9_gdn", + "name": "guidance", + "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." + }, + { + "id": "sa-4.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ], + "controls": [ + { + "id": "sa-9.1", + "class": "SP800-53-enhancement", + "title": "Risk Assessments and Organizational Approvals", + "params": [ + { + "id": "sa-09.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(1)" + }, + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and" + }, + { + "id": "sa-9.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}." + } + ] + }, + { + "id": "sa-9.1_gdn", + "name": "guidance", + "prose": "Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks." + }, + { + "id": "sa-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;", + "links": [ + { + "href": "#sa-9.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.", + "links": [ + { + "href": "#sa-9.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and/or implementing risk assessment\n\nmechanisms supporting and/or implementing approval processes" + } + ] + } + ] + }, + { + "id": "sa-9.2", + "class": "SP800-53-enhancement", + "title": "Identification of Functions, Ports, Protocols, and Services", + "params": [ + { + "id": "sa-09.02_odp", + "label": "external system services", + "constraints": [ + { + "description": "all external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "external system services that require the identification of functions, ports, protocols, and other services are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(2)" + }, + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.2_smt", + "name": "statement", + "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}." + }, + { + "id": "sa-9.2_gdn", + "name": "guidance", + "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." + }, + { + "id": "sa-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + } + ], + "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.", + "links": [ + { + "href": "#sa-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of system services" + } + ] + } + ] + }, + { + "id": "sa-9.5", + "class": "SP800-53-enhancement", + "title": "Processing, Storage, and Service Location", + "params": [ + { + "id": "sa-09.05_odp.01", + "constraints": [ + { + "description": "information processing, information or data, AND system services" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "information processing", + "information or data", + "system services" + ] + } + }, + { + "id": "sa-09.05_odp.02", + "label": "locations", + "constraints": [ + { + "description": "U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction" + } + ], + "guidelines": [ + { + "prose": "locations where {{ insert: param, sa-09.05_odp.01 }} is/are to be restricted are defined;" + } + ] + }, + { + "id": "sa-09.05_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "all High impact data, systems, or services" + } + ], + "guidelines": [ + { + "prose": "requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(5)" + }, + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.5_smt", + "name": "statement", + "prose": "Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}." + }, + { + "id": "sa-9.5_gdn", + "name": "guidance", + "prose": "The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate." + }, + { + "id": "sa-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + } + ], + "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.", + "links": [ + { + "href": "#sa-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or system services\n\ninformation processing, information/data, and/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions" + } + ] + } + ] + } + ] + }, + { + "id": "sa-10", + "class": "SP800-53", + "title": "Developer Configuration Management", + "params": [ + { + "id": "sa-10_odp.01", + "constraints": [ + { + "description": "development, implementation, AND operation" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "design", + "development", + "implementation", + "operation", + "disposal" + ] + } + }, + { + "id": "sa-10_odp.02", + "label": "configuration items", + "guidelines": [ + { + "prose": "configuration items under configuration management are defined;" + } + ] + }, + { + "id": "sa-10_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-10" + }, + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-10_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};" + }, + { + "id": "sa-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};" + }, + { + "id": "sa-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Implement only organization-approved changes to the system, component, or service;" + }, + { + "id": "sa-10_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" + }, + { + "id": "sa-10_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}." + }, + { + "id": "sa-10_fr", + "name": "item", + "title": "SA-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP." + } + ] + } + ] + }, + { + "id": "sa-10_gdn", + "name": "guidance", + "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." + }, + { + "id": "sa-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};", + "links": [ + { + "href": "#sa-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10c.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and/or implementing the monitoring of developer configuration management" + } + ] + } + ] + }, + { + "id": "sa-11", + "class": "SP800-53", + "title": "Developer Testing and Evaluation", + "params": [ + { + "id": "sa-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "unit", + "integration", + "system", + "regression" + ] + } + }, + { + "id": "sa-11_odp.02", + "label": "frequency to conduct", + "guidelines": [ + { + "prose": "frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + }, + { + "id": "sa-11_odp.03", + "label": "depth and coverage", + "guidelines": [ + { + "prose": "depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11" + }, + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", + "parts": [ + { + "id": "sa-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement a plan for ongoing security and privacy control assessments;" + }, + { + "id": "sa-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};" + }, + { + "id": "sa-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" + }, + { + "id": "sa-11_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement a verifiable flaw remediation process; and" + }, + { + "id": "sa-11_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correct flaws identified during testing and evaluation." + } + ] + }, + { + "id": "sa-11_gdn", + "name": "guidance", + "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." + }, + { + "id": "sa-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};", + "links": [ + { + "href": "#sa-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11d.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;", + "links": [ + { + "href": "#sa-11_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11e.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.", + "links": [ + { + "href": "#sa-11_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation" + } + ] + } + ], + "controls": [ + { + "id": "sa-11.1", + "class": "SP800-53-enhancement", + "title": "Static Code Analysis", + "props": [ + { + "name": "label", + "value": "SA-11(1)" + }, + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-11.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.", + "parts": [ + { + "id": "sa-11.1_fr", + "name": "item", + "title": "SA-11(1) Additional FedRAMP Requirements", + "parts": [ + { + "id": "sa-11.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.\n\nIf Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))" + } + ] + } + ] + }, + { + "id": "sa-11.1_gdn", + "name": "guidance", + "prose": "Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources." + }, + { + "id": "sa-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools" + } + ] + } + ] + }, + { + "id": "sa-11.2", + "class": "SP800-53-enhancement", + "title": "Threat Modeling and Vulnerability Analyses", + "params": [ + { + "id": "sa-11.2_prm_3", + "label": "organization-defined breadth and depth of modeling and analyses" + }, + { + "id": "sa-11.2_prm_4", + "label": "organization-defined acceptance criteria" + }, + { + "id": "sa-11.02_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.02", + "label": "tools and methods", + "guidelines": [ + { + "prose": "the tools and methods to be employed for threat modeling and vulnerability analyses are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.03", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of threat modeling to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.04", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of vulnerability analyses to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.05", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for threat modeling are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.06", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for vulnerability analyses are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11(2)" + }, + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:", + "parts": [ + { + "id": "sa-11.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};" + }, + { + "id": "sa-11.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};" + }, + { + "id": "sa-11.2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + }, + { + "id": "sa-11.2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}." + } + ] + }, + { + "id": "sa-11.2_gdn", + "name": "guidance", + "prose": "Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated." + }, + { + "id": "sa-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation" + } + ] + } + ] + } + ] + }, + { + "id": "sa-15", + "class": "SP800-53", + "title": "Development Process, Standards, and Tools", + "params": [ + { + "id": "sa-15_prm_2", + "label": "organization-defined security and privacy requirements" + }, + { + "id": "sa-15_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "frequency as before first use and annually thereafter" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;" + } + ] + }, + { + "id": "sa-15_odp.02", + "label": "security requirements", + "constraints": [ + { + "description": "FedRAMP Security Authorization requirements" + } + ], + "guidelines": [ + { + "prose": "security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + }, + { + "id": "sa-15_odp.03", + "label": "privacy requirements", + "guidelines": [ + { + "prose": "privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15" + }, + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15_smt", + "name": "statement", + "parts": [ + { + "id": "sa-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", + "parts": [ + { + "id": "sa-15_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Explicitly addresses security and privacy requirements;" + }, + { + "id": "sa-15_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Identifies the standards and tools used in the development process;" + }, + { + "id": "sa-15_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Documents the specific tool options and tool configurations used in the development process; and" + }, + { + "id": "sa-15_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" + } + ] + }, + { + "id": "sa-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}." + } + ] + }, + { + "id": "sa-15_gdn", + "name": "guidance", + "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes." + }, + { + "id": "sa-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.04", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;", + "links": [ + { + "href": "#sa-15_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ], + "controls": [ + { + "id": "sa-15.3", + "class": "SP800-53-enhancement", + "title": "Criticality Analysis", + "params": [ + { + "id": "sa-15.3_prm_2", + "label": "organization-defined breadth and depth of criticality analysis" + }, + { + "id": "sa-15.03_odp.01", + "label": "decision points", + "guidelines": [ + { + "prose": "decision points in the system development life cycle are defined;" + } + ] + }, + { + "id": "sa-15.03_odp.02", + "label": "breadth", + "guidelines": [ + { + "prose": "the breadth of criticality analysis is defined;" + } + ] + }, + { + "id": "sa-15.03_odp.03", + "label": "depth", + "guidelines": [ + { + "prose": "the depth of criticality analysis is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15(3)" + }, + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-15", + "rel": "required" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15.3_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", + "parts": [ + { + "id": "sa-15.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + }, + { + "id": "sa-15.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}." + } + ] + }, + { + "id": "sa-15.3_gdn", + "name": "guidance", + "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." + }, + { + "id": "sa-15.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;", + "links": [ + { + "href": "#sa-15.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-15.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-15(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for performing criticality analysis\n\nmechanisms supporting and/or implementing criticality analysis" + } + ] + } + ] + } + ] + }, + { + "id": "sa-16", + "class": "SP800-53", + "title": "Developer-provided Training", + "params": [ + { + "id": "sa-16_odp", + "label": "training", + "guidelines": [ + { + "prose": "training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-16" + }, + { + "name": "label", + "value": "SA-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-16_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ insert: param, sa-16_odp }}." + }, + { + "id": "sa-16_gdn", + "name": "guidance", + "prose": "Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms." + }, + { + "id": "sa-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-16", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.", + "links": [ + { + "href": "#sa-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service" + } + ] + } + ] + }, + { + "id": "sa-17", + "class": "SP800-53", + "title": "Developer Security and Privacy Architecture and Design", + "props": [ + { + "name": "label", + "value": "SA-17" + }, + { + "name": "label", + "value": "SA-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-17_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:", + "parts": [ + { + "id": "sa-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;" + }, + { + "id": "sa-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and" + }, + { + "id": "sa-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection." + } + ] + }, + { + "id": "sa-17_gdn", + "name": "guidance", + "prose": "Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing." + }, + { + "id": "sa-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;", + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;", + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;", + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;", + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-17_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;", + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-17(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.", + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ] + }, + { + "id": "sa-21", + "class": "SP800-53", + "title": "Developer Screening", + "params": [ + { + "id": "sa-21_odp.01", + "label": "system, systems component, or system service", + "guidelines": [ + { + "prose": "the system, systems component, or system service that the developer has access to is/are defined;" + } + ] + }, + { + "id": "sa-21_odp.02", + "label": "official government duties", + "guidelines": [ + { + "prose": "official government duties assigned to the developer are defined;" + } + ] + }, + { + "id": "sa-21_odp.03", + "label": "additional personnel screening criteria", + "guidelines": [ + { + "prose": "additional personnel screening criteria for the developer are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-21" + }, + { + "name": "label", + "value": "SA-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-21_smt", + "name": "statement", + "prose": "Require that the developer of {{ insert: param, sa-21_odp.01 }}:", + "parts": [ + { + "id": "sa-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and" + }, + { + "id": "sa-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}." + } + ] + }, + { + "id": "sa-21_gdn", + "name": "guidance", + "prose": "Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements." + }, + { + "id": "sa-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};", + "links": [ + { + "href": "#sa-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-21b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.", + "links": [ + { + "href": "#sa-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening" + } + ] + }, + { + "id": "sa-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developer screening\n\nmechanisms supporting developer screening" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-2", + "class": "SP800-53", + "title": "Separation of System and User Functionality", + "props": [ + { + "name": "label", + "value": "SC-2" + }, + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-2_smt", + "name": "statement", + "prose": "Separate user functionality, including user interface services, from system management functionality." + }, + { + "id": "sc-2_gdn", + "name": "guidance", + "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + } + ], + "prose": "user functionality, including user interface services, is separated from system management functionality.", + "links": [ + { + "href": "#sc-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of user functionality from system management functionality" + } + ] + } + ] + }, + { + "id": "sc-3", + "class": "SP800-53", + "title": "Security Function Isolation", + "props": [ + { + "name": "label", + "value": "SC-3" + }, + { + "name": "label", + "value": "SC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-3_smt", + "name": "statement", + "prose": "Isolate security functions from nonsecurity functions." + }, + { + "id": "sc-3_gdn", + "name": "guidance", + "prose": "Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-03", + "class": "sp800-53a" + } + ], + "prose": "security functions are isolated from non-security functions.", + "links": [ + { + "href": "#sc-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of security functions from non-security functions within the system" + } + ] + } + ] + }, + { + "id": "sc-4", + "class": "SP800-53", + "title": "Information in Shared System Resources", + "props": [ + { + "name": "label", + "value": "SC-4" + }, + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-4_smt", + "name": "statement", + "prose": "Prevent unauthorized and unintended information transfer via shared system resources." + }, + { + "id": "sc-4_gdn", + "name": "guidance", + "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." + }, + { + "id": "sc-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[01]", + "class": "sp800-53a" + } + ], + "prose": "unauthorized information transfer via shared system resources is prevented;", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[02]", + "class": "sp800-53a" + } + ], + "prose": "unintended information transfer via shared system resources is prevented.", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ], + "controls": [ + { + "id": "sc-7.3", + "class": "SP800-53-enhancement", + "title": "Access Points", + "props": [ + { + "name": "label", + "value": "SC-7(3)" + }, + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.3_smt", + "name": "statement", + "prose": "Limit the number of external network connections to the system." + }, + { + "id": "sc-7.3_gdn", + "name": "guidance", + "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." + }, + { + "id": "sc-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + } + ], + "prose": "the number of external network connections to the system is limited.", + "links": [ + { + "href": "#sc-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system" + } + ] + } + ] + }, + { + "id": "sc-7.4", + "class": "SP800-53-enhancement", + "title": "External Telecommunications Services", + "params": [ + { + "id": "sc-07.04_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review exceptions to traffic flow policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(4)" + }, + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.4_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement a managed interface for each external telecommunication service;" + }, + { + "id": "sc-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish a traffic flow policy for each managed interface;" + }, + { + "id": "sc-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" + }, + { + "id": "sc-7.4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" + }, + { + "id": "sc-7.4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;" + }, + { + "id": "sc-7.4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" + }, + { + "id": "sc-7.4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" + }, + { + "id": "sc-7.4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Filter unauthorized control plane traffic from external networks." + } + ] + }, + { + "id": "sc-7.4_gdn", + "name": "guidance", + "prose": "External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements." + }, + { + "id": "sc-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "a managed interface is implemented for each external telecommunication service;", + "links": [ + { + "href": "#sc-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "a traffic flow policy is established for each managed interface;", + "links": [ + { + "href": "#sc-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(d)", + "class": "sp800-53a" + } + ], + "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;", + "links": [ + { + "href": "#sc-7.4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[01]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[02]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(f)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;", + "links": [ + { + "href": "#sc-7.4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(g)", + "class": "sp800-53a" + } + ], + "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;", + "links": [ + { + "href": "#sc-7.4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(h)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized control plane traffic is filtered from external networks.", + "links": [ + { + "href": "#sc-7.4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy" + } + ] + } + ] + }, + { + "id": "sc-7.5", + "class": "SP800-53-enhancement", + "title": "Deny by Default — Allow by Exception", + "params": [ + { + "id": "sc-07.05_odp.01", + "constraints": [ + { + "description": "any systems" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "at managed interfaces", + "for {{ insert: param, sc-07.05_odp.02 }} " + ] + } + }, + { + "id": "sc-07.05_odp.02", + "label": "systems", + "guidelines": [ + { + "prose": "systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)." + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(5)" + }, + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.5_smt", + "name": "statement", + "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.", + "parts": [ + { + "id": "sc-7.5_fr", + "name": "item", + "title": "SC-7 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing" + } + ] + } + ] + }, + { + "id": "sc-7.5_gdn", + "name": "guidance", + "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." + }, + { + "id": "sc-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.7", + "class": "SP800-53-enhancement", + "title": "Split Tunneling for Remote Devices", + "params": [ + { + "id": "sc-07.07_odp", + "label": "safeguards", + "guidelines": [ + { + "prose": "safeguards to securely provision split tunneling are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(7)" + }, + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.7_smt", + "name": "statement", + "prose": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}." + }, + { + "id": "sc-7.7_gdn", + "name": "guidance", + "prose": "Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control." + }, + { + "id": "sc-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + } + ], + "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.", + "links": [ + { + "href": "#sc-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting/restricting non-remote connections" + } + ] + } + ] + }, + { + "id": "sc-7.8", + "class": "SP800-53-enhancement", + "title": "Route Traffic to Authenticated Proxy Servers", + "params": [ + { + "id": "sc-07.08_odp.01", + "label": "internal communications traffic", + "guidelines": [ + { + "prose": "internal communications traffic to be routed to external networks is defined;" + } + ] + }, + { + "id": "sc-07.08_odp.02", + "label": "external networks", + "constraints": [ + { + "description": "any network outside of organizational control and any network outside the authorization boundary" + } + ], + "guidelines": [ + { + "prose": "external networks to which internal communications traffic is to be routed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(8)" + }, + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.8_smt", + "name": "statement", + "prose": "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces." + }, + { + "id": "sc-7.8_gdn", + "name": "guidance", + "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)." + }, + { + "id": "sc-7.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.", + "links": [ + { + "href": "#sc-7.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.10", + "class": "SP800-53-enhancement", + "title": "Prevent Exfiltration", + "params": [ + { + "id": "sc-07.10_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for conducting exfiltration tests is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(10)" + }, + { + "name": "label", + "value": "SC-07(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.10_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Prevent the exfiltration of information; and" + }, + { + "id": "sc-7.10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}." + } + ] + }, + { + "id": "sc-7.10_gdn", + "name": "guidance", + "prose": "Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements." + }, + { + "id": "sc-7.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)(a)", + "class": "sp800-53a" + } + ], + "prose": "the exfiltration of information is prevented;", + "links": [ + { + "href": "#sc-7.10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(10)(b)", + "class": "sp800-53a" + } + ], + "prose": "exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}.", + "links": [ + { + "href": "#sc-7.10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities that prevent the unauthorized exfiltration of information across managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.12", + "class": "SP800-53-enhancement", + "title": "Host-based Protection", + "params": [ + { + "id": "sc-07.12_odp.01", + "label": "host-based boundary protection mechanisms", + "constraints": [ + { + "description": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall" + } + ], + "guidelines": [ + { + "prose": "host-based boundary protection mechanisms to be implemented are defined;" + } + ] + }, + { + "id": "sc-07.12_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based boundary protection mechanisms are to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(12)" + }, + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.12_smt", + "name": "statement", + "prose": "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}." + }, + { + "id": "sc-7.12_gdn", + "name": "guidance", + "prose": "Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices." + }, + { + "id": "sc-7.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.", + "links": [ + { + "href": "#sc-7.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users" + } + ] + }, + { + "id": "sc-7.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing host-based boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-7.18", + "class": "SP800-53-enhancement", + "title": "Fail Secure", + "props": [ + { + "name": "label", + "value": "SC-7(18)" + }, + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.18_smt", + "name": "statement", + "prose": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device." + }, + { + "id": "sc-7.18_gdn", + "name": "guidance", + "prose": "Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases." + }, + { + "id": "sc-7.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + } + ], + "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.", + "links": [ + { + "href": "#sc-7.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure failure" + } + ] + } + ] + }, + { + "id": "sc-7.20", + "class": "SP800-53-enhancement", + "title": "Dynamic Isolation and Segregation", + "params": [ + { + "id": "sc-07.20_odp", + "label": "system components", + "guidelines": [ + { + "prose": "system components to be dynamically isolated from other system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(20)" + }, + { + "name": "label", + "value": "SC-07(20)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.20_smt", + "name": "statement", + "prose": "Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components." + }, + { + "id": "sc-7.20_gdn", + "name": "guidance", + "prose": "The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur." + }, + { + "id": "sc-7.20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(20)", + "class": "sp800-53a" + } + ], + "prose": "the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided.", + "links": [ + { + "href": "#sc-7.20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(20)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of system components to be dynamically isolated/segregated from other components of the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(20)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(20)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the capability to dynamically isolate/segregate system components" + } + ] + } + ] + }, + { + "id": "sc-7.21", + "class": "SP800-53-enhancement", + "title": "Isolation of System Components", + "params": [ + { + "id": "sc-07.21_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components to be isolated by boundary protection mechanisms are defined;" + } + ] + }, + { + "id": "sc-07.21_odp.02", + "label": "missions and/or business functions", + "guidelines": [ + { + "prose": "missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(21)" + }, + { + "name": "label", + "value": "SC-07(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ca-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.21_smt", + "name": "statement", + "prose": "Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}." + }, + { + "id": "sc-7.21_gdn", + "name": "guidance", + "prose": "Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys." + }, + { + "id": "sc-7.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(21)", + "class": "sp800-53a" + } + ], + "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.", + "links": [ + { + "href": "#sc-7.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the capability to separate system components supporting organizational missions and/or business functions" + } + ] + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n\n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work – e.g. log collection, scanning, etc.\n\n\n\n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters\n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]" + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n\n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n\n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n\n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n\n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n\n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf" + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "constraints": [ + { + "description": "prevent unauthorized disclosure of information AND detect changes to information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-10", + "class": "SP800-53", + "title": "Network Disconnect", + "params": [ + { + "id": "sc-10_odp", + "label": "time period", + "constraints": [ + { + "description": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions" + } + ], + "guidelines": [ + { + "prose": "a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-10" + }, + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-10_smt", + "name": "statement", + "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity." + }, + { + "id": "sc-10_gdn", + "name": "guidance", + "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses." + }, + { + "id": "sc-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + } + ], + "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.", + "links": [ + { + "href": "#sc-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a network disconnect capability" + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ], + "controls": [ + { + "id": "sc-12.1", + "class": "SP800-53-enhancement", + "title": "Availability", + "props": [ + { + "name": "label", + "value": "SC-12(1)" + }, + { + "name": "label", + "value": "SC-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-12.1_smt", + "name": "statement", + "prose": "Maintain availability of information in the event of the loss of cryptographic keys by users." + }, + { + "id": "sc-12.1_gdn", + "name": "guidance", + "prose": "Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key." + }, + { + "id": "sc-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12(01)", + "class": "sp800-53a" + } + ], + "prose": "information availability is maintained in the event of the loss of cryptographic keys by users.", + "links": [ + { + "href": "#sc-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management" + } + ] + }, + { + "id": "sc-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n\n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-17", + "class": "SP800-53", + "title": "Public Key Infrastructure Certificates", + "params": [ + { + "id": "sc-17_odp", + "label": "certificate policy", + "guidelines": [ + { + "prose": "a certificate policy for issuing public key certificates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-17" + }, + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#8cb338a4-e493-4177-818f-3af18983ddc5", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-17_smt", + "name": "statement", + "parts": [ + { + "id": "sc-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and" + }, + { + "id": "sc-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." + } + ] + }, + { + "id": "sc-17_gdn", + "name": "guidance", + "prose": "Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." + }, + { + "id": "sc-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17a.", + "class": "sp800-53a" + } + ], + "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;", + "links": [ + { + "href": "#sc-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17b.", + "class": "sp800-53a" + } + ], + "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.", + "links": [ + { + "href": "#sc-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers" + } + ] + }, + { + "id": "sc-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of public key infrastructure certificates" + } + ] + } + ] + }, + { + "id": "sc-18", + "class": "SP800-53", + "title": "Mobile Code", + "props": [ + { + "name": "label", + "value": "SC-18" + }, + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#f641309f-a3ad-48be-8c67-2b318648b2f5", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-18_smt", + "name": "statement", + "parts": [ + { + "id": "sc-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" + }, + { + "id": "sc-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize, monitor, and control the use of mobile code within the system." + } + ] + }, + { + "id": "sc-18_gdn", + "name": "guidance", + "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." + }, + { + "id": "sc-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[04]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is authorized within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is monitored within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is controlled within the system.", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code" + } + ] + }, + { + "id": "sc-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and/or implementing the management of mobile code\n\nmechanisms supporting and/or implementing the monitoring of mobile code" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authoritative DNS servers must be geolocated in accordance with SA-9 (5)." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n- DNSSEC resolution to access a component inside the boundary is excluded." + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-23", + "class": "SP800-53", + "title": "Session Authenticity", + "props": [ + { + "name": "label", + "value": "SC-23" + }, + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-23_smt", + "name": "statement", + "prose": "Protect the authenticity of communications sessions." + }, + { + "id": "sc-23_gdn", + "name": "guidance", + "prose": "Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions." + }, + { + "id": "sc-23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + } + ], + "prose": "the authenticity of communication sessions is protected.", + "links": [ + { + "href": "#sc-23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-23-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-23-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sc-23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-23-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing session authenticity" + } + ] + } + ] + }, + { + "id": "sc-24", + "class": "SP800-53", + "title": "Fail in Known State", + "params": [ + { + "id": "sc-24_odp.01", + "label": "types of system failures on system components", + "guidelines": [ + { + "prose": "types of system failures for which the system components fail to a known state are defined;" + } + ] + }, + { + "id": "sc-24_odp.02", + "label": "known system state", + "guidelines": [ + { + "prose": "known system state to which system components fail in the event of a system failure is defined;" + } + ] + }, + { + "id": "sc-24_odp.03", + "label": "system state information", + "guidelines": [ + { + "prose": "system state information to be preserved in the event of a system failure is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-24" + }, + { + "name": "label", + "value": "SC-24", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-24" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-24_smt", + "name": "statement", + "prose": "Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}." + }, + { + "id": "sc-24_gdn", + "name": "guidance", + "prose": "Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes." + }, + { + "id": "sc-24_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-24", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.", + "links": [ + { + "href": "#sc-24_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-24_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-24-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-24_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-24-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-24_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-24-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + }, + { + "id": "sc-45", + "class": "SP800-53", + "title": "System Time Synchronization", + "props": [ + { + "name": "label", + "value": "SC-45" + }, + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e4d37285-1e79-4029-8b6a-42df39cace30", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-45_smt", + "name": "statement", + "prose": "Synchronize system clocks within and between systems and system components." + }, + { + "id": "sc-45_gdn", + "name": "guidance", + "prose": "Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities." + }, + { + "id": "sc-45_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + } + ], + "prose": "system clocks are synchronized within and between systems and system components.", + "links": [ + { + "href": "#sc-45_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ], + "controls": [ + { + "id": "sc-45.1", + "class": "SP800-53-enhancement", + "title": "Synchronization with Authoritative Time Source", + "params": [ + { + "id": "sc-45.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "At least hourly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to compare the internal system clocks with the authoritative time source is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.02", + "label": "authoritative time source", + "constraints": [ + { + "description": "http://tf.nist.gov/tf-cgi/servers.cgi" + } + ], + "guidelines": [ + { + "prose": "the authoritative time source to which internal system clocks are to be compared is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "any difference" + } + ], + "guidelines": [ + { + "prose": "the time period to compare the internal system clocks with the authoritative time source is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-45(1)" + }, + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-45", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-45.1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-45.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and" + }, + { + "id": "sc-45.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}." + }, + { + "id": "sc-45.1_fr", + "name": "item", + "title": "SC-45(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-45.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server." + }, + { + "id": "sc-45.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server." + }, + { + "id": "sc-45.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Synchronization of system clocks improves the accuracy of log analysis." + } + ] + } + ] + }, + { + "id": "sc-45.1_gdn", + "name": "guidance", + "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." + }, + { + "id": "sc-45.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-45.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};", + "links": [ + { + "href": "#sc-45.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.", + "links": [ + { + "href": "#sc-45.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-45.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ], + "controls": [ + { + "id": "si-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Flaw Remediation Status", + "params": [ + { + "id": "si-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;" + } + ] + }, + { + "id": "si-02.02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(2)" + }, + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2.2_smt", + "name": "statement", + "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + }, + { + "id": "si-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can track and determine the status of known flaws for system components." + }, + { + "id": "si-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + } + ], + "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.", + "links": [ + { + "href": "#si-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms used to determine the state of system components with regard to flaw remediation" + } + ] + } + ] + }, + { + "id": "si-2.3", + "class": "SP800-53-enhancement", + "title": "Time to Remediate Flaws and Benchmarks for Corrective Actions", + "params": [ + { + "id": "si-02.03_odp", + "label": "benchmarks", + "guidelines": [ + { + "prose": "the benchmarks for taking corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(3)" + }, + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-2.3_smt", + "name": "statement", + "parts": [ + { + "id": "si-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Measure the time between flaw identification and flaw remediation; and" + }, + { + "id": "si-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}." + } + ] + }, + { + "id": "si-2.3_gdn", + "name": "guidance", + "prose": "Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited." + }, + { + "id": "si-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the time between flaw identification and flaw remediation is measured;", + "links": [ + { + "href": "#si-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-02.03_odp }} for taking corrective actions have been established.", + "links": [ + { + "href": "#si-2.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation" + } + ] + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ], + "controls": [ + { + "id": "si-4.1", + "class": "SP800-53-enhancement", + "title": "System-wide Intrusion Detection System", + "props": [ + { + "name": "label", + "value": "SI-4(1)" + }, + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.1_smt", + "name": "statement", + "prose": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + }, + { + "id": "si-4.1_gdn", + "name": "guidance", + "prose": "Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful." + }, + { + "id": "si-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system.", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection capabilities" + } + ] + } + ] + }, + { + "id": "si-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Tools and Mechanisms for Real-time Analysis", + "props": [ + { + "name": "label", + "value": "SI-4(2)" + }, + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-25", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.2_smt", + "name": "statement", + "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." + }, + { + "id": "si-4.2_gdn", + "name": "guidance", + "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "si-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.", + "links": [ + { + "href": "#si-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response/management" + } + ] + }, + { + "id": "si-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring\n\nmechanisms/tools supporting and/or implementing an analysis of events" + } + ] + } + ] + }, + { + "id": "si-4.4", + "class": "SP800-53-enhancement", + "title": "Inbound and Outbound Communications Traffic", + "params": [ + { + "id": "si-4.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "continuously" + } + ] + }, + { + "id": "si-4.4_prm_2", + "label": "organization-defined unusual or unauthorized activities or conditions" + }, + { + "id": "si-04.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.02", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;" + } + ] + }, + { + "id": "si-04.04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.04", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(4)" + }, + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;" + }, + { + "id": "si-4.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}." + } + ] + }, + { + "id": "si-4.4_gdn", + "name": "guidance", + "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components." + }, + { + "id": "si-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.5", + "class": "SP800-53-enhancement", + "title": "System-generated Alerts", + "params": [ + { + "id": "si-04.05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;" + } + ] + }, + { + "id": "si-04.05_odp.02", + "label": "compromise indicators", + "guidelines": [ + { + "prose": "compromise indicators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(5)" + }, + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.5_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}.", + "parts": [ + { + "id": "si-4.5_fr", + "name": "item", + "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with the incident response plan." + } + ] + } + ] + }, + { + "id": "si-4.5_gdn", + "name": "guidance", + "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats." + }, + { + "id": "si-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.", + "links": [ + { + "href": "#si-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing alerts for compromise indicators" + } + ] + } + ] + }, + { + "id": "si-4.10", + "class": "SP800-53-enhancement", + "title": "Visibility of Encrypted Communications", + "params": [ + { + "id": "si-04.10_odp.01", + "label": "encrypted communications traffic", + "guidelines": [ + { + "prose": "encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;" + } + ] + }, + { + "id": "si-04.10_odp.02", + "label": "system monitoring tools and mechanisms", + "guidelines": [ + { + "prose": "system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(10)" + }, + { + "name": "label", + "value": "SI-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.10_smt", + "name": "statement", + "prose": "Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.", + "parts": [ + { + "id": "si-4.10_fr", + "name": "item", + "title": "SI-4 (10) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)." + } + ] + } + ] + }, + { + "id": "si-4.10_gdn", + "name": "guidance", + "prose": "Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types." + }, + { + "id": "si-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(10)", + "class": "sp800-53a" + } + ], + "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.", + "links": [ + { + "href": "#si-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.11", + "class": "SP800-53-enhancement", + "title": "Analyze Communications Traffic Anomalies", + "params": [ + { + "id": "si-04.11_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(11)" + }, + { + "name": "label", + "value": "SI-04(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.11_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at the external interfaces to the system and selected {{ insert: param, si-04.11_odp }} to discover anomalies." + }, + { + "id": "si-4.11_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses." + }, + { + "id": "si-4.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.11_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;", + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.11_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(11)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies.", + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the analysis of communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.12", + "class": "SP800-53-enhancement", + "title": "Automated Organization-generated Alerts", + "params": [ + { + "id": "si-04.12_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;" + } + ] + }, + { + "id": "si-04.12_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to alert personnel or roles are defined;" + } + ] + }, + { + "id": "si-04.12_odp.03", + "label": "activities that trigger alerts", + "guidelines": [ + { + "prose": "activities that trigger alerts to personnel or are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(12)" + }, + { + "name": "label", + "value": "SI-04(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.12_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}." + }, + { + "id": "si-4.12_gdn", + "name": "guidance", + "prose": "Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records." + }, + { + "id": "si-4.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.", + "links": [ + { + "href": "#si-4.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and/or implementing automated alerts to security personnel" + } + ] + } + ] + }, + { + "id": "si-4.14", + "class": "SP800-53-enhancement", + "title": "Wireless Intrusion Detection", + "props": [ + { + "name": "label", + "value": "SI-4(14)" + }, + { + "name": "label", + "value": "SI-04(14)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.14_smt", + "name": "statement", + "prose": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system." + }, + { + "id": "si-4.14_gdn", + "name": "guidance", + "prose": "Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems." + }, + { + "id": "si-4.14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.14_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[01]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[02]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(14)[03]", + "class": "sp800-53a" + } + ], + "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.", + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(14)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(14)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(14)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection\n\nmechanisms supporting and/or implementing a wireless intrusion detection capability" + } + ] + } + ] + }, + { + "id": "si-4.16", + "class": "SP800-53-enhancement", + "title": "Correlate Monitoring Information", + "props": [ + { + "name": "label", + "value": "SI-4(16)" + }, + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.16_smt", + "name": "statement", + "prose": "Correlate information from monitoring tools and mechanisms employed throughout the system." + }, + { + "id": "si-4.16_gdn", + "name": "guidance", + "prose": "Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)." + }, + { + "id": "si-4.16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + } + ], + "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated.", + "links": [ + { + "href": "#si-4.16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(16)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(16)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(16)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the correlation of information from monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.18", + "class": "SP800-53-enhancement", + "title": "Analyze Traffic and Covert Exfiltration", + "params": [ + { + "id": "si-04.18_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(18)" + }, + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.18_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}." + }, + { + "id": "si-4.18_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography." + }, + { + "id": "si-4.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.18_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing an analysis of outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.19", + "class": "SP800-53-enhancement", + "title": "Risk for Individuals", + "params": [ + { + "id": "si-04.19_odp.01", + "label": "additional monitoring", + "guidelines": [ + { + "prose": "additional monitoring of individuals who have been identified as posing an increased level of risk is defined;" + } + ] + }, + { + "id": "si-04.19_odp.02", + "label": "sources", + "guidelines": [ + { + "prose": "sources that identify individuals who pose an increased level of risk are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(19)" + }, + { + "name": "label", + "value": "SI-04(19)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.19_smt", + "name": "statement", + "prose": "Implement {{ insert: param, si-04.19_odp.01 }} of individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk." + }, + { + "id": "si-4.19_gdn", + "name": "guidance", + "prose": "Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4.19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(19)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.", + "links": [ + { + "href": "#si-4.19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(19)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(19)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\nlegal counsel\n\nhuman resource officials\n\norganizational personnel with personnel security responsibilities" + } + ] + }, + { + "id": "si-4.19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(19)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability" + } + ] + } + ] + }, + { + "id": "si-4.20", + "class": "SP800-53-enhancement", + "title": "Privileged Users", + "params": [ + { + "id": "si-04.20_odp", + "label": "additional monitoring", + "guidelines": [ + { + "prose": "additional monitoring of privileged users is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(20)" + }, + { + "name": "label", + "value": "SI-04(20)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.20_smt", + "name": "statement", + "prose": "Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}." + }, + { + "id": "si-4.20_gdn", + "name": "guidance", + "prose": "Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions." + }, + { + "id": "si-4.20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(20)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.20_odp }} of privileged users is implemented.", + "links": [ + { + "href": "#si-4.20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(20)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(20)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4.20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(20)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability" + } + ] + } + ] + }, + { + "id": "si-4.22", + "class": "SP800-53-enhancement", + "title": "Unauthorized Network Services", + "params": [ + { + "id": "si-04.22_odp.01", + "label": "authorization or approval processes", + "guidelines": [ + { + "prose": "authorization or approval processes for network services are defined;" + } + ] + }, + { + "id": "si-04.22_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "audit", + "alert {{ insert: param, si-04.22_odp.03 }} " + ] + } + }, + { + "id": "si-04.22_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(22)" + }, + { + "name": "label", + "value": "SI-04(22)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.22_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and" + }, + { + "id": "si-4.22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, si-04.22_odp.02 }} when detected." + } + ] + }, + { + "id": "si-4.22_gdn", + "name": "guidance", + "prose": "Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services." + }, + { + "id": "si-4.22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)(a)", + "class": "sp800-53a" + } + ], + "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;", + "links": [ + { + "href": "#si-4.22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(22)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.", + "links": [ + { + "href": "#si-4.22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(22)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(22)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4.22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(22)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts" + } + ] + } + ] + }, + { + "id": "si-4.23", + "class": "SP800-53-enhancement", + "title": "Host-based Devices", + "params": [ + { + "id": "si-04.23_odp.01", + "label": "host-based monitoring mechanisms", + "guidelines": [ + { + "prose": "host-based monitoring mechanisms to be implemented on system components are defined;" + } + ] + }, + { + "id": "si-04.23_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based monitoring is to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(23)" + }, + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.23_smt", + "name": "statement", + "prose": "Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}." + }, + { + "id": "si-4.23_gdn", + "name": "guidance", + "prose": "Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors." + }, + { + "id": "si-4.23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.", + "links": [ + { + "href": "#si-4.23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(23)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(23)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts" + } + ] + }, + { + "id": "si-4.23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(23)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a host-based monitoring capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ], + "controls": [ + { + "id": "si-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Alerts and Advisories", + "params": [ + { + "id": "si-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5(1)" + }, + { + "name": "label", + "value": "SI-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-5.1_smt", + "name": "statement", + "prose": "Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}." + }, + { + "id": "si-5.1_gdn", + "name": "guidance", + "prose": "The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level." + }, + { + "id": "si-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.", + "links": [ + { + "href": "#si-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and/or implementing the dissemination of security alerts and advisories" + } + ] + } + ] + } + ] + }, + { + "id": "si-6", + "class": "SP800-53", + "title": "Security and Privacy Function Verification", + "params": [ + { + "id": "si-6_prm_1", + "label": "organization-defined security and privacy functions" + }, + { + "id": "si-06_odp.01", + "label": "security functions", + "guidelines": [ + { + "prose": "security functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.02", + "label": "privacy functions", + "guidelines": [ + { + "prose": "privacy functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-06_odp.04 }} ", + "upon command by user with appropriate privilege", + " {{ insert: param, si-06_odp.05 }} " + ] + } + }, + { + "id": "si-06_odp.04", + "label": "system transitional states", + "constraints": [ + { + "description": "to include upon system startup and/or restart" + } + ], + "guidelines": [ + { + "prose": "system transitional states requiring the verification of security and privacy functions are defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.06", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include system administrators and security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted of failed security and privacy verification tests is/are defined;" + } + ] + }, + { + "id": "si-06_odp.07", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut the system down", + "restart the system", + " {{ insert: param, si-06_odp.08 }} " + ] + } + }, + { + "id": "si-06_odp.08", + "label": "alternative action(s)", + "guidelines": [ + { + "prose": "alternative action(s) to be performed when anomalies are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-6" + }, + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-6_smt", + "name": "statement", + "parts": [ + { + "id": "si-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verify the correct operation of {{ insert: param, si-6_prm_1 }};" + }, + { + "id": "si-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};" + }, + { + "id": "si-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and" + }, + { + "id": "si-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + } + ] + }, + { + "id": "si-6_gdn", + "name": "guidance", + "prose": "Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected." + }, + { + "id": "si-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.", + "links": [ + { + "href": "#si-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "si-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy function verification\n\nmechanisms supporting and/or implementing the security and privacy function verification capability" + } + ] + } + ] + }, + { + "id": "si-7", + "class": "SP800-53", + "title": "Software, Firmware, and Information Integrity", + "params": [ + { + "id": "si-7_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7_prm_2", + "label": "organization-defined actions" + }, + { + "id": "si-07_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.02", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.04", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to software are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.05", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to firmware are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.06", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to information are detected are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7" + }, + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#e47ee630-9cbc-4133-880e-e013f83ccd51", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7_smt", + "name": "statement", + "parts": [ + { + "id": "si-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and" + }, + { + "id": "si-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}." + } + ] + }, + { + "id": "si-7_gdn", + "name": "guidance", + "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications." + }, + { + "id": "si-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "si-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ], + "controls": [ + { + "id": "si-7.1", + "class": "SP800-53-enhancement", + "title": "Integrity Checks", + "params": [ + { + "id": "si-7.1_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7.1_prm_2", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-7.1_prm_3 }} ", + " {{ insert: param, si-7.1_prm_4 }} " + ] + } + }, + { + "id": "si-7.1_prm_3", + "label": "organization-defined transitional states or security-relevant events", + "constraints": [ + { + "description": "selection to include security relevant event" + } + ] + }, + { + "id": "si-7.1_prm_4", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "si-07.01_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.03 }} ", + " {{ insert: param, si-07.01_odp.04 }} " + ] + } + }, + { + "id": "si-07.01_odp.03", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on software) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.05", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.06", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.07 }} ", + " {{ insert: param, si-07.01_odp.08 }} " + ] + } + }, + { + "id": "si-07.01_odp.07", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on firmware) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.09", + "label": "information", + "guidelines": [ + { + "prose": "information on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.10", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.11 }} ", + " {{ insert: param, si-07.01_odp.12 }} " + ] + } + }, + { + "id": "si-07.01_odp.11", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.12", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (of information) is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(1)" + }, + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.1_smt", + "name": "statement", + "prose": "Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}." + }, + { + "id": "si-7.1_gdn", + "name": "guidance", + "prose": "Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." + }, + { + "id": "si-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ] + }, + { + "id": "si-7.2", + "class": "SP800-53-enhancement", + "title": "Automated Notifications of Integrity Violations", + "params": [ + { + "id": "si-07.02_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(2)" + }, + { + "name": "label", + "value": "SI-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.2_smt", + "name": "statement", + "prose": "Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification." + }, + { + "id": "si-7.2_gdn", + "name": "guidance", + "prose": "The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers." + }, + { + "id": "si-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.", + "links": [ + { + "href": "#si-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers" + } + ] + }, + { + "id": "si-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications" + } + ] + } + ] + }, + { + "id": "si-7.5", + "class": "SP800-53-enhancement", + "title": "Automated Response to Integrity Violations", + "params": [ + { + "id": "si-07.05_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut down the system", + "restart the system", + "implement {{ insert: param, si-07.05_odp.02 }} " + ] + } + }, + { + "id": "si-07.05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented automatically when integrity violations are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(5)" + }, + { + "name": "label", + "value": "SI-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.5_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered." + }, + { + "id": "si-7.5_gdn", + "name": "guidance", + "prose": "Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur." + }, + { + "id": "si-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.", + "links": [ + { + "href": "#si-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered" + } + ] + } + ] + }, + { + "id": "si-7.7", + "class": "SP800-53-enhancement", + "title": "Integration of Detection and Response", + "params": [ + { + "id": "si-07.07_odp", + "label": "changes", + "guidelines": [ + { + "prose": "security-relevant changes to the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(7)" + }, + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.7_smt", + "name": "statement", + "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}." + }, + { + "id": "si-7.7_gdn", + "name": "guidance", + "prose": "Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges." + }, + { + "id": "si-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + } + ], + "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.", + "links": [ + { + "href": "#si-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities" + } + ] + }, + { + "id": "si-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability" + } + ] + } + ] + }, + { + "id": "si-7.15", + "class": "SP800-53-enhancement", + "title": "Code Authentication", + "params": [ + { + "id": "si-07.15_odp", + "label": "software or firmware components", + "constraints": [ + { + "description": "to include all software and firmware inside the boundary" + } + ], + "guidelines": [ + { + "prose": "software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(15)" + }, + { + "name": "label", + "value": "SI-07(15)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.15_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}." + }, + { + "id": "si-7.15_gdn", + "name": "guidance", + "prose": "Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions." + }, + { + "id": "si-7.15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(15)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.", + "links": [ + { + "href": "#si-7.15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(15)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(15)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(15)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms authenticating software and firmware prior to installation" + } + ] + } + ] + } + ] + }, + { + "id": "si-8", + "class": "SP800-53", + "title": "Spam Protection", + "props": [ + { + "name": "label", + "value": "SI-8" + }, + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#314e33cb-3681-4b50-a2a2-3fae9604accd", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-8_smt", + "name": "statement", + "parts": [ + { + "id": "si-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" + }, + { + "id": "si-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." + }, + { + "id": "si-8_fr", + "name": "item", + "title": "SI-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/" + }, + { + "id": "si-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients." + } + ] + } + ] + }, + { + "id": "si-8_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." + }, + { + "id": "si-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[01]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[02]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[03]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[04]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08b.", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.", + "links": [ + { + "href": "#si-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for implementing spam protection\n\nmechanisms supporting and/or implementing spam protection" + } + ] + } + ], + "controls": [ + { + "id": "si-8.2", + "class": "SP800-53-enhancement", + "title": "Automatic Updates", + "params": [ + { + "id": "si-08.02_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to automatically update spam protection mechanisms is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-8(2)" + }, + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#si-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-8.2_smt", + "name": "statement", + "prose": "Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}." + }, + { + "id": "si-8.2_gdn", + "name": "guidance", + "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities." + }, + { + "id": "si-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.", + "links": [ + { + "href": "#si-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for spam protection\n\nmechanisms supporting and/or implementing automatic updates to spam protection mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "si-10", + "class": "SP800-53", + "title": "Information Input Validation", + "params": [ + { + "id": "si-10_odp", + "label": "information inputs", + "guidelines": [ + { + "prose": "information inputs to the system requiring validity checks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-10" + }, + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + } + ], + "parts": [ + { + "id": "si-10_smt", + "name": "statement", + "prose": "Check the validity of the following information inputs: {{ insert: param, si-10_odp }}.", + "parts": [ + { + "id": "si-10_fr", + "name": "item", + "title": "SI-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Validate all information inputs and document any exceptions" + } + ] + } + ] + }, + { + "id": "si-10_gdn", + "name": "guidance", + "prose": "Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks." + }, + { + "id": "si-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + } + ], + "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.", + "links": [ + { + "href": "#si-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing validity checks on information inputs" + } + ] + } + ] + }, + { + "id": "si-11", + "class": "SP800-53", + "title": "Error Handling", + "params": [ + { + "id": "si-11_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom error messages are to be revealed is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-11" + }, + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-11_smt", + "name": "statement", + "parts": [ + { + "id": "si-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" + }, + { + "id": "si-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Reveal error messages only to {{ insert: param, si-11_odp }}." + } + ] + }, + { + "id": "si-11_gdn", + "name": "guidance", + "prose": "Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." + }, + { + "id": "si-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11a.", + "class": "sp800-53a" + } + ], + "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;", + "links": [ + { + "href": "#si-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11b.", + "class": "sp800-53a" + } + ], + "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.", + "links": [ + { + "href": "#si-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing the management of error messages" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + }, + { + "id": "si-16", + "class": "SP800-53", + "title": "Memory Protection", + "params": [ + { + "id": "si-16_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented to protect the system memory from unauthorized code execution are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-16" + }, + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-16_smt", + "name": "statement", + "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}." + }, + { + "id": "si-16_gdn", + "name": "guidance", + "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." + }, + { + "id": "si-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.", + "links": [ + { + "href": "#si-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ] + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-6", + "class": "SP800-53", + "title": "Supplier Assessments and Reviews", + "params": [ + { + "id": "sr-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-6" + }, + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-6_smt", + "name": "statement", + "prose": "Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.", + "parts": [ + { + "id": "sr-6_fr", + "name": "item", + "title": "SR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products." + } + ] + } + ] + }, + { + "id": "sr-6_gdn", + "name": "guidance", + "prose": "An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts." + }, + { + "id": "sr-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + } + ], + "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.", + "links": [ + { + "href": "#sr-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting supplier reviews\n\nmechanisms supporting and/or implementing supplier reviews" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-9", + "class": "SP800-53", + "title": "Tamper Resistance and Detection", + "props": [ + { + "name": "label", + "value": "SR-9" + }, + { + "name": "label", + "value": "SR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-9_smt", + "name": "statement", + "prose": "Implement a tamper protection program for the system, system component, or system service.", + "parts": [ + { + "id": "sr-9_fr", + "name": "item", + "title": "SR-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place." + } + ] + } + ] + }, + { + "id": "sr-9_gdn", + "name": "guidance", + "prose": "Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use." + }, + { + "id": "sr-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-09", + "class": "sp800-53a" + } + ], + "prose": "a tamper protection program is implemented for the system, system component, or system service.", + "links": [ + { + "href": "#sr-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and/or implementing the tamper protection program" + } + ] + } + ], + "controls": [ + { + "id": "sr-9.1", + "class": "SP800-53-enhancement", + "title": "Multiple Stages of System Development Life Cycle", + "props": [ + { + "name": "label", + "value": "SR-9(1)" + }, + { + "name": "label", + "value": "SR-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-9", + "rel": "required" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-9.1_smt", + "name": "statement", + "prose": "Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle." + }, + { + "id": "sr-9.1_gdn", + "name": "guidance", + "prose": "The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage." + }, + { + "id": "sr-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-09(01)", + "class": "sp800-53a" + } + ], + "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.", + "links": [ + { + "href": "#sr-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities" + } + ] + }, + { + "id": "sr-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and/or implementing anti-tamper technologies" + } + ] + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "4f42ee6e-86cc-403b-a51f-76c2b4f81b54", + "title": "DHS TIC", + "citation": { + "text": "Department of Homeland Security, *Trusted Internet Connections (TIC)*." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/trusted-internet-connections" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "title": "EO 13556", + "citation": { + "text": "Executive Order 13556, *Controlled Unclassified Information* , November 2010." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "e4d37285-1e79-4029-8b6a-42df39cace30", + "title": "IETF 5905", + "citation": { + "text": "Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010." + }, + "rlinks": [ + { + "href": "https://tools.ietf.org/pdf/rfc5905.pdf" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "a2590922-82f3-4277-83c0-ca5bee06dba4", + "title": "IR 8112", + "citation": { + "text": "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8112" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "e47ee630-9cbc-4133-880e-e013f83ccd51", + "title": "SP 800-147", + "citation": { + "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-147" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "title": "SP 800-154", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "f641309f-a3ad-48be-8c67-2b318648b2f5", + "title": "SP 800-28", + "citation": { + "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "8cb338a4-e493-4177-818f-3af18983ddc5", + "title": "SP 800-32", + "citation": { + "text": "Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-32" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "314e33cb-3681-4b50-a2a2-3fae9604accd", + "title": "SP 800-45", + "citation": { + "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "9099ed2c-922a-493d-bcb4-d896192243ff", + "title": "SP 800-63A", + "citation": { + "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63a" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "title": "SP 800-95", + "citation": { + "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-95" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile-min.json index 05d82e135..04551182c 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile-min.json @@ -6232,7 +6232,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json index 2a0e10ce9..0db1cfdbd 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline_profile.json @@ -6232,7 +6232,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog-min.json index c353942e1..b0ffda1da 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog-min.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "4aec79b6-d24f-45e5-9eb8-364a00656b9e", + "uuid": "f64f62d2-ae80-4908-9674-da5201f1b2d7", "metadata": { "title": "FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:42.148396-05:00", + "last-modified": "2024-01-11T18:07:19.115856-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,42372 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj_fr", + "name": "assessment-objective", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST", + "class": "fedramp" + } + ], + "prose": "Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions." + }, + { + "id": "ac-2_asmt_fr.1", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records." + } + ] + }, + { + "id": "ac-2_asmt_fr.2", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities." + } + ] + }, + { + "id": "ac-2_asmt_fr.3", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the information system; automated mechanisms for implementing account management." + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication." + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FED - This is related to agency data and agency policy solution." + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FED - This is related to agency data and agency policy solution." + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1])." + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1])." + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs." + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments." + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured." + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements." + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}." + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured." + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals\u2019 privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Required - Specifically include details of least functionality." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6(a) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement 1:" + } + ], + "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)." + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO- Not directly related to protection of the data." + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations." + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "classroom exercise/table top written tests" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts." + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement multi-factor authentication for access to privileged accounts." + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + }, + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts." + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014 Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + }, + { + "id": "ia-2.12_obj_fr", + "name": "objective", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST", + "class": "fedramp" + } + ], + "prose": "Determine if the information system:\n\n* Accepts PIV credentials.\n* Electronically verifies PIV credentials.\n" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors\u2014including security, privacy, scalability, and practicality\u2014when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}." + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically attest to US-CERT compliance." + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel\u2014such as information technology manufacturers, vendors, systems integrators, and consultants\u2014may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media" + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques\u2014including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction\u2014prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14(a) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization\u2019s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide\u2014explicitly or by reference\u2014sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today\u2019s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization\u2019s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system." + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals\u2019 privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization\u2019s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically stating that any third-party security personnel are treated as CSP employees." + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities\u2014such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers\u2014are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization\u2019s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "prior to a new scan" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + } + ], + "controls": [ + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: If availability is a requirement, define protections in place as per control requirement." + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission." + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}." + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: If implementing need to detail how they meet it or don't meet it." + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Not directly related to the security of the SaaS." + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources." + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers\u2014one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}." + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}." + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically related to US-CERT and FedRAMP communications procedures." + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}." + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology\u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology \u2014 Open Trusted Technology Provider\u2122 Standard (O-TTPS) \u2014 Mitigating maliciously tainted and counterfeit products \u2014 Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology\u2014Security techniques\u2014Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology\u2014Security techniques\u2014Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering\u2014Life cycle processes\u2014Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 \u2013 General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 \u2013 Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.json index f5852ca60..b1f2af989 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "4aec79b6-d24f-45e5-9eb8-364a00656b9e", + "uuid": "f64f62d2-ae80-4908-9674-da5201f1b2d7", "metadata": { "title": "FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:42.148396-05:00", + "last-modified": "2024-01-11T18:07:19.115856-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,42372 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj_fr", + "name": "assessment-objective", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST", + "class": "fedramp" + } + ], + "prose": "Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions." + }, + { + "id": "ac-2_asmt_fr.1", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records." + } + ] + }, + { + "id": "ac-2_asmt_fr.2", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities." + } + ] + }, + { + "id": "ac-2_asmt_fr.3", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the information system; automated mechanisms for implementing account management." + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication." + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FED - This is related to agency data and agency policy solution." + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FED - This is related to agency data and agency policy solution." + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1])." + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1])." + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs." + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments." + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured." + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements." + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}." + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured." + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Required - Specifically include details of least functionality." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6(a) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement 1:" + } + ], + "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)." + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO- Not directly related to protection of the data." + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations." + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "classroom exercise/table top written tests" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs." + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts." + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement multi-factor authentication for access to privileged accounts." + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + }, + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts." + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts — Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + }, + { + "id": "ia-2.12_obj_fr", + "name": "objective", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW", + "class": "fedramp" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST", + "class": "fedramp" + } + ], + "prose": "Determine if the information system:\n\n* Accepts PIV credentials.\n* Electronically verifies PIV credentials.\n" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP." + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}." + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically attest to US-CERT compliance." + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media" + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14(a) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS." + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization’s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system." + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "FED", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically stating that any third-party security personnel are treated as CSP employees." + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "prior to a new scan" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + } + ], + "controls": [ + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: If availability is a requirement, define protections in place as per control requirement." + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission." + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}." + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "CONDITIONAL", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Condition: If implementing need to detail how they meet it or don't meet it." + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "NSO", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "NSO - Not directly related to the security of the SaaS." + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources." + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}." + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}." + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ASSESS", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "props": [ + { + "name": "response-point", + "ns": "https://fedramp.gov/ns/oscal", + "value": "Required" + } + ], + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "name": "guidance", + "class": "FedRAMP-Tailored-LI-SaaS", + "prose": "Attestation - Specifically related to US-CERT and FedRAMP communications procedures." + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}." + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + }, + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "ATTEST", + "class": "FedRAMP-Tailored-LI-SaaS" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile-min.json index d467c2a5e..30be19546 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile-min.json @@ -6141,7 +6141,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/oscal+json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile.json index 521740cf8..93f2a6764 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LI-SaaS-baseline_profile.json @@ -6141,7 +6141,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/oscal+json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog-min.json index 41070ed90..3c3ed8981 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog-min.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "3692455f-a09d-4523-b9c7-8f4630c06ba4", + "uuid": "35042880-1779-490e-aca6-409ea1086471", "metadata": { "title": "FedRAMP Rev 5 Low Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:49.732066-05:00", + "last-modified": "2024-01-11T18:07:47.981586-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,64760 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B" + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. " + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments." + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) (1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals\u2019 privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;" + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP\u2019s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "classroom exercise/table top written tests" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + }, + { + "id": "ia-2_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014 Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization) " + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn\u2019t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors\u2014including security, privacy, scalability, and practicality\u2014when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL1 (low baseline) * 30 days of extended session * No limit on inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel\u2014such as information technology manufacturers, vendors, systems integrators, and consultants\u2014may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media" + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques\u2014including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction\u2014prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization\u2019s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide\u2014explicitly or by reference\u2014sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today\u2019s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization\u2019s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals\u2019 privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization\u2019s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours " + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a \u201cwarning\u201d as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on \u201cTracking of Compliance Scans\u201d in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities\u2014such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers\u2014are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization\u2019s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "prior to a new scan" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n \n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work \u2013 e.g. log collection, scanning, etc.\n\n\n \n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters \n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information] " + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n \n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n \n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS\u2019s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS\u2019 recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n \n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n \n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n \n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf " + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n \n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n* DNSSEC resolution to access a component inside the boundary is excluded.\n" + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers\u2014one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology\u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology \u2014 Open Trusted Technology Provider\u2122 Standard (O-TTPS) \u2014 Mitigating maliciously tainted and counterfeit products \u2014 Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology\u2014Security techniques\u2014Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology\u2014Security techniques\u2014Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering\u2014Life cycle processes\u2014Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 \u2013 General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 \u2013 Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.json index e9e18d6e6..42785497d 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "3692455f-a09d-4523-b9c7-8f4630c06ba4", + "uuid": "35042880-1779-490e-aca6-409ea1086471", "metadata": { "title": "FedRAMP Rev 5 Low Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:49.732066-05:00", + "last-modified": "2024-01-11T18:07:47.981586-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,64760 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B" + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. " + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments." + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) (1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;" + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "classroom exercise/table top written tests" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + }, + { + "id": "ia-2_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts — Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization) " + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL1 (low baseline) * 30 days of extended session * No limit on inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media" + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization’s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours " + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "prior to a new scan" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n \n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work – e.g. log collection, scanning, etc.\n\n\n \n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters \n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information] " + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n \n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n \n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n \n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n \n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n \n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf " + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n \n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n* DNSSEC resolution to access a component inside the boundary is excluded.\n" + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years " + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile-min.json index 384733a05..7ab4b4aba 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile-min.json @@ -3570,7 +3570,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/oscal+json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile.json index 3d50c408d..54c4bbb95 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_LOW-baseline_profile.json @@ -3570,7 +3570,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/oscal+json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog-min.json index c0e51b166..fef4533d8 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog-min.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "36094314-56ce-43fd-9ab8-0e1f6fa6bfaa", + "uuid": "05787e43-fa8f-4f67-9a3b-2240fb4d9a78", "metadata": { "title": "FedRAMP Rev 5 Moderate Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:56.71703-05:00", + "last-modified": "2024-01-11T18:08:21.203723-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,100600 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "quarterly for privileged access, annually for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ], + "controls": [ + { + "id": "ac-2.1", + "class": "SP800-53-enhancement", + "title": "Automated System Account Management", + "params": [ + { + "id": "ac-02.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the management of system accounts are defined; " + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(1)" + }, + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.1_smt", + "name": "statement", + "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}." + }, + { + "id": "ac-2.1_gdn", + "name": "guidance", + "prose": "Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications." + }, + { + "id": "ac-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + } + ], + "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.", + "links": [ + { + "href": "#ac-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Temporary and Emergency Account Management", + "params": [ + { + "id": "ac-02.02_odp.01", + "constraints": [ + { + "description": "Selection: disables" + } + ], + "select": { + "choice": [ + "remove", + "disable" + ] + } + }, + { + "id": "ac-02.02_odp.02", + "label": "time period", + "constraints": [ + { + "description": "no more than 96 hours from last use" + } + ], + "guidelines": [ + { + "prose": "the time period after which to automatically remove or disable temporary or emergency accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(2)" + }, + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.2_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}." + }, + { + "id": "ac-2.2_gdn", + "name": "guidance", + "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation." + }, + { + "id": "ac-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + } + ], + "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.", + "links": [ + { + "href": "#ac-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and/or disabled\n\nsystem-generated list of emergency accounts removed and/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.3", + "class": "SP800-53-enhancement", + "title": "Disable Accounts", + "params": [ + { + "id": "ac-02.03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "24 hours for user accounts" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts is defined;" + } + ] + }, + { + "id": "ac-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "ninety (90) days (See additional requirements and guidance.)" + } + ], + "guidelines": [ + { + "prose": "time period for account inactivity before disabling is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(3)" + }, + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.3_smt", + "name": "statement", + "prose": "Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:", + "parts": [ + { + "id": "ac-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have expired;" + }, + { + "id": "ac-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Are no longer associated with a user or individual;" + }, + { + "id": "ac-2.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Are in violation of organizational policy; or" + }, + { + "id": "ac-2.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Have been inactive for {{ insert: param, ac-02.03_odp.02 }}." + }, + { + "id": "ac-2.3_fr", + "name": "item", + "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available." + }, + { + "id": "ac-2.3_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines the time period of inactivity for device identifiers." + }, + { + "id": "ac-2.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/." + } + ] + } + ] + }, + { + "id": "ac-2.3_gdn", + "name": "guidance", + "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system." + }, + { + "id": "ac-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;", + "links": [ + { + "href": "#ac-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;", + "links": [ + { + "href": "#ac-2.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;", + "links": [ + { + "href": "#ac-2.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.", + "links": [ + { + "href": "#ac-2.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.4", + "class": "SP800-53-enhancement", + "title": "Automated Audit Actions", + "props": [ + { + "name": "label", + "value": "AC-2(4)" + }, + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.4_smt", + "name": "statement", + "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." + }, + { + "id": "ac-2.4_gdn", + "name": "guidance", + "prose": "Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)." + }, + { + "id": "ac-2.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "account creation is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "account modification is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[03]", + "class": "sp800-53a" + } + ], + "prose": "account enabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[04]", + "class": "sp800-53a" + } + ], + "prose": "account disabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[05]", + "class": "sp800-53a" + } + ], + "prose": "account removal actions are automatically audited.", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.5", + "class": "SP800-53-enhancement", + "title": "Inactivity Logout", + "params": [ + { + "id": "ac-02.05_odp", + "label": "time period of expected inactivity or description of when to log out", + "constraints": [ + { + "description": "for privileged users, it is the end of a user's standard work period" + } + ], + "guidelines": [ + { + "prose": "the time period of expected inactivity or description of when to log out is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(5)" + }, + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#ac-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.5_smt", + "name": "statement", + "prose": "Require that users log out when {{ insert: param, ac-02.05_odp }}.", + "parts": [ + { + "id": "ac-2.5_fr", + "name": "item", + "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Should use a shorter timeframe than AC-12." + } + ] + } + ] + }, + { + "id": "ac-2.5_gdn", + "name": "guidance", + "prose": "Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)." + }, + { + "id": "ac-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.", + "links": [ + { + "href": "#ac-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy" + } + ] + } + ] + }, + { + "id": "ac-2.7", + "class": "SP800-53-enhancement", + "title": "Privileged User Accounts", + "params": [ + { + "id": "ac-02.07_odp", + "select": { + "choice": [ + "a role-based access scheme", + "an attribute-based access scheme" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(7)" + }, + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};" + }, + { + "id": "ac-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor privileged role or attribute assignments;" + }, + { + "id": "ac-2.7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Monitor changes to roles or attributes; and" + }, + { + "id": "ac-2.7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Revoke access when privileged role or attribute assignments are no longer appropriate." + } + ] + }, + { + "id": "ac-2.7_gdn", + "name": "guidance", + "prose": "Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes." + }, + { + "id": "ac-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};", + "links": [ + { + "href": "#ac-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileged role or attribute assignments are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(c)", + "class": "sp800-53a" + } + ], + "prose": "changes to roles or attributes are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(d)", + "class": "sp800-53a" + } + ], + "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.", + "links": [ + { + "href": "#ac-2.7_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments" + } + ] + } + ] + }, + { + "id": "ac-2.9", + "class": "SP800-53-enhancement", + "title": "Restrictions on Use of Shared and Group Accounts", + "params": [ + { + "id": "ac-02.09_odp", + "label": "conditions", + "constraints": [ + { + "description": "organization-defined need with justification statement that explains why such accounts are necessary" + } + ], + "guidelines": [ + { + "prose": "conditions for establishing shared and group accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(9)" + }, + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.9_smt", + "name": "statement", + "prose": "Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.", + "parts": [ + { + "id": "ac-2.9_fr", + "name": "item", + "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Required if shared/group accounts are deployed." + } + ] + } + ] + }, + { + "id": "ac-2.9_gdn", + "name": "guidance", + "prose": "Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts." + }, + { + "id": "ac-2.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + } + ], + "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.", + "links": [ + { + "href": "#ac-2.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of shared/group accounts" + } + ] + } + ] + }, + { + "id": "ac-2.12", + "class": "SP800-53-enhancement", + "title": "Account Monitoring for Atypical Usage", + "params": [ + { + "id": "ac-02.12_odp.01", + "label": "atypical usage", + "guidelines": [ + { + "prose": "atypical usage for which to monitor system accounts is defined;" + } + ] + }, + { + "id": "ac-02.12_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to report atypical usage is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(12)" + }, + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.12_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and" + }, + { + "id": "ac-2.12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}." + }, + { + "id": "ac-2.12_fr", + "name": "item", + "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Required for privileged accounts." + }, + { + "id": "ac-2.12_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "Required for privileged accounts." + } + ] + } + ] + }, + { + "id": "ac-2.12_gdn", + "name": "guidance", + "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "ac-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(a)", + "class": "sp800-53a" + } + ], + "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ", + "links": [ + { + "href": "#ac-2.12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(b)", + "class": "sp800-53a" + } + ], + "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.", + "links": [ + { + "href": "#ac-2.12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.13", + "class": "SP800-53-enhancement", + "title": "Disable Accounts for High-risk Individuals", + "params": [ + { + "id": "ac-02.13_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;" + } + ] + }, + { + "id": "ac-02.13_odp.02", + "label": "significant risks", + "guidelines": [ + { + "prose": "significant risks leading to disabling accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(13)" + }, + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.13_smt", + "name": "statement", + "prose": "Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}." + }, + { + "id": "ac-2.13_gdn", + "name": "guidance", + "prose": "Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals." + }, + { + "id": "ac-2.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + } + ], + "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.", + "links": [ + { + "href": "#ac-2.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-4", + "class": "SP800-53", + "title": "Information Flow Enforcement", + "params": [ + { + "id": "ac-04_odp", + "label": "information flow control policies", + "guidelines": [ + { + "prose": "information flow control policies within the system and between connected systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4" + }, + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#a2590922-82f3-4277-83c0-ca5bee06dba4", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4_smt", + "name": "statement", + "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}." + }, + { + "id": "ac-4_gdn", + "name": "guidance", + "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)." + }, + { + "id": "ac-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.", + "links": [ + { + "href": "#ac-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ], + "controls": [ + { + "id": "ac-4.21", + "class": "SP800-53-enhancement", + "title": "Physical or Logical Separation of Information Flows", + "params": [ + { + "id": "ac-4.21_prm_1", + "label": "organization-defined mechanisms and/or techniques" + }, + { + "id": "ac-04.21_odp.01", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to logically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.02", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to physically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.03", + "label": "required separations", + "guidelines": [ + { + "prose": "required separations by types of information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(21)" + }, + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#sc-32", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.21_smt", + "name": "statement", + "prose": "Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}." + }, + { + "id": "ac-4.21_gdn", + "name": "guidance", + "prose": "Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels." + }, + { + "id": "ac-4.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-4.21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[01]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[02]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-5", + "class": "SP800-53", + "title": "Separation of Duties", + "params": [ + { + "id": "ac-05_odp", + "label": "duties of individuals", + "guidelines": [ + { + "prose": "duties of individuals requiring separation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-5" + }, + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-5_smt", + "name": "statement", + "parts": [ + { + "id": "ac-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document {{ insert: param, ac-05_odp }} ; and" + }, + { + "id": "ac-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define system access authorizations to support separation of duties." + }, + { + "id": "ac-5_fr", + "name": "item", + "title": "AC-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs have the option to provide a separation of duties matrix as an attachment to the SSP." + } + ] + } + ] + }, + { + "id": "ac-5_gdn", + "name": "guidance", + "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)." + }, + { + "id": "ac-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-05_odp }} are identified and documented;", + "links": [ + { + "href": "#ac-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05b.", + "class": "sp800-53a" + } + ], + "prose": "system access authorizations to support separation of duties are defined.", + "links": [ + { + "href": "#ac-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing separation of duties policy" + } + ] + } + ] + }, + { + "id": "ac-6", + "class": "SP800-53", + "title": "Least Privilege", + "props": [ + { + "name": "label", + "value": "AC-6" + }, + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6_smt", + "name": "statement", + "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." + }, + { + "id": "ac-6_gdn", + "name": "guidance", + "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." + }, + { + "id": "ac-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + } + ], + "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", + "links": [ + { + "href": "#ac-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ], + "controls": [ + { + "id": "ac-6.1", + "class": "SP800-53-enhancement", + "title": "Authorize Access to Security Functions", + "params": [ + { + "id": "ac-6.1_prm_2", + "label": "organization-defined security functions (deployed in hardware, software, and firmware)" + }, + { + "id": "ac-06.01_odp.01", + "label": "individuals and roles", + "guidelines": [ + { + "prose": "individuals and roles with authorized access to security functions and security-relevant information are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.02", + "label": "security functions (deployed in hardware)", + "guidelines": [ + { + "prose": "security functions (deployed in hardware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.03", + "label": "security functions (deployed in software)", + "guidelines": [ + { + "prose": "security functions (deployed in software) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.04", + "label": "security functions (deployed in firmware)", + "guidelines": [ + { + "prose": "security functions (deployed in firmware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.05", + "label": "security-relevant information", + "guidelines": [ + { + "prose": "security-relevant information for authorized access is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(1)" + }, + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.1_smt", + "name": "statement", + "prose": "Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:", + "parts": [ + { + "id": "ac-6.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": " {{ insert: param, ac-6.1_prm_2 }} ; and" + }, + { + "id": "ac-6.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, ac-06.01_odp.05 }}." + } + ] + }, + { + "id": "ac-6.1_gdn", + "name": "guidance", + "prose": "Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." + }, + { + "id": "ac-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.", + "links": [ + { + "href": "#ac-6.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.2", + "class": "SP800-53-enhancement", + "title": "Non-privileged Access for Nonsecurity Functions", + "params": [ + { + "id": "ac-06.02_odp", + "label": "security functions or security-relevant information", + "constraints": [ + { + "description": "all security functions" + } + ], + "guidelines": [ + { + "prose": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(2)" + }, + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.2_smt", + "name": "statement", + "prose": "Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.", + "parts": [ + { + "id": "ac-6.2_fr", + "name": "item", + "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-6.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions." + } + ] + } + ] + }, + { + "id": "ac-6.2_gdn", + "name": "guidance", + "prose": "Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." + }, + { + "id": "ac-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + } + ], + "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.", + "links": [ + { + "href": "#ac-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.5", + "class": "SP800-53-enhancement", + "title": "Privileged Accounts", + "params": [ + { + "id": "ac-06.05_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to which privileged accounts on the system are to be restricted is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(5)" + }, + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.5_smt", + "name": "statement", + "prose": "Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}." + }, + { + "id": "ac-6.5_gdn", + "name": "guidance", + "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk." + }, + { + "id": "ac-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.", + "links": [ + { + "href": "#ac-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.7", + "class": "SP800-53-enhancement", + "title": "Review of User Privileges", + "params": [ + { + "id": "ac-06.07_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at a minimum, annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the privileges assigned to roles or classes of users is defined;" + } + ] + }, + { + "id": "ac-06.07_odp.02", + "label": "roles and classes", + "constraints": [ + { + "description": "all users with privileges" + } + ], + "guidelines": [ + { + "prose": "roles or classes of users to which privileges are assigned are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(7)" + }, + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-6.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and" + }, + { + "id": "ac-6.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." + } + ] + }, + { + "id": "ac-6.7_gdn", + "name": "guidance", + "prose": "The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." + }, + { + "id": "ac-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;", + "links": [ + { + "href": "#ac-6.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.", + "links": [ + { + "href": "#ac-6.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing review of user privileges" + } + ] + } + ] + }, + { + "id": "ac-6.9", + "class": "SP800-53-enhancement", + "title": "Log Use of Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(9)" + }, + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.9_smt", + "name": "statement", + "prose": "Log the execution of privileged functions." + }, + { + "id": "ac-6.9_gdn", + "name": "guidance", + "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat." + }, + { + "id": "ac-6.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged functions is logged.", + "links": [ + { + "href": "#ac-6.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms auditing the execution of least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.10", + "class": "SP800-53-enhancement", + "title": "Prohibit Non-privileged Users from Executing Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(10)" + }, + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.10_smt", + "name": "statement", + "prose": "Prevent non-privileged users from executing privileged functions." + }, + { + "id": "ac-6.10_gdn", + "name": "guidance", + "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)." + }, + { + "id": "ac-6.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + } + ], + "prose": "non-privileged users are prevented from executing privileged functions.", + "links": [ + { + "href": "#ac-6.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for non-privileged users" + } + ] + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B" + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-11", + "class": "SP800-53", + "title": "Device Lock", + "params": [ + { + "id": "ac-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { + "id": "ac-11_odp.02", + "label": "time period", + "constraints": [ + { + "description": "fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "time period of inactivity after which a device lock is initiated is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-11" + }, + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-11_smt", + "name": "statement", + "parts": [ + { + "id": "ac-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and" + }, + { + "id": "ac-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." + } + ] + }, + { + "id": "ac-11_gdn", + "name": "guidance", + "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays." + }, + { + "id": "ac-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11a.", + "class": "sp800-53a" + } + ], + "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};", + "links": [ + { + "href": "#ac-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11b.", + "class": "sp800-53a" + } + ], + "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.", + "links": [ + { + "href": "#ac-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for session lock" + } + ] + } + ], + "controls": [ + { + "id": "ac-11.1", + "class": "SP800-53-enhancement", + "title": "Pattern-hiding Displays", + "props": [ + { + "name": "label", + "value": "AC-11(1)" + }, + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-11.1_smt", + "name": "statement", + "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." + }, + { + "id": "ac-11.1_gdn", + "name": "guidance", + "prose": "The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed." + }, + { + "id": "ac-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + } + ], + "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.", + "links": [ + { + "href": "#ac-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System session lock mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "ac-12", + "class": "SP800-53", + "title": "Session Termination", + "params": [ + { + "id": "ac-12_odp", + "label": "conditions or trigger events", + "guidelines": [ + { + "prose": "conditions or trigger events requiring session disconnect are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-12" + }, + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-12_smt", + "name": "statement", + "prose": "Automatically terminate a user session after {{ insert: param, ac-12_odp }}." + }, + { + "id": "ac-12_gdn", + "name": "guidance", + "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user\u2019s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." + }, + { + "id": "ac-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + } + ], + "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.", + "links": [ + { + "href": "#ac-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing user session termination" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-17.1", + "class": "SP800-53-enhancement", + "title": "Monitoring and Control", + "props": [ + { + "name": "label", + "value": "AC-17(1)" + }, + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.1_smt", + "name": "statement", + "prose": "Employ automated mechanisms to monitor and control remote access methods." + }, + { + "id": "ac-17.1_gdn", + "name": "guidance", + "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." + }, + { + "id": "ac-17.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to monitor remote access methods;", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to control remote access methods.", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms monitoring and controlling remote access methods" + } + ] + } + ] + }, + { + "id": "ac-17.2", + "class": "SP800-53-enhancement", + "title": "Protection of Confidentiality and Integrity Using Encryption", + "props": [ + { + "name": "label", + "value": "AC-17(2)" + }, + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.2_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." + }, + { + "id": "ac-17.2_gdn", + "name": "guidance", + "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." + }, + { + "id": "ac-17.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.", + "links": [ + { + "href": "#ac-17.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions" + } + ] + } + ] + }, + { + "id": "ac-17.3", + "class": "SP800-53-enhancement", + "title": "Managed Access Control Points", + "props": [ + { + "name": "label", + "value": "AC-17(3)" + }, + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.3_smt", + "name": "statement", + "prose": "Route remote accesses through authorized and managed network access control points." + }, + { + "id": "ac-17.3_gdn", + "name": "guidance", + "prose": "Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces." + }, + { + "id": "ac-17.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + } + ], + "prose": "remote accesses are routed through authorized and managed network access control points.", + "links": [ + { + "href": "#ac-17.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms routing all remote accesses through managed network access control points" + } + ] + } + ] + }, + { + "id": "ac-17.4", + "class": "SP800-53-enhancement", + "title": "Privileged Commands and Access", + "params": [ + { + "id": "ac-17.4_prm_1", + "label": "organization-defined needs" + }, + { + "id": "ac-17.04_odp.01", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring execution of privileged commands via remote access are defined;" + } + ] + }, + { + "id": "ac-17.04_odp.02", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring access to security-relevant information via remote access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-17(4)" + }, + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.4_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + }, + { + "id": "ac-17.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document the rationale for remote access in the security plan for the system." + } + ] + }, + { + "id": "ac-17.4_gdn", + "name": "guidance", + "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." + }, + { + "id": "ac-17.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rationale for remote access is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-17.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing remote access management" + } + ] + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-18.1", + "class": "SP800-53-enhancement", + "title": "Authentication and Encryption", + "params": [ + { + "id": "ac-18.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "users", + "devices" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-18(1)" + }, + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.1_smt", + "name": "statement", + "prose": "Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption." + }, + { + "id": "ac-18.1_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using encryption.", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-18.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing wireless access protections to the system" + } + ] + } + ] + }, + { + "id": "ac-18.3", + "class": "SP800-53-enhancement", + "title": "Disable Wireless Networking", + "props": [ + { + "name": "label", + "value": "AC-18(3)" + }, + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-18.3_smt", + "name": "statement", + "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." + }, + { + "id": "ac-18.3_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + } + ], + "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.", + "links": [ + { + "href": "#ac-18.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components" + } + ] + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ], + "controls": [ + { + "id": "ac-19.5", + "class": "SP800-53-enhancement", + "title": "Full Device or Container-based Encryption", + "params": [ + { + "id": "ac-19.05_odp.01", + "select": { + "choice": [ + "full-device encryption", + "container-based encryption" + ] + } + }, + { + "id": "ac-19.05_odp.02", + "label": "mobile devices", + "guidelines": [ + { + "prose": "mobile devices on which to employ encryption are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-19(5)" + }, + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-19", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19.5_smt", + "name": "statement", + "prose": "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}." + }, + { + "id": "ac-19.5_gdn", + "name": "guidance", + "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." + }, + { + "id": "ac-19.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.", + "links": [ + { + "href": "#ac-19.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities for mobile devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Encryption mechanisms protecting confidentiality and integrity of information on mobile devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ], + "controls": [ + { + "id": "ac-20.1", + "class": "SP800-53-enhancement", + "title": "Limits on Authorized Use", + "props": [ + { + "name": "label", + "value": "AC-20(1)" + }, + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.1_smt", + "name": "statement", + "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", + "parts": [ + { + "id": "ac-20.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verification of the implementation of controls on the external system as specified in the organization\u2019s security and privacy policies and security and privacy plans; or" + }, + { + "id": "ac-20.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." + } + ] + }, + { + "id": "ac-20.1_gdn", + "name": "guidance", + "prose": "Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." + }, + { + "id": "ac-20.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization\u2019s security and privacy policies and security and privacy plans (if applicable);", + "links": [ + { + "href": "#ac-20.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).", + "links": [ + { + "href": "#ac-20.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing limits on use of external systems" + } + ] + } + ] + }, + { + "id": "ac-20.2", + "class": "SP800-53-enhancement", + "title": "Portable Storage Devices \u2014 Restricted Use", + "params": [ + { + "id": "ac-20.02_odp", + "label": "restrictions", + "guidelines": [ + { + "prose": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20(2)" + }, + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.2_smt", + "name": "statement", + "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}." + }, + { + "id": "ac-20.2_gdn", + "name": "guidance", + "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." + }, + { + "id": "ac-20.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + } + ], + "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.", + "links": [ + { + "href": "#ac-20.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on the use of portable storage devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-21", + "class": "SP800-53", + "title": "Information Sharing", + "params": [ + { + "id": "ac-21_odp.01", + "label": "information-sharing circumstances", + "guidelines": [ + { + "prose": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions are defined;" + } + ] + }, + { + "id": "ac-21_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-21" + }, + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-21_smt", + "name": "statement", + "parts": [ + { + "id": "ac-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and" + }, + { + "id": "ac-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions." + } + ] + }, + { + "id": "ac-21_gdn", + "name": "guidance", + "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions." + }, + { + "id": "ac-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21a.", + "class": "sp800-53a" + } + ], + "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information\u2019s access and use restrictions for {{ insert: param, ac-21_odp.01 }};", + "links": [ + { + "href": "#ac-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.", + "links": [ + { + "href": "#ac-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information-sharing/collaboration decisions\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2.3", + "class": "SP800-53-enhancement", + "title": "Social Engineering and Mining", + "props": [ + { + "name": "label", + "value": "AT-2(3)" + }, + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "at-2.3_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining." + }, + { + "id": "at-2.3_gdn", + "name": "guidance", + "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." + }, + { + "id": "at-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[03]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social mining is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[04]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social mining is provided.", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ], + "controls": [ + { + "id": "au-3.1", + "class": "SP800-53-enhancement", + "title": "Additional Audit Information", + "params": [ + { + "id": "au-03.01_odp", + "label": "additional information", + "constraints": [ + { + "description": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands" + } + ], + "guidelines": [ + { + "prose": "additional information to be included in audit records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-3(1)" + }, + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-3.1_smt", + "name": "statement", + "prose": "Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.", + "parts": [ + { + "id": "au-3.1_fr", + "name": "item", + "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-3.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry." + } + ] + } + ] + }, + { + "id": "au-3.1_gdn", + "name": "guidance", + "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy." + }, + { + "id": "au-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + } + ], + "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.", + "links": [ + { + "href": "#au-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "system audit capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "au-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Process Integration", + "params": [ + { + "id": "au-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(1)" + }, + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#pm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.1_smt", + "name": "statement", + "prose": "Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}." + }, + { + "id": "au-6.1_gdn", + "name": "guidance", + "prose": "Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." + }, + { + "id": "au-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + } + ], + "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.", + "links": [ + { + "href": "#au-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms integrating audit review, analysis, and reporting processes" + } + ] + } + ] + }, + { + "id": "au-6.3", + "class": "SP800-53-enhancement", + "title": "Correlate Audit Record Repositories", + "props": [ + { + "name": "label", + "value": "AU-6(3)" + }, + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.3_smt", + "name": "statement", + "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." + }, + { + "id": "au-6.3_gdn", + "name": "guidance", + "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." + }, + { + "id": "au-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + } + ], + "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.", + "links": [ + { + "href": "#au-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the analysis and correlation of audit records" + } + ] + } + ] + } + ] + }, + { + "id": "au-7", + "class": "SP800-53", + "title": "Audit Record Reduction and Report Generation", + "props": [ + { + "name": "label", + "value": "AU-7" + }, + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-7_smt", + "name": "statement", + "prose": "Provide and implement an audit record reduction and report generation capability that:", + "parts": [ + { + "id": "au-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" + }, + { + "id": "au-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Does not alter the original content or time ordering of audit records." + } + ] + }, + { + "id": "au-7_gdn", + "name": "guidance", + "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." + }, + { + "id": "au-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-7.1", + "class": "SP800-53-enhancement", + "title": "Automatic Processing", + "params": [ + { + "id": "au-07.01_odp", + "label": "fields within audit records", + "guidelines": [ + { + "prose": "fields within audit records that can be processed, sorted, or searched are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-7(1)" + }, + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-7.1_smt", + "name": "statement", + "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}." + }, + { + "id": "au-7.1_gdn", + "name": "guidance", + "prose": "Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component." + }, + { + "id": "au-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ], + "controls": [ + { + "id": "au-9.4", + "class": "SP800-53-enhancement", + "title": "Access by Subset of Privileged Users", + "params": [ + { + "id": "au-09.04_odp", + "label": "subset of privileged users or roles", + "guidelines": [ + { + "prose": "a subset of privileged users or roles authorized to access management of audit logging functionality is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(4)" + }, + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.4_smt", + "name": "statement", + "prose": "Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}." + }, + { + "id": "au-9.4_gdn", + "name": "guidance", + "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges." + }, + { + "id": "au-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + } + ], + "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.", + "links": [ + { + "href": "#au-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing access to audit functionality" + } + ] + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments.", + "parts": [ + { + "id": "ca-2.1_fr", + "name": "item", + "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB Authorization, must use an accredited 3PAO." + } + ] + } + ] + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2.3", + "class": "SP800-53-enhancement", + "title": "Leveraging Results from External Organizations", + "params": [ + { + "id": "ca-02.03_odp.01", + "label": "external organization(s)", + "constraints": [ + { + "description": "any FedRAMP Accredited 3PAO" + } + ], + "guidelines": [ + { + "prose": "external organization(s) from which the results of control assessments are leveraged are defined;" + } + ] + }, + { + "id": "ca-02.03_odp.02", + "label": "system", + "guidelines": [ + { + "prose": "system on which a control assessment was performed by an external organization is defined;" + } + ] + }, + { + "id": "ca-02.03_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "the conditions of the JAB/AO in the FedRAMP Repository" + } + ], + "guidelines": [ + { + "prose": "requirements to be met by the control assessment performed by an external organization on the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(3)" + }, + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#sa-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.3_smt", + "name": "statement", + "prose": "Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}." + }, + { + "id": "ca-2.3_gdn", + "name": "guidance", + "prose": "Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization\u2019s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage." + }, + { + "id": "ca-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.", + "links": [ + { + "href": "#ca-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessment", + "props": [ + { + "name": "label", + "value": "CA-7(1)" + }, + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." + }, + { + "id": "ca-7.1_gdn", + "name": "guidance", + "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services." + }, + { + "id": "ca-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.", + "links": [ + { + "href": "#ca-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ], + "controls": [ + { + "id": "ca-8.1", + "class": "SP800-53-enhancement", + "title": "Independent Penetration Testing Agent or Team", + "props": [ + { + "name": "label", + "value": "CA-8(1)" + }, + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8.1_smt", + "name": "statement", + "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." + }, + { + "id": "ca-8.1_gdn", + "name": "guidance", + "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing." + }, + { + "id": "ca-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + } + ], + "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.", + "links": [ + { + "href": "#ca-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-8.2", + "class": "SP800-53-enhancement", + "title": "Red Team Exercises", + "params": [ + { + "id": "ca-08.02_odp", + "label": "red team exercises", + "guidelines": [ + { + "prose": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8(2)" + }, + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-8.2_smt", + "name": "statement", + "prose": "Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}.", + "parts": [ + { + "id": "ca-8.2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Penetration Test Guidance\n\nhttps://www.FedRAMP.gov/documents/" + } + ] + } + ] + }, + { + "id": "ca-8.2_gdn", + "name": "guidance", + "prose": "Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness." + }, + { + "id": "ca-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.", + "links": [ + { + "href": "#ca-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the employment of red team exercises" + } + ] + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) (1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ], + "controls": [ + { + "id": "cm-2.2", + "class": "SP800-53-enhancement", + "title": "Automation Support for Accuracy and Currency", + "params": [ + { + "id": "cm-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms for maintaining baseline configuration of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(2)" + }, + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}." + }, + { + "id": "cm-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance" + } + ] + } + ] + }, + { + "id": "cm-2.3", + "class": "SP800-53-enhancement", + "title": "Retention of Previous Configurations", + "params": [ + { + "id": "cm-02.03_odp", + "label": "number", + "guidelines": [ + { + "prose": "the number of previous baseline configuration versions to be retained is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(3)" + }, + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-2.3_smt", + "name": "statement", + "prose": "Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback." + }, + { + "id": "cm-2.3_gdn", + "name": "guidance", + "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation." + }, + { + "id": "cm-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.", + "links": [ + { + "href": "#cm-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + }, + { + "id": "cm-2.7", + "class": "SP800-53-enhancement", + "title": "Configure Systems and Components for High-risk Areas", + "params": [ + { + "id": "cm-02.07_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "the systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.02", + "label": "configurations", + "guidelines": [ + { + "prose": "configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "the controls to be applied when the individuals return from travel are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(7)" + }, + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and" + }, + { + "id": "cm-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}." + } + ] + }, + { + "id": "cm-2.7_gdn", + "name": "guidance", + "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family." + }, + { + "id": "cm-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;", + "links": [ + { + "href": "#cm-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.", + "links": [ + { + "href": "#cm-2.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + } + ] + }, + { + "id": "cm-3", + "class": "SP800-53", + "title": "Configuration Change Control", + "params": [ + { + "id": "cm-03_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to retain records of configuration-controlled changes is defined;" + } + ] + }, + { + "id": "cm-03_odp.02", + "label": "configuration change control element", + "guidelines": [ + { + "prose": "the configuration change control element responsible for coordinating and overseeing change control activities is defined;" + } + ] + }, + { + "id": "cm-03_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-03_odp.04 }} ", + "when {{ insert: param, cm-03_odp.05 }} " + ] + } + }, + { + "id": "cm-03_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which the configuration control element convenes is defined (if selected);" + } + ] + }, + { + "id": "cm-03_odp.05", + "label": "configuration change conditions", + "guidelines": [ + { + "prose": "configuration change conditions that prompt the configuration control element to convene are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3" + }, + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pt-6", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the types of changes to the system that are configuration-controlled;" + }, + { + "id": "cm-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" + }, + { + "id": "cm-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document configuration change decisions associated with the system;" + }, + { + "id": "cm-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement approved configuration-controlled changes to the system;" + }, + { + "id": "cm-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};" + }, + { + "id": "cm-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" + }, + { + "id": "cm-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}." + }, + { + "id": "cm-3_fr", + "name": "item", + "title": "CM-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO." + }, + { + "id": "cm-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "In accordance with record retention policies and procedures." + } + ] + } + ] + }, + { + "id": "cm-3_gdn", + "name": "guidance", + "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)." + }, + { + "id": "cm-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03a.", + "class": "sp800-53a" + } + ], + "prose": "the types of changes to the system that are configuration-controlled are determined and documented;", + "links": [ + { + "href": "#cm-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03c.", + "class": "sp800-53a" + } + ], + "prose": "configuration change decisions associated with the system are documented;", + "links": [ + { + "href": "#cm-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03d.", + "class": "sp800-53a" + } + ], + "prose": "approved configuration-controlled changes to the system are implemented;", + "links": [ + { + "href": "#cm-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03e.", + "class": "sp800-53a" + } + ], + "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};", + "links": [ + { + "href": "#cm-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[01]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are monitored;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda/minutes/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms that implement configuration change control" + } + ] + } + ], + "controls": [ + { + "id": "cm-3.2", + "class": "SP800-53-enhancement", + "title": "Testing, Validation, and Documentation of Changes", + "props": [ + { + "name": "label", + "value": "CM-3(2)" + }, + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.2_smt", + "name": "statement", + "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." + }, + { + "id": "cm-3.2_gdn", + "name": "guidance", + "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." + }, + { + "id": "cm-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are tested before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are validated before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are documented before finalizing the implementation of the changes.", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms supporting and/or implementing, testing, validating, and documenting system changes" + } + ] + } + ] + }, + { + "id": "cm-3.4", + "class": "SP800-53-enhancement", + "title": "Security and Privacy Representatives", + "params": [ + { + "id": "cm-3.4_prm_1", + "label": "organization-defined security and privacy representatives" + }, + { + "id": "cm-03.04_odp.01", + "label": "security representatives", + "guidelines": [ + { + "prose": "security representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.02", + "label": "privacy representatives", + "guidelines": [ + { + "prose": "privacy representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.03", + "label": "configuration change control element", + "constraints": [ + { + "description": "Configuration control board (CCB) or similar (as defined in CM-3)" + } + ], + "guidelines": [ + { + "prose": "the configuration change control element of which the security and privacy representatives are to be members is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(4)" + }, + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.4_smt", + "name": "statement", + "prose": "Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}." + }, + { + "id": "cm-3.4_gdn", + "name": "guidance", + "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)." + }, + { + "id": "cm-3.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control" + } + ] + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ], + "controls": [ + { + "id": "cm-4.2", + "class": "SP800-53-enhancement", + "title": "Verification of Controls", + "props": [ + { + "name": "label", + "value": "CM-4(2)" + }, + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.2_smt", + "name": "statement", + "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." + }, + { + "id": "cm-4.2_gdn", + "name": "guidance", + "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." + }, + { + "id": "cm-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[05]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[06]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsecurity and privacy assessors" + } + ] + }, + { + "id": "cm-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals\u2019 privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ], + "controls": [ + { + "id": "cm-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Access Enforcement and Audit Records", + "params": [ + { + "id": "cm-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate the enforcement of access restrictions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(1)" + }, + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and" + }, + { + "id": "cm-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Automatically generate audit records of the enforcement actions." + } + ] + }, + { + "id": "cm-5.1_gdn", + "name": "guidance", + "prose": "Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." + }, + { + "id": "cm-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};", + "links": [ + { + "href": "#cm-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "audit records of enforcement actions are automatically generated.", + "links": [ + { + "href": "#cm-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions" + } + ] + } + ] + }, + { + "id": "cm-5.5", + "class": "SP800-53-enhancement", + "title": "Privilege Limitation for Production and Operation", + "params": [ + { + "id": "cm-5.5_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ] + }, + { + "id": "cm-05.05_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review privileges is defined;" + } + ] + }, + { + "id": "cm-05.05_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to reevaluate privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(5)" + }, + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Limit privileges to change system components and system-related information within a production or operational environment; and" + }, + { + "id": "cm-5.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}." + } + ] + }, + { + "id": "cm-5.5_gdn", + "name": "guidance", + "prose": "In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures." + }, + { + "id": "cm-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system components within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system-related information within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" + } + ] + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP\u2019s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ], + "controls": [ + { + "id": "cm-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Management, Application, and Verification", + "params": [ + { + "id": "cm-6.1_prm_2", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-06.01_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to manage, apply, and verify configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to manage configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to apply configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to verify configuration settings are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(1)" + }, + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.1_smt", + "name": "statement", + "prose": "Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}." + }, + { + "id": "cm-6.1_gdn", + "name": "guidance", + "prose": "Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." + }, + { + "id": "cm-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings" + } + ] + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ], + "controls": [ + { + "id": "cm-7.1", + "class": "SP800-53-enhancement", + "title": "Periodic Review", + "params": [ + { + "id": "cm-7.1_prm_2", + "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" + }, + { + "id": "cm-07.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be disabled or removed when deemed unnecessary or non-secure is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(1)" + }, + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" + }, + { + "id": "cm-7.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + } + ] + }, + { + "id": "cm-7.1_gdn", + "name": "guidance", + "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." + }, + { + "id": "cm-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:", + "links": [ + { + "href": "#cm-7.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and/or services" + } + ] + } + ] + }, + { + "id": "cm-7.2", + "class": "SP800-53-enhancement", + "title": "Prevent Program Execution", + "params": [ + { + "id": "cm-07.02_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-07.02_odp.02 }} ", + "rules authorizing the terms and conditions of software program usage" + ] + } + }, + { + "id": "cm-07.02_odp.02", + "label": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions", + "guidelines": [ + { + "prose": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(2)" + }, + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.2_smt", + "name": "statement", + "prose": "Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "parts": [ + { + "id": "cm-7.2_fr", + "name": "item", + "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run." + } + ] + } + ] + }, + { + "id": "cm-7.2_gdn", + "name": "guidance", + "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time." + }, + { + "id": "cm-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + } + ], + "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "links": [ + { + "href": "#cm-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and/or implementing software program usage and restrictions" + } + ] + } + ] + }, + { + "id": "cm-7.5", + "class": "SP800-53-enhancement", + "title": "Authorized Software \u2014 Allow-by-exception", + "params": [ + { + "id": "cm-07.05_odp.01", + "label": "software programs", + "guidelines": [ + { + "prose": "software programs authorized to execute on the system are defined;" + } + ] + }, + { + "id": "cm-07.05_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly or when there is a change" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the list of authorized software programs is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(5)" + }, + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Identify {{ insert: param, cm-07.05_odp.01 }};" + }, + { + "id": "cm-7.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" + }, + { + "id": "cm-7.5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}." + } + ] + }, + { + "id": "cm-7.5_gdn", + "name": "guidance", + "prose": "Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)." + }, + { + "id": "cm-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;", + "links": [ + { + "href": "#cm-7.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;", + "links": [ + { + "href": "#cm-7.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(c)", + "class": "sp800-53a" + } + ], + "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.", + "links": [ + { + "href": "#cm-7.5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and/or implementing authorized software policy" + } + ] + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ], + "controls": [ + { + "id": "cm-8.1", + "class": "SP800-53-enhancement", + "title": "Updates During Installation and Removal", + "props": [ + { + "name": "label", + "value": "CM-8(1)" + }, + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#pm-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.1_smt", + "name": "statement", + "prose": "Update the inventory of system components as part of component installations, removals, and system updates." + }, + { + "id": "cm-8.1_gdn", + "name": "guidance", + "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." + }, + { + "id": "cm-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component installations;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component removals;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of system updates.", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for updating the system component inventory\n\nmechanisms supporting and/or implementing system component inventory updates" + } + ] + } + ] + }, + { + "id": "cm-8.3", + "class": "SP800-53-enhancement", + "title": "Automated Unauthorized Component Detection", + "params": [ + { + "id": "cm-8.3_prm_1", + "label": "organization-defined automated mechanisms", + "constraints": [ + { + "description": "automated mechanisms with a maximum five-minute delay in detection" + } + ] + }, + { + "id": "cm-08.03_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized software within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;" + } + ] + }, + { + "id": "cm-08.03_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "disable network access by unauthorized components", + "isolate unauthorized components", + "notify {{ insert: param, cm-08.03_odp.06 }} " + ] + } + }, + { + "id": "cm-08.03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(3)" + }, + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and" + }, + { + "id": "cm-8.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}." + } + ] + }, + { + "id": "cm-8.3_gdn", + "name": "guidance", + "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" " + }, + { + "id": "cm-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected" + } + ] + } + ] + } + ] + }, + { + "id": "cm-9", + "class": "SP800-53", + "title": "Configuration Management Plan", + "params": [ + { + "id": "cm-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review and approve the configuration management plan is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-9" + }, + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-9_smt", + "name": "statement", + "prose": "Develop, document, and implement a configuration management plan for the system that:", + "parts": [ + { + "id": "cm-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" + }, + { + "id": "cm-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" + }, + { + "id": "cm-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" + }, + { + "id": "cm-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and" + }, + { + "id": "cm-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protects the configuration management plan from unauthorized disclosure and modification." + }, + { + "id": "cm-9_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide" + } + ] + }, + { + "id": "cm-9_gdn", + "name": "guidance", + "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." + }, + { + "id": "cm-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is developed and documented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[02]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is implemented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses roles;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses responsibilities;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses configuration management processes and procedures;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan defines the configuration items for the system;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan places the configuration items under configuration management;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09d.", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};", + "links": [ + { + "href": "#cm-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + }, + { + "id": "cm-12", + "class": "SP800-53", + "title": "Information Location", + "params": [ + { + "id": "cm-12_odp", + "label": "information", + "guidelines": [ + { + "prose": "information for which the location is to be identified and documented is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12" + }, + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-23", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-12_smt", + "name": "statement", + "parts": [ + { + "id": "cm-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;" + }, + { + "id": "cm-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" + }, + { + "id": "cm-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." + }, + { + "id": "cm-12_fr", + "name": "item", + "title": "CM-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance" + } + ] + } + ] + }, + { + "id": "cm-12_gdn", + "name": "guidance", + "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))." + }, + { + "id": "cm-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location" + } + ] + } + ], + "controls": [ + { + "id": "cm-12.1", + "class": "SP800-53-enhancement", + "title": "Automated Tools to Support Information Location", + "params": [ + { + "id": "cm-12.01_odp.01", + "label": "information by information type", + "constraints": [ + { + "description": "Federal data and system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "information to be protected is defined by information type;" + } + ] + }, + { + "id": "cm-12.01_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where the information is located are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12(1)" + }, + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-12.1_smt", + "name": "statement", + "prose": "Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy.", + "parts": [ + { + "id": "cm-12.1_fr", + "name": "item", + "title": "CM-12 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance." + } + ] + } + ] + }, + { + "id": "cm-12.1_gdn", + "name": "guidance", + "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions." + }, + { + "id": "cm-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + } + ], + "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.", + "links": [ + { + "href": "#cm-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ], + "controls": [ + { + "id": "cp-2.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-2(1)" + }, + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." + }, + { + "id": "cp-2.1_gdn", + "name": "guidance", + "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans." + }, + { + "id": "cp-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans" + } + ] + } + ] + }, + { + "id": "cp-2.3", + "class": "SP800-53-enhancement", + "title": "Resume Mission and Business Functions", + "params": [ + { + "id": "cp-02.03_odp.01", + "constraints": [ + { + "description": "all" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + }, + { + "id": "cp-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "time period defined in service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "the contingency plan activation time period within which to resume mission and business functions is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(3)" + }, + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.3_smt", + "name": "statement", + "prose": "Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation." + }, + { + "id": "cp-2.3_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." + }, + { + "id": "cp-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.", + "links": [ + { + "href": "#cp-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions" + } + ] + }, + { + "id": "cp-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for resumption of missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.8", + "class": "SP800-53-enhancement", + "title": "Identify Critical Assets", + "params": [ + { + "id": "cp-02.08_odp", + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(8)" + }, + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.8_smt", + "name": "statement", + "prose": "Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions." + }, + { + "id": "cp-2.8_gdn", + "name": "guidance", + "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement." + }, + { + "id": "cp-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + } + ], + "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.", + "links": [ + { + "href": "#cp-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "functional exercises" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ], + "controls": [ + { + "id": "cp-4.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-4(1)" + }, + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." + }, + { + "id": "cp-4.1_gdn", + "name": "guidance", + "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements." + }, + { + "id": "cp-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-6", + "class": "SP800-53", + "title": "Alternate Storage Site", + "props": [ + { + "name": "label", + "value": "CP-6" + }, + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6_smt", + "name": "statement", + "parts": [ + { + "id": "cp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" + }, + { + "id": "cp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." + } + ] + }, + { + "id": "cp-6_gdn", + "name": "guidance", + "prose": "Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems." + }, + { + "id": "cp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site is established;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06b.", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site provides controls equivalent to that of the primary site.", + "links": [ + { + "href": "#cp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site" + } + ] + } + ], + "controls": [ + { + "id": "cp-6.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-6(1)" + }, + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.1_smt", + "name": "statement", + "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." + }, + { + "id": "cp-6.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-6.3", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-6(3)" + }, + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.3_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." + }, + { + "id": "cp-6.3_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." + }, + { + "id": "cp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-7", + "class": "SP800-53", + "title": "Alternate Processing Site", + "params": [ + { + "id": "cp-07_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-7" + }, + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7_smt", + "name": "statement", + "parts": [ + { + "id": "cp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;" + }, + { + "id": "cp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and" + }, + { + "id": "cp-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." + }, + { + "id": "cp-7_fr", + "name": "item", + "title": "CP-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-7_gdn", + "name": "guidance", + "prose": "Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems." + }, + { + "id": "cp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07a.", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;", + "links": [ + { + "href": "#cp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07c.", + "class": "sp800-53a" + } + ], + "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.", + "links": [ + { + "href": "#cp-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for recovery at the alternate site\n\nmechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ], + "controls": [ + { + "id": "cp-7.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-7(1)" + }, + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.1_smt", + "name": "statement", + "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.", + "parts": [ + { + "id": "cp-7.1_fr", + "name": "item", + "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7.1_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant." + } + ] + } + ] + }, + { + "id": "cp-7.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.", + "links": [ + { + "href": "#cp-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.2", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-7(2)" + }, + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.2_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." + }, + { + "id": "cp-7.2_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." + }, + { + "id": "cp-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.3", + "class": "SP800-53-enhancement", + "title": "Priority of Service", + "props": [ + { + "name": "label", + "value": "CP-7(3)" + }, + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-7.3_smt", + "name": "statement", + "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." + }, + { + "id": "cp-7.3_gdn", + "name": "guidance", + "prose": "Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." + }, + { + "id": "cp-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.", + "links": [ + { + "href": "#cp-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + } + ] + }, + { + "id": "cp-8", + "class": "SP800-53", + "title": "Telecommunications Services", + "params": [ + { + "id": "cp-08_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations to be resumed for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8" + }, + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8_smt", + "name": "statement", + "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "parts": [ + { + "id": "cp-8_fr", + "name": "item", + "title": "CP-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-8_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-8_gdn", + "name": "guidance", + "prose": "Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." + }, + { + "id": "cp-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "links": [ + { + "href": "#cp-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ], + "controls": [ + { + "id": "cp-8.1", + "class": "SP800-53-enhancement", + "title": "Priority of Service Provisions", + "props": [ + { + "name": "label", + "value": "CP-8(1)" + }, + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" + }, + { + "id": "cp-8.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." + } + ] + }, + { + "id": "cp-8.1_gdn", + "name": "guidance", + "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." + }, + { + "id": "cp-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.", + "links": [ + { + "href": "#cp-8.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ] + }, + { + "id": "cp-8.2", + "class": "SP800-53-enhancement", + "title": "Single Points of Failure", + "props": [ + { + "name": "label", + "value": "CP-8(2)" + }, + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.2_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." + }, + { + "id": "cp-8.2_gdn", + "name": "guidance", + "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." + }, + { + "id": "cp-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.", + "links": [ + { + "href": "#cp-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ], + "controls": [ + { + "id": "cp-9.1", + "class": "SP800-53-enhancement", + "title": "Testing for Reliability and Integrity", + "params": [ + { + "id": "cp-9.1_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "cp-09.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for media reliability is defined;" + } + ] + }, + { + "id": "cp-09.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for information integrity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(1)" + }, + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.1_smt", + "name": "statement", + "prose": "Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity." + }, + { + "id": "cp-9.1_gdn", + "name": "guidance", + "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." + }, + { + "id": "cp-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.8", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "cp-09.08_odp", + "label": "backup information", + "constraints": [ + { + "description": "all backup files" + } + ], + "guidelines": [ + { + "prose": "backup information to protect against unauthorized disclosure and modification is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(8)" + }, + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.8_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "parts": [ + { + "id": "cp-9.8_fr", + "name": "item", + "title": "CP-9 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9.8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "cp-9.8_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." + }, + { + "id": "cp-9.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "links": [ + { + "href": "#cp-9.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection of backup information" + } + ] + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ], + "controls": [ + { + "id": "cp-10.2", + "class": "SP800-53-enhancement", + "title": "Transaction Recovery", + "props": [ + { + "name": "label", + "value": "CP-10(2)" + }, + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-10.2_smt", + "name": "statement", + "prose": "Implement transaction recovery for systems that are transaction-based." + }, + { + "id": "cp-10.2_gdn", + "name": "guidance", + "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." + }, + { + "id": "cp-10.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + } + ], + "prose": "transaction recovery is implemented for systems that are transaction-based.", + "links": [ + { + "href": "#cp-10.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transaction recovery capability" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.5", + "class": "SP800-53-enhancement", + "title": "Individual Authentication with Group Authentication", + "props": [ + { + "name": "label", + "value": "IA-2(5)" + }, + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.5_smt", + "name": "statement", + "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." + }, + { + "id": "ia-2.5_gdn", + "name": "guidance", + "prose": "Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators." + }, + { + "id": "ia-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.", + "links": [ + { + "href": "#ia-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an authentication capability for group accounts" + } + ] + } + ] + }, + { + "id": "ia-2.6", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014separate Device", + "params": [ + { + "id": "ia-02.06_odp.01", + "constraints": [ + { + "description": "local, network and remote" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "network", + "remote" + ] + } + }, + { + "id": "ia-02.06_odp.02", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + }, + { + "id": "ia-02.06_odp.03", + "label": "strength of mechanism requirements", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(6)" + }, + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.6_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:", + "parts": [ + { + "id": "ia-2.6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "One of the factors is provided by a device separate from the system gaining access; and" + }, + { + "id": "ia-2.6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "The device meets {{ insert: param, ia-02.06_odp.03 }}." + }, + { + "id": "ia-2.6_fr", + "name": "item", + "title": "IA-2 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials." + }, + { + "id": "ia-2.6_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography." + } + ] + } + ] + }, + { + "id": "ia-2.6_gdn", + "name": "guidance", + "prose": "The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process." + }, + { + "id": "ia-2.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2.6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(a)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;", + "links": [ + { + "href": "#ia-2.6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(b)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.", + "links": [ + { + "href": "#ia-2.6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts \u2014 Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-3", + "class": "SP800-53", + "title": "Device Identification and Authentication", + "params": [ + { + "id": "ia-03_odp.01", + "label": "devices and/or types of devices", + "guidelines": [ + { + "prose": "devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;" + } + ] + }, + { + "id": "ia-03_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "remote", + "network" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-3" + }, + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-3_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + }, + { + "id": "ia-3_gdn", + "name": "guidance", + "prose": "Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs." + }, + { + "id": "ia-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.", + "links": [ + { + "href": "#ia-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ], + "controls": [ + { + "id": "ia-4.4", + "class": "SP800-53-enhancement", + "title": "Identify User Status", + "params": [ + { + "id": "ia-04.04_odp", + "label": "characteristics", + "constraints": [ + { + "description": "contractors; foreign nationals" + } + ], + "guidelines": [ + { + "prose": "characteristics used to identify individual status is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4(4)" + }, + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-4.4_smt", + "name": "statement", + "prose": "Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}." + }, + { + "id": "ia-4.4_gdn", + "name": "guidance", + "prose": "Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." + }, + { + "id": "ia-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + } + ], + "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.", + "links": [ + { + "href": "#ia-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn\u2019t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.2", + "class": "SP800-53-enhancement", + "title": "Public Key-based Authentication", + "props": [ + { + "name": "label", + "value": "IA-5(2)" + }, + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-5.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "For public key-based authentication:", + "parts": [ + { + "id": "ia-5.2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Enforce authorized access to the corresponding private key; and" + }, + { + "id": "ia-5.2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Map the authenticated identity to the account of the individual or group; and" + } + ] + }, + { + "id": "ia-5.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "When public key infrastructure (PKI) is used:", + "parts": [ + { + "id": "ia-5.2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and" + }, + { + "id": "ia-5.2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Implement a local cache of revocation data to support path discovery and validation." + } + ] + } + ] + }, + { + "id": "ia-5.2_gdn", + "name": "guidance", + "prose": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network." + }, + { + "id": "ia-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(01)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;", + "links": [ + { + "href": "#ia-5.2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(02)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.", + "links": [ + { + "href": "#ia-5.2_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing PKI-based, authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.6", + "class": "SP800-53-enhancement", + "title": "Protection of Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(6)" + }, + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.6_smt", + "name": "statement", + "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." + }, + { + "id": "ia-5.6_gdn", + "name": "guidance", + "prose": "For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." + }, + { + "id": "ia-5.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + } + ], + "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.", + "links": [ + { + "href": "#ia-5.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms protecting authenticators" + } + ] + } + ] + }, + { + "id": "ia-5.7", + "class": "SP800-53-enhancement", + "title": "No Embedded Unencrypted Static Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(7)" + }, + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.7_smt", + "name": "statement", + "prose": "Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "parts": [ + { + "id": "ia-5.7_fr", + "name": "item", + "title": "IA-5 (7) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process." + } + ] + } + ] + }, + { + "id": "ia-5.7_gdn", + "name": "guidance", + "prose": "In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators." + }, + { + "id": "ia-5.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + } + ], + "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "links": [ + { + "href": "#ia-5.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors\u2014including security, privacy, scalability, and practicality\u2014when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL2 (moderate baseline) * 12 hours or * 30 minutes of inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12", + "class": "SP800-53", + "title": "Identity Proofing", + "props": [ + { + "name": "label", + "value": "IA-12" + }, + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#9099ed2c-922a-493d-bcb4-d896192243ff", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12_smt", + "name": "statement", + "parts": [ + { + "id": "ia-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" + }, + { + "id": "ia-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Resolve user identities to a unique individual; and" + }, + { + "id": "ia-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Collect, validate, and verify identity evidence." + }, + { + "id": "ia-12_fr", + "name": "item", + "title": "IA-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12_gdn", + "name": "guidance", + "prose": "Identity proofing is the process of collecting, validating, and verifying a user\u2019s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "ia-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12a.", + "class": "sp800-53a" + } + ], + "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;", + "links": [ + { + "href": "#ia-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12b.", + "class": "sp800-53a" + } + ], + "prose": "user identities are resolved to a unique individual;", + "links": [ + { + "href": "#ia-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is collected;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is validated;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[03]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is verified.", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-12.2", + "class": "SP800-53-enhancement", + "title": "Identity Evidence", + "props": [ + { + "name": "label", + "value": "IA-12(2)" + }, + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.2_smt", + "name": "statement", + "prose": "Require evidence of individual identification be presented to the registration authority." + }, + { + "id": "ia-12.2_gdn", + "name": "guidance", + "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user\u2019s account." + }, + { + "id": "ia-12.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + } + ], + "prose": "evidence of individual identification is presented to the registration authority.", + "links": [ + { + "href": "#ia-12.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.3", + "class": "SP800-53-enhancement", + "title": "Identity Evidence Validation and Verification", + "params": [ + { + "id": "ia-12.03_odp", + "label": "methods of validation and verification", + "guidelines": [ + { + "prose": "methods of validation and verification of identity evidence are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(3)" + }, + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.3_smt", + "name": "statement", + "prose": "Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}." + }, + { + "id": "ia-12.3_gdn", + "name": "guidance", + "prose": "Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account." + }, + { + "id": "ia-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + } + ], + "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.", + "links": [ + { + "href": "#ia-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.5", + "class": "SP800-53-enhancement", + "title": "Address Confirmation", + "params": [ + { + "id": "ia-12.05_odp", + "select": { + "choice": [ + "registration code", + "notice of proofing" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(5)" + }, + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + }, + { + "href": "#ia-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12.5_smt", + "name": "statement", + "prose": "Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record.", + "parts": [ + { + "id": "ia-12.5_fr", + "name": "item", + "title": "IA-12 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12.5_gdn", + "name": "guidance", + "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." + }, + { + "id": "ia-12.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + } + ], + "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user\u2019s address (physical or digital) of record.", + "links": [ + { + "href": "#ia-12.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-3", + "class": "SP800-53", + "title": "Incident Response Testing", + "params": [ + { + "id": "ir-03_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "functional, at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to test the effectiveness of the incident response capability for the system is defined;" + } + ] + }, + { + "id": "ir-03_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests used to test the effectiveness of the incident response capability for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-3" + }, + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-3_smt", + "name": "statement", + "prose": "Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}.", + "parts": [ + { + "id": "ir-3_fr", + "name": "item", + "title": "IR-3-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing." + } + ] + } + ] + }, + { + "id": "ir-3_gdn", + "name": "guidance", + "prose": "Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." + }, + { + "id": "ir-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.", + "links": [ + { + "href": "#ir-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-3.2", + "class": "SP800-53-enhancement", + "title": "Coordination with Related Plans", + "props": [ + { + "name": "label", + "value": "IR-3(2)" + }, + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-3.2_smt", + "name": "statement", + "prose": "Coordinate incident response testing with organizational elements responsible for related plans." + }, + { + "id": "ir-3.2_gdn", + "name": "guidance", + "prose": "Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans." + }, + { + "id": "ir-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + } + ], + "prose": "incident response testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#ir-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ], + "controls": [ + { + "id": "ir-4.1", + "class": "SP800-53-enhancement", + "title": "Automated Incident Handling Processes", + "params": [ + { + "id": "ir-04.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the incident handling process are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(1)" + }, + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.1_smt", + "name": "statement", + "prose": "Support the incident handling process using {{ insert: param, ir-04.01_odp }}." + }, + { + "id": "ir-4.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis." + }, + { + "id": "ir-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.", + "links": [ + { + "href": "#ir-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that support and/or implement the incident handling process" + } + ] + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ], + "controls": [ + { + "id": "ir-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Reporting", + "params": [ + { + "id": "ir-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for reporting incidents are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6(1)" + }, + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#ir-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.1_smt", + "name": "statement", + "prose": "Report incidents using {{ insert: param, ir-06.01_odp }}." + }, + { + "id": "ir-6.1_gdn", + "name": "guidance", + "prose": "The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs." + }, + { + "id": "ir-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + } + ], + "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.", + "links": [ + { + "href": "#ir-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing the reporting of security incidents" + } + ] + } + ] + }, + { + "id": "ir-6.3", + "class": "SP800-53-enhancement", + "title": "Supply Chain Coordination", + "props": [ + { + "name": "label", + "value": "IR-6(3)" + }, + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.3_smt", + "name": "statement", + "prose": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident." + }, + { + "id": "ir-6.3_gdn", + "name": "guidance", + "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident." + }, + { + "id": "ir-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + } + ], + "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.", + "links": [ + { + "href": "#ir-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities" + } + ] + }, + { + "id": "ir-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and/or implementing the reporting of incident information involved in the supply chain" + } + ] + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ], + "controls": [ + { + "id": "ir-7.1", + "class": "SP800-53-enhancement", + "title": "Automation Support for Availability of Information and Support", + "params": [ + { + "id": "ir-07.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to increase the availability of incident response information and support are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-7(1)" + }, + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-7.1_smt", + "name": "statement", + "prose": "Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}." + }, + { + "id": "ir-7.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." + }, + { + "id": "ir-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + } + ], + "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.", + "links": [ + { + "href": "#ir-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the availability of incident response information and support" + } + ] + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + }, + { + "id": "ir-9", + "class": "SP800-53", + "title": "Information Spillage Response", + "params": [ + { + "id": "ir-09_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles assigned the responsibility for responding to information spills is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.03", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9" + }, + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#pm-27", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9_smt", + "name": "statement", + "prose": "Respond to information spills by:", + "parts": [ + { + "id": "ir-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;" + }, + { + "id": "ir-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identifying the specific information involved in the system contamination;" + }, + { + "id": "ir-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;" + }, + { + "id": "ir-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Isolating the contaminated system or system component;" + }, + { + "id": "ir-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Eradicating the information from the contaminated system or component;" + }, + { + "id": "ir-9_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identifying other systems or system components that may have been subsequently contaminated; and" + }, + { + "id": "ir-9_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}." + } + ] + }, + { + "id": "ir-9_gdn", + "name": "guidance", + "prose": "Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated." + }, + { + "id": "ir-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;", + "links": [ + { + "href": "#ir-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09b.", + "class": "sp800-53a" + } + ], + "prose": "the specific information involved in the system contamination is identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;", + "links": [ + { + "href": "#ir-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09d.", + "class": "sp800-53a" + } + ], + "prose": "the contaminated system or system component is isolated in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09e.", + "class": "sp800-53a" + } + ], + "prose": "the information is eradicated from the contaminated system or component in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09f.", + "class": "sp800-53a" + } + ], + "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.03 }} are performed in response to information spills.", + "links": [ + { + "href": "#ir-9_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information spillage response\n\nmechanisms supporting and/or implementing information spillage response actions and related communications" + } + ] + } + ], + "controls": [ + { + "id": "ir-9.2", + "class": "SP800-53-enhancement", + "title": "Training", + "params": [ + { + "id": "ir-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide information spillage response training is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(2)" + }, + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9.2_smt", + "name": "statement", + "prose": "Provide information spillage response training {{ insert: param, ir-09.02_odp }}." + }, + { + "id": "ir-9.2_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur." + }, + { + "id": "ir-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + } + ], + "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.", + "links": [ + { + "href": "#ir-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ir-9.3", + "class": "SP800-53-enhancement", + "title": "Post-spill Operations", + "params": [ + { + "id": "ir-09.03_odp", + "label": "procedures", + "guidelines": [ + { + "prose": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(3)" + }, + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.3_smt", + "name": "statement", + "prose": "Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}." + }, + { + "id": "ir-9.3_gdn", + "name": "guidance", + "prose": "Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business." + }, + { + "id": "ir-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.", + "links": [ + { + "href": "#ir-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for post-spill operations" + } + ] + } + ] + }, + { + "id": "ir-9.4", + "class": "SP800-53-enhancement", + "title": "Exposure to Unauthorized Personnel", + "params": [ + { + "id": "ir-09.04_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls employed for personnel exposed to information not within assigned access authorizations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(4)" + }, + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.4_smt", + "name": "statement", + "prose": "Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}." + }, + { + "id": "ir-9.4_gdn", + "name": "guidance", + "prose": "Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information." + }, + { + "id": "ir-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.", + "links": [ + { + "href": "#ir-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized personnel\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ] + }, + { + "id": "ma-3", + "class": "SP800-53", + "title": "Maintenance Tools", + "params": [ + { + "id": "ma-03_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review previously approved system maintenance tools is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3" + }, + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve, control, and monitor the use of system maintenance tools; and" + }, + { + "id": "ma-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}." + } + ] + }, + { + "id": "ma-3_gdn", + "name": "guidance", + "prose": "Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools." + }, + { + "id": "ma-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is approved;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is controlled;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is monitored;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03b.", + "class": "sp800-53a" + } + ], + "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.", + "links": [ + { + "href": "#ma-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools" + } + ] + } + ], + "controls": [ + { + "id": "ma-3.1", + "class": "SP800-53-enhancement", + "title": "Inspect Tools", + "props": [ + { + "name": "label", + "value": "MA-3(1)" + }, + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.1_smt", + "name": "statement", + "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." + }, + { + "id": "ma-3.1_gdn", + "name": "guidance", + "prose": "Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor\u2019s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." + }, + { + "id": "ma-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + } + ], + "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.", + "links": [ + { + "href": "#ma-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and/or implementing the inspection of maintenance tools" + } + ] + } + ] + }, + { + "id": "ma-3.2", + "class": "SP800-53-enhancement", + "title": "Inspect Media", + "props": [ + { + "name": "label", + "value": "MA-3(2)" + }, + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.2_smt", + "name": "statement", + "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." + }, + { + "id": "ma-3.2_gdn", + "name": "guidance", + "prose": "If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures." + }, + { + "id": "ma-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + } + ], + "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.", + "links": [ + { + "href": "#ma-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for inspecting media for malicious code\n\nmechanisms supporting and/or implementing the inspection of media used for maintenance" + } + ] + } + ] + }, + { + "id": "ma-3.3", + "class": "SP800-53-enhancement", + "title": "Prevent Unauthorized Removal", + "params": [ + { + "id": "ma-03.03_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "the information owner" + } + ], + "guidelines": [ + { + "prose": "personnel or roles who can authorize removal of equipment from the facility is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3(3)" + }, + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.3_smt", + "name": "statement", + "prose": "Prevent the removal of maintenance equipment containing organizational information by:", + "parts": [ + { + "id": "ma-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verifying that there is no organizational information contained on the equipment;" + }, + { + "id": "ma-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Sanitizing or destroying the equipment;" + }, + { + "id": "ma-3.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Retaining the equipment within the facility; or" + }, + { + "id": "ma-3.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility." + } + ] + }, + { + "id": "ma-3.3_gdn", + "name": "guidance", + "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." + }, + { + "id": "ma-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or", + "links": [ + { + "href": "#ma-3.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.", + "links": [ + { + "href": "#ma-3.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization" + } + ] + }, + { + "id": "ma-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel\u2014such as information technology manufacturers, vendors, systems integrators, and consultants\u2014may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ], + "controls": [ + { + "id": "ma-5.1", + "class": "SP800-53-enhancement", + "title": "Individuals Without Appropriate Access", + "params": [ + { + "id": "ma-05.01_odp", + "label": "alternate controls", + "guidelines": [ + { + "prose": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-5(1)" + }, + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-5", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", + "parts": [ + { + "id": "ma-5.1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and" + }, + { + "id": "ma-5.1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" + } + ] + }, + { + "id": "ma-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system." + }, + { + "id": "ma-5.1_fr", + "name": "item", + "title": "MA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ma-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline" + } + ] + } + ] + }, + { + "id": "ma-5.1_gdn", + "name": "guidance", + "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." + }, + { + "id": "ma-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.", + "links": [ + { + "href": "#ma-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and/or implementing alternative security safeguards\n\nmechanisms supporting and/or implementing information storage component sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-6", + "class": "SP800-53", + "title": "Timely Maintenance", + "params": [ + { + "id": "ma-06_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which maintenance support and/or spare parts are obtained are defined;" + } + ] + }, + { + "id": "ma-06_odp.02", + "label": "time period", + "constraints": [ + { + "description": "a timeframe to support advertised uptime and availability" + } + ], + "guidelines": [ + { + "prose": "time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-6" + }, + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-6_smt", + "name": "statement", + "prose": "Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure." + }, + { + "id": "ma-6_gdn", + "name": "guidance", + "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." + }, + { + "id": "ma-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + } + ], + "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.", + "links": [ + { + "href": "#ma-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring timely maintenance" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and/or non-digital media containing sensitive information" + } + ] + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-3", + "class": "SP800-53", + "title": "Media Marking", + "params": [ + { + "id": "mp-03_odp.01", + "label": "types of media exempted from marking", + "constraints": [ + { + "description": "no removable media types" + } + ], + "guidelines": [ + { + "prose": "types of system media exempt from marking when remaining in controlled areas are defined;" + } + ] + }, + { + "id": "mp-03_odp.02", + "label": "controlled areas", + "constraints": [ + { + "description": "organization-defined security safeguards not applicable" + } + ], + "guidelines": [ + { + "prose": "controlled areas where media is exempt from marking are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-3" + }, + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "rel": "reference" + }, + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-3_smt", + "name": "statement", + "parts": [ + { + "id": "mp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" + }, + { + "id": "mp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}." + }, + { + "id": "mp-3_fr", + "name": "item", + "title": "MP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Second parameter not-applicable" + } + ] + } + ] + }, + { + "id": "mp-3_gdn", + "name": "guidance", + "prose": "Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "mp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03a.", + "class": "sp800-53a" + } + ], + "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;", + "links": [ + { + "href": "#mp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.", + "links": [ + { + "href": "#mp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for marking information media\n\nmechanisms supporting and/or implementing media marking" + } + ] + } + ] + }, + { + "id": "mp-4", + "class": "SP800-53", + "title": "Media Storage", + "params": [ + { + "id": "mp-4_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and non-digital media with sensitive information" + } + ] + }, + { + "id": "mp-4_prm_2", + "label": "organization-defined controlled areas", + "constraints": [ + { + "description": "see additional FedRAMP requirements and guidance" + } + ] + }, + { + "id": "mp-04_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.02", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.03", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.04", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.05", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store digital media are defined;" + } + ] + }, + { + "id": "mp-04_odp.06", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store non-digital media are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-4" + }, + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-4_smt", + "name": "statement", + "parts": [ + { + "id": "mp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + }, + { + "id": "mp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." + }, + { + "id": "mp-4_fr", + "name": "item", + "title": "MP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines controlled areas within facilities where the information and information system reside." + } + ] + } + ] + }, + { + "id": "mp-4_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection." + }, + { + "id": "mp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04b.", + "class": "sp800-53a" + } + ], + "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.", + "links": [ + { + "href": "#mp-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing secure media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-5", + "class": "SP800-53", + "title": "Media Transport", + "params": [ + { + "id": "mp-5_prm_2", + "label": "organization-defined controls", + "constraints": [ + { + "description": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container" + } + ] + }, + { + "id": "mp-05_odp.01", + "label": "types of system media", + "constraints": [ + { + "description": "all media with sensitive information" + } + ], + "guidelines": [ + { + "prose": "types of system media to protect and control during transport outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to protect system media outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to control system media outside of controlled areas are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-5" + }, + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-5_smt", + "name": "statement", + "parts": [ + { + "id": "mp-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};" + }, + { + "id": "mp-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain accountability for system media during transport outside of controlled areas;" + }, + { + "id": "mp-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document activities associated with the transport of system media; and" + }, + { + "id": "mp-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Restrict the activities associated with the transport of system media to authorized personnel." + }, + { + "id": "mp-5_fr", + "name": "item", + "title": "MP-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "mp-5_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." + }, + { + "id": "mp-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05b.", + "class": "sp800-53a" + } + ], + "prose": "accountability for system media is maintained during transport outside of controlled areas;", + "links": [ + { + "href": "#mp-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05c.", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are documented;", + "links": [ + { + "href": "#mp-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[01]", + "class": "sp800-53a" + } + ], + "prose": "personnel authorized to conduct media transport activities is/are identified;", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques\u2014including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction\u2014prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually or earlier as required by a security relevant event." + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ] + }, + { + "id": "pe-4", + "class": "SP800-53", + "title": "Access Control for Transmission", + "params": [ + { + "id": "pe-04_odp.01", + "label": "system distribution and transmission lines", + "guidelines": [ + { + "prose": "system distribution and transmission lines requiring physical access controls are defined;" + } + ] + }, + { + "id": "pe-04_odp.02", + "label": "security controls", + "guidelines": [ + { + "prose": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-4" + }, + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-4_smt", + "name": "statement", + "prose": "Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}." + }, + { + "id": "pe-4_gdn", + "name": "guidance", + "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors." + }, + { + "id": "pe-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + } + ], + "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.", + "links": [ + { + "href": "#pe-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to distribution and transmission lines\n\nmechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines" + } + ] + } + ] + }, + { + "id": "pe-5", + "class": "SP800-53", + "title": "Access Control for Output Devices", + "params": [ + { + "id": "pe-05_odp", + "label": "output devices", + "guidelines": [ + { + "prose": "output devices that require physical access control to output are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-5" + }, + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-5_smt", + "name": "statement", + "prose": "Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output." + }, + { + "id": "pe-5_gdn", + "name": "guidance", + "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." + }, + { + "id": "pe-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + } + ], + "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.", + "links": [ + { + "href": "#pe-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ], + "controls": [ + { + "id": "pe-6.1", + "class": "SP800-53-enhancement", + "title": "Intrusion Alarms and Surveillance Equipment", + "props": [ + { + "name": "label", + "value": "PE-6(1)" + }, + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.1_smt", + "name": "statement", + "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." + }, + { + "id": "pe-6.1_gdn", + "name": "guidance", + "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." + }, + { + "id": "pe-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment" + } + ] + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + }, + { + "id": "pe-9", + "class": "SP800-53", + "title": "Power Equipment and Cabling", + "props": [ + { + "name": "label", + "value": "PE-9" + }, + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-9_smt", + "name": "statement", + "prose": "Protect power equipment and power cabling for the system from damage and destruction." + }, + { + "id": "pe-9_gdn", + "name": "guidance", + "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems." + }, + { + "id": "pe-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[01]", + "class": "sp800-53a" + } + ], + "prose": "power equipment for the system is protected from damage and destruction;", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[02]", + "class": "sp800-53a" + } + ], + "prose": "power cabling for the system is protected from damage and destruction.", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" + } + ] + } + ] + }, + { + "id": "pe-10", + "class": "SP800-53", + "title": "Emergency Shutoff", + "params": [ + { + "id": "pe-10_odp.01", + "label": "system or individual system components", + "guidelines": [ + { + "prose": "system or individual system components that require the capability to shut off power in emergency situations is/are defined;" + } + ] + }, + { + "id": "pe-10_odp.02", + "label": "location", + "constraints": [ + { + "description": "near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off" + } + ], + "guidelines": [ + { + "prose": "location of emergency shutoff switches or devices by system or system component is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-10" + }, + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-10_smt", + "name": "statement", + "parts": [ + { + "id": "pe-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;" + }, + { + "id": "pe-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and" + }, + { + "id": "pe-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect emergency power shutoff capability from unauthorized activation." + } + ] + }, + { + "id": "pe-10_gdn", + "name": "guidance", + "prose": "Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." + }, + { + "id": "pe-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10a.", + "class": "sp800-53a" + } + ], + "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;", + "links": [ + { + "href": "#pe-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10b.", + "class": "sp800-53a" + } + ], + "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;", + "links": [ + { + "href": "#pe-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10c.", + "class": "sp800-53a" + } + ], + "prose": "the emergency power shutoff capability is protected from unauthorized activation.", + "links": [ + { + "href": "#pe-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing emergency power shutoff" + } + ] + } + ] + }, + { + "id": "pe-11", + "class": "SP800-53", + "title": "Emergency Power", + "params": [ + { + "id": "pe-11_odp", + "select": { + "choice": [ + "an orderly shutdown of the system", + "transition of the system to long-term alternate power" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11" + }, + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-11_smt", + "name": "statement", + "prose": "Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss." + }, + { + "id": "pe-11_gdn", + "name": "guidance", + "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system." + }, + { + "id": "pe-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + } + ], + "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.", + "links": [ + { + "href": "#pe-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply" + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ], + "controls": [ + { + "id": "pe-13.1", + "class": "SP800-53-enhancement", + "title": "Detection Systems \u2014 Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.01_odp.02", + "label": "emergency responders", + "constraints": [ + { + "description": "service provider emergency responders with incident response responsibilities" + } + ], + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(1)" + }, + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.1_smt", + "name": "statement", + "prose": "Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire." + }, + { + "id": "pe-13.1_gdn", + "name": "guidance", + "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that activate automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire detection devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + }, + { + "id": "pe-13.2", + "class": "SP800-53-enhancement", + "title": "Suppression Systems \u2014 Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.02_odp.02", + "label": "emergency responders", + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(2)" + }, + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-13.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and" + }, + { + "id": "pe-13.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." + } + ] + }, + { + "id": "pe-13.2_gdn", + "name": "guidance", + "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that activate automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.", + "links": [ + { + "href": "#pe-13.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing fire suppression devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + }, + { + "id": "pe-17", + "class": "SP800-53", + "title": "Alternate Work Site", + "params": [ + { + "id": "pe-17_odp.01", + "label": "alternate work sites", + "guidelines": [ + { + "prose": "alternate work sites allowed for use by employees are defined;" + } + ] + }, + { + "id": "pe-17_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be employed at alternate work sites are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-17" + }, + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-17_smt", + "name": "statement", + "parts": [ + { + "id": "pe-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;" + }, + { + "id": "pe-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};" + }, + { + "id": "pe-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assess the effectiveness of controls at alternate work sites; and" + }, + { + "id": "pe-17_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." + } + ] + }, + { + "id": "pe-17_gdn", + "name": "guidance", + "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations." + }, + { + "id": "pe-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;", + "links": [ + { + "href": "#pe-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;", + "links": [ + { + "href": "#pe-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17c.", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of controls at alternate work sites is assessed;", + "links": [ + { + "href": "#pe-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17d.", + "class": "sp800-53a" + } + ], + "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.", + "links": [ + { + "href": "#pe-17_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization\u2019s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide\u2014explicitly or by reference\u2014sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization\u2019s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today\u2019s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization\u2019s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals\u2019 privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization\u2019s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ], + "controls": [ + { + "id": "ps-3.3", + "class": "SP800-53-enhancement", + "title": "Information Requiring Special Protective Measures", + "params": [ + { + "id": "ps-03.03_odp", + "label": "additional personnel screening criteria", + "constraints": [ + { + "description": "personnel screening criteria \u2013 as required by specific information" + } + ], + "guidelines": [ + { + "prose": "additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3(3)" + }, + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-3.3_smt", + "name": "statement", + "prose": "Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:", + "parts": [ + { + "id": "ps-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have valid access authorizations that are demonstrated by assigned official government duties; and" + }, + { + "id": "ps-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Satisfy {{ insert: param, ps-03.03_odp }}." + } + ] + }, + { + "id": "ps-3.3_gdn", + "name": "guidance", + "prose": "Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements." + }, + { + "id": "ps-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;", + "links": [ + { + "href": "#ps-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.", + "links": [ + { + "href": "#ps-3.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection" + } + ] + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "constraints": [ + { + "description": "24 hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a \u201cwarning\u201d as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on \u201cTracking of Compliance Scans\u201d in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities\u2014such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers\u2014are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization\u2019s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "within 24 hours prior to running scans" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.3", + "class": "SP800-53-enhancement", + "title": "Breadth and Depth of Coverage", + "props": [ + { + "name": "label", + "value": "RA-5(3)" + }, + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.3_smt", + "name": "statement", + "prose": "Define the breadth and depth of vulnerability scanning coverage." + }, + { + "id": "ra-5.3_gdn", + "name": "guidance", + "prose": "The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage." + }, + { + "id": "ra-5.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + } + ], + "prose": "the breadth and depth of vulnerability scanning coverage are defined.", + "links": [ + { + "href": "#ra-5.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.5", + "class": "SP800-53-enhancement", + "title": "Privileged Access", + "params": [ + { + "id": "ra-05.05_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all components that support authentication" + } + ], + "guidelines": [ + { + "prose": "system components to which privileged access is authorized for selected vulnerability scanning activities are defined;" + } + ] + }, + { + "id": "ra-05.05_odp.02", + "label": "vulnerability scanning activities", + "constraints": [ + { + "description": "all scans" + } + ], + "guidelines": [ + { + "prose": "vulnerability scanning activities selected for privileged access authorization to system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(5)" + }, + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.5_smt", + "name": "statement", + "prose": "Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}." + }, + { + "id": "ra-5.5_gdn", + "name": "guidance", + "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." + }, + { + "id": "ra-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.", + "links": [ + { + "href": "#ra-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and/or implementing access control\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + }, + { + "id": "ra-9", + "class": "SP800-53", + "title": "Criticality Analysis", + "params": [ + { + "id": "ra-09_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services to be analyzed for criticality are defined;" + } + ] + }, + { + "id": "ra-09_odp.02", + "label": "decision points in the system development life cycle", + "guidelines": [ + { + "prose": "decision points in the system development life cycle when a criticality analysis is to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-9" + }, + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-9_smt", + "name": "statement", + "prose": "Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}." + }, + { + "id": "ra-9_gdn", + "name": "guidance", + "prose": "Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)." + }, + { + "id": "ra-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + } + ], + "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.", + "links": [ + { + "href": "#ra-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\ncriticality analysis/finalized criticality for each component/subcomponent\n\naudit records/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.1", + "class": "SP800-53-enhancement", + "title": "Functional Properties of Controls", + "props": [ + { + "name": "label", + "value": "SA-4(1)" + }, + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." + }, + { + "id": "sa-4.1_gdn", + "name": "guidance", + "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." + }, + { + "id": "sa-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.", + "links": [ + { + "href": "#sa-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ] + }, + { + "id": "sa-4.2", + "class": "SP800-53-enhancement", + "title": "Design and Implementation Information for Controls", + "params": [ + { + "id": "sa-04.02_odp.01", + "constraints": [ + { + "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "security-relevant external system interfaces", + "high-level design", + "low-level design", + "source code or hardware schematics", + " {{ insert: param, sa-04.02_odp.02 }} " + ] + } + }, + { + "id": "sa-04.02_odp.02", + "label": "design and implementation information", + "guidelines": [ + { + "prose": "design and implementation information is defined (if selected);" + } + ] + }, + { + "id": "sa-04.02_odp.03", + "label": "level of detail", + "guidelines": [ + { + "prose": "level of detail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(2)" + }, + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}." + }, + { + "id": "sa-4.2_gdn", + "name": "guidance", + "prose": "Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." + }, + { + "id": "sa-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.", + "links": [ + { + "href": "#sa-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing the development of system design details" + } + ] + } + ] + }, + { + "id": "sa-4.9", + "class": "SP800-53-enhancement", + "title": "Functions, Ports, Protocols, and Services in Use", + "props": [ + { + "name": "label", + "value": "SA-4(9)" + }, + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.9_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." + }, + { + "id": "sa-4.9_gdn", + "name": "guidance", + "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." + }, + { + "id": "sa-4.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ], + "controls": [ + { + "id": "sa-9.1", + "class": "SP800-53-enhancement", + "title": "Risk Assessments and Organizational Approvals", + "params": [ + { + "id": "sa-09.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(1)" + }, + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and" + }, + { + "id": "sa-9.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}." + } + ] + }, + { + "id": "sa-9.1_gdn", + "name": "guidance", + "prose": "Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks." + }, + { + "id": "sa-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;", + "links": [ + { + "href": "#sa-9.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.", + "links": [ + { + "href": "#sa-9.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and/or implementing risk assessment\n\nmechanisms supporting and/or implementing approval processes" + } + ] + } + ] + }, + { + "id": "sa-9.2", + "class": "SP800-53-enhancement", + "title": "Identification of Functions, Ports, Protocols, and Services", + "params": [ + { + "id": "sa-09.02_odp", + "label": "external system services", + "constraints": [ + { + "description": "all external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "external system services that require the identification of functions, ports, protocols, and other services are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(2)" + }, + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.2_smt", + "name": "statement", + "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}." + }, + { + "id": "sa-9.2_gdn", + "name": "guidance", + "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." + }, + { + "id": "sa-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + } + ], + "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.", + "links": [ + { + "href": "#sa-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of system services" + } + ] + } + ] + }, + { + "id": "sa-9.5", + "class": "SP800-53-enhancement", + "title": "Processing, Storage, and Service Location", + "params": [ + { + "id": "sa-09.05_odp.01", + "constraints": [ + { + "description": "information processing, information or data, AND system services" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "information processing", + "information or data", + "system services" + ] + } + }, + { + "id": "sa-09.05_odp.02", + "label": "locations", + "guidelines": [ + { + "prose": "locations where {{ insert: param, sa-09.05_odp.01 }} is/are to be restricted are defined;" + } + ] + }, + { + "id": "sa-09.05_odp.03", + "label": "requirements", + "guidelines": [ + { + "prose": "requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(5)" + }, + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.5_smt", + "name": "statement", + "prose": "Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}." + }, + { + "id": "sa-9.5_gdn", + "name": "guidance", + "prose": "The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate." + }, + { + "id": "sa-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + } + ], + "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.", + "links": [ + { + "href": "#sa-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or system services\n\ninformation processing, information/data, and/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions" + } + ] + } + ] + } + ] + }, + { + "id": "sa-10", + "class": "SP800-53", + "title": "Developer Configuration Management", + "params": [ + { + "id": "sa-10_odp.01", + "constraints": [ + { + "description": "development, implementation, AND operation" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "design", + "development", + "implementation", + "operation", + "disposal" + ] + } + }, + { + "id": "sa-10_odp.02", + "label": "configuration items", + "guidelines": [ + { + "prose": "configuration items under configuration management are defined;" + } + ] + }, + { + "id": "sa-10_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-10" + }, + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-10_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};" + }, + { + "id": "sa-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};" + }, + { + "id": "sa-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Implement only organization-approved changes to the system, component, or service;" + }, + { + "id": "sa-10_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" + }, + { + "id": "sa-10_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}." + }, + { + "id": "sa-10_fr", + "name": "item", + "title": "SA-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP." + } + ] + } + ] + }, + { + "id": "sa-10_gdn", + "name": "guidance", + "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." + }, + { + "id": "sa-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};", + "links": [ + { + "href": "#sa-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10c.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and/or implementing the monitoring of developer configuration management" + } + ] + } + ] + }, + { + "id": "sa-11", + "class": "SP800-53", + "title": "Developer Testing and Evaluation", + "params": [ + { + "id": "sa-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "unit", + "integration", + "system", + "regression" + ] + } + }, + { + "id": "sa-11_odp.02", + "label": "frequency to conduct", + "guidelines": [ + { + "prose": "frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + }, + { + "id": "sa-11_odp.03", + "label": "depth and coverage", + "guidelines": [ + { + "prose": "depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11" + }, + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", + "parts": [ + { + "id": "sa-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement a plan for ongoing security and privacy control assessments;" + }, + { + "id": "sa-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};" + }, + { + "id": "sa-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" + }, + { + "id": "sa-11_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement a verifiable flaw remediation process; and" + }, + { + "id": "sa-11_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correct flaws identified during testing and evaluation." + } + ] + }, + { + "id": "sa-11_gdn", + "name": "guidance", + "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes\u2014including upgrading or replacing applications, operating systems, and firmware\u2014may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." + }, + { + "id": "sa-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};", + "links": [ + { + "href": "#sa-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11d.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;", + "links": [ + { + "href": "#sa-11_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11e.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.", + "links": [ + { + "href": "#sa-11_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation" + } + ] + } + ], + "controls": [ + { + "id": "sa-11.1", + "class": "SP800-53-enhancement", + "title": "Static Code Analysis", + "props": [ + { + "name": "label", + "value": "SA-11(1)" + }, + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-11.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.", + "parts": [ + { + "id": "sa-11.1_fr", + "name": "item", + "title": "SA-11(1) Additional FedRAMP Requirements", + "parts": [ + { + "id": "sa-11.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.\n\nIf Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))" + } + ] + } + ] + }, + { + "id": "sa-11.1_gdn", + "name": "guidance", + "prose": "Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources." + }, + { + "id": "sa-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools" + } + ] + } + ] + }, + { + "id": "sa-11.2", + "class": "SP800-53-enhancement", + "title": "Threat Modeling and Vulnerability Analyses", + "params": [ + { + "id": "sa-11.2_prm_3", + "label": "organization-defined breadth and depth of modeling and analyses" + }, + { + "id": "sa-11.2_prm_4", + "label": "organization-defined acceptance criteria" + }, + { + "id": "sa-11.02_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.02", + "label": "tools and methods", + "guidelines": [ + { + "prose": "the tools and methods to be employed for threat modeling and vulnerability analyses are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.03", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of threat modeling to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.04", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of vulnerability analyses to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.05", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for threat modeling are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.06", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for vulnerability analyses are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11(2)" + }, + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:", + "parts": [ + { + "id": "sa-11.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};" + }, + { + "id": "sa-11.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};" + }, + { + "id": "sa-11.2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + }, + { + "id": "sa-11.2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}." + } + ] + }, + { + "id": "sa-11.2_gdn", + "name": "guidance", + "prose": "Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated." + }, + { + "id": "sa-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation" + } + ] + } + ] + } + ] + }, + { + "id": "sa-15", + "class": "SP800-53", + "title": "Development Process, Standards, and Tools", + "params": [ + { + "id": "sa-15_prm_2", + "label": "organization-defined security and privacy requirements" + }, + { + "id": "sa-15_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "frequency at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;" + } + ] + }, + { + "id": "sa-15_odp.02", + "label": "security requirements", + "constraints": [ + { + "description": "FedRAMP Security Authorization requirements" + } + ], + "guidelines": [ + { + "prose": "security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + }, + { + "id": "sa-15_odp.03", + "label": "privacy requirements", + "guidelines": [ + { + "prose": "privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15" + }, + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15_smt", + "name": "statement", + "parts": [ + { + "id": "sa-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", + "parts": [ + { + "id": "sa-15_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Explicitly addresses security and privacy requirements;" + }, + { + "id": "sa-15_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Identifies the standards and tools used in the development process;" + }, + { + "id": "sa-15_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Documents the specific tool options and tool configurations used in the development process; and" + }, + { + "id": "sa-15_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" + } + ] + }, + { + "id": "sa-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}." + } + ] + }, + { + "id": "sa-15_gdn", + "name": "guidance", + "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes." + }, + { + "id": "sa-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.04", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;", + "links": [ + { + "href": "#sa-15_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ], + "controls": [ + { + "id": "sa-15.3", + "class": "SP800-53-enhancement", + "title": "Criticality Analysis", + "params": [ + { + "id": "sa-15.3_prm_2", + "label": "organization-defined breadth and depth of criticality analysis" + }, + { + "id": "sa-15.03_odp.01", + "label": "decision points", + "guidelines": [ + { + "prose": "decision points in the system development life cycle are defined;" + } + ] + }, + { + "id": "sa-15.03_odp.02", + "label": "breadth", + "guidelines": [ + { + "prose": "the breadth of criticality analysis is defined;" + } + ] + }, + { + "id": "sa-15.03_odp.03", + "label": "depth", + "guidelines": [ + { + "prose": "the depth of criticality analysis is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15(3)" + }, + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-15", + "rel": "required" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15.3_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", + "parts": [ + { + "id": "sa-15.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + }, + { + "id": "sa-15.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}." + } + ] + }, + { + "id": "sa-15.3_gdn", + "name": "guidance", + "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." + }, + { + "id": "sa-15.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;", + "links": [ + { + "href": "#sa-15.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-15.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-15(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for performing criticality analysis\n\nmechanisms supporting and/or implementing criticality analysis" + } + ] + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-2", + "class": "SP800-53", + "title": "Separation of System and User Functionality", + "props": [ + { + "name": "label", + "value": "SC-2" + }, + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-2_smt", + "name": "statement", + "prose": "Separate user functionality, including user interface services, from system management functionality." + }, + { + "id": "sc-2_gdn", + "name": "guidance", + "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + } + ], + "prose": "user functionality, including user interface services, is separated from system management functionality.", + "links": [ + { + "href": "#sc-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of user functionality from system management functionality" + } + ] + } + ] + }, + { + "id": "sc-4", + "class": "SP800-53", + "title": "Information in Shared System Resources", + "props": [ + { + "name": "label", + "value": "SC-4" + }, + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-4_smt", + "name": "statement", + "prose": "Prevent unauthorized and unintended information transfer via shared system resources." + }, + { + "id": "sc-4_gdn", + "name": "guidance", + "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." + }, + { + "id": "sc-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[01]", + "class": "sp800-53a" + } + ], + "prose": "unauthorized information transfer via shared system resources is prevented;", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[02]", + "class": "sp800-53a" + } + ], + "prose": "unintended information transfer via shared system resources is prevented.", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ], + "controls": [ + { + "id": "sc-7.3", + "class": "SP800-53-enhancement", + "title": "Access Points", + "props": [ + { + "name": "label", + "value": "SC-7(3)" + }, + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.3_smt", + "name": "statement", + "prose": "Limit the number of external network connections to the system." + }, + { + "id": "sc-7.3_gdn", + "name": "guidance", + "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." + }, + { + "id": "sc-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + } + ], + "prose": "the number of external network connections to the system is limited.", + "links": [ + { + "href": "#sc-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system" + } + ] + } + ] + }, + { + "id": "sc-7.4", + "class": "SP800-53-enhancement", + "title": "External Telecommunications Services", + "params": [ + { + "id": "sc-07.04_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review exceptions to traffic flow policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(4)" + }, + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.4_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement a managed interface for each external telecommunication service;" + }, + { + "id": "sc-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish a traffic flow policy for each managed interface;" + }, + { + "id": "sc-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" + }, + { + "id": "sc-7.4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" + }, + { + "id": "sc-7.4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;" + }, + { + "id": "sc-7.4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" + }, + { + "id": "sc-7.4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" + }, + { + "id": "sc-7.4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Filter unauthorized control plane traffic from external networks." + } + ] + }, + { + "id": "sc-7.4_gdn", + "name": "guidance", + "prose": "External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements." + }, + { + "id": "sc-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "a managed interface is implemented for each external telecommunication service;", + "links": [ + { + "href": "#sc-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "a traffic flow policy is established for each managed interface;", + "links": [ + { + "href": "#sc-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(d)", + "class": "sp800-53a" + } + ], + "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;", + "links": [ + { + "href": "#sc-7.4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[01]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[02]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(f)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;", + "links": [ + { + "href": "#sc-7.4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(g)", + "class": "sp800-53a" + } + ], + "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;", + "links": [ + { + "href": "#sc-7.4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(h)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized control plane traffic is filtered from external networks.", + "links": [ + { + "href": "#sc-7.4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy" + } + ] + } + ] + }, + { + "id": "sc-7.5", + "class": "SP800-53-enhancement", + "title": "Deny by Default \u2014 Allow by Exception", + "params": [ + { + "id": "sc-07.05_odp.01", + "constraints": [ + { + "description": "any systems" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "at managed interfaces", + "for {{ insert: param, sc-07.05_odp.02 }} " + ] + } + }, + { + "id": "sc-07.05_odp.02", + "label": "systems", + "guidelines": [ + { + "prose": "systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)." + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(5)" + }, + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.5_smt", + "name": "statement", + "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.", + "parts": [ + { + "id": "sc-7.5_fr", + "name": "item", + "title": "SC-7 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing" + } + ] + } + ] + }, + { + "id": "sc-7.5_gdn", + "name": "guidance", + "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." + }, + { + "id": "sc-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.7", + "class": "SP800-53-enhancement", + "title": "Split Tunneling for Remote Devices", + "params": [ + { + "id": "sc-07.07_odp", + "label": "safeguards", + "guidelines": [ + { + "prose": "safeguards to securely provision split tunneling are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(7)" + }, + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.7_smt", + "name": "statement", + "prose": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}." + }, + { + "id": "sc-7.7_gdn", + "name": "guidance", + "prose": "Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control." + }, + { + "id": "sc-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + } + ], + "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.", + "links": [ + { + "href": "#sc-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting/restricting non-remote connections" + } + ] + } + ] + }, + { + "id": "sc-7.8", + "class": "SP800-53-enhancement", + "title": "Route Traffic to Authenticated Proxy Servers", + "params": [ + { + "id": "sc-07.08_odp.01", + "label": "internal communications traffic", + "guidelines": [ + { + "prose": "internal communications traffic to be routed to external networks is defined;" + } + ] + }, + { + "id": "sc-07.08_odp.02", + "label": "external networks", + "constraints": [ + { + "description": "any network outside of organizational control and any network outside the authorization boundary" + } + ], + "guidelines": [ + { + "prose": "external networks to which internal communications traffic is to be routed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(8)" + }, + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.8_smt", + "name": "statement", + "prose": "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces." + }, + { + "id": "sc-7.8_gdn", + "name": "guidance", + "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)." + }, + { + "id": "sc-7.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.", + "links": [ + { + "href": "#sc-7.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.12", + "class": "SP800-53-enhancement", + "title": "Host-based Protection", + "params": [ + { + "id": "sc-07.12_odp.01", + "label": "host-based boundary protection mechanisms", + "constraints": [ + { + "description": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall" + } + ], + "guidelines": [ + { + "prose": "host-based boundary protection mechanisms to be implemented are defined;" + } + ] + }, + { + "id": "sc-07.12_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based boundary protection mechanisms are to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(12)" + }, + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.12_smt", + "name": "statement", + "prose": "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}." + }, + { + "id": "sc-7.12_gdn", + "name": "guidance", + "prose": "Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices." + }, + { + "id": "sc-7.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.", + "links": [ + { + "href": "#sc-7.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users" + } + ] + }, + { + "id": "sc-7.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing host-based boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-7.18", + "class": "SP800-53-enhancement", + "title": "Fail Secure", + "props": [ + { + "name": "label", + "value": "SC-7(18)" + }, + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.18_smt", + "name": "statement", + "prose": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device." + }, + { + "id": "sc-7.18_gdn", + "name": "guidance", + "prose": "Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases." + }, + { + "id": "sc-7.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + } + ], + "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.", + "links": [ + { + "href": "#sc-7.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure failure" + } + ] + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n\n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work \u2013 e.g. log collection, scanning, etc.\n\n\n\n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters\n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]" + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n\n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n\n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS\u2019s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS\u2019 recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n\n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n\n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n\n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf" + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "constraints": [ + { + "description": "prevent unauthorized disclosure of information AND detect changes to information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-10", + "class": "SP800-53", + "title": "Network Disconnect", + "params": [ + { + "id": "sc-10_odp", + "label": "time period", + "constraints": [ + { + "description": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions" + } + ], + "guidelines": [ + { + "prose": "a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-10" + }, + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-10_smt", + "name": "statement", + "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity." + }, + { + "id": "sc-10_gdn", + "name": "guidance", + "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses." + }, + { + "id": "sc-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + } + ], + "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.", + "links": [ + { + "href": "#sc-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a network disconnect capability" + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n\n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-17", + "class": "SP800-53", + "title": "Public Key Infrastructure Certificates", + "params": [ + { + "id": "sc-17_odp", + "label": "certificate policy", + "guidelines": [ + { + "prose": "a certificate policy for issuing public key certificates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-17" + }, + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#8cb338a4-e493-4177-818f-3af18983ddc5", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-17_smt", + "name": "statement", + "parts": [ + { + "id": "sc-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and" + }, + { + "id": "sc-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." + } + ] + }, + { + "id": "sc-17_gdn", + "name": "guidance", + "prose": "Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." + }, + { + "id": "sc-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17a.", + "class": "sp800-53a" + } + ], + "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;", + "links": [ + { + "href": "#sc-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17b.", + "class": "sp800-53a" + } + ], + "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.", + "links": [ + { + "href": "#sc-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers" + } + ] + }, + { + "id": "sc-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of public key infrastructure certificates" + } + ] + } + ] + }, + { + "id": "sc-18", + "class": "SP800-53", + "title": "Mobile Code", + "props": [ + { + "name": "label", + "value": "SC-18" + }, + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#f641309f-a3ad-48be-8c67-2b318648b2f5", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-18_smt", + "name": "statement", + "parts": [ + { + "id": "sc-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" + }, + { + "id": "sc-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize, monitor, and control the use of mobile code within the system." + } + ] + }, + { + "id": "sc-18_gdn", + "name": "guidance", + "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." + }, + { + "id": "sc-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[04]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is authorized within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is monitored within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is controlled within the system.", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code" + } + ] + }, + { + "id": "sc-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and/or implementing the management of mobile code\n\nmechanisms supporting and/or implementing the monitoring of mobile code" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n* DNSSEC resolution to access a component inside the boundary is excluded.\n" + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers\u2014one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-23", + "class": "SP800-53", + "title": "Session Authenticity", + "props": [ + { + "name": "label", + "value": "SC-23" + }, + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-23_smt", + "name": "statement", + "prose": "Protect the authenticity of communications sessions." + }, + { + "id": "sc-23_gdn", + "name": "guidance", + "prose": "Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions." + }, + { + "id": "sc-23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + } + ], + "prose": "the authenticity of communication sessions is protected.", + "links": [ + { + "href": "#sc-23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-23-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-23-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sc-23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-23-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing session authenticity" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + }, + { + "id": "sc-45", + "class": "SP800-53", + "title": "System Time Synchronization", + "props": [ + { + "name": "label", + "value": "SC-45" + }, + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e4d37285-1e79-4029-8b6a-42df39cace30", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-45_smt", + "name": "statement", + "prose": "Synchronize system clocks within and between systems and system components." + }, + { + "id": "sc-45_gdn", + "name": "guidance", + "prose": "Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities\u2014such as access control and identification and authentication\u2014depending on the nature of the mechanisms used to support the capabilities." + }, + { + "id": "sc-45_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + } + ], + "prose": "system clocks are synchronized within and between systems and system components.", + "links": [ + { + "href": "#sc-45_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ], + "controls": [ + { + "id": "sc-45.1", + "class": "SP800-53-enhancement", + "title": "Synchronization with Authoritative Time Source", + "params": [ + { + "id": "sc-45.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "At least hourly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to compare the internal system clocks with the authoritative time source is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.02", + "label": "authoritative time source", + "constraints": [ + { + "description": "http://tf.nist.gov/tf-cgi/servers.cgi" + } + ], + "guidelines": [ + { + "prose": "the authoritative time source to which internal system clocks are to be compared is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "any difference" + } + ], + "guidelines": [ + { + "prose": "the time period to compare the internal system clocks with the authoritative time source is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-45(1)" + }, + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-45", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-45.1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-45.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and" + }, + { + "id": "sc-45.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}." + }, + { + "id": "sc-45.1_fr", + "name": "item", + "title": "SC-45(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-45.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server." + }, + { + "id": "sc-45.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server." + }, + { + "id": "sc-45.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Synchronization of system clocks improves the accuracy of log analysis." + } + ] + } + ] + }, + { + "id": "sc-45.1_gdn", + "name": "guidance", + "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." + }, + { + "id": "sc-45.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-45.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};", + "links": [ + { + "href": "#sc-45.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.", + "links": [ + { + "href": "#sc-45.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-45.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ], + "controls": [ + { + "id": "si-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Flaw Remediation Status", + "params": [ + { + "id": "si-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;" + } + ] + }, + { + "id": "si-02.02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(2)" + }, + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2.2_smt", + "name": "statement", + "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + }, + { + "id": "si-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can track and determine the status of known flaws for system components." + }, + { + "id": "si-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + } + ], + "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.", + "links": [ + { + "href": "#si-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms used to determine the state of system components with regard to flaw remediation" + } + ] + } + ] + }, + { + "id": "si-2.3", + "class": "SP800-53-enhancement", + "title": "Time to Remediate Flaws and Benchmarks for Corrective Actions", + "params": [ + { + "id": "si-02.03_odp", + "label": "benchmarks", + "guidelines": [ + { + "prose": "the benchmarks for taking corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(3)" + }, + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-2.3_smt", + "name": "statement", + "parts": [ + { + "id": "si-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Measure the time between flaw identification and flaw remediation; and" + }, + { + "id": "si-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}." + } + ] + }, + { + "id": "si-2.3_gdn", + "name": "guidance", + "prose": "Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited." + }, + { + "id": "si-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the time between flaw identification and flaw remediation is measured;", + "links": [ + { + "href": "#si-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-02.03_odp }} for taking corrective actions have been established.", + "links": [ + { + "href": "#si-2.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation" + } + ] + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ], + "controls": [ + { + "id": "si-4.1", + "class": "SP800-53-enhancement", + "title": "System-wide Intrusion Detection System", + "props": [ + { + "name": "label", + "value": "SI-4(1)" + }, + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.1_smt", + "name": "statement", + "prose": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + }, + { + "id": "si-4.1_gdn", + "name": "guidance", + "prose": "Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful." + }, + { + "id": "si-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system.", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection capabilities" + } + ] + } + ] + }, + { + "id": "si-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Tools and Mechanisms for Real-time Analysis", + "props": [ + { + "name": "label", + "value": "SI-4(2)" + }, + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-25", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.2_smt", + "name": "statement", + "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." + }, + { + "id": "si-4.2_gdn", + "name": "guidance", + "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "si-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.", + "links": [ + { + "href": "#si-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response/management" + } + ] + }, + { + "id": "si-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring\n\nmechanisms/tools supporting and/or implementing an analysis of events" + } + ] + } + ] + }, + { + "id": "si-4.4", + "class": "SP800-53-enhancement", + "title": "Inbound and Outbound Communications Traffic", + "params": [ + { + "id": "si-4.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "continuously" + } + ] + }, + { + "id": "si-4.4_prm_2", + "label": "organization-defined unusual or unauthorized activities or conditions" + }, + { + "id": "si-04.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.02", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;" + } + ] + }, + { + "id": "si-04.04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.04", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(4)" + }, + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;" + }, + { + "id": "si-4.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}." + } + ] + }, + { + "id": "si-4.4_gdn", + "name": "guidance", + "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components." + }, + { + "id": "si-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.5", + "class": "SP800-53-enhancement", + "title": "System-generated Alerts", + "params": [ + { + "id": "si-04.05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;" + } + ] + }, + { + "id": "si-04.05_odp.02", + "label": "compromise indicators", + "guidelines": [ + { + "prose": "compromise indicators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(5)" + }, + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.5_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}.", + "parts": [ + { + "id": "si-4.5_fr", + "name": "item", + "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with the incident response plan." + } + ] + } + ] + }, + { + "id": "si-4.5_gdn", + "name": "guidance", + "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats." + }, + { + "id": "si-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.", + "links": [ + { + "href": "#si-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing alerts for compromise indicators" + } + ] + } + ] + }, + { + "id": "si-4.16", + "class": "SP800-53-enhancement", + "title": "Correlate Monitoring Information", + "props": [ + { + "name": "label", + "value": "SI-4(16)" + }, + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.16_smt", + "name": "statement", + "prose": "Correlate information from monitoring tools and mechanisms employed throughout the system." + }, + { + "id": "si-4.16_gdn", + "name": "guidance", + "prose": "Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation\u2014including malicious code protection software, host monitoring, and network monitoring\u2014can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)." + }, + { + "id": "si-4.16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + } + ], + "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated.", + "links": [ + { + "href": "#si-4.16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(16)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(16)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(16)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the correlation of information from monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.18", + "class": "SP800-53-enhancement", + "title": "Analyze Traffic and Covert Exfiltration", + "params": [ + { + "id": "si-04.18_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(18)" + }, + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.18_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}." + }, + { + "id": "si-4.18_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography." + }, + { + "id": "si-4.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.18_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing an analysis of outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.23", + "class": "SP800-53-enhancement", + "title": "Host-based Devices", + "params": [ + { + "id": "si-04.23_odp.01", + "label": "host-based monitoring mechanisms", + "guidelines": [ + { + "prose": "host-based monitoring mechanisms to be implemented on system components are defined;" + } + ] + }, + { + "id": "si-04.23_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based monitoring is to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(23)" + }, + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.23_smt", + "name": "statement", + "prose": "Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}." + }, + { + "id": "si-4.23_gdn", + "name": "guidance", + "prose": "Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors." + }, + { + "id": "si-4.23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.", + "links": [ + { + "href": "#si-4.23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(23)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(23)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts" + } + ] + }, + { + "id": "si-4.23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(23)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a host-based monitoring capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ] + }, + { + "id": "si-6", + "class": "SP800-53", + "title": "Security and Privacy Function Verification", + "params": [ + { + "id": "si-6_prm_1", + "label": "organization-defined security and privacy functions" + }, + { + "id": "si-06_odp.01", + "label": "security functions", + "guidelines": [ + { + "prose": "security functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.02", + "label": "privacy functions", + "guidelines": [ + { + "prose": "privacy functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-06_odp.04 }} ", + "upon command by user with appropriate privilege", + " {{ insert: param, si-06_odp.05 }} " + ] + } + }, + { + "id": "si-06_odp.04", + "label": "system transitional states", + "constraints": [ + { + "description": "to include upon system startup and/or restart" + } + ], + "guidelines": [ + { + "prose": "system transitional states requiring the verification of security and privacy functions are defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.06", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include system administrators and security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted of failed security and privacy verification tests is/are defined;" + } + ] + }, + { + "id": "si-06_odp.07", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut the system down", + "restart the system", + " {{ insert: param, si-06_odp.08 }} " + ] + } + }, + { + "id": "si-06_odp.08", + "label": "alternative action(s)", + "guidelines": [ + { + "prose": "alternative action(s) to be performed when anomalies are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-6" + }, + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-6_smt", + "name": "statement", + "parts": [ + { + "id": "si-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verify the correct operation of {{ insert: param, si-6_prm_1 }};" + }, + { + "id": "si-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};" + }, + { + "id": "si-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and" + }, + { + "id": "si-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + } + ] + }, + { + "id": "si-6_gdn", + "name": "guidance", + "prose": "Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected." + }, + { + "id": "si-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.", + "links": [ + { + "href": "#si-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "si-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy function verification\n\nmechanisms supporting and/or implementing the security and privacy function verification capability" + } + ] + } + ] + }, + { + "id": "si-7", + "class": "SP800-53", + "title": "Software, Firmware, and Information Integrity", + "params": [ + { + "id": "si-7_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7_prm_2", + "label": "organization-defined actions" + }, + { + "id": "si-07_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.02", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.04", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to software are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.05", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to firmware are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.06", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to information are detected are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7" + }, + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#e47ee630-9cbc-4133-880e-e013f83ccd51", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7_smt", + "name": "statement", + "parts": [ + { + "id": "si-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and" + }, + { + "id": "si-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}." + } + ] + }, + { + "id": "si-7_gdn", + "name": "guidance", + "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms\u2014including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools\u2014can automatically monitor the integrity of systems and hosted applications." + }, + { + "id": "si-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "si-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ], + "controls": [ + { + "id": "si-7.1", + "class": "SP800-53-enhancement", + "title": "Integrity Checks", + "params": [ + { + "id": "si-7.1_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7.1_prm_2", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-7.1_prm_3 }} ", + " {{ insert: param, si-7.1_prm_4 }} " + ] + } + }, + { + "id": "si-7.1_prm_3", + "label": "organization-defined transitional states or security-relevant events", + "constraints": [ + { + "description": "selection to include security relevant event" + } + ] + }, + { + "id": "si-7.1_prm_4", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "si-07.01_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.03 }} ", + " {{ insert: param, si-07.01_odp.04 }} " + ] + } + }, + { + "id": "si-07.01_odp.03", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on software) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.05", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.06", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.07 }} ", + " {{ insert: param, si-07.01_odp.08 }} " + ] + } + }, + { + "id": "si-07.01_odp.07", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on firmware) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.09", + "label": "information", + "guidelines": [ + { + "prose": "information on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.10", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.11 }} ", + " {{ insert: param, si-07.01_odp.12 }} " + ] + } + }, + { + "id": "si-07.01_odp.11", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.12", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (of information) is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(1)" + }, + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.1_smt", + "name": "statement", + "prose": "Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}." + }, + { + "id": "si-7.1_gdn", + "name": "guidance", + "prose": "Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." + }, + { + "id": "si-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ] + }, + { + "id": "si-7.7", + "class": "SP800-53-enhancement", + "title": "Integration of Detection and Response", + "params": [ + { + "id": "si-07.07_odp", + "label": "changes", + "guidelines": [ + { + "prose": "security-relevant changes to the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(7)" + }, + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.7_smt", + "name": "statement", + "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}." + }, + { + "id": "si-7.7_gdn", + "name": "guidance", + "prose": "Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges." + }, + { + "id": "si-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + } + ], + "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.", + "links": [ + { + "href": "#si-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities" + } + ] + }, + { + "id": "si-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-8", + "class": "SP800-53", + "title": "Spam Protection", + "props": [ + { + "name": "label", + "value": "SI-8" + }, + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#314e33cb-3681-4b50-a2a2-3fae9604accd", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-8_smt", + "name": "statement", + "parts": [ + { + "id": "si-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" + }, + { + "id": "si-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." + }, + { + "id": "si-8_fr", + "name": "item", + "title": "SI-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/" + }, + { + "id": "si-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients." + } + ] + } + ] + }, + { + "id": "si-8_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." + }, + { + "id": "si-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[01]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[02]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[03]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[04]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08b.", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.", + "links": [ + { + "href": "#si-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for implementing spam protection\n\nmechanisms supporting and/or implementing spam protection" + } + ] + } + ], + "controls": [ + { + "id": "si-8.2", + "class": "SP800-53-enhancement", + "title": "Automatic Updates", + "params": [ + { + "id": "si-08.02_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to automatically update spam protection mechanisms is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-8(2)" + }, + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#si-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-8.2_smt", + "name": "statement", + "prose": "Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}." + }, + { + "id": "si-8.2_gdn", + "name": "guidance", + "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities." + }, + { + "id": "si-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.", + "links": [ + { + "href": "#si-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for spam protection\n\nmechanisms supporting and/or implementing automatic updates to spam protection mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "si-10", + "class": "SP800-53", + "title": "Information Input Validation", + "params": [ + { + "id": "si-10_odp", + "label": "information inputs", + "guidelines": [ + { + "prose": "information inputs to the system requiring validity checks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-10" + }, + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + } + ], + "parts": [ + { + "id": "si-10_smt", + "name": "statement", + "prose": "Check the validity of the following information inputs: {{ insert: param, si-10_odp }}.", + "parts": [ + { + "id": "si-10_fr", + "name": "item", + "title": "SI-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Validate all information inputs and document any exceptions" + } + ] + } + ] + }, + { + "id": "si-10_gdn", + "name": "guidance", + "prose": "Checking the valid syntax and semantics of system inputs\u2014including character set, length, numerical range, and acceptable values\u2014verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks." + }, + { + "id": "si-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + } + ], + "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.", + "links": [ + { + "href": "#si-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing validity checks on information inputs" + } + ] + } + ] + }, + { + "id": "si-11", + "class": "SP800-53", + "title": "Error Handling", + "params": [ + { + "id": "si-11_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom error messages are to be revealed is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-11" + }, + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-11_smt", + "name": "statement", + "parts": [ + { + "id": "si-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" + }, + { + "id": "si-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Reveal error messages only to {{ insert: param, si-11_odp }}." + } + ] + }, + { + "id": "si-11_gdn", + "name": "guidance", + "prose": "Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." + }, + { + "id": "si-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11a.", + "class": "sp800-53a" + } + ], + "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;", + "links": [ + { + "href": "#si-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11b.", + "class": "sp800-53a" + } + ], + "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.", + "links": [ + { + "href": "#si-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing the management of error messages" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + }, + { + "id": "si-16", + "class": "SP800-53", + "title": "Memory Protection", + "params": [ + { + "id": "si-16_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented to protect the system memory from unauthorized code execution are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-16" + }, + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-16_smt", + "name": "statement", + "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}." + }, + { + "id": "si-16_gdn", + "name": "guidance", + "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." + }, + { + "id": "si-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.", + "links": [ + { + "href": "#si-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ] + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-6", + "class": "SP800-53", + "title": "Supplier Assessments and Reviews", + "params": [ + { + "id": "sr-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-6" + }, + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-6_smt", + "name": "statement", + "prose": "Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.", + "parts": [ + { + "id": "sr-6_fr", + "name": "item", + "title": "SR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products." + } + ] + } + ] + }, + { + "id": "sr-6_gdn", + "name": "guidance", + "prose": "An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts." + }, + { + "id": "sr-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + } + ], + "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.", + "links": [ + { + "href": "#sr-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting supplier reviews\n\nmechanisms supporting and/or implementing supplier reviews" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "4f42ee6e-86cc-403b-a51f-76c2b4f81b54", + "title": "DHS TIC", + "citation": { + "text": "Department of Homeland Security, *Trusted Internet Connections (TIC)*." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/trusted-internet-connections" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "title": "EO 13556", + "citation": { + "text": "Executive Order 13556, *Controlled Unclassified Information* , November 2010." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "e4d37285-1e79-4029-8b6a-42df39cace30", + "title": "IETF 5905", + "citation": { + "text": "Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010." + }, + "rlinks": [ + { + "href": "https://tools.ietf.org/pdf/rfc5905.pdf" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "a2590922-82f3-4277-83c0-ca5bee06dba4", + "title": "IR 8112", + "citation": { + "text": "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8112" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology \u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology\u2014Security techniques \u2014 Evaluation criteria for IT security \u2014 Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology \u2014 Open Trusted Technology Provider\u2122 Standard (O-TTPS) \u2014 Mitigating maliciously tainted and counterfeit products \u2014 Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology\u2014Security techniques\u2014Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology\u2014Security techniques\u2014Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering\u2014Life cycle processes\u2014Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "e47ee630-9cbc-4133-880e-e013f83ccd51", + "title": "SP 800-147", + "citation": { + "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-147" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "title": "SP 800-154", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "f641309f-a3ad-48be-8c67-2b318648b2f5", + "title": "SP 800-28", + "citation": { + "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "8cb338a4-e493-4177-818f-3af18983ddc5", + "title": "SP 800-32", + "citation": { + "text": "Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-32" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "314e33cb-3681-4b50-a2a2-3fae9604accd", + "title": "SP 800-45", + "citation": { + "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 \u2013 General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 \u2013 Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "9099ed2c-922a-493d-bcb4-d896192243ff", + "title": "SP 800-63A", + "citation": { + "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63a" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "title": "SP 800-95", + "citation": { + "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-95" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json index 9f08acd09..95ffb9027 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog": { - "uuid": "36094314-56ce-43fd-9ab8-0e1f6fa6bfaa", + "uuid": "05787e43-fa8f-4f67-9a3b-2240fb4d9a78", "metadata": { "title": "FedRAMP Rev 5 Moderate Baseline", "published": "2023-08-31T00:00:00Z", - "last-modified": "2023-12-18T20:27:56.71703-05:00", + "last-modified": "2024-01-11T18:08:21.203723-05:00", "version": "5.1.1+fedramp-20231218-0", "oscal-version": "1.1.1", "links": [ @@ -99,8 +99,100600 @@ } ] }, + "groups": [ + { + "id": "ac", + "class": "family", + "title": "Access Control", + "controls": [ + { + "id": "ac-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ac-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ac-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ac-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ac-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the access control policy and procedures is defined;" + } + ] + }, + { + "id": "ac-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current access control policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ac-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ac-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-1" + }, + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-1_smt", + "name": "statement", + "parts": [ + { + "id": "ac-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", + "parts": [ + { + "id": "ac-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", + "parts": [ + { + "id": "ac-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ac-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ac-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" + } + ] + }, + { + "id": "ac-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" + }, + { + "id": "ac-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current access control:", + "parts": [ + { + "id": "ac-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" + }, + { + "id": "ac-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ac-1_gdn", + "name": "guidance", + "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ac-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an access control policy is developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ac-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", + "links": [ + { + "href": "#ac-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ac-2", + "class": "SP800-53", + "title": "Account Management", + "params": [ + { + "id": "ac-02_odp.01", + "label": "prerequisites and criteria", + "guidelines": [ + { + "prose": "prerequisites and criteria for group and role membership are defined;" + } + ] + }, + { + "id": "ac-02_odp.02", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes (as required) for each account are defined;" + } + ] + }, + { + "id": "ac-02_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to approve requests to create accounts is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.04", + "label": "policy, procedures, prerequisites, and criteria", + "guidelines": [ + { + "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" + } + ] + }, + { + "id": "ac-02_odp.05", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified is/are defined;" + } + ] + }, + { + "id": "ac-02_odp.06", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when accounts are no longer required is defined;" + } + ] + }, + { + "id": "ac-02_odp.07", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " + } + ] + }, + { + "id": "ac-02_odp.08", + "label": "time period", + "constraints": [ + { + "description": "eight (8) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" + } + ] + }, + { + "id": "ac-02_odp.09", + "label": "attributes (as required)", + "guidelines": [ + { + "prose": "attributes needed to authorize system access (as required) are defined;" + } + ] + }, + { + "id": "ac-02_odp.10", + "label": "frequency", + "constraints": [ + { + "description": "quarterly for privileged access, annually for non-privileged access" + } + ], + "guidelines": [ + { + "prose": "the frequency of account review is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2" + }, + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" + }, + { + "id": "ac-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign account managers;" + }, + { + "id": "ac-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" + }, + { + "id": "ac-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Specify:", + "parts": [ + { + "id": "ac-2_smt.d.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Authorized users of the system;" + }, + { + "id": "ac-2_smt.d.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Group and role membership; and" + }, + { + "id": "ac-2_smt.d.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" + } + ] + }, + { + "id": "ac-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" + }, + { + "id": "ac-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" + }, + { + "id": "ac-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Monitor the use of accounts;" + }, + { + "id": "ac-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", + "parts": [ + { + "id": "ac-2_smt.h.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" + }, + { + "id": "ac-2_smt.h.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" + }, + { + "id": "ac-2_smt.h.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" + } + ] + }, + { + "id": "ac-2_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Authorize access to the system based on:", + "parts": [ + { + "id": "ac-2_smt.i.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "A valid access authorization;" + }, + { + "id": "ac-2_smt.i.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Intended system usage; and" + }, + { + "id": "ac-2_smt.i.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ac-02_odp.09 }};" + } + ] + }, + { + "id": "ac-2_smt.j", + "name": "item", + "props": [ + { + "name": "label", + "value": "j." + } + ], + "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" + }, + { + "id": "ac-2_smt.k", + "name": "item", + "props": [ + { + "name": "label", + "value": "k." + } + ], + "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" + }, + { + "id": "ac-2_smt.l", + "name": "item", + "props": [ + { + "name": "label", + "value": "l." + } + ], + "prose": "Align account management processes with personnel termination and transfer processes." + } + ] + }, + { + "id": "ac-2_gdn", + "name": "guidance", + "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." + }, + { + "id": "ac-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "account types allowed for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "account types specifically prohibited for use within the system are defined and documented;", + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02b.", + "class": "sp800-53a" + } + ], + "prose": "account managers are assigned;", + "links": [ + { + "href": "#ac-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", + "links": [ + { + "href": "#ac-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.01", + "class": "sp800-53a" + } + ], + "prose": "authorized users of the system are specified;", + "links": [ + { + "href": "#ac-2_smt.d.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.02", + "class": "sp800-53a" + } + ], + "prose": "group and role membership are specified;", + "links": [ + { + "href": "#ac-2_smt.d.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.d.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[01]", + "class": "sp800-53a" + } + ], + "prose": "access authorizations (i.e., privileges) are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.d.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02d.03[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02e.", + "class": "sp800-53a" + } + ], + "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", + "links": [ + { + "href": "#ac-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[03]", + "class": "sp800-53a" + } + ], + "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[04]", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.f-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02f.[05]", + "class": "sp800-53a" + } + ], + "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02g.", + "class": "sp800-53a" + } + ], + "prose": "the use of accounts is monitored; ", + "links": [ + { + "href": "#ac-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.h.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.01", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", + "links": [ + { + "href": "#ac-2_smt.h.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.02", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", + "links": [ + { + "href": "#ac-2_smt.h.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.h.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02h.03", + "class": "sp800-53a" + } + ], + "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", + "links": [ + { + "href": "#ac-2_smt.h.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.i.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.01", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on a valid access authorization;", + "links": [ + { + "href": "#ac-2_smt.i.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.02", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on intended system usage;", + "links": [ + { + "href": "#ac-2_smt.i.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.i.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02i.03", + "class": "sp800-53a" + } + ], + "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", + "links": [ + { + "href": "#ac-2_smt.i.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.i", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.j", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02j.", + "class": "sp800-53a" + } + ], + "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", + "links": [ + { + "href": "#ac-2_smt.j", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.k-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.k-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02k.[02]", + "class": "sp800-53a" + } + ], + "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.k", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2_obj.l-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[01]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel termination processes;", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_obj.l-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02l.[02]", + "class": "sp800-53a" + } + ], + "prose": "account management processes are aligned with personnel transfer processes.", + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt.l", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" + } + ] + } + ], + "controls": [ + { + "id": "ac-2.1", + "class": "SP800-53-enhancement", + "title": "Automated System Account Management", + "params": [ + { + "id": "ac-02.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the management of system accounts are defined; " + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(1)" + }, + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.1_smt", + "name": "statement", + "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}." + }, + { + "id": "ac-2.1_gdn", + "name": "guidance", + "prose": "Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications." + }, + { + "id": "ac-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(01)", + "class": "sp800-53a" + } + ], + "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.", + "links": [ + { + "href": "#ac-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Temporary and Emergency Account Management", + "params": [ + { + "id": "ac-02.02_odp.01", + "constraints": [ + { + "description": "Selection: disables" + } + ], + "select": { + "choice": [ + "remove", + "disable" + ] + } + }, + { + "id": "ac-02.02_odp.02", + "label": "time period", + "constraints": [ + { + "description": "no more than 96 hours from last use" + } + ], + "guidelines": [ + { + "prose": "the time period after which to automatically remove or disable temporary or emergency accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(2)" + }, + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.2_smt", + "name": "statement", + "prose": "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}." + }, + { + "id": "ac-2.2_gdn", + "name": "guidance", + "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation." + }, + { + "id": "ac-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(02)", + "class": "sp800-53a" + } + ], + "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.", + "links": [ + { + "href": "#ac-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and/or disabled\n\nsystem-generated list of emergency accounts removed and/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.3", + "class": "SP800-53-enhancement", + "title": "Disable Accounts", + "params": [ + { + "id": "ac-02.03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "24 hours for user accounts" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts is defined;" + } + ] + }, + { + "id": "ac-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "ninety (90) days (See additional requirements and guidance.)" + } + ], + "guidelines": [ + { + "prose": "time period for account inactivity before disabling is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(3)" + }, + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.3_smt", + "name": "statement", + "prose": "Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:", + "parts": [ + { + "id": "ac-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have expired;" + }, + { + "id": "ac-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Are no longer associated with a user or individual;" + }, + { + "id": "ac-2.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Are in violation of organizational policy; or" + }, + { + "id": "ac-2.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Have been inactive for {{ insert: param, ac-02.03_odp.02 }}." + }, + { + "id": "ac-2.3_fr", + "name": "item", + "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available." + }, + { + "id": "ac-2.3_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines the time period of inactivity for device identifiers." + }, + { + "id": "ac-2.3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/." + } + ] + } + ] + }, + { + "id": "ac-2.3_gdn", + "name": "guidance", + "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system." + }, + { + "id": "ac-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;", + "links": [ + { + "href": "#ac-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;", + "links": [ + { + "href": "#ac-2.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;", + "links": [ + { + "href": "#ac-2.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.", + "links": [ + { + "href": "#ac-2.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.4", + "class": "SP800-53-enhancement", + "title": "Automated Audit Actions", + "props": [ + { + "name": "label", + "value": "AC-2(4)" + }, + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.4_smt", + "name": "statement", + "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." + }, + { + "id": "ac-2.4_gdn", + "name": "guidance", + "prose": "Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)." + }, + { + "id": "ac-2.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[01]", + "class": "sp800-53a" + } + ], + "prose": "account creation is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[02]", + "class": "sp800-53a" + } + ], + "prose": "account modification is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[03]", + "class": "sp800-53a" + } + ], + "prose": "account enabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[04]", + "class": "sp800-53a" + } + ], + "prose": "account disabling is automatically audited;", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(04)[05]", + "class": "sp800-53a" + } + ], + "prose": "account removal actions are automatically audited.", + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.5", + "class": "SP800-53-enhancement", + "title": "Inactivity Logout", + "params": [ + { + "id": "ac-02.05_odp", + "label": "time period of expected inactivity or description of when to log out", + "constraints": [ + { + "description": "for privileged users, it is the end of a user's standard work period" + } + ], + "guidelines": [ + { + "prose": "the time period of expected inactivity or description of when to log out is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(5)" + }, + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#ac-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.5_smt", + "name": "statement", + "prose": "Require that users log out when {{ insert: param, ac-02.05_odp }}.", + "parts": [ + { + "id": "ac-2.5_fr", + "name": "item", + "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Should use a shorter timeframe than AC-12." + } + ] + } + ] + }, + { + "id": "ac-2.5_gdn", + "name": "guidance", + "prose": "Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)." + }, + { + "id": "ac-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.", + "links": [ + { + "href": "#ac-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy" + } + ] + } + ] + }, + { + "id": "ac-2.7", + "class": "SP800-53-enhancement", + "title": "Privileged User Accounts", + "params": [ + { + "id": "ac-02.07_odp", + "select": { + "choice": [ + "a role-based access scheme", + "an attribute-based access scheme" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(7)" + }, + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};" + }, + { + "id": "ac-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor privileged role or attribute assignments;" + }, + { + "id": "ac-2.7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Monitor changes to roles or attributes; and" + }, + { + "id": "ac-2.7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Revoke access when privileged role or attribute assignments are no longer appropriate." + } + ] + }, + { + "id": "ac-2.7_gdn", + "name": "guidance", + "prose": "Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes." + }, + { + "id": "ac-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};", + "links": [ + { + "href": "#ac-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileged role or attribute assignments are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(c)", + "class": "sp800-53a" + } + ], + "prose": "changes to roles or attributes are monitored;", + "links": [ + { + "href": "#ac-2.7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(07)(d)", + "class": "sp800-53a" + } + ], + "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.", + "links": [ + { + "href": "#ac-2.7_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments" + } + ] + } + ] + }, + { + "id": "ac-2.9", + "class": "SP800-53-enhancement", + "title": "Restrictions on Use of Shared and Group Accounts", + "params": [ + { + "id": "ac-02.09_odp", + "label": "conditions", + "constraints": [ + { + "description": "organization-defined need with justification statement that explains why such accounts are necessary" + } + ], + "guidelines": [ + { + "prose": "conditions for establishing shared and group accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(9)" + }, + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-2.9_smt", + "name": "statement", + "prose": "Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.", + "parts": [ + { + "id": "ac-2.9_fr", + "name": "item", + "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Required if shared/group accounts are deployed." + } + ] + } + ] + }, + { + "id": "ac-2.9_gdn", + "name": "guidance", + "prose": "Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts." + }, + { + "id": "ac-2.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(09)", + "class": "sp800-53a" + } + ], + "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.", + "links": [ + { + "href": "#ac-2.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of shared/group accounts" + } + ] + } + ] + }, + { + "id": "ac-2.12", + "class": "SP800-53-enhancement", + "title": "Account Monitoring for Atypical Usage", + "params": [ + { + "id": "ac-02.12_odp.01", + "label": "atypical usage", + "guidelines": [ + { + "prose": "atypical usage for which to monitor system accounts is defined;" + } + ] + }, + { + "id": "ac-02.12_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to report atypical usage is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(12)" + }, + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.12_smt", + "name": "statement", + "parts": [ + { + "id": "ac-2.12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and" + }, + { + "id": "ac-2.12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}." + }, + { + "id": "ac-2.12_fr", + "name": "item", + "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-2.12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Required for privileged accounts." + }, + { + "id": "ac-2.12_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "Required for privileged accounts." + } + ] + } + ] + }, + { + "id": "ac-2.12_gdn", + "name": "guidance", + "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "ac-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-2.12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(a)", + "class": "sp800-53a" + } + ], + "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ", + "links": [ + { + "href": "#ac-2.12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(12)(b)", + "class": "sp800-53a" + } + ], + "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.", + "links": [ + { + "href": "#ac-2.12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + }, + { + "id": "ac-2.13", + "class": "SP800-53-enhancement", + "title": "Disable Accounts for High-risk Individuals", + "params": [ + { + "id": "ac-02.13_odp.01", + "label": "time period", + "constraints": [ + { + "description": "one (1) hour" + } + ], + "guidelines": [ + { + "prose": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;" + } + ] + }, + { + "id": "ac-02.13_odp.02", + "label": "significant risks", + "guidelines": [ + { + "prose": "significant risks leading to disabling accounts are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-2(13)" + }, + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-02.13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-2.13_smt", + "name": "statement", + "prose": "Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}." + }, + { + "id": "ac-2.13_gdn", + "name": "guidance", + "prose": "Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals." + }, + { + "id": "ac-2.13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-02(13)", + "class": "sp800-53a" + } + ], + "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.", + "links": [ + { + "href": "#ac-2.13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-2.13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-02(13)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-2.13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-02(13)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-2.13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-02(13)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing account management functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-3", + "class": "SP800-53", + "title": "Access Enforcement", + "props": [ + { + "name": "label", + "value": "AC-3" + }, + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#ac-24", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-3_smt", + "name": "statement", + "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + }, + { + "id": "ac-3_gdn", + "name": "guidance", + "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." + }, + { + "id": "ac-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-03", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", + "links": [ + { + "href": "#ac-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy" + } + ] + } + ] + }, + { + "id": "ac-4", + "class": "SP800-53", + "title": "Information Flow Enforcement", + "params": [ + { + "id": "ac-04_odp", + "label": "information flow control policies", + "guidelines": [ + { + "prose": "information flow control policies within the system and between connected systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4" + }, + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", + "rel": "reference" + }, + { + "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "rel": "reference" + }, + { + "href": "#a2590922-82f3-4277-83c0-ca5bee06dba4", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-24", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4_smt", + "name": "statement", + "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}." + }, + { + "id": "ac-4_gdn", + "name": "guidance", + "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)." + }, + { + "id": "ac-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04", + "class": "sp800-53a" + } + ], + "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.", + "links": [ + { + "href": "#ac-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement policy" + } + ] + } + ], + "controls": [ + { + "id": "ac-4.21", + "class": "SP800-53-enhancement", + "title": "Physical or Logical Separation of Information Flows", + "params": [ + { + "id": "ac-4.21_prm_1", + "label": "organization-defined mechanisms and/or techniques" + }, + { + "id": "ac-04.21_odp.01", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to logically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.02", + "label": "mechanisms and/or techniques", + "guidelines": [ + { + "prose": "mechanisms and/or techniques used to physically separate information flows are defined (if selected);" + } + ] + }, + { + "id": "ac-04.21_odp.03", + "label": "required separations", + "guidelines": [ + { + "prose": "required separations by types of information are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-4(21)" + }, + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-04.21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-4", + "rel": "required" + }, + { + "href": "#sc-32", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-4.21_smt", + "name": "statement", + "prose": "Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}." + }, + { + "id": "ac-4.21_gdn", + "name": "guidance", + "prose": "Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels." + }, + { + "id": "ac-4.21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-4.21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[01]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-04(21)[02]", + "class": "sp800-53a" + } + ], + "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.", + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-4.21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-4.21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-04(21)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-4.21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-04(21)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-4.21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-04(21)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing information flow enforcement functions" + } + ] + } + ] + } + ] + }, + { + "id": "ac-5", + "class": "SP800-53", + "title": "Separation of Duties", + "params": [ + { + "id": "ac-05_odp", + "label": "duties of individuals", + "guidelines": [ + { + "prose": "duties of individuals requiring separation are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-5" + }, + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-5_smt", + "name": "statement", + "parts": [ + { + "id": "ac-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document {{ insert: param, ac-05_odp }} ; and" + }, + { + "id": "ac-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define system access authorizations to support separation of duties." + }, + { + "id": "ac-5_fr", + "name": "item", + "title": "AC-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs have the option to provide a separation of duties matrix as an attachment to the SSP." + } + ] + } + ] + }, + { + "id": "ac-5_gdn", + "name": "guidance", + "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)." + }, + { + "id": "ac-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-05_odp }} are identified and documented;", + "links": [ + { + "href": "#ac-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-05b.", + "class": "sp800-53a" + } + ], + "prose": "system access authorizations to support separation of duties are defined.", + "links": [ + { + "href": "#ac-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing separation of duties policy" + } + ] + } + ] + }, + { + "id": "ac-6", + "class": "SP800-53", + "title": "Least Privilege", + "props": [ + { + "name": "label", + "value": "AC-6" + }, + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6_smt", + "name": "statement", + "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." + }, + { + "id": "ac-6_gdn", + "name": "guidance", + "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." + }, + { + "id": "ac-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06", + "class": "sp800-53a" + } + ], + "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", + "links": [ + { + "href": "#ac-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ], + "controls": [ + { + "id": "ac-6.1", + "class": "SP800-53-enhancement", + "title": "Authorize Access to Security Functions", + "params": [ + { + "id": "ac-6.1_prm_2", + "label": "organization-defined security functions (deployed in hardware, software, and firmware)" + }, + { + "id": "ac-06.01_odp.01", + "label": "individuals and roles", + "guidelines": [ + { + "prose": "individuals and roles with authorized access to security functions and security-relevant information are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.02", + "label": "security functions (deployed in hardware)", + "guidelines": [ + { + "prose": "security functions (deployed in hardware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.03", + "label": "security functions (deployed in software)", + "guidelines": [ + { + "prose": "security functions (deployed in software) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.04", + "label": "security functions (deployed in firmware)", + "guidelines": [ + { + "prose": "security functions (deployed in firmware) for authorized access are defined;" + } + ] + }, + { + "id": "ac-06.01_odp.05", + "label": "security-relevant information", + "guidelines": [ + { + "prose": "security-relevant information for authorized access is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(1)" + }, + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.1_smt", + "name": "statement", + "prose": "Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:", + "parts": [ + { + "id": "ac-6.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": " {{ insert: param, ac-6.1_prm_2 }} ; and" + }, + { + "id": "ac-6.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": " {{ insert: param, ac-06.01_odp.05 }}." + } + ] + }, + { + "id": "ac-6.1_gdn", + "name": "guidance", + "prose": "Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." + }, + { + "id": "ac-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};", + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.", + "links": [ + { + "href": "#ac-6.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.2", + "class": "SP800-53-enhancement", + "title": "Non-privileged Access for Nonsecurity Functions", + "params": [ + { + "id": "ac-06.02_odp", + "label": "security functions or security-relevant information", + "constraints": [ + { + "description": "all security functions" + } + ], + "guidelines": [ + { + "prose": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(2)" + }, + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.2_smt", + "name": "statement", + "prose": "Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.", + "parts": [ + { + "id": "ac-6.2_fr", + "name": "item", + "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-6.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions." + } + ] + } + ] + }, + { + "id": "ac-6.2_gdn", + "name": "guidance", + "prose": "Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." + }, + { + "id": "ac-6.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(02)", + "class": "sp800-53a" + } + ], + "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.", + "links": [ + { + "href": "#ac-6.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.5", + "class": "SP800-53-enhancement", + "title": "Privileged Accounts", + "params": [ + { + "id": "ac-06.05_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to which privileged accounts on the system are to be restricted is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(5)" + }, + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.5_smt", + "name": "statement", + "prose": "Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}." + }, + { + "id": "ac-6.5_gdn", + "name": "guidance", + "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk." + }, + { + "id": "ac-6.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.", + "links": [ + { + "href": "#ac-6.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.7", + "class": "SP800-53-enhancement", + "title": "Review of User Privileges", + "params": [ + { + "id": "ac-06.07_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at a minimum, annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the privileges assigned to roles or classes of users is defined;" + } + ] + }, + { + "id": "ac-06.07_odp.02", + "label": "roles and classes", + "constraints": [ + { + "description": "all users with privileges" + } + ], + "guidelines": [ + { + "prose": "roles or classes of users to which privileges are assigned are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-6(7)" + }, + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-6.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and" + }, + { + "id": "ac-6.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." + } + ] + }, + { + "id": "ac-6.7_gdn", + "name": "guidance", + "prose": "The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." + }, + { + "id": "ac-6.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-6.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(a)", + "class": "sp800-53a" + } + ], + "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;", + "links": [ + { + "href": "#ac-6.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(07)(b)", + "class": "sp800-53a" + } + ], + "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.", + "links": [ + { + "href": "#ac-6.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-6.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-6.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing review of user privileges" + } + ] + } + ] + }, + { + "id": "ac-6.9", + "class": "SP800-53-enhancement", + "title": "Log Use of Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(9)" + }, + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-6.9_smt", + "name": "statement", + "prose": "Log the execution of privileged functions." + }, + { + "id": "ac-6.9_gdn", + "name": "guidance", + "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat." + }, + { + "id": "ac-6.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(09)", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged functions is logged.", + "links": [ + { + "href": "#ac-6.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(09)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms auditing the execution of least privilege functions" + } + ] + } + ] + }, + { + "id": "ac-6.10", + "class": "SP800-53-enhancement", + "title": "Prohibit Non-privileged Users from Executing Privileged Functions", + "props": [ + { + "name": "label", + "value": "AC-6(10)" + }, + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-06.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-6.10_smt", + "name": "statement", + "prose": "Prevent non-privileged users from executing privileged functions." + }, + { + "id": "ac-6.10_gdn", + "name": "guidance", + "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)." + }, + { + "id": "ac-6.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-06(10)", + "class": "sp800-53a" + } + ], + "prose": "non-privileged users are prevented from executing privileged functions.", + "links": [ + { + "href": "#ac-6.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-6.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-06(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-6.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-06(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-6.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-06(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing least privilege functions for non-privileged users" + } + ] + } + ] + } + ] + }, + { + "id": "ac-7", + "class": "SP800-53", + "title": "Unsuccessful Logon Attempts", + "params": [ + { + "id": "ac-07_odp.01", + "label": "number", + "guidelines": [ + { + "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" + } + ] + }, + { + "id": "ac-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" + } + ] + }, + { + "id": "ac-07_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", + "lock the account or node until released by an administrator", + "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", + "notify system administrator", + "take other {{ insert: param, ac-07_odp.06 }} " + ] + } + }, + { + "id": "ac-07_odp.04", + "label": "time period", + "guidelines": [ + { + "prose": "time period for an account or node to be locked is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.05", + "label": "delay algorithm", + "guidelines": [ + { + "prose": "delay algorithm for the next logon prompt is defined (if selected);" + } + ] + }, + { + "id": "ac-07_odp.06", + "label": "action", + "guidelines": [ + { + "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-7" + }, + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-7_smt", + "name": "statement", + "parts": [ + { + "id": "ac-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" + }, + { + "id": "ac-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." + }, + { + "id": "ac-7_fr", + "name": "item", + "title": "AC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "In alignment with NIST SP 800-63B" + } + ] + } + ] + }, + { + "id": "ac-7_gdn", + "name": "guidance", + "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." + }, + { + "id": "ac-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07a.", + "class": "sp800-53a" + } + ], + "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", + "links": [ + { + "href": "#ac-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-07b.", + "class": "sp800-53a" + } + ], + "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", + "links": [ + { + "href": "#ac-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" + } + ] + }, + { + "id": "ac-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" + } + ] + } + ] + }, + { + "id": "ac-8", + "class": "SP800-53", + "title": "System Use Notification", + "params": [ + { + "id": "ac-08_odp.01", + "label": "system use notification", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" + } + ] + }, + { + "id": "ac-08_odp.02", + "label": "conditions", + "constraints": [ + { + "description": "see additional Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "conditions for system use to be displayed by the system before granting further access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-8" + }, + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-8_smt", + "name": "statement", + "parts": [ + { + "id": "ac-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", + "parts": [ + { + "id": "ac-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Users are accessing a U.S. Government system;" + }, + { + "id": "ac-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "System usage may be monitored, recorded, and subject to audit;" + }, + { + "id": "ac-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" + }, + { + "id": "ac-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Use of the system indicates consent to monitoring and recording;" + } + ] + }, + { + "id": "ac-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" + }, + { + "id": "ac-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "For publicly accessible systems:", + "parts": [ + { + "id": "ac-8_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" + }, + { + "id": "ac-8_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" + }, + { + "id": "ac-8_smt.c.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Include a description of the authorized uses of the system." + } + ] + }, + { + "id": "ac-8_fr", + "name": "item", + "title": "AC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." + }, + { + "id": "ac-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." + } + ] + } + ] + }, + { + "id": "ac-8_gdn", + "name": "guidance", + "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." + }, + { + "id": "ac-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "parts": [ + { + "id": "ac-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.01", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that users are accessing a U.S. Government system;", + "links": [ + { + "href": "#ac-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.02", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", + "links": [ + { + "href": "#ac-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.03", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", + "links": [ + { + "href": "#ac-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08a.04", + "class": "sp800-53a" + } + ], + "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", + "links": [ + { + "href": "#ac-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08b.", + "class": "sp800-53a" + } + ], + "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", + "links": [ + { + "href": "#ac-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-8_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.01", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", + "links": [ + { + "href": "#ac-8_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.02", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", + "links": [ + { + "href": "#ac-8_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_obj.c.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-08c.03", + "class": "sp800-53a" + } + ], + "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", + "links": [ + { + "href": "#ac-8_smt.c.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" + } + ] + }, + { + "id": "ac-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system use notification" + } + ] + } + ] + }, + { + "id": "ac-11", + "class": "SP800-53", + "title": "Device Lock", + "params": [ + { + "id": "ac-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { + "id": "ac-11_odp.02", + "label": "time period", + "constraints": [ + { + "description": "fifteen (15) minutes" + } + ], + "guidelines": [ + { + "prose": "time period of inactivity after which a device lock is initiated is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-11" + }, + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-11_smt", + "name": "statement", + "parts": [ + { + "id": "ac-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and" + }, + { + "id": "ac-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." + } + ] + }, + { + "id": "ac-11_gdn", + "name": "guidance", + "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays." + }, + { + "id": "ac-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11a.", + "class": "sp800-53a" + } + ], + "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};", + "links": [ + { + "href": "#ac-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11b.", + "class": "sp800-53a" + } + ], + "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.", + "links": [ + { + "href": "#ac-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing access control policy for session lock" + } + ] + } + ], + "controls": [ + { + "id": "ac-11.1", + "class": "SP800-53-enhancement", + "title": "Pattern-hiding Displays", + "props": [ + { + "name": "label", + "value": "AC-11(1)" + }, + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-11.1_smt", + "name": "statement", + "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." + }, + { + "id": "ac-11.1_gdn", + "name": "guidance", + "prose": "The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed." + }, + { + "id": "ac-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-11(01)", + "class": "sp800-53a" + } + ], + "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.", + "links": [ + { + "href": "#ac-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System session lock mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "ac-12", + "class": "SP800-53", + "title": "Session Termination", + "params": [ + { + "id": "ac-12_odp", + "label": "conditions or trigger events", + "guidelines": [ + { + "prose": "conditions or trigger events requiring session disconnect are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-12" + }, + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-12_smt", + "name": "statement", + "prose": "Automatically terminate a user session after {{ insert: param, ac-12_odp }}." + }, + { + "id": "ac-12_gdn", + "name": "guidance", + "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." + }, + { + "id": "ac-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-12", + "class": "sp800-53a" + } + ], + "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.", + "links": [ + { + "href": "#ac-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms implementing user session termination" + } + ] + } + ] + }, + { + "id": "ac-14", + "class": "SP800-53", + "title": "Permitted Actions Without Identification or Authentication", + "params": [ + { + "id": "ac-14_odp", + "label": "user actions", + "guidelines": [ + { + "prose": "user actions that can be performed on the system without identification or authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-14" + }, + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-14_smt", + "name": "statement", + "parts": [ + { + "id": "ac-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" + }, + { + "id": "ac-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." + } + ] + }, + { + "id": "ac-14_gdn", + "name": "guidance", + "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " + }, + { + "id": "ac-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", + "links": [ + { + "href": "#ac-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-14_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[01]", + "class": "sp800-53a" + } + ], + "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-14b.[02]", + "class": "sp800-53a" + } + ], + "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ac-17", + "class": "SP800-53", + "title": "Remote Access", + "props": [ + { + "name": "label", + "value": "AC-17" + }, + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" + }, + { + "id": "ac-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of remote access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-17_gdn", + "name": "guidance", + "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." + }, + { + "id": "ac-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[01]", + "class": "sp800-53a" + } + ], + "prose": "usage restrictions are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established and documented for each type of remote access allowed;", + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17b.", + "class": "sp800-53a" + } + ], + "prose": "each type of remote access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Remote access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-17.1", + "class": "SP800-53-enhancement", + "title": "Monitoring and Control", + "props": [ + { + "name": "label", + "value": "AC-17(1)" + }, + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.1_smt", + "name": "statement", + "prose": "Employ automated mechanisms to monitor and control remote access methods." + }, + { + "id": "ac-17.1_gdn", + "name": "guidance", + "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." + }, + { + "id": "ac-17.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to monitor remote access methods;", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "automated mechanisms are employed to control remote access methods.", + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms monitoring and controlling remote access methods" + } + ] + } + ] + }, + { + "id": "ac-17.2", + "class": "SP800-53-enhancement", + "title": "Protection of Confidentiality and Integrity Using Encryption", + "props": [ + { + "name": "label", + "value": "AC-17(2)" + }, + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.2_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." + }, + { + "id": "ac-17.2_gdn", + "name": "guidance", + "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." + }, + { + "id": "ac-17.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(02)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.", + "links": [ + { + "href": "#ac-17.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-17.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions" + } + ] + } + ] + }, + { + "id": "ac-17.3", + "class": "SP800-53-enhancement", + "title": "Managed Access Control Points", + "props": [ + { + "name": "label", + "value": "AC-17(3)" + }, + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.3_smt", + "name": "statement", + "prose": "Route remote accesses through authorized and managed network access control points." + }, + { + "id": "ac-17.3_gdn", + "name": "guidance", + "prose": "Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces." + }, + { + "id": "ac-17.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(03)", + "class": "sp800-53a" + } + ], + "prose": "remote accesses are routed through authorized and managed network access control points.", + "links": [ + { + "href": "#ac-17.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms routing all remote accesses through managed network access control points" + } + ] + } + ] + }, + { + "id": "ac-17.4", + "class": "SP800-53-enhancement", + "title": "Privileged Commands and Access", + "params": [ + { + "id": "ac-17.4_prm_1", + "label": "organization-defined needs" + }, + { + "id": "ac-17.04_odp.01", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring execution of privileged commands via remote access are defined;" + } + ] + }, + { + "id": "ac-17.04_odp.02", + "label": "needs requiring remote access", + "guidelines": [ + { + "prose": "needs requiring access to security-relevant information via remote access are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-17(4)" + }, + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-17.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-17.4_smt", + "name": "statement", + "parts": [ + { + "id": "ac-17.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + }, + { + "id": "ac-17.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document the rationale for remote access in the security plan for the system." + } + ] + }, + { + "id": "ac-17.4_gdn", + "name": "guidance", + "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." + }, + { + "id": "ac-17.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-17.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};", + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-17(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rationale for remote access is documented in the security plan for the system.", + "links": [ + { + "href": "#ac-17.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-17.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-17.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-17(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-17.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-17(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-17.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-17(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing remote access management" + } + ] + } + ] + } + ] + }, + { + "id": "ac-18", + "class": "SP800-53", + "title": "Wireless Access", + "props": [ + { + "name": "label", + "value": "AC-18" + }, + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18_smt", + "name": "statement", + "parts": [ + { + "id": "ac-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" + }, + { + "id": "ac-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize each type of wireless access to the system prior to allowing such connections." + } + ] + }, + { + "id": "ac-18_gdn", + "name": "guidance", + "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." + }, + { + "id": "ac-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for each type of wireless access;", + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18b.", + "class": "sp800-53a" + } + ], + "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", + "links": [ + { + "href": "#ac-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Wireless access management capability for the system" + } + ] + } + ], + "controls": [ + { + "id": "ac-18.1", + "class": "SP800-53-enhancement", + "title": "Authentication and Encryption", + "params": [ + { + "id": "ac-18.01_odp", + "select": { + "how-many": "one-or-more", + "choice": [ + "users", + "devices" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "AC-18(1)" + }, + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-18.1_smt", + "name": "statement", + "prose": "Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption." + }, + { + "id": "ac-18.1_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-18.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "wireless access to the system is protected using encryption.", + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-18.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ac-18.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing wireless access protections to the system" + } + ] + } + ] + }, + { + "id": "ac-18.3", + "class": "SP800-53-enhancement", + "title": "Disable Wireless Networking", + "props": [ + { + "name": "label", + "value": "AC-18(3)" + }, + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-18.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-18", + "rel": "required" + } + ], + "parts": [ + { + "id": "ac-18.3_smt", + "name": "statement", + "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." + }, + { + "id": "ac-18.3_gdn", + "name": "guidance", + "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." + }, + { + "id": "ac-18.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-18(03)", + "class": "sp800-53a" + } + ], + "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.", + "links": [ + { + "href": "#ac-18.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-18.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-18(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-18.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-18(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-18.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-18(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components" + } + ] + } + ] + } + ] + }, + { + "id": "ac-19", + "class": "SP800-53", + "title": "Access Control for Mobile Devices", + "props": [ + { + "name": "label", + "value": "AC-19" + }, + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19_smt", + "name": "statement", + "parts": [ + { + "id": "ac-19_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" + }, + { + "id": "ac-19_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize the connection of mobile devices to organizational systems." + } + ] + }, + { + "id": "ac-19_gdn", + "name": "guidance", + "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." + }, + { + "id": "ac-19_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-19_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[02]", + "class": "sp800-53a" + } + ], + "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19a.[03]", + "class": "sp800-53a" + } + ], + "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19b.", + "class": "sp800-53a" + } + ], + "prose": "the connection of mobile devices to organizational systems is authorized.", + "links": [ + { + "href": "#ac-19_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-19_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" + } + ] + } + ], + "controls": [ + { + "id": "ac-19.5", + "class": "SP800-53-enhancement", + "title": "Full Device or Container-based Encryption", + "params": [ + { + "id": "ac-19.05_odp.01", + "select": { + "choice": [ + "full-device encryption", + "container-based encryption" + ] + } + }, + { + "id": "ac-19.05_odp.02", + "label": "mobile devices", + "guidelines": [ + { + "prose": "mobile devices on which to employ encryption are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-19(5)" + }, + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-19.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-19", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-19.5_smt", + "name": "statement", + "prose": "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}." + }, + { + "id": "ac-19.5_gdn", + "name": "guidance", + "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." + }, + { + "id": "ac-19.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-19(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.", + "links": [ + { + "href": "#ac-19.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-19.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-19(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-19.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-19(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with access control responsibilities for mobile devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-19.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-19(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Encryption mechanisms protecting confidentiality and integrity of information on mobile devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-20", + "class": "SP800-53", + "title": "Use of External Systems", + "params": [ + { + "id": "ac-20_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "establish {{ insert: param, ac-20_odp.02 }} ", + "identify {{ insert: param, ac-20_odp.03 }} " + ] + } + }, + { + "id": "ac-20_odp.02", + "label": "terms and conditions", + "guidelines": [ + { + "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.03", + "label": "controls asserted", + "guidelines": [ + { + "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" + } + ] + }, + { + "id": "ac-20_odp.04", + "label": "prohibited types of external systems", + "guidelines": [ + { + "prose": "types of external systems prohibited from use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20" + }, + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20_smt", + "name": "statement", + "parts": [ + { + "id": "ac-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", + "parts": [ + { + "id": "ac-20_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Access the system from external systems; and" + }, + { + "id": "ac-20_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Process, store, or transmit organization-controlled information using external systems; or" + } + ] + }, + { + "id": "ac-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + }, + { + "id": "ac-20_fr", + "name": "item", + "title": "AC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ac-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." + } + ] + } + ] + }, + { + "id": "ac-20_gdn", + "name": "guidance", + "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." + }, + { + "id": "ac-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.01", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20a.02", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", + "links": [ + { + "href": "#ac-20_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20b.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", + "links": [ + { + "href": "#ac-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing terms and conditions on the use of external systems" + } + ] + } + ], + "controls": [ + { + "id": "ac-20.1", + "class": "SP800-53-enhancement", + "title": "Limits on Authorized Use", + "props": [ + { + "name": "label", + "value": "AC-20(1)" + }, + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.1_smt", + "name": "statement", + "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", + "parts": [ + { + "id": "ac-20.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or" + }, + { + "id": "ac-20.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." + } + ] + }, + { + "id": "ac-20.1_gdn", + "name": "guidance", + "prose": "Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." + }, + { + "id": "ac-20.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-20.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);", + "links": [ + { + "href": "#ac-20.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).", + "links": [ + { + "href": "#ac-20.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-20.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing limits on use of external systems" + } + ] + } + ] + }, + { + "id": "ac-20.2", + "class": "SP800-53-enhancement", + "title": "Portable Storage Devices — Restricted Use", + "params": [ + { + "id": "ac-20.02_odp", + "label": "restrictions", + "guidelines": [ + { + "prose": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-20(2)" + }, + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-20.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-20", + "rel": "required" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-20.2_smt", + "name": "statement", + "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}." + }, + { + "id": "ac-20.2_gdn", + "name": "guidance", + "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." + }, + { + "id": "ac-20.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-20(02)", + "class": "sp800-53a" + } + ], + "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.", + "links": [ + { + "href": "#ac-20.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-20.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-20(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-20.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-20(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-20.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-20(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing restrictions on the use of portable storage devices" + } + ] + } + ] + } + ] + }, + { + "id": "ac-21", + "class": "SP800-53", + "title": "Information Sharing", + "params": [ + { + "id": "ac-21_odp.01", + "label": "information-sharing circumstances", + "guidelines": [ + { + "prose": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;" + } + ] + }, + { + "id": "ac-21_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-21" + }, + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-21_smt", + "name": "statement", + "parts": [ + { + "id": "ac-21_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and" + }, + { + "id": "ac-21_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions." + } + ] + }, + { + "id": "ac-21_gdn", + "name": "guidance", + "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions." + }, + { + "id": "ac-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-21_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21a.", + "class": "sp800-53a" + } + ], + "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};", + "links": [ + { + "href": "#ac-21_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-21b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.", + "links": [ + { + "href": "#ac-21_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information-sharing/collaboration decisions\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ac-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions" + } + ] + } + ] + }, + { + "id": "ac-22", + "class": "SP800-53", + "title": "Publicly Accessible Content", + "params": [ + { + "id": "ac-22_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AC-22" + }, + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ac-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ac-22_smt", + "name": "statement", + "parts": [ + { + "id": "ac-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Designate individuals authorized to make information publicly accessible;" + }, + { + "id": "ac-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" + }, + { + "id": "ac-22_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" + }, + { + "id": "ac-22_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." + } + ] + }, + { + "id": "ac-22_gdn", + "name": "guidance", + "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." + }, + { + "id": "ac-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22a.", + "class": "sp800-53a" + } + ], + "prose": "designated individuals are authorized to make information publicly accessible;", + "links": [ + { + "href": "#ac-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22b.", + "class": "sp800-53a" + } + ], + "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", + "links": [ + { + "href": "#ac-22_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22c.", + "class": "sp800-53a" + } + ], + "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", + "links": [ + { + "href": "#ac-22_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ac-22_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AC-22d.[02]", + "class": "sp800-53a" + } + ], + "prose": "non-public information is removed from the publicly accessible system, if discovered.", + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ac-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ac-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ac-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ac-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing management of publicly accessible content" + } + ] + } + ] + } + ] + }, + { + "id": "at", + "class": "family", + "title": "Awareness and Training", + "controls": [ + { + "id": "at-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "at-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "at-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "at-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "at-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the awareness and training policy and procedures is defined;" + } + ] + }, + { + "id": "at-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "at-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "at-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-1" + }, + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-1_smt", + "name": "statement", + "parts": [ + { + "id": "at-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", + "parts": [ + { + "id": "at-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", + "parts": [ + { + "id": "at-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "at-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "at-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" + } + ] + }, + { + "id": "at-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" + }, + { + "id": "at-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current awareness and training:", + "parts": [ + { + "id": "at-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" + }, + { + "id": "at-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "at-1_gdn", + "name": "guidance", + "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "at-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an awareness and training policy is developed and documented; ", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", + "links": [ + { + "href": "#at-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", + "links": [ + { + "href": "#at-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2", + "class": "SP800-53", + "title": "Literacy Training and Awareness", + "params": [ + { + "id": "at-2_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "at-2_prm_2", + "label": "organization-defined events" + }, + { + "id": "at-02_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" + } + ] + }, + { + "id": "at-02_odp.03", + "label": "events", + "guidelines": [ + { + "prose": "events that require security literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that require privacy literacy training for system users are defined;" + } + ] + }, + { + "id": "at-02_odp.05", + "label": "awareness techniques", + "guidelines": [ + { + "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" + } + ] + }, + { + "id": "at-02_odp.06", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update literacy training and awareness content is defined;" + } + ] + }, + { + "id": "at-02_odp.07", + "label": "events", + "guidelines": [ + { + "prose": "events that would require literacy training and awareness content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-2" + }, + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2_smt", + "name": "statement", + "parts": [ + { + "id": "at-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", + "parts": [ + { + "id": "at-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" + }, + { + "id": "at-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" + } + ] + }, + { + "id": "at-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" + }, + { + "id": "at-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" + }, + { + "id": "at-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." + } + ] + }, + { + "id": "at-2_gdn", + "name": "guidance", + "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", + "links": [ + { + "href": "#at-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02d.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", + "links": [ + { + "href": "#at-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" + } + ] + }, + { + "id": "at-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing information security and privacy literacy training" + } + ] + } + ], + "controls": [ + { + "id": "at-2.2", + "class": "SP800-53-enhancement", + "title": "Insider Threat", + "props": [ + { + "name": "label", + "value": "AT-2(2)" + }, + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + }, + { + "href": "#pm-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-2.2_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." + }, + { + "id": "at-2.2_gdn", + "name": "guidance", + "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." + }, + { + "id": "at-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential indicators of insider threat is provided;", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential indicators of insider threat is provided.", + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "at-2.3", + "class": "SP800-53-enhancement", + "title": "Social Engineering and Mining", + "props": [ + { + "name": "label", + "value": "AT-2(3)" + }, + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#at-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "at-2.3_smt", + "name": "statement", + "prose": "Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining." + }, + { + "id": "at-2.3_gdn", + "name": "guidance", + "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." + }, + { + "id": "at-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-2.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social engineering is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[03]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on recognizing potential and actual instances of social mining is provided;", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-02(03)[04]", + "class": "sp800-53a" + } + ], + "prose": "literacy training on reporting potential and actual instances of social mining is provided.", + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "at-3", + "class": "SP800-53", + "title": "Role-based Training", + "params": [ + { + "id": "at-3_prm_1", + "label": "organization-defined roles and responsibilities" + }, + { + "id": "at-03_odp.01", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based security training are defined;" + } + ] + }, + { + "id": "at-03_odp.02", + "label": "roles and responsibilities", + "guidelines": [ + { + "prose": "roles and responsibilities for role-based privacy training are defined;" + } + ] + }, + { + "id": "at-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" + } + ] + }, + { + "id": "at-03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update role-based training content is defined;" + } + ] + }, + { + "id": "at-03_odp.05", + "label": "events", + "guidelines": [ + { + "prose": "events that require role-based training content to be updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-3" + }, + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-13", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-3_smt", + "name": "statement", + "parts": [ + { + "id": "at-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", + "parts": [ + { + "id": "at-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" + }, + { + "id": "at-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes;" + } + ] + }, + { + "id": "at-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" + }, + { + "id": "at-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." + } + ] + }, + { + "id": "at-3_gdn", + "name": "guidance", + "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "at-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.01[04]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-03c.", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", + "links": [ + { + "href": "#at-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" + } + ] + }, + { + "id": "at-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing role-based security and privacy training" + } + ] + } + ] + }, + { + "id": "at-4", + "class": "SP800-53", + "title": "Training Records", + "params": [ + { + "id": "at-04_odp", + "label": "time period", + "constraints": [ + { + "description": "at least one (1) year or 1 year after completion of a specific training program" + } + ], + "guidelines": [ + { + "prose": "time period for retaining individual training records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AT-4" + }, + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "at-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "at-4_smt", + "name": "statement", + "parts": [ + { + "id": "at-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" + }, + { + "id": "at-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." + } + ] + }, + { + "id": "at-4_gdn", + "name": "guidance", + "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." + }, + { + "id": "at-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "at-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AT-04b.", + "class": "sp800-53a" + } + ], + "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", + "links": [ + { + "href": "#at-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#at-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "at-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AT-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "at-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AT-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy training record retention responsibilities" + } + ] + }, + { + "id": "at-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AT-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the management of security and privacy training records" + } + ] + } + ] + } + ] + }, + { + "id": "au", + "class": "family", + "title": "Audit and Accountability", + "controls": [ + { + "id": "au-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "au-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "au-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "au-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "au-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the audit and accountability policy and procedures is defined;" + } + ] + }, + { + "id": "au-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "au-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "au-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-1" + }, + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-1_smt", + "name": "statement", + "parts": [ + { + "id": "au-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", + "parts": [ + { + "id": "au-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", + "parts": [ + { + "id": "au-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "au-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "au-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" + } + ] + }, + { + "id": "au-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" + }, + { + "id": "au-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current audit and accountability:", + "parts": [ + { + "id": "au-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" + }, + { + "id": "au-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "au-1_gdn", + "name": "guidance", + "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "au-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit and accountability policy is developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#au-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", + "links": [ + { + "href": "#au-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "au-2", + "class": "SP800-53", + "title": "Event Logging", + "params": [ + { + "id": "au-2_prm_2", + "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", + "constraints": [ + { + "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." + } + ] + }, + { + "id": "au-02_odp.01", + "label": "event types", + "constraints": [ + { + "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" + } + ], + "guidelines": [ + { + "prose": "the event types that the system is capable of logging in support of the audit function are defined;" + } + ] + }, + { + "id": "au-02_odp.02", + "label": "event types (subset of AU-02_ODP[01])", + "guidelines": [ + { + "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" + } + ] + }, + { + "id": "au-02_odp.03", + "label": "frequency or situation", + "guidelines": [ + { + "prose": "the frequency or situation requiring logging for each specified event type is defined;" + } + ] + }, + { + "id": "au-02_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "annually and whenever there is a change in the threat environment" + } + ], + "guidelines": [ + { + "prose": "the frequency of event types selected for logging are reviewed and updated;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-2" + }, + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pm-21", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-2_smt", + "name": "statement", + "parts": [ + { + "id": "au-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" + }, + { + "id": "au-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" + }, + { + "id": "au-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" + }, + { + "id": "au-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" + }, + { + "id": "au-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." + }, + { + "id": "au-2_fr", + "name": "item", + "title": "AU-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." + }, + { + "id": "au-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." + } + ] + } + ] + }, + { + "id": "au-2_gdn", + "name": "guidance", + "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." + }, + { + "id": "au-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", + "links": [ + { + "href": "#au-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02b.", + "class": "sp800-53a" + } + ], + "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", + "links": [ + { + "href": "#au-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02d.", + "class": "sp800-53a" + } + ], + "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-02e.", + "class": "sp800-53a" + } + ], + "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", + "links": [ + { + "href": "#au-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing" + } + ] + } + ] + }, + { + "id": "au-3", + "class": "SP800-53", + "title": "Content of Audit Records", + "props": [ + { + "name": "label", + "value": "AU-3" + }, + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-3_smt", + "name": "statement", + "prose": "Ensure that audit records contain information that establishes the following:", + "parts": [ + { + "id": "au-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "What type of event occurred;" + }, + { + "id": "au-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "When the event occurred;" + }, + { + "id": "au-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Where the event occurred;" + }, + { + "id": "au-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Source of the event;" + }, + { + "id": "au-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Outcome of the event; and" + }, + { + "id": "au-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." + } + ] + }, + { + "id": "au-3_gdn", + "name": "guidance", + "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." + }, + { + "id": "au-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03a.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes what type of event occurred;", + "links": [ + { + "href": "#au-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03b.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes when the event occurred;", + "links": [ + { + "href": "#au-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03c.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes where the event occurred;", + "links": [ + { + "href": "#au-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03d.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the source of the event;", + "links": [ + { + "href": "#au-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03e.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the outcome of the event;", + "links": [ + { + "href": "#au-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03f.", + "class": "sp800-53a" + } + ], + "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", + "links": [ + { + "href": "#au-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system auditing of auditable events" + } + ] + } + ], + "controls": [ + { + "id": "au-3.1", + "class": "SP800-53-enhancement", + "title": "Additional Audit Information", + "params": [ + { + "id": "au-03.01_odp", + "label": "additional information", + "constraints": [ + { + "description": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands" + } + ], + "guidelines": [ + { + "prose": "additional information to be included in audit records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-3(1)" + }, + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-3.1_smt", + "name": "statement", + "prose": "Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.", + "parts": [ + { + "id": "au-3.1_fr", + "name": "item", + "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-3.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry." + } + ] + } + ] + }, + { + "id": "au-3.1_gdn", + "name": "guidance", + "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy." + }, + { + "id": "au-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-03(01)", + "class": "sp800-53a" + } + ], + "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.", + "links": [ + { + "href": "#au-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "system audit capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-4", + "class": "SP800-53", + "title": "Audit Log Storage Capacity", + "params": [ + { + "id": "au-04_odp", + "label": "audit log retention requirements", + "guidelines": [ + { + "prose": "audit log retention requirements are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-4" + }, + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-4_smt", + "name": "statement", + "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." + }, + { + "id": "au-4_gdn", + "name": "guidance", + "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." + }, + { + "id": "au-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-04", + "class": "sp800-53a" + } + ], + "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", + "links": [ + { + "href": "#au-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit record storage capacity and related configuration settings" + } + ] + } + ] + }, + { + "id": "au-5", + "class": "SP800-53", + "title": "Response to Audit Logging Process Failures", + "params": [ + { + "id": "au-05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles receiving audit logging process failure alerts are defined;" + } + ] + }, + { + "id": "au-05_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" + } + ] + }, + { + "id": "au-05_odp.03", + "label": "additional actions", + "constraints": [ + { + "description": "overwrite oldest record" + } + ], + "guidelines": [ + { + "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-5" + }, + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-5_smt", + "name": "statement", + "parts": [ + { + "id": "au-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" + }, + { + "id": "au-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." + } + ] + }, + { + "id": "au-5_gdn", + "name": "guidance", + "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." + }, + { + "id": "au-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", + "links": [ + { + "href": "#au-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", + "links": [ + { + "href": "#au-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing system response to audit processing failures" + } + ] + } + ] + }, + { + "id": "au-6", + "class": "SP800-53", + "title": "Audit Record Review, Analysis, and Reporting", + "params": [ + { + "id": "au-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "frequency at which system audit records are reviewed and analyzed is defined;" + } + ] + }, + { + "id": "au-06_odp.02", + "label": "inappropriate or unusual activity", + "guidelines": [ + { + "prose": "inappropriate or unusual activity is defined;" + } + ] + }, + { + "id": "au-06_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6" + }, + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6_smt", + "name": "statement", + "parts": [ + { + "id": "au-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" + }, + { + "id": "au-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + }, + { + "id": "au-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + }, + { + "id": "au-6_fr", + "name": "item", + "title": "AU-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." + } + ] + } + ] + }, + { + "id": "au-6_gdn", + "name": "guidance", + "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." + }, + { + "id": "au-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06a.", + "class": "sp800-53a" + } + ], + "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", + "links": [ + { + "href": "#au-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06b.", + "class": "sp800-53a" + } + ], + "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", + "links": [ + { + "href": "#au-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06c.", + "class": "sp800-53a" + } + ], + "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", + "links": [ + { + "href": "#au-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "au-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Process Integration", + "params": [ + { + "id": "au-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-6(1)" + }, + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#pm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.1_smt", + "name": "statement", + "prose": "Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}." + }, + { + "id": "au-6.1_gdn", + "name": "guidance", + "prose": "Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." + }, + { + "id": "au-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(01)", + "class": "sp800-53a" + } + ], + "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.", + "links": [ + { + "href": "#au-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms integrating audit review, analysis, and reporting processes" + } + ] + } + ] + }, + { + "id": "au-6.3", + "class": "SP800-53-enhancement", + "title": "Correlate Audit Record Repositories", + "props": [ + { + "name": "label", + "value": "AU-6(3)" + }, + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-6", + "rel": "required" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-6.3_smt", + "name": "statement", + "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." + }, + { + "id": "au-6.3_gdn", + "name": "guidance", + "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." + }, + { + "id": "au-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-06(03)", + "class": "sp800-53a" + } + ], + "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.", + "links": [ + { + "href": "#au-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the analysis and correlation of audit records" + } + ] + } + ] + } + ] + }, + { + "id": "au-7", + "class": "SP800-53", + "title": "Audit Record Reduction and Report Generation", + "props": [ + { + "name": "label", + "value": "AU-7" + }, + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-7_smt", + "name": "statement", + "prose": "Provide and implement an audit record reduction and report generation capability that:", + "parts": [ + { + "id": "au-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" + }, + { + "id": "au-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Does not alter the original content or time ordering of audit records." + } + ] + }, + { + "id": "au-7_gdn", + "name": "guidance", + "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." + }, + { + "id": "au-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.", + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "au-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ], + "controls": [ + { + "id": "au-7.1", + "class": "SP800-53-enhancement", + "title": "Automatic Processing", + "params": [ + { + "id": "au-07.01_odp", + "label": "fields within audit records", + "guidelines": [ + { + "prose": "fields within audit records that can be processed, sorted, or searched are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-7(1)" + }, + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "au-7.1_smt", + "name": "statement", + "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}." + }, + { + "id": "au-7.1_gdn", + "name": "guidance", + "prose": "Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component." + }, + { + "id": "au-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.", + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "au-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit reduction and report generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "au-8", + "class": "SP800-53", + "title": "Time Stamps", + "params": [ + { + "id": "au-08_odp", + "label": "granularity of time measurement", + "constraints": [ + { + "description": "one second granularity of time measurement" + } + ], + "guidelines": [ + { + "prose": "granularity of time measurement for audit record timestamps is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-8" + }, + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#sc-45", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-8_smt", + "name": "statement", + "parts": [ + { + "id": "au-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use internal system clocks to generate time stamps for audit records; and" + }, + { + "id": "au-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + } + ] + }, + { + "id": "au-8_gdn", + "name": "guidance", + "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." + }, + { + "id": "au-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08a.", + "class": "sp800-53a" + } + ], + "prose": "internal system clocks are used to generate timestamps for audit records;", + "links": [ + { + "href": "#au-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-08b.", + "class": "sp800-53a" + } + ], + "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", + "links": [ + { + "href": "#au-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing timestamp generation" + } + ] + } + ] + }, + { + "id": "au-9", + "class": "SP800-53", + "title": "Protection of Audit Information", + "params": [ + { + "id": "au-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9" + }, + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#au-15", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9_smt", + "name": "statement", + "parts": [ + { + "id": "au-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" + }, + { + "id": "au-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." + } + ] + }, + { + "id": "au-9_gdn", + "name": "guidance", + "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." + }, + { + "id": "au-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09a.", + "class": "sp800-53a" + } + ], + "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", + "links": [ + { + "href": "#au-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", + "links": [ + { + "href": "#au-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit information protection" + } + ] + } + ], + "controls": [ + { + "id": "au-9.4", + "class": "SP800-53-enhancement", + "title": "Access by Subset of Privileged Users", + "params": [ + { + "id": "au-09.04_odp", + "label": "subset of privileged users or roles", + "guidelines": [ + { + "prose": "a subset of privileged users or roles authorized to access management of audit logging functionality is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-9(4)" + }, + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#au-9", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-9.4_smt", + "name": "statement", + "prose": "Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}." + }, + { + "id": "au-9.4_gdn", + "name": "guidance", + "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges." + }, + { + "id": "au-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-09(04)", + "class": "sp800-53a" + } + ], + "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.", + "links": [ + { + "href": "#au-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "au-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms managing access to audit functionality" + } + ] + } + ] + } + ] + }, + { + "id": "au-11", + "class": "SP800-53", + "title": "Audit Record Retention", + "params": [ + { + "id": "au-11_odp", + "label": "time period", + "constraints": [ + { + "description": "a time period in compliance with M-21-31" + } + ], + "guidelines": [ + { + "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-11" + }, + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-11_smt", + "name": "statement", + "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "parts": [ + { + "id": "au-11_fr", + "name": "item", + "title": "AU-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "au-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." + }, + { + "id": "au-11_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" + }, + { + "id": "au-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider is encouraged to align with M-21-31 where possible" + } + ] + } + ] + }, + { + "id": "au-11_gdn", + "name": "guidance", + "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." + }, + { + "id": "au-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-11", + "class": "sp800-53a" + } + ], + "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", + "links": [ + { + "href": "#au-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + } + ] + }, + { + "id": "au-12", + "class": "SP800-53", + "title": "Audit Record Generation", + "params": [ + { + "id": "au-12_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all information system and network components where audit capability is deployed/available" + } + ], + "guidelines": [ + { + "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" + } + ] + }, + { + "id": "au-12_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "AU-12" + }, + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "au-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "au-12_smt", + "name": "statement", + "parts": [ + { + "id": "au-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" + }, + { + "id": "au-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" + }, + { + "id": "au-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." + } + ] + }, + { + "id": "au-12_gdn", + "name": "guidance", + "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." + }, + { + "id": "au-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "au-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12a.", + "class": "sp800-53a" + } + ], + "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", + "links": [ + { + "href": "#au-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", + "links": [ + { + "href": "#au-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "AU-12c.", + "class": "sp800-53a" + } + ], + "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", + "links": [ + { + "href": "#au-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#au-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "au-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "AU-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "au-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "AU-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "au-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "AU-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing audit record generation capability" + } + ] + } + ] + } + ] + }, + { + "id": "ca", + "class": "family", + "title": "Assessment, Authorization, and Monitoring", + "controls": [ + { + "id": "ca-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ca-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ca-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ca-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ca-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" + } + ] + }, + { + "id": "ca-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ca-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ca-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-1" + }, + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#62ea77ca-e450-4323-b210-e0d75390e785", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-1_smt", + "name": "statement", + "parts": [ + { + "id": "ca-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", + "parts": [ + { + "id": "ca-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", + "parts": [ + { + "id": "ca-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ca-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ca-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" + } + ] + }, + { + "id": "ca-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" + }, + { + "id": "ca-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current assessment, authorization, and monitoring:", + "parts": [ + { + "id": "ca-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" + }, + { + "id": "ca-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ca-1_gdn", + "name": "guidance", + "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ca-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an assessment, authorization, and monitoring policy is developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ca-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", + "links": [ + { + "href": "#ca-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2", + "class": "SP800-53", + "title": "Control Assessments", + "params": [ + { + "id": "ca-02_odp.01", + "label": "assessment frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" + } + ] + }, + { + "id": "ca-02_odp.02", + "label": "individuals or roles", + "constraints": [ + { + "description": "individuals or roles to include FedRAMP PMO" + } + ], + "guidelines": [ + { + "prose": "individuals or roles to whom control assessment results are to be provided are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2" + }, + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2_smt", + "name": "statement", + "parts": [ + { + "id": "ca-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" + }, + { + "id": "ca-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Develop a control assessment plan that describes the scope of the assessment including:", + "parts": [ + { + "id": "ca-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Controls and control enhancements under assessment;" + }, + { + "id": "ca-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Assessment procedures to be used to determine control effectiveness; and" + }, + { + "id": "ca-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" + } + ] + }, + { + "id": "ca-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" + }, + { + "id": "ca-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" + }, + { + "id": "ca-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Produce a control assessment report that document the results of the assessment; and" + }, + { + "id": "ca-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." + }, + { + "id": "ca-2_fr", + "name": "item", + "title": "CA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP Annual Assessment Guidance." + } + ] + } + ] + }, + { + "id": "ca-2_gdn", + "name": "guidance", + "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." + }, + { + "id": "ca-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02a.", + "class": "sp800-53a" + } + ], + "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", + "links": [ + { + "href": "#ca-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.01", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", + "links": [ + { + "href": "#ca-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.02", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", + "links": [ + { + "href": "#ca-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.b.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02b.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", + "links": [ + { + "href": "#ca-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02e.", + "class": "sp800-53a" + } + ], + "prose": "a control assessment report is produced that documents the results of the assessment;", + "links": [ + { + "href": "#ca-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02f.", + "class": "sp800-53a" + } + ], + "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", + "links": [ + { + "href": "#ca-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-2.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessors", + "props": [ + { + "name": "label", + "value": "CA-2(1)" + }, + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-2.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to conduct control assessments.", + "parts": [ + { + "id": "ca-2.1_fr", + "name": "item", + "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB Authorization, must use an accredited 3PAO." + } + ] + } + ] + }, + { + "id": "ca-2.1_gdn", + "name": "guidance", + "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." + }, + { + "id": "ca-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to conduct control assessments.", + "links": [ + { + "href": "#ca-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-2.3", + "class": "SP800-53-enhancement", + "title": "Leveraging Results from External Organizations", + "params": [ + { + "id": "ca-02.03_odp.01", + "label": "external organization(s)", + "constraints": [ + { + "description": "any FedRAMP Accredited 3PAO" + } + ], + "guidelines": [ + { + "prose": "external organization(s) from which the results of control assessments are leveraged are defined;" + } + ] + }, + { + "id": "ca-02.03_odp.02", + "label": "system", + "guidelines": [ + { + "prose": "system on which a control assessment was performed by an external organization is defined;" + } + ] + }, + { + "id": "ca-02.03_odp.03", + "label": "requirements", + "constraints": [ + { + "description": "the conditions of the JAB/AO in the FedRAMP Repository" + } + ], + "guidelines": [ + { + "prose": "requirements to be met by the control assessment performed by an external organization on the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-2(3)" + }, + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-2", + "rel": "required" + }, + { + "href": "#sa-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-2.3_smt", + "name": "statement", + "prose": "Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}." + }, + { + "id": "ca-2.3_gdn", + "name": "guidance", + "prose": "Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage." + }, + { + "id": "ca-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.", + "links": [ + { + "href": "#ca-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization" + } + ] + } + ] + } + ] + }, + { + "id": "ca-3", + "class": "SP800-53", + "title": "Information Exchange", + "params": [ + { + "id": "ca-03_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "interconnection security agreements", + "information exchange security agreements", + "memoranda of understanding or agreement", + "service level agreements", + "user agreements", + "non-disclosure agreements", + " {{ insert: param, ca-03_odp.02 }} " + ] + } + }, + { + "id": "ca-03_odp.02", + "label": "type of agreement", + "guidelines": [ + { + "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" + } + ] + }, + { + "id": "ca-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and on input from JAB/AO" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update agreements is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-3" + }, + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#c3a76872-e160-4267-99e8-6952de967d04", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-16", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-3_smt", + "name": "statement", + "parts": [ + { + "id": "ca-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" + }, + { + "id": "ca-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" + }, + { + "id": "ca-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." + } + ] + }, + { + "id": "ca-3_gdn", + "name": "guidance", + "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." + }, + { + "id": "ca-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03a.", + "class": "sp800-53a" + } + ], + "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", + "links": [ + { + "href": "#ca-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the interface characteristics are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "security requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[03]", + "class": "sp800-53a" + } + ], + "prose": "privacy requirements are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[04]", + "class": "sp800-53a" + } + ], + "prose": "controls are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[05]", + "class": "sp800-53a" + } + ], + "prose": "responsibilities for each system are documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.b-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03b.[06]", + "class": "sp800-53a" + } + ], + "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-03c.", + "class": "sp800-53a" + } + ], + "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", + "links": [ + { + "href": "#ca-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" + } + ] + } + ] + }, + { + "id": "ca-5", + "class": "SP800-53", + "title": "Plan of Action and Milestones", + "params": [ + { + "id": "ca-05_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-5" + }, + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-5_smt", + "name": "statement", + "parts": [ + { + "id": "ca-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" + }, + { + "id": "ca-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." + }, + { + "id": "ca-5_fr", + "name": "item", + "title": "CA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "POA&Ms must be provided at least monthly." + }, + { + "id": "ca-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference FedRAMP-POAM-Template" + } + ] + } + ] + }, + { + "id": "ca-5_gdn", + "name": "guidance", + "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." + }, + { + "id": "ca-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05a.", + "class": "sp800-53a" + } + ], + "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", + "links": [ + { + "href": "#ca-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-05b.", + "class": "sp800-53a" + } + ], + "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", + "links": [ + { + "href": "#ca-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" + } + ] + } + ] + }, + { + "id": "ca-6", + "class": "SP800-53", + "title": "Authorization", + "params": [ + { + "id": "ca-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "in accordance with OMB A-130 requirements or when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency at which to update the authorizations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-6" + }, + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-6_smt", + "name": "statement", + "parts": [ + { + "id": "ca-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a senior official as the authorizing official for the system;" + }, + { + "id": "ca-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensure that the authorizing official for the system, before commencing operations:", + "parts": [ + { + "id": "ca-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accepts the use of common controls inherited by the system; and" + }, + { + "id": "ca-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Authorizes the system to operate;" + } + ] + }, + { + "id": "ca-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" + }, + { + "id": "ca-6_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." + }, + { + "id": "ca-6_fr", + "name": "item", + "title": "CA-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "ca-6_gdn", + "name": "guidance", + "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." + }, + { + "id": "ca-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06a.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for the system;", + "links": [ + { + "href": "#ca-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06b.", + "class": "sp800-53a" + } + ], + "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.01", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", + "links": [ + { + "href": "#ca-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06c.02", + "class": "sp800-53a" + } + ], + "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", + "links": [ + { + "href": "#ca-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06d.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", + "links": [ + { + "href": "#ca-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-06e.", + "class": "sp800-53a" + } + ], + "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", + "links": [ + { + "href": "#ca-6_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms that facilitate authorizations and updates" + } + ] + } + ] + }, + { + "id": "ca-7", + "class": "SP800-53", + "title": "Continuous Monitoring", + "params": [ + { + "id": "ca-7_prm_4", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include JAB/AO" + } + ] + }, + { + "id": "ca-7_prm_5", + "label": "organization-defined frequency" + }, + { + "id": "ca-07_odp.01", + "label": "system-level metrics", + "guidelines": [ + { + "prose": "system-level metrics to be monitored are defined;" + } + ] + }, + { + "id": "ca-07_odp.02", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to monitor control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.03", + "label": "frequencies", + "guidelines": [ + { + "prose": "frequencies at which to assess control effectiveness are defined;" + } + ] + }, + { + "id": "ca-07_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the security status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.05", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the security status of the system is reported is defined;" + } + ] + }, + { + "id": "ca-07_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" + } + ] + }, + { + "id": "ca-07_odp.07", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which the privacy status of the system is reported is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-7" + }, + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pe-14", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-6", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pm-31", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-7_smt", + "name": "statement", + "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", + "parts": [ + { + "id": "ca-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" + }, + { + "id": "ca-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" + }, + { + "id": "ca-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" + }, + { + "id": "ca-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correlation and analysis of information generated by control assessments and monitoring;" + }, + { + "id": "ca-7_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" + }, + { + "id": "ca-7_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." + }, + { + "id": "ca-7_fr", + "name": "item", + "title": "CA-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." + }, + { + "id": "ca-7_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight." + }, + { + "id": "ca-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." + } + ] + } + ] + }, + { + "id": "ca-7_gdn", + "name": "guidance", + "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." + }, + { + "id": "ca-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "a system-level continuous monitoring strategy is developed;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07a.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", + "links": [ + { + "href": "#ca-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07c.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07d.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", + "links": [ + { + "href": "#ca-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07e.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", + "links": [ + { + "href": "#ca-7_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07f.", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", + "links": [ + { + "href": "#ca-7_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-7_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[01]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07g.[02]", + "class": "sp800-53a" + } + ], + "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" + } + ] + } + ], + "controls": [ + { + "id": "ca-7.1", + "class": "SP800-53-enhancement", + "title": "Independent Assessment", + "props": [ + { + "name": "label", + "value": "CA-7(1)" + }, + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.1_smt", + "name": "statement", + "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." + }, + { + "id": "ca-7.1_gdn", + "name": "guidance", + "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services." + }, + { + "id": "ca-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(01)", + "class": "sp800-53a" + } + ], + "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.", + "links": [ + { + "href": "#ca-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-7.4", + "class": "SP800-53-enhancement", + "title": "Risk Monitoring", + "props": [ + { + "name": "label", + "value": "CA-7(4)" + }, + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-7.4_smt", + "name": "statement", + "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", + "parts": [ + { + "id": "ca-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Effectiveness monitoring;" + }, + { + "id": "ca-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Compliance monitoring; and" + }, + { + "id": "ca-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Change monitoring." + } + ] + }, + { + "id": "ca-7.4_gdn", + "name": "guidance", + "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." + }, + { + "id": "ca-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)", + "class": "sp800-53a" + } + ], + "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", + "parts": [ + { + "id": "ca-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "effectiveness monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "compliance monitoring is included in risk monitoring;", + "links": [ + { + "href": "#ca-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-07(04)(c)", + "class": "sp800-53a" + } + ], + "prose": "change monitoring is included in risk monitoring.", + "links": [ + { + "href": "#ca-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting risk monitoring" + } + ] + } + ] + } + ] + }, + { + "id": "ca-8", + "class": "SP800-53", + "title": "Penetration Testing", + "params": [ + { + "id": "ca-08_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" + } + ] + }, + { + "id": "ca-08_odp.02", + "label": "system(s) or system components", + "guidelines": [ + { + "prose": "systems or system components on which penetration testing is to be conducted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8" + }, + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8_smt", + "name": "statement", + "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "parts": [ + { + "id": "ca-8_fr", + "name": "item", + "title": "CA-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Reference the FedRAMP Penetration Test Guidance." + } + ] + } + ] + }, + { + "id": "ca-8_gdn", + "name": "guidance", + "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." + }, + { + "id": "ca-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08", + "class": "sp800-53a" + } + ], + "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", + "links": [ + { + "href": "#ca-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting penetration testing" + } + ] + } + ], + "controls": [ + { + "id": "ca-8.1", + "class": "SP800-53-enhancement", + "title": "Independent Penetration Testing Agent or Team", + "props": [ + { + "name": "label", + "value": "CA-8(1)" + }, + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + }, + { + "href": "#ca-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-8.1_smt", + "name": "statement", + "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." + }, + { + "id": "ca-8.1_gdn", + "name": "guidance", + "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing." + }, + { + "id": "ca-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(01)", + "class": "sp800-53a" + } + ], + "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.", + "links": [ + { + "href": "#ca-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ca-8.2", + "class": "SP800-53-enhancement", + "title": "Red Team Exercises", + "params": [ + { + "id": "ca-08.02_odp", + "label": "red team exercises", + "guidelines": [ + { + "prose": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-8(2)" + }, + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ca-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ca-8.2_smt", + "name": "statement", + "prose": "Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}.", + "parts": [ + { + "id": "ca-8.2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ca-8.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Penetration Test Guidance\n\nhttps://www.FedRAMP.gov/documents/" + } + ] + } + ] + }, + { + "id": "ca-8.2_gdn", + "name": "guidance", + "prose": "Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness." + }, + { + "id": "ca-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-08(02)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.", + "links": [ + { + "href": "#ca-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ca-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting the employment of red team exercises" + } + ] + } + ] + } + ] + }, + { + "id": "ca-9", + "class": "SP800-53", + "title": "Internal System Connections", + "params": [ + { + "id": "ca-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components or classes of components requiring internal connections to the system are defined;" + } + ] + }, + { + "id": "ca-09_odp.02", + "label": "conditions", + "guidelines": [ + { + "prose": "conditions requiring termination of internal connections are defined;" + } + ] + }, + { + "id": "ca-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the continued need for each internal connection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CA-9" + }, + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ca-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ca-9_smt", + "name": "statement", + "parts": [ + { + "id": "ca-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" + }, + { + "id": "ca-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" + }, + { + "id": "ca-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" + }, + { + "id": "ca-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." + } + ] + }, + { + "id": "ca-9_gdn", + "name": "guidance", + "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." + }, + { + "id": "ca-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09a.", + "class": "sp800-53a" + } + ], + "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", + "links": [ + { + "href": "#ca-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ca-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the interface characteristics are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the security requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[03]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the privacy requirements are documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09b.[04]", + "class": "sp800-53a" + } + ], + "prose": "for each internal connection, the nature of the information communicated is documented;", + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09c.", + "class": "sp800-53a" + } + ], + "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", + "links": [ + { + "href": "#ca-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CA-09d.", + "class": "sp800-53a" + } + ], + "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", + "links": [ + { + "href": "#ca-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ca-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ca-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ca-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ca-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting internal system connections" + } + ] + } + ] + } + ] + }, + { + "id": "cm", + "class": "family", + "title": "Configuration Management", + "controls": [ + { + "id": "cm-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cm-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cm-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cm-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cm-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the configuration management policy and procedures is defined;" + } + ] + }, + { + "id": "cm-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cm-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cm-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-1" + }, + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", + "parts": [ + { + "id": "cm-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", + "parts": [ + { + "id": "cm-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cm-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cm-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" + } + ] + }, + { + "id": "cm-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" + }, + { + "id": "cm-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current configuration management:", + "parts": [ + { + "id": "cm-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" + }, + { + "id": "cm-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cm-1_gdn", + "name": "guidance", + "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cm-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management policy is developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cm-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", + "links": [ + { + "href": "#cm-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" + } + ] + }, + { + "id": "cm-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cm-2", + "class": "SP800-53", + "title": "Baseline Configuration", + "params": [ + { + "id": "cm-02_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency of baseline configuration review and update is defined;" + } + ] + }, + { + "id": "cm-02_odp.02", + "label": "circumstances", + "constraints": [ + { + "description": "to include when directed by the JAB" + } + ], + "guidelines": [ + { + "prose": "the circumstances requiring baseline configuration review and update are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2" + }, + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-1", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" + }, + { + "id": "cm-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the baseline configuration of the system:", + "parts": [ + { + "id": "cm-2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cm-02_odp.01 }};" + }, + { + "id": "cm-2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" + }, + { + "id": "cm-2_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "When system components are installed or upgraded." + } + ] + }, + { + "id": "cm-2_fr", + "name": "item", + "title": "CM-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) (1) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "cm-2_gdn", + "name": "guidance", + "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." + }, + { + "id": "cm-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is developed and documented;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a current baseline configuration of the system is maintained under configuration control;", + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.01", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", + "links": [ + { + "href": "#cm-2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.02", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", + "links": [ + { + "href": "#cm-2_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02b.03", + "class": "sp800-53a" + } + ], + "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", + "links": [ + { + "href": "#cm-2_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" + } + ] + } + ], + "controls": [ + { + "id": "cm-2.2", + "class": "SP800-53-enhancement", + "title": "Automation Support for Accuracy and Currency", + "params": [ + { + "id": "cm-02.02_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms for maintaining baseline configuration of the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(2)" + }, + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.2_smt", + "name": "statement", + "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}." + }, + { + "id": "cm-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities." + }, + { + "id": "cm-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.", + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance" + } + ] + } + ] + }, + { + "id": "cm-2.3", + "class": "SP800-53-enhancement", + "title": "Retention of Previous Configurations", + "params": [ + { + "id": "cm-02.03_odp", + "label": "number", + "guidelines": [ + { + "prose": "the number of previous baseline configuration versions to be retained is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(3)" + }, + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-2.3_smt", + "name": "statement", + "prose": "Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback." + }, + { + "id": "cm-2.3_gdn", + "name": "guidance", + "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation." + }, + { + "id": "cm-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.", + "links": [ + { + "href": "#cm-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + }, + { + "id": "cm-2.7", + "class": "SP800-53-enhancement", + "title": "Configure Systems and Components for High-risk Areas", + "params": [ + { + "id": "cm-02.07_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "the systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.02", + "label": "configurations", + "guidelines": [ + { + "prose": "configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;" + } + ] + }, + { + "id": "cm-02.07_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "the controls to be applied when the individuals return from travel are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-2(7)" + }, + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-02.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-2", + "rel": "required" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-2.7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-2.7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and" + }, + { + "id": "cm-2.7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}." + } + ] + }, + { + "id": "cm-2.7_gdn", + "name": "guidance", + "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family." + }, + { + "id": "cm-2.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-2.7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;", + "links": [ + { + "href": "#cm-2.7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-02(07)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.", + "links": [ + { + "href": "#cm-2.7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-2.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-2.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-02(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-2.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-02(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-2.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-02(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing baseline configurations" + } + ] + } + ] + } + ] + }, + { + "id": "cm-3", + "class": "SP800-53", + "title": "Configuration Change Control", + "params": [ + { + "id": "cm-03_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "the time period to retain records of configuration-controlled changes is defined;" + } + ] + }, + { + "id": "cm-03_odp.02", + "label": "configuration change control element", + "guidelines": [ + { + "prose": "the configuration change control element responsible for coordinating and overseeing change control activities is defined;" + } + ] + }, + { + "id": "cm-03_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-03_odp.04 }} ", + "when {{ insert: param, cm-03_odp.05 }} " + ] + } + }, + { + "id": "cm-03_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which the configuration control element convenes is defined (if selected);" + } + ] + }, + { + "id": "cm-03_odp.05", + "label": "configuration change conditions", + "guidelines": [ + { + "prose": "configuration change conditions that prompt the configuration control element to convene are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3" + }, + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pt-6", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the types of changes to the system that are configuration-controlled;" + }, + { + "id": "cm-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" + }, + { + "id": "cm-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document configuration change decisions associated with the system;" + }, + { + "id": "cm-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement approved configuration-controlled changes to the system;" + }, + { + "id": "cm-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};" + }, + { + "id": "cm-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" + }, + { + "id": "cm-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}." + }, + { + "id": "cm-3_fr", + "name": "item", + "title": "CM-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO." + }, + { + "id": "cm-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(e) Guidance:" + } + ], + "prose": "In accordance with record retention policies and procedures." + } + ] + } + ] + }, + { + "id": "cm-3_gdn", + "name": "guidance", + "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)." + }, + { + "id": "cm-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03a.", + "class": "sp800-53a" + } + ], + "prose": "the types of changes to the system that are configuration-controlled are determined and documented;", + "links": [ + { + "href": "#cm-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;", + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03c.", + "class": "sp800-53a" + } + ], + "prose": "configuration change decisions associated with the system are documented;", + "links": [ + { + "href": "#cm-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03d.", + "class": "sp800-53a" + } + ], + "prose": "approved configuration-controlled changes to the system are implemented;", + "links": [ + { + "href": "#cm-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03e.", + "class": "sp800-53a" + } + ], + "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};", + "links": [ + { + "href": "#cm-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[01]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are monitored;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03f.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with configuration-controlled changes to the system are reviewed;", + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.", + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda/minutes/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms that implement configuration change control" + } + ] + } + ], + "controls": [ + { + "id": "cm-3.2", + "class": "SP800-53-enhancement", + "title": "Testing, Validation, and Documentation of Changes", + "props": [ + { + "name": "label", + "value": "CM-3(2)" + }, + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.2_smt", + "name": "statement", + "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." + }, + { + "id": "cm-3.2_gdn", + "name": "guidance", + "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." + }, + { + "id": "cm-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are tested before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are validated before finalizing the implementation of the changes;", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are documented before finalizing the implementation of the changes.", + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control\n\nmechanisms supporting and/or implementing, testing, validating, and documenting system changes" + } + ] + } + ] + }, + { + "id": "cm-3.4", + "class": "SP800-53-enhancement", + "title": "Security and Privacy Representatives", + "params": [ + { + "id": "cm-3.4_prm_1", + "label": "organization-defined security and privacy representatives" + }, + { + "id": "cm-03.04_odp.01", + "label": "security representatives", + "guidelines": [ + { + "prose": "security representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.02", + "label": "privacy representatives", + "guidelines": [ + { + "prose": "privacy representatives required to be members of the change control element are defined;" + } + ] + }, + { + "id": "cm-03.04_odp.03", + "label": "configuration change control element", + "constraints": [ + { + "description": "Configuration control board (CCB) or similar (as defined in CM-3)" + } + ], + "guidelines": [ + { + "prose": "the configuration change control element of which the security and privacy representatives are to be members is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-3(4)" + }, + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-03.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-3.4_smt", + "name": "statement", + "prose": "Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}." + }, + { + "id": "cm-3.4_gdn", + "name": "guidance", + "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)." + }, + { + "id": "cm-3.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-3.4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-03(04)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.", + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-3.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-3.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-03(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-3.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-03(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-3.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-03(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for configuration change control" + } + ] + } + ] + } + ] + }, + { + "id": "cm-4", + "class": "SP800-53", + "title": "Impact Analyses", + "props": [ + { + "name": "label", + "value": "CM-4" + }, + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4_smt", + "name": "statement", + "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." + }, + { + "id": "cm-4_gdn", + "name": "guidance", + "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." + }, + { + "id": "cm-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" + } + ] + }, + { + "id": "cm-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" + } + ] + } + ], + "controls": [ + { + "id": "cm-4.2", + "class": "SP800-53-enhancement", + "title": "Verification of Controls", + "props": [ + { + "name": "label", + "value": "CM-4(2)" + }, + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-4", + "rel": "required" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-4.2_smt", + "name": "statement", + "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." + }, + { + "id": "cm-4.2_gdn", + "name": "guidance", + "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." + }, + { + "id": "cm-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-4.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[03]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[04]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[05]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-04(02)[06]", + "class": "sp800-53a" + } + ], + "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.", + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsecurity and privacy assessors" + } + ] + }, + { + "id": "cm-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" + } + ] + } + ] + } + ] + }, + { + "id": "cm-5", + "class": "SP800-53", + "title": "Access Restrictions for Change", + "props": [ + { + "name": "label", + "value": "CM-5" + }, + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5_smt", + "name": "statement", + "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." + }, + { + "id": "cm-5_gdn", + "name": "guidance", + "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." + }, + { + "id": "cm-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[03]", + "class": "sp800-53a" + } + ], + "prose": "physical access restrictions associated with changes to the system are enforced;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[04]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are defined and documented;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[05]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are approved;", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05[06]", + "class": "sp800-53a" + } + ], + "prose": "logical access restrictions associated with changes to the system are enforced.", + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" + } + ] + } + ], + "controls": [ + { + "id": "cm-5.1", + "class": "SP800-53-enhancement", + "title": "Automated Access Enforcement and Audit Records", + "params": [ + { + "id": "cm-05.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "mechanisms used to automate the enforcement of access restrictions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(1)" + }, + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and" + }, + { + "id": "cm-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Automatically generate audit records of the enforcement actions." + } + ] + }, + { + "id": "cm-5.1_gdn", + "name": "guidance", + "prose": "Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." + }, + { + "id": "cm-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};", + "links": [ + { + "href": "#cm-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "audit records of enforcement actions are automatically generated.", + "links": [ + { + "href": "#cm-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions" + } + ] + } + ] + }, + { + "id": "cm-5.5", + "class": "SP800-53-enhancement", + "title": "Privilege Limitation for Production and Operation", + "params": [ + { + "id": "cm-5.5_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least quarterly" + } + ] + }, + { + "id": "cm-05.05_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to review privileges is defined;" + } + ] + }, + { + "id": "cm-05.05_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to reevaluate privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-5(5)" + }, + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-5", + "rel": "required" + }, + { + "href": "#ac-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-5.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-5.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Limit privileges to change system components and system-related information within a production or operational environment; and" + }, + { + "id": "cm-5.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}." + } + ] + }, + { + "id": "cm-5.5_gdn", + "name": "guidance", + "prose": "In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures." + }, + { + "id": "cm-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system components within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges to change system-related information within a production or operational environment are limited;", + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-5.5_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-05(05)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.", + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" + } + ] + } + ] + } + ] + }, + { + "id": "cm-6", + "class": "SP800-53", + "title": "Configuration Settings", + "params": [ + { + "id": "cm-06_odp.01", + "label": "common secure configurations", + "guidelines": [ + { + "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" + } + ] + }, + { + "id": "cm-06_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which approval of deviations is needed are defined;" + } + ] + }, + { + "id": "cm-06_odp.03", + "label": "operational requirements", + "guidelines": [ + { + "prose": "operational requirements necessitating approval of deviations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6" + }, + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#98498928-3ca3-44b3-8b1e-f48685373087", + "rel": "reference" + }, + { + "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "rel": "reference" + }, + { + "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6_smt", + "name": "statement", + "parts": [ + { + "id": "cm-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" + }, + { + "id": "cm-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the configuration settings;" + }, + { + "id": "cm-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" + }, + { + "id": "cm-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + }, + { + "id": "cm-6_fr", + "name": "item", + "title": "CM-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 1:" + } + ], + "prose": "The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available." + }, + { + "id": "cm-6_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement 2:" + } + ], + "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." + }, + { + "id": "cm-6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." + } + ] + } + ] + }, + { + "id": "cm-6_gdn", + "name": "guidance", + "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." + }, + { + "id": "cm-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06a.", + "class": "sp800-53a" + } + ], + "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", + "links": [ + { + "href": "#cm-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06b.", + "class": "sp800-53a" + } + ], + "prose": "the configuration settings documented in CM-06a are implemented;", + "links": [ + { + "href": "#cm-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06d.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" + } + ] + } + ], + "controls": [ + { + "id": "cm-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Management, Application, and Verification", + "params": [ + { + "id": "cm-6.1_prm_2", + "label": "organization-defined automated mechanisms" + }, + { + "id": "cm-06.01_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to manage, apply, and verify configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to manage configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to apply configuration settings are defined;" + } + ] + }, + { + "id": "cm-06.01_odp.04", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to verify configuration settings are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-6(1)" + }, + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-6", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-6.1_smt", + "name": "statement", + "prose": "Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}." + }, + { + "id": "cm-6.1_gdn", + "name": "guidance", + "prose": "Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." + }, + { + "id": "cm-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-06(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.", + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings" + } + ] + } + ] + } + ] + }, + { + "id": "cm-7", + "class": "SP800-53", + "title": "Least Functionality", + "params": [ + { + "id": "cm-7_prm_2", + "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" + }, + { + "id": "cm-07_odp.01", + "label": "mission-essential capabilities", + "guidelines": [ + { + "prose": "mission-essential capabilities for the system are defined;" + } + ] + }, + { + "id": "cm-07_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be prohibited or restricted are defined;" + } + ] + }, + { + "id": "cm-07_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be prohibited or restricted is defined;" + } + ] + }, + { + "id": "cm-07_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be prohibited or restricted are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7" + }, + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" + }, + { + "id": "cm-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." + }, + { + "id": "cm-7_fr", + "name": "item", + "title": "CM-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." + } + ] + } + ] + }, + { + "id": "cm-7_gdn", + "name": "guidance", + "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." + }, + { + "id": "cm-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07a.", + "class": "sp800-53a" + } + ], + "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", + "links": [ + { + "href": "#cm-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[04]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07b.[05]", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" + } + ] + } + ], + "controls": [ + { + "id": "cm-7.1", + "class": "SP800-53-enhancement", + "title": "Periodic Review", + "params": [ + { + "id": "cm-7.1_prm_2", + "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" + }, + { + "id": "cm-07.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.02", + "label": "functions", + "guidelines": [ + { + "prose": "functions to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.03", + "label": "ports", + "guidelines": [ + { + "prose": "ports to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.04", + "label": "protocols", + "guidelines": [ + { + "prose": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + }, + { + "id": "cm-07.01_odp.05", + "label": "software", + "guidelines": [ + { + "prose": "software to be disabled or removed when deemed unnecessary or non-secure is defined;" + } + ] + }, + { + "id": "cm-07.01_odp.06", + "label": "services", + "guidelines": [ + { + "prose": "services to be disabled or removed when deemed unnecessary or non-secure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(1)" + }, + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.1_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" + }, + { + "id": "cm-7.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + } + ] + }, + { + "id": "cm-7.1_gdn", + "name": "guidance", + "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." + }, + { + "id": "cm-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:", + "links": [ + { + "href": "#cm-7.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.1_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_obj.b-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(01)(b)[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.", + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and/or services" + } + ] + } + ] + }, + { + "id": "cm-7.2", + "class": "SP800-53-enhancement", + "title": "Prevent Program Execution", + "params": [ + { + "id": "cm-07.02_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, cm-07.02_odp.02 }} ", + "rules authorizing the terms and conditions of software program usage" + ] + } + }, + { + "id": "cm-07.02_odp.02", + "label": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions", + "guidelines": [ + { + "prose": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(2)" + }, + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.2_smt", + "name": "statement", + "prose": "Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "parts": [ + { + "id": "cm-7.2_fr", + "name": "item", + "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-7.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run." + } + ] + } + ] + }, + { + "id": "cm-7.2_gdn", + "name": "guidance", + "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time." + }, + { + "id": "cm-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(02)", + "class": "sp800-53a" + } + ], + "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.", + "links": [ + { + "href": "#cm-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-7.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and/or implementing software program usage and restrictions" + } + ] + } + ] + }, + { + "id": "cm-7.5", + "class": "SP800-53-enhancement", + "title": "Authorized Software — Allow-by-exception", + "params": [ + { + "id": "cm-07.05_odp.01", + "label": "software programs", + "guidelines": [ + { + "prose": "software programs authorized to execute on the system are defined;" + } + ] + }, + { + "id": "cm-07.05_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least quarterly or when there is a change" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the list of authorized software programs is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-7(5)" + }, + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#cm-7", + "rel": "required" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-7.5_smt", + "name": "statement", + "parts": [ + { + "id": "cm-7.5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Identify {{ insert: param, cm-07.05_odp.01 }};" + }, + { + "id": "cm-7.5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" + }, + { + "id": "cm-7.5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}." + } + ] + }, + { + "id": "cm-7.5_gdn", + "name": "guidance", + "prose": "Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)." + }, + { + "id": "cm-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-7.5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(a)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;", + "links": [ + { + "href": "#cm-7.5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(b)", + "class": "sp800-53a" + } + ], + "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;", + "links": [ + { + "href": "#cm-7.5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-07(05)(c)", + "class": "sp800-53a" + } + ], + "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.", + "links": [ + { + "href": "#cm-7.5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and/or implementing authorized software policy" + } + ] + } + ] + } + ] + }, + { + "id": "cm-8", + "class": "SP800-53", + "title": "System Component Inventory", + "params": [ + { + "id": "cm-08_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information deemed necessary to achieve effective system component accountability is defined;" + } + ] + }, + { + "id": "cm-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update the system component inventory is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8" + }, + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", + "rel": "reference" + }, + { + "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document an inventory of system components that:", + "parts": [ + { + "id": "cm-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Accurately reflects the system;" + }, + { + "id": "cm-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Includes all components within the system;" + }, + { + "id": "cm-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Does not include duplicate accounting of components or components assigned to any other system;" + }, + { + "id": "cm-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" + }, + { + "id": "cm-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" + } + ] + }, + { + "id": "cm-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." + }, + { + "id": "cm-8_fr", + "name": "item", + "title": "CM-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "must be provided at least monthly or when there is a change." + } + ] + } + ] + }, + { + "id": "cm-8_gdn", + "name": "guidance", + "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." + }, + { + "id": "cm-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that accurately reflects the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes all components within the system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", + "links": [ + { + "href": "#cm-8_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08b.", + "class": "sp800-53a" + } + ], + "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", + "links": [ + { + "href": "#cm-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" + } + ] + } + ], + "controls": [ + { + "id": "cm-8.1", + "class": "SP800-53-enhancement", + "title": "Updates During Installation and Removal", + "props": [ + { + "name": "label", + "value": "CM-8(1)" + }, + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#pm-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.1_smt", + "name": "statement", + "prose": "Update the inventory of system components as part of component installations, removals, and system updates." + }, + { + "id": "cm-8.1_gdn", + "name": "guidance", + "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." + }, + { + "id": "cm-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component installations;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of component removals;", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "the inventory of system components is updated as part of system updates.", + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for updating the system component inventory\n\nmechanisms supporting and/or implementing system component inventory updates" + } + ] + } + ] + }, + { + "id": "cm-8.3", + "class": "SP800-53-enhancement", + "title": "Automated Unauthorized Component Detection", + "params": [ + { + "id": "cm-8.3_prm_1", + "label": "organization-defined automated mechanisms", + "constraints": [ + { + "description": "automated mechanisms with a maximum five-minute delay in detection" + } + ] + }, + { + "id": "cm-08.03_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.02", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized software within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.03", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;" + } + ] + }, + { + "id": "cm-08.03_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;" + } + ] + }, + { + "id": "cm-08.03_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "disable network access by unauthorized components", + "isolate unauthorized components", + "notify {{ insert: param, cm-08.03_odp.06 }} " + ] + } + }, + { + "id": "cm-08.03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-8(3)" + }, + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-08.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-8.3_smt", + "name": "statement", + "parts": [ + { + "id": "cm-8.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and" + }, + { + "id": "cm-8.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}." + } + ] + }, + { + "id": "cm-8.3_gdn", + "name": "guidance", + "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" " + }, + { + "id": "cm-8.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};", + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-8.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-08(03)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.", + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-8.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-8.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-08(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-8.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-08(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-8.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-08(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected" + } + ] + } + ] + } + ] + }, + { + "id": "cm-9", + "class": "SP800-53", + "title": "Configuration Management Plan", + "params": [ + { + "id": "cm-09_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review and approve the configuration management plan is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-9" + }, + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-9_smt", + "name": "statement", + "prose": "Develop, document, and implement a configuration management plan for the system that:", + "parts": [ + { + "id": "cm-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" + }, + { + "id": "cm-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" + }, + { + "id": "cm-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" + }, + { + "id": "cm-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and" + }, + { + "id": "cm-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protects the configuration management plan from unauthorized disclosure and modification." + }, + { + "id": "cm-9_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide" + } + ] + }, + { + "id": "cm-9_gdn", + "name": "guidance", + "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." + }, + { + "id": "cm-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[01]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is developed and documented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09[02]", + "class": "sp800-53a" + } + ], + "prose": "a configuration management plan for the system is implemented;", + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses roles;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses responsibilities;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan addresses configuration management processes and procedures;", + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;", + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan defines the configuration items for the system;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan places the configuration items under configuration management;", + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09d.", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};", + "links": [ + { + "href": "#cm-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-9_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-09e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the configuration management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan" + } + ] + } + ] + }, + { + "id": "cm-10", + "class": "SP800-53", + "title": "Software Usage Restrictions", + "props": [ + { + "name": "label", + "value": "CM-10" + }, + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-10_smt", + "name": "statement", + "parts": [ + { + "id": "cm-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" + }, + { + "id": "cm-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" + }, + { + "id": "cm-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." + } + ] + }, + { + "id": "cm-10_gdn", + "name": "guidance", + "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." + }, + { + "id": "cm-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10a.", + "class": "sp800-53a" + } + ], + "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", + "links": [ + { + "href": "#cm-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10b.", + "class": "sp800-53a" + } + ], + "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", + "links": [ + { + "href": "#cm-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-10c.", + "class": "sp800-53a" + } + ], + "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", + "links": [ + { + "href": "#cm-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" + } + ] + } + ] + }, + { + "id": "cm-11", + "class": "SP800-53", + "title": "User-installed Software", + "params": [ + { + "id": "cm-11_odp.01", + "label": "policies", + "guidelines": [ + { + "prose": "policies governing the installation of software by users are defined;" + } + ] + }, + { + "id": "cm-11_odp.02", + "label": "methods", + "guidelines": [ + { + "prose": "methods used to enforce software installation policies are defined;" + } + ] + }, + { + "id": "cm-11_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "Continuously (via CM-7 (5))" + } + ], + "guidelines": [ + { + "prose": "frequency with which to monitor compliance is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-11" + }, + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-11_smt", + "name": "statement", + "parts": [ + { + "id": "cm-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" + }, + { + "id": "cm-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" + }, + { + "id": "cm-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." + } + ] + }, + { + "id": "cm-11_gdn", + "name": "guidance", + "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." + }, + { + "id": "cm-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", + "links": [ + { + "href": "#cm-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11b.", + "class": "sp800-53a" + } + ], + "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", + "links": [ + { + "href": "#cm-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-11c.", + "class": "sp800-53a" + } + ], + "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", + "links": [ + { + "href": "#cm-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "cm-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" + } + ] + } + ] + }, + { + "id": "cm-12", + "class": "SP800-53", + "title": "Information Location", + "params": [ + { + "id": "cm-12_odp", + "label": "information", + "guidelines": [ + { + "prose": "information for which the location is to be identified and documented is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12" + }, + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-23", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-4", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cm-12_smt", + "name": "statement", + "parts": [ + { + "id": "cm-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;" + }, + { + "id": "cm-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" + }, + { + "id": "cm-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." + }, + { + "id": "cm-12_fr", + "name": "item", + "title": "CM-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance" + } + ] + } + ] + }, + { + "id": "cm-12_gdn", + "name": "guidance", + "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))." + }, + { + "id": "cm-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;", + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cm-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.", + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cm-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location" + } + ] + } + ], + "controls": [ + { + "id": "cm-12.1", + "class": "SP800-53-enhancement", + "title": "Automated Tools to Support Information Location", + "params": [ + { + "id": "cm-12.01_odp.01", + "label": "information by information type", + "constraints": [ + { + "description": "Federal data and system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "information to be protected is defined by information type;" + } + ] + }, + { + "id": "cm-12.01_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where the information is located are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CM-12(1)" + }, + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cm-12.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cm-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "cm-12.1_smt", + "name": "statement", + "prose": "Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy.", + "parts": [ + { + "id": "cm-12.1_fr", + "name": "item", + "title": "CM-12 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cm-12.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to FedRAMP Authorization Boundary Guidance." + } + ] + } + ] + }, + { + "id": "cm-12.1_gdn", + "name": "guidance", + "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions." + }, + { + "id": "cm-12.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CM-12(01)", + "class": "sp800-53a" + } + ], + "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.", + "links": [ + { + "href": "#cm-12.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cm-12.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CM-12(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cm-12.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CM-12(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "cm-12.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CM-12(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "cp", + "class": "family", + "title": "Contingency Planning", + "controls": [ + { + "id": "cp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "cp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "cp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "cp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the contingency planning policy and procedures is defined;" + } + ] + }, + { + "id": "cp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "cp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "cp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-1" + }, + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", + "parts": [ + { + "id": "cp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", + "parts": [ + { + "id": "cp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "cp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "cp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + } + ] + }, + { + "id": "cp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" + }, + { + "id": "cp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current contingency planning:", + "parts": [ + { + "id": "cp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" + }, + { + "id": "cp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "cp-1_gdn", + "name": "guidance", + "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "cp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency planning policy is developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#cp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", + "links": [ + { + "href": "#cp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "cp-2", + "class": "SP800-53", + "title": "Contingency Plan", + "params": [ + { + "id": "cp-2_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "cp-2_prm_2", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-2_prm_4", + "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" + }, + { + "id": "cp-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to review a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to approve a contingency plan is/are defined;" + } + ] + }, + { + "id": "cp-02_odp.03", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.04", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" + } + ] + }, + { + "id": "cp-02_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of contingency plan review is defined;" + } + ] + }, + { + "id": "cp-02_odp.06", + "label": "key contingency personnel", + "guidelines": [ + { + "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" + } + ] + }, + { + "id": "cp-02_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "key contingency organizational elements to communicate changes to are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2" + }, + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#cp-13", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2_smt", + "name": "statement", + "parts": [ + { + "id": "cp-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a contingency plan for the system that:", + "parts": [ + { + "id": "cp-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifies essential mission and business functions and associated contingency requirements;" + }, + { + "id": "cp-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Provides recovery objectives, restoration priorities, and metrics;" + }, + { + "id": "cp-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" + }, + { + "id": "cp-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" + }, + { + "id": "cp-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" + }, + { + "id": "cp-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Addresses the sharing of contingency information; and" + }, + { + "id": "cp-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" + } + ] + }, + { + "id": "cp-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" + }, + { + "id": "cp-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate contingency planning activities with incident handling activities;" + }, + { + "id": "cp-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" + }, + { + "id": "cp-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + }, + { + "id": "cp-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" + }, + { + "id": "cp-2_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" + }, + { + "id": "cp-2_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Protect the contingency plan from unauthorized disclosure and modification." + }, + { + "id": "cp-2_fr", + "name": "item", + "title": "CP-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." + }, + { + "id": "cp-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + } + ] + } + ] + }, + { + "id": "cp-2_gdn", + "name": "guidance", + "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." + }, + { + "id": "cp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.01", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", + "links": [ + { + "href": "#cp-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides recovery objectives;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides restoration priorities;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that provides metrics;", + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency roles;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.3-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.03[03]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.04", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.05", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", + "links": [ + { + "href": "#cp-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.06", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", + "links": [ + { + "href": "#cp-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02c.", + "class": "sp800-53a" + } + ], + "prose": "contingency planning activities are coordinated with incident handling activities;", + "links": [ + { + "href": "#cp-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02d.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", + "links": [ + { + "href": "#cp-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[01]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02f.[02]", + "class": "sp800-53a" + } + ], + "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02g.[02]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-2_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan is protected from unauthorized modification.", + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" + } + ] + } + ], + "controls": [ + { + "id": "cp-2.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-2(1)" + }, + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." + }, + { + "id": "cp-2.1_gdn", + "name": "guidance", + "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans." + }, + { + "id": "cp-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans" + } + ] + } + ] + }, + { + "id": "cp-2.3", + "class": "SP800-53-enhancement", + "title": "Resume Mission and Business Functions", + "params": [ + { + "id": "cp-02.03_odp.01", + "constraints": [ + { + "description": "all" + } + ], + "select": { + "choice": [ + "all", + "essential" + ] + } + }, + { + "id": "cp-02.03_odp.02", + "label": "time period", + "constraints": [ + { + "description": "time period defined in service provider and organization SLA" + } + ], + "guidelines": [ + { + "prose": "the contingency plan activation time period within which to resume mission and business functions is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(3)" + }, + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-2.3_smt", + "name": "statement", + "prose": "Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation." + }, + { + "id": "cp-2.3_gdn", + "name": "guidance", + "prose": "Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." + }, + { + "id": "cp-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(03)", + "class": "sp800-53a" + } + ], + "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.", + "links": [ + { + "href": "#cp-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions" + } + ] + }, + { + "id": "cp-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for resumption of missions and business functions" + } + ] + } + ] + }, + { + "id": "cp-2.8", + "class": "SP800-53-enhancement", + "title": "Identify Critical Assets", + "params": [ + { + "id": "cp-02.08_odp", + "select": { + "choice": [ + "all", + "essential" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "CP-2(8)" + }, + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "required" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-2.8_smt", + "name": "statement", + "prose": "Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions." + }, + { + "id": "cp-2.8_gdn", + "name": "guidance", + "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement." + }, + { + "id": "cp-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-02(08)", + "class": "sp800-53a" + } + ], + "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.", + "links": [ + { + "href": "#cp-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-3", + "class": "SP800-53", + "title": "Contingency Training", + "params": [ + { + "id": "cp-03_odp.01", + "label": "time period", + "constraints": [ + { + "description": "\\*See Additional Requirements" + } + ], + "guidelines": [ + { + "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" + } + ] + }, + { + "id": "cp-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update contingency training content is defined;" + } + ] + }, + { + "id": "cp-03_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events necessitating review and update of contingency training are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-3" + }, + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-3_smt", + "name": "statement", + "parts": [ + { + "id": "cp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "cp-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" + }, + { + "id": "cp-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "cp-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "cp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." + }, + { + "id": "cp-3_fr", + "name": "item", + "title": "CP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." + } + ] + } + ] + }, + { + "id": "cp-3_gdn", + "name": "guidance", + "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." + }, + { + "id": "cp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.01", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", + "links": [ + { + "href": "#cp-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.02", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#cp-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03a.03", + "class": "sp800-53a" + } + ], + "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", + "links": [ + { + "href": "#cp-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency training" + } + ] + } + ] + }, + { + "id": "cp-4", + "class": "SP800-53", + "title": "Contingency Plan Testing", + "params": [ + { + "id": "cp-4_prm_2", + "label": "organization-defined tests", + "constraints": [ + { + "description": "functional exercises" + } + ] + }, + { + "id": "cp-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency of testing the contingency plan for the system is defined;" + } + ] + }, + { + "id": "cp-04_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining the effectiveness of the contingency plan are defined;" + } + ] + }, + { + "id": "cp-04_odp.03", + "label": "tests", + "guidelines": [ + { + "prose": "tests for determining readiness to execute the contingency plan are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-4" + }, + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4_smt", + "name": "statement", + "parts": [ + { + "id": "cp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." + }, + { + "id": "cp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the contingency plan test results; and" + }, + { + "id": "cp-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Initiate corrective actions, if needed." + }, + { + "id": "cp-4_fr", + "name": "item", + "title": "CP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." + }, + { + "id": "cp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." + } + ] + } + ] + }, + { + "id": "cp-4_gdn", + "name": "guidance", + "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." + }, + { + "id": "cp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04b.", + "class": "sp800-53a" + } + ], + "prose": "the contingency plan test results are reviewed;", + "links": [ + { + "href": "#cp-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04c.", + "class": "sp800-53a" + } + ], + "prose": "corrective actions are initiated, if needed.", + "links": [ + { + "href": "#cp-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" + } + ] + } + ], + "controls": [ + { + "id": "cp-4.1", + "class": "SP800-53-enhancement", + "title": "Coordinate with Related Plans", + "props": [ + { + "name": "label", + "value": "CP-4(1)" + }, + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#cp-4", + "rel": "required" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-4.1_smt", + "name": "statement", + "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." + }, + { + "id": "cp-4.1_gdn", + "name": "guidance", + "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements." + }, + { + "id": "cp-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-04(01)", + "class": "sp800-53a" + } + ], + "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#cp-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-6", + "class": "SP800-53", + "title": "Alternate Storage Site", + "props": [ + { + "name": "label", + "value": "CP-6" + }, + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6_smt", + "name": "statement", + "parts": [ + { + "id": "cp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" + }, + { + "id": "cp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." + } + ] + }, + { + "id": "cp-6_gdn", + "name": "guidance", + "prose": "Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems." + }, + { + "id": "cp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site is established;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;", + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06b.", + "class": "sp800-53a" + } + ], + "prose": "the alternate storage site provides controls equivalent to that of the primary site.", + "links": [ + { + "href": "#cp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site" + } + ] + } + ], + "controls": [ + { + "id": "cp-6.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-6(1)" + }, + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.1_smt", + "name": "statement", + "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." + }, + { + "id": "cp-6.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.", + "links": [ + { + "href": "#cp-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-6.3", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-6(3)" + }, + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-6", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-6.3_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." + }, + { + "id": "cp-6.3_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." + }, + { + "id": "cp-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-6.3_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-06(03)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-7", + "class": "SP800-53", + "title": "Alternate Processing Site", + "params": [ + { + "id": "cp-07_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-07_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-7" + }, + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-11", + "rel": "related" + }, + { + "href": "#pe-12", + "rel": "related" + }, + { + "href": "#pe-17", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7_smt", + "name": "statement", + "parts": [ + { + "id": "cp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;" + }, + { + "id": "cp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and" + }, + { + "id": "cp-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." + }, + { + "id": "cp-7_fr", + "name": "item", + "title": "CP-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-7_gdn", + "name": "guidance", + "prose": "Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems." + }, + { + "id": "cp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07a.", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;", + "links": [ + { + "href": "#cp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;", + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07c.", + "class": "sp800-53a" + } + ], + "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.", + "links": [ + { + "href": "#cp-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for recovery at the alternate site\n\nmechanisms supporting and/or implementing recovery at the alternate processing site" + } + ] + } + ], + "controls": [ + { + "id": "cp-7.1", + "class": "SP800-53-enhancement", + "title": "Separation from Primary Site", + "props": [ + { + "name": "label", + "value": "CP-7(1)" + }, + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.1_smt", + "name": "statement", + "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.", + "parts": [ + { + "id": "cp-7.1_fr", + "name": "item", + "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-7.1_fr_smt.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant." + } + ] + } + ] + }, + { + "id": "cp-7.1_gdn", + "name": "guidance", + "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." + }, + { + "id": "cp-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(01)", + "class": "sp800-53a" + } + ], + "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.", + "links": [ + { + "href": "#cp-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.2", + "class": "SP800-53-enhancement", + "title": "Accessibility", + "props": [ + { + "name": "label", + "value": "CP-7(2)" + }, + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-7.2_smt", + "name": "statement", + "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." + }, + { + "id": "cp-7.2_gdn", + "name": "guidance", + "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." + }, + { + "id": "cp-7.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-7.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-7.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "cp-7.3", + "class": "SP800-53-enhancement", + "title": "Priority of Service", + "props": [ + { + "name": "label", + "value": "CP-7(3)" + }, + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-7.3_smt", + "name": "statement", + "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." + }, + { + "id": "cp-7.3_gdn", + "name": "guidance", + "prose": "Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." + }, + { + "id": "cp-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-07(03)", + "class": "sp800-53a" + } + ], + "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.", + "links": [ + { + "href": "#cp-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + } + ] + } + ] + }, + { + "id": "cp-8", + "class": "SP800-53", + "title": "Telecommunications Services", + "params": [ + { + "id": "cp-08_odp.01", + "label": "system operations", + "guidelines": [ + { + "prose": "system operations to be resumed for essential mission and business functions are defined;" + } + ] + }, + { + "id": "cp-08_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-8" + }, + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-11", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-8_smt", + "name": "statement", + "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "parts": [ + { + "id": "cp-8_fr", + "name": "item", + "title": "CP-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-8_fr_gdn.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis." + } + ] + } + ] + }, + { + "id": "cp-8_gdn", + "name": "guidance", + "prose": "Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." + }, + { + "id": "cp-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", + "links": [ + { + "href": "#cp-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ], + "controls": [ + { + "id": "cp-8.1", + "class": "SP800-53-enhancement", + "title": "Priority of Service Provisions", + "props": [ + { + "name": "label", + "value": "CP-8(1)" + }, + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.1_smt", + "name": "statement", + "parts": [ + { + "id": "cp-8.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" + }, + { + "id": "cp-8.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." + } + ] + }, + { + "id": "cp-8.1_gdn", + "name": "guidance", + "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." + }, + { + "id": "cp-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-8.1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.", + "links": [ + { + "href": "#cp-8.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" + } + ] + }, + { + "id": "cp-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting telecommunications" + } + ] + } + ] + }, + { + "id": "cp-8.2", + "class": "SP800-53-enhancement", + "title": "Single Points of Failure", + "props": [ + { + "name": "label", + "value": "CP-8(2)" + }, + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-8.2_smt", + "name": "statement", + "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." + }, + { + "id": "cp-8.2_gdn", + "name": "guidance", + "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." + }, + { + "id": "cp-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-08(02)", + "class": "sp800-53a" + } + ], + "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.", + "links": [ + { + "href": "#cp-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "cp-9", + "class": "SP800-53", + "title": "System Backup", + "params": [ + { + "id": "cp-09_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which to conduct backups of user-level information is defined;" + } + ] + }, + { + "id": "cp-09_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" + } + ] + }, + { + "id": "cp-09_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "daily incremental; weekly full" + } + ], + "guidelines": [ + { + "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9" + }, + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", + "rel": "reference" + }, + { + "href": "#2494df28-9049-4196-b233-540e7440993f", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9_smt", + "name": "statement", + "parts": [ + { + "id": "cp-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" + }, + { + "id": "cp-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" + }, + { + "id": "cp-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" + }, + { + "id": "cp-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Protect the confidentiality, integrity, and availability of backup information." + }, + { + "id": "cp-9_fr", + "name": "item", + "title": "CP-9 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." + }, + { + "id": "cp-9_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." + }, + { + "id": "cp-9_fr_smt.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c) Requirement:" + } + ], + "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." + } + ] + } + ] + }, + { + "id": "cp-9_gdn", + "name": "guidance", + "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "cp-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09a.", + "class": "sp800-53a" + } + ], + "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", + "links": [ + { + "href": "#cp-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09b.", + "class": "sp800-53a" + } + ], + "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", + "links": [ + { + "href": "#cp-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09c.", + "class": "sp800-53a" + } + ], + "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", + "links": [ + { + "href": "#cp-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of backup information is protected;", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the availability of backup information is protected.", + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "cp-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ], + "controls": [ + { + "id": "cp-9.1", + "class": "SP800-53-enhancement", + "title": "Testing for Reliability and Integrity", + "params": [ + { + "id": "cp-9.1_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually" + } + ] + }, + { + "id": "cp-09.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for media reliability is defined;" + } + ] + }, + { + "id": "cp-09.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to test backup information for information integrity is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(1)" + }, + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#cp-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.1_smt", + "name": "statement", + "prose": "Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity." + }, + { + "id": "cp-9.1_gdn", + "name": "guidance", + "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." + }, + { + "id": "cp-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-9.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.", + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" + } + ] + } + ] + }, + { + "id": "cp-9.8", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "cp-09.08_odp", + "label": "backup information", + "constraints": [ + { + "description": "all backup files" + } + ], + "guidelines": [ + { + "prose": "backup information to protect against unauthorized disclosure and modification is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-9(8)" + }, + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-09.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-9", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-9.8_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "parts": [ + { + "id": "cp-9.8_fr", + "name": "item", + "title": "CP-9 (8) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "cp-9.8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + } + ] + } + ] + }, + { + "id": "cp-9.8_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." + }, + { + "id": "cp-9.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-09(08)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", + "links": [ + { + "href": "#cp-9.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-9.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-09(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-9.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-09(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-9.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-09(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection of backup information" + } + ] + } + ] + } + ] + }, + { + "id": "cp-10", + "class": "SP800-53", + "title": "System Recovery and Reconstitution", + "params": [ + { + "id": "cp-10_prm_1", + "label": "organization-defined time period consistent with recovery time and recovery point objectives" + }, + { + "id": "cp-10_odp.01", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" + } + ] + }, + { + "id": "cp-10_odp.02", + "label": "time period", + "guidelines": [ + { + "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "CP-10" + }, + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "cp-10_smt", + "name": "statement", + "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." + }, + { + "id": "cp-10_gdn", + "name": "guidance", + "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." + }, + { + "id": "cp-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "cp-10_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[01]", + "class": "sp800-53a" + } + ], + "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10[02]", + "class": "sp800-53a" + } + ], + "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#cp-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" + } + ] + } + ], + "controls": [ + { + "id": "cp-10.2", + "class": "SP800-53-enhancement", + "title": "Transaction Recovery", + "props": [ + { + "name": "label", + "value": "CP-10(2)" + }, + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "cp-10.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-10", + "rel": "required" + } + ], + "parts": [ + { + "id": "cp-10.2_smt", + "name": "statement", + "prose": "Implement transaction recovery for systems that are transaction-based." + }, + { + "id": "cp-10.2_gdn", + "name": "guidance", + "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." + }, + { + "id": "cp-10.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "CP-10(02)", + "class": "sp800-53a" + } + ], + "prose": "transaction recovery is implemented for systems that are transaction-based.", + "links": [ + { + "href": "#cp-10.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "cp-10.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "CP-10(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "cp-10.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "CP-10(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "cp-10.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "CP-10(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transaction recovery capability" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ia", + "class": "family", + "title": "Identification and Authentication", + "controls": [ + { + "id": "ia-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ia-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ia-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" + } + ] + }, + { + "id": "ia-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ia-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ia-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the identification and authentication policy and procedures is defined;" + } + ] + }, + { + "id": "ia-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ia-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ia-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-1" + }, + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#ac-1", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-1_smt", + "name": "statement", + "parts": [ + { + "id": "ia-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", + "parts": [ + { + "id": "ia-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", + "parts": [ + { + "id": "ia-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ia-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ia-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" + } + ] + }, + { + "id": "ia-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" + }, + { + "id": "ia-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current identification and authentication:", + "parts": [ + { + "id": "ia-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" + }, + { + "id": "ia-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ia-1_gdn", + "name": "guidance", + "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ia-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an identification and authentication policy is developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ia-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", + "links": [ + { + "href": "#ia-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ia-2", + "class": "SP800-53", + "title": "Identification and Authentication (Organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-2" + }, + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "rel": "reference" + }, + { + "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-1", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", + "parts": [ + { + "id": "ia-2_fr", + "name": "item", + "title": "IA-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." + }, + { + "id": "ia-2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." + }, + { + "id": "ia-2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." + } + ] + } + ] + }, + { + "id": "ia-2_gdn", + "name": "guidance", + "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." + }, + { + "id": "ia-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational users are uniquely identified and authenticated;", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02[02]", + "class": "sp800-53a" + } + ], + "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "ia-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-2.1", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(1)" + }, + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.1_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to privileged accounts.", + "parts": [ + { + "id": "ia-2.1_fr", + "name": "item", + "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.1_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(01)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for access to privileged accounts.", + "links": [ + { + "href": "#ia-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.2", + "class": "SP800-53-enhancement", + "title": "Multi-factor Authentication to Non-privileged Accounts", + "props": [ + { + "name": "label", + "value": "IA-2(2)" + }, + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.2_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for access to non-privileged accounts.", + "parts": [ + { + "id": "ia-2.2_fr", + "name": "item", + "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.2_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." + }, + { + "id": "ia-2.2_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Multi-factor authentication must be phishing-resistant." + }, + { + "id": "ia-2.2_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." + } + ] + } + ] + }, + { + "id": "ia-2.2_gdn", + "name": "guidance", + "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." + }, + { + "id": "ia-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(02)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", + "links": [ + { + "href": "#ia-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.5", + "class": "SP800-53-enhancement", + "title": "Individual Authentication with Group Authentication", + "props": [ + { + "name": "label", + "value": "IA-2(5)" + }, + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.5_smt", + "name": "statement", + "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." + }, + { + "id": "ia-2.5_gdn", + "name": "guidance", + "prose": "Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators." + }, + { + "id": "ia-2.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(05)", + "class": "sp800-53a" + } + ], + "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.", + "links": [ + { + "href": "#ia-2.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an authentication capability for group accounts" + } + ] + } + ] + }, + { + "id": "ia-2.6", + "class": "SP800-53-enhancement", + "title": "Access to Accounts —separate Device", + "params": [ + { + "id": "ia-02.06_odp.01", + "constraints": [ + { + "description": "local, network and remote" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "network", + "remote" + ] + } + }, + { + "id": "ia-02.06_odp.02", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + }, + { + "id": "ia-02.06_odp.03", + "label": "strength of mechanism requirements", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(6)" + }, + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + }, + { + "href": "#ac-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-2.6_smt", + "name": "statement", + "prose": "Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:", + "parts": [ + { + "id": "ia-2.6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "One of the factors is provided by a device separate from the system gaining access; and" + }, + { + "id": "ia-2.6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "The device meets {{ insert: param, ia-02.06_odp.03 }}." + }, + { + "id": "ia-2.6_fr", + "name": "item", + "title": "IA-2 (6) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.6_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials." + }, + { + "id": "ia-2.6_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography." + } + ] + } + ] + }, + { + "id": "ia-2.6_gdn", + "name": "guidance", + "prose": "The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process." + }, + { + "id": "ia-2.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-2.6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(a)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;", + "links": [ + { + "href": "#ia-2.6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(06)(b)", + "class": "sp800-53a" + } + ], + "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.", + "links": [ + { + "href": "#ia-2.6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-2.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing multi-factor authentication capability" + } + ] + } + ] + }, + { + "id": "ia-2.8", + "class": "SP800-53-enhancement", + "title": "Access to Accounts — Replay Resistant", + "params": [ + { + "id": "ia-02.08_odp", + "constraints": [ + { + "description": "privileged accounts; non-privileged accounts" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "privileged accounts", + "non-privileged accounts" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-2(8)" + }, + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.8_smt", + "name": "statement", + "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." + }, + { + "id": "ia-2.8_gdn", + "name": "guidance", + "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." + }, + { + "id": "ia-2.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(08)", + "class": "sp800-53a" + } + ], + "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", + "links": [ + { + "href": "#ia-2.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" + } + ] + } + ] + }, + { + "id": "ia-2.12", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials", + "props": [ + { + "name": "label", + "value": "IA-2(12)" + }, + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-02.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-2.12_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", + "parts": [ + { + "id": "ia-2.12_fr", + "name": "item", + "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-2.12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." + } + ] + } + ] + }, + { + "id": "ia-2.12_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." + }, + { + "id": "ia-2.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-02(12)", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", + "links": [ + { + "href": "#ia-2.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-2.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-02(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-2.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-02(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-2.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-02(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" + } + ] + } + ] + } + ] + }, + { + "id": "ia-3", + "class": "SP800-53", + "title": "Device Identification and Authentication", + "params": [ + { + "id": "ia-03_odp.01", + "label": "devices and/or types of devices", + "guidelines": [ + { + "prose": "devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;" + } + ] + }, + { + "id": "ia-03_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "local", + "remote", + "network" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-3" + }, + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-3_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + }, + { + "id": "ia-3_gdn", + "name": "guidance", + "prose": "Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs." + }, + { + "id": "ia-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-03", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.", + "links": [ + { + "href": "#ia-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-4", + "class": "SP800-53", + "title": "Identifier Management", + "params": [ + { + "id": "ia-04_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" + } + ] + }, + { + "id": "ia-04_odp.02", + "label": "time period", + "constraints": [ + { + "description": "at least two (2) years" + } + ], + "guidelines": [ + { + "prose": "a time period for preventing reuse of identifiers is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4" + }, + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ia-12", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-4_smt", + "name": "statement", + "prose": "Manage system identifiers by:", + "parts": [ + { + "id": "ia-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" + }, + { + "id": "ia-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" + }, + { + "id": "ia-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" + }, + { + "id": "ia-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." + } + ] + }, + { + "id": "ia-4_gdn", + "name": "guidance", + "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." + }, + { + "id": "ia-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04a.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", + "links": [ + { + "href": "#ia-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04b.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04c.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", + "links": [ + { + "href": "#ia-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04d.", + "class": "sp800-53a" + } + ], + "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", + "links": [ + { + "href": "#ia-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ], + "controls": [ + { + "id": "ia-4.4", + "class": "SP800-53-enhancement", + "title": "Identify User Status", + "params": [ + { + "id": "ia-04.04_odp", + "label": "characteristics", + "constraints": [ + { + "description": "contractors; foreign nationals" + } + ], + "guidelines": [ + { + "prose": "characteristics used to identify individual status is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-4(4)" + }, + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-4.4_smt", + "name": "statement", + "prose": "Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}." + }, + { + "id": "ia-4.4_gdn", + "name": "guidance", + "prose": "Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." + }, + { + "id": "ia-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-04(04)", + "class": "sp800-53a" + } + ], + "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.", + "links": [ + { + "href": "#ia-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identifier management" + } + ] + } + ] + } + ] + }, + { + "id": "ia-5", + "class": "SP800-53", + "title": "Authenticator Management", + "params": [ + { + "id": "ia-05_odp.01", + "label": "time period by authenticator type", + "guidelines": [ + { + "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" + } + ] + }, + { + "id": "ia-05_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events that trigger the change or refreshment of authenticators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5" + }, + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "rel": "reference" + }, + { + "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5_smt", + "name": "statement", + "prose": "Manage system authenticators by:", + "parts": [ + { + "id": "ia-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" + }, + { + "id": "ia-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" + }, + { + "id": "ia-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + }, + { + "id": "ia-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + }, + { + "id": "ia-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Changing default authenticators prior to first use;" + }, + { + "id": "ia-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + }, + { + "id": "ia-5_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Protecting authenticator content from unauthorized disclosure and modification;" + }, + { + "id": "ia-5_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" + }, + { + "id": "ia-5_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." + }, + { + "id": "ia-5_fr", + "name": "item", + "title": "IA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3" + }, + { + "id": "ia-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." + } + ] + } + ] + }, + { + "id": "ia-5_gdn", + "name": "guidance", + "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." + }, + { + "id": "ia-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05a.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", + "links": [ + { + "href": "#ia-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05b.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", + "links": [ + { + "href": "#ia-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05c.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", + "links": [ + { + "href": "#ia-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05d.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", + "links": [ + { + "href": "#ia-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05e.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of default authenticators prior to first use;", + "links": [ + { + "href": "#ia-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05f.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", + "links": [ + { + "href": "#ia-5_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05g.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", + "links": [ + { + "href": "#ia-5_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[01]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05h.[02]", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05i.", + "class": "sp800-53a" + } + ], + "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", + "links": [ + { + "href": "#ia-5_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability" + } + ] + } + ], + "controls": [ + { + "id": "ia-5.1", + "class": "SP800-53-enhancement", + "title": "Password-based Authentication", + "params": [ + { + "id": "ia-05.01_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" + } + ] + }, + { + "id": "ia-05.01_odp.02", + "label": "composition and complexity rules", + "guidelines": [ + { + "prose": "authenticator composition and complexity rules are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-5(1)" + }, + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.1_smt", + "name": "statement", + "prose": "For password-based authentication:", + "parts": [ + { + "id": "ia-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" + }, + { + "id": "ia-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" + }, + { + "id": "ia-5.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Transmit passwords only over cryptographically-protected channels;" + }, + { + "id": "ia-5.1_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" + }, + { + "id": "ia-5.1_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Require immediate selection of a new password upon account recovery;" + }, + { + "id": "ia-5.1_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + }, + { + "id": "ia-5.1_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" + }, + { + "id": "ia-5.1_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." + }, + { + "id": "ia-5.1_fr", + "name": "item", + "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." + }, + { + "id": "ia-5.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h) Requirement:" + } + ], + "prose": "For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." + }, + { + "id": "ia-5.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." + } + ] + } + ] + }, + { + "id": "ia-5.1_gdn", + "name": "guidance", + "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." + }, + { + "id": "ia-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", + "links": [ + { + "href": "#ia-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", + "links": [ + { + "href": "#ia-5.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", + "links": [ + { + "href": "#ia-5.1_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(d)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", + "links": [ + { + "href": "#ia-5.1_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(e)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", + "links": [ + { + "href": "#ia-5.1_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(f)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", + "links": [ + { + "href": "#ia-5.1_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(g)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", + "links": [ + { + "href": "#ia-5.1_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(01)(h)", + "class": "sp800-53a" + } + ], + "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", + "links": [ + { + "href": "#ia-5.1_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.2", + "class": "SP800-53-enhancement", + "title": "Public Key-based Authentication", + "props": [ + { + "name": "label", + "value": "IA-5(2)" + }, + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-5.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "For public key-based authentication:", + "parts": [ + { + "id": "ia-5.2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Enforce authorized access to the corresponding private key; and" + }, + { + "id": "ia-5.2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Map the authenticated identity to the account of the individual or group; and" + } + ] + }, + { + "id": "ia-5.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "When public key infrastructure (PKI) is used:", + "parts": [ + { + "id": "ia-5.2_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and" + }, + { + "id": "ia-5.2_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Implement a local cache of revocation data to support path discovery and validation." + } + ] + } + ] + }, + { + "id": "ia-5.2_gdn", + "name": "guidance", + "prose": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network." + }, + { + "id": "ia-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;", + "links": [ + { + "href": "#ia-5.2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-5.2_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(01)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;", + "links": [ + { + "href": "#ia-5.2_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(02)(b)(02)", + "class": "sp800-53a" + } + ], + "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.", + "links": [ + { + "href": "#ia-5.2_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing PKI-based, authenticator management capability" + } + ] + } + ] + }, + { + "id": "ia-5.6", + "class": "SP800-53-enhancement", + "title": "Protection of Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(6)" + }, + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-5.6_smt", + "name": "statement", + "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." + }, + { + "id": "ia-5.6_gdn", + "name": "guidance", + "prose": "For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." + }, + { + "id": "ia-5.6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(06)", + "class": "sp800-53a" + } + ], + "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.", + "links": [ + { + "href": "#ia-5.6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(06)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(06)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ia-5.6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(06)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms protecting authenticators" + } + ] + } + ] + }, + { + "id": "ia-5.7", + "class": "SP800-53-enhancement", + "title": "No Embedded Unencrypted Static Authenticators", + "props": [ + { + "name": "label", + "value": "IA-5(7)" + }, + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-05.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-5.7_smt", + "name": "statement", + "prose": "Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "parts": [ + { + "id": "ia-5.7_fr", + "name": "item", + "title": "IA-5 (7) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-5.7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process." + } + ] + } + ] + }, + { + "id": "ia-5.7_gdn", + "name": "guidance", + "prose": "In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators." + }, + { + "id": "ia-5.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-05(07)", + "class": "sp800-53a" + } + ], + "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.", + "links": [ + { + "href": "#ia-5.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-5.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-05(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-5.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-05(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-5.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-05(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications" + } + ] + } + ] + } + ] + }, + { + "id": "ia-6", + "class": "SP800-53", + "title": "Authentication Feedback", + "props": [ + { + "name": "label", + "value": "IA-6" + }, + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-6_smt", + "name": "statement", + "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." + }, + { + "id": "ia-6_gdn", + "name": "guidance", + "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." + }, + { + "id": "ia-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-06", + "class": "sp800-53a" + } + ], + "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", + "links": [ + { + "href": "#ia-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" + } + ] + } + ] + }, + { + "id": "ia-7", + "class": "SP800-53", + "title": "Cryptographic Module Authentication", + "props": [ + { + "name": "label", + "value": "IA-7" + }, + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-7_smt", + "name": "statement", + "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." + }, + { + "id": "ia-7_gdn", + "name": "guidance", + "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." + }, + { + "id": "ia-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-07", + "class": "sp800-53a" + } + ], + "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", + "links": [ + { + "href": "#ia-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" + } + ] + }, + { + "id": "ia-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" + } + ] + } + ] + }, + { + "id": "ia-8", + "class": "SP800-53", + "title": "Identification and Authentication (Non-organizational Users)", + "props": [ + { + "name": "label", + "value": "IA-8" + }, + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ia-11", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8_smt", + "name": "statement", + "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + }, + { + "id": "ia-8_gdn", + "name": "guidance", + "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." + }, + { + "id": "ia-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08", + "class": "sp800-53a" + } + ], + "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", + "links": [ + { + "href": "#ia-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-8.1", + "class": "SP800-53-enhancement", + "title": "Acceptance of PIV Credentials from Other Agencies", + "props": [ + { + "name": "label", + "value": "IA-8(1)" + }, + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + }, + { + "href": "#pe-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-8.1_smt", + "name": "statement", + "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." + }, + { + "id": "ia-8.1_gdn", + "name": "guidance", + "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." + }, + { + "id": "ia-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" + } + ] + } + ] + }, + { + "id": "ia-8.2", + "class": "SP800-53-enhancement", + "title": "Acceptance of External Authenticators", + "props": [ + { + "name": "label", + "value": "IA-8(2)" + }, + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.2_smt", + "name": "statement", + "parts": [ + { + "id": "ia-8.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Accept only external authenticators that are NIST-compliant; and" + }, + { + "id": "ia-8.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Document and maintain a list of accepted external authenticators." + } + ] + }, + { + "id": "ia-8.2_gdn", + "name": "guidance", + "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." + }, + { + "id": "ia-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(a)", + "class": "sp800-53a" + } + ], + "prose": "only external authenticators that are NIST-compliant are accepted;", + "links": [ + { + "href": "#ia-8.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-8.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is documented;", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of accepted external authenticators is maintained.", + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" + } + ] + } + ] + }, + { + "id": "ia-8.4", + "class": "SP800-53-enhancement", + "title": "Use of Defined Profiles", + "params": [ + { + "id": "ia-08.04_odp", + "label": "identity management profiles", + "guidelines": [ + { + "prose": "identity management profiles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-8(4)" + }, + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-08.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ia-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-8.4_smt", + "name": "statement", + "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." + }, + { + "id": "ia-8.4_gdn", + "name": "guidance", + "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "ia-8.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-08(04)", + "class": "sp800-53a" + } + ], + "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", + "links": [ + { + "href": "#ia-8.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-8.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-08(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-8.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-08(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" + } + ] + }, + { + "id": "ia-8.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-08(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" + } + ] + } + ] + } + ] + }, + { + "id": "ia-11", + "class": "SP800-53", + "title": "Re-authentication", + "params": [ + { + "id": "ia-11_odp", + "label": "circumstances or situations", + "guidelines": [ + { + "prose": "circumstances or situations requiring re-authentication are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-11" + }, + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-11_smt", + "name": "statement", + "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", + "parts": [ + { + "id": "ia-11_fr", + "name": "item", + "title": "IA-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-11_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL2 (moderate baseline) * 12 hours or * 30 minutes of inactivity \n" + } + ] + } + ] + }, + { + "id": "ia-11_gdn", + "name": "guidance", + "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." + }, + { + "id": "ia-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-11", + "class": "sp800-53a" + } + ], + "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", + "links": [ + { + "href": "#ia-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12", + "class": "SP800-53", + "title": "Identity Proofing", + "props": [ + { + "name": "label", + "value": "IA-12" + }, + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#9099ed2c-922a-493d-bcb4-d896192243ff", + "rel": "reference" + }, + { + "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ia-1", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-6", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12_smt", + "name": "statement", + "parts": [ + { + "id": "ia-12_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" + }, + { + "id": "ia-12_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Resolve user identities to a unique individual; and" + }, + { + "id": "ia-12_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Collect, validate, and verify identity evidence." + }, + { + "id": "ia-12_fr", + "name": "item", + "title": "IA-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12_gdn", + "name": "guidance", + "prose": "Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." + }, + { + "id": "ia-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12a.", + "class": "sp800-53a" + } + ], + "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;", + "links": [ + { + "href": "#ia-12_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12b.", + "class": "sp800-53a" + } + ], + "prose": "user identities are resolved to a unique individual;", + "links": [ + { + "href": "#ia-12_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ia-12_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[01]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is collected;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[02]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is validated;", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12c.[03]", + "class": "sp800-53a" + } + ], + "prose": "identity evidence is verified.", + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ia-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ], + "controls": [ + { + "id": "ia-12.2", + "class": "SP800-53-enhancement", + "title": "Identity Evidence", + "props": [ + { + "name": "label", + "value": "IA-12(2)" + }, + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.2_smt", + "name": "statement", + "prose": "Require evidence of individual identification be presented to the registration authority." + }, + { + "id": "ia-12.2_gdn", + "name": "guidance", + "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account." + }, + { + "id": "ia-12.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(02)", + "class": "sp800-53a" + } + ], + "prose": "evidence of individual identification is presented to the registration authority.", + "links": [ + { + "href": "#ia-12.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.3", + "class": "SP800-53-enhancement", + "title": "Identity Evidence Validation and Verification", + "params": [ + { + "id": "ia-12.03_odp", + "label": "methods of validation and verification", + "guidelines": [ + { + "prose": "methods of validation and verification of identity evidence are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(3)" + }, + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + } + ], + "parts": [ + { + "id": "ia-12.3_smt", + "name": "statement", + "prose": "Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}." + }, + { + "id": "ia-12.3_gdn", + "name": "guidance", + "prose": "Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account." + }, + { + "id": "ia-12.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(03)", + "class": "sp800-53a" + } + ], + "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.", + "links": [ + { + "href": "#ia-12.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + }, + { + "id": "ia-12.5", + "class": "SP800-53-enhancement", + "title": "Address Confirmation", + "params": [ + { + "id": "ia-12.05_odp", + "select": { + "choice": [ + "registration code", + "notice of proofing" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "IA-12(5)" + }, + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ia-12.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ia-12", + "rel": "required" + }, + { + "href": "#ia-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ia-12.5_smt", + "name": "statement", + "prose": "Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record.", + "parts": [ + { + "id": "ia-12.5_fr", + "name": "item", + "title": "IA-12 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ia-12.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with NIST SP 800-63A Enrollment and Identity Proofing" + } + ] + } + ] + }, + { + "id": "ia-12.5_gdn", + "name": "guidance", + "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." + }, + { + "id": "ia-12.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IA-12(05)", + "class": "sp800-53a" + } + ], + "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.", + "links": [ + { + "href": "#ia-12.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ia-12.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IA-12(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ia-12.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IA-12(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" + } + ] + }, + { + "id": "ia-12.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IA-12(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ir", + "class": "family", + "title": "Incident Response", + "controls": [ + { + "id": "ir-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ir-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ir-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ir-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ir-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the incident response policy and procedures is defined;" + } + ] + }, + { + "id": "ir-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ir-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ir-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-1" + }, + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-1_smt", + "name": "statement", + "parts": [ + { + "id": "ir-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", + "parts": [ + { + "id": "ir-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", + "parts": [ + { + "id": "ir-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ir-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ir-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" + } + ] + }, + { + "id": "ir-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" + }, + { + "id": "ir-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current incident response:", + "parts": [ + { + "id": "ir-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" + }, + { + "id": "ir-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ir-1_gdn", + "name": "guidance", + "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ir-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response policy is developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ir-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", + "links": [ + { + "href": "#ir-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-2", + "class": "SP800-53", + "title": "Incident Response Training", + "params": [ + { + "id": "ir-02_odp.01", + "label": "time period", + "constraints": [ + { + "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" + } + ], + "guidelines": [ + { + "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" + } + ] + }, + { + "id": "ir-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide incident response training to users is defined;" + } + ] + }, + { + "id": "ir-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review and update incident response training content is defined;" + } + ] + }, + { + "id": "ir-02_odp.04", + "label": "events", + "guidelines": [ + { + "prose": "events that initiate a review of the incident response training content are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-2" + }, + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#at-4", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-2_smt", + "name": "statement", + "parts": [ + { + "id": "ir-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", + "parts": [ + { + "id": "ir-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" + }, + { + "id": "ir-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "When required by system changes; and" + }, + { + "id": "ir-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" + } + ] + }, + { + "id": "ir-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." + } + ] + }, + { + "id": "ir-2_gdn", + "name": "guidance", + "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "ir-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.01", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", + "links": [ + { + "href": "#ir-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.02", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", + "links": [ + { + "href": "#ir-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02a.03", + "class": "sp800-53a" + } + ], + "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", + "links": [ + { + "href": "#ir-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ir-3", + "class": "SP800-53", + "title": "Incident Response Testing", + "params": [ + { + "id": "ir-03_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "functional, at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to test the effectiveness of the incident response capability for the system is defined;" + } + ] + }, + { + "id": "ir-03_odp.02", + "label": "tests", + "guidelines": [ + { + "prose": "tests used to test the effectiveness of the incident response capability for the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-3" + }, + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-14", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-3_smt", + "name": "statement", + "prose": "Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}.", + "parts": [ + { + "id": "ir-3_fr", + "name": "item", + "title": "IR-3-2 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing." + } + ] + } + ] + }, + { + "id": "ir-3_gdn", + "name": "guidance", + "prose": "Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." + }, + { + "id": "ir-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.", + "links": [ + { + "href": "#ir-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ], + "controls": [ + { + "id": "ir-3.2", + "class": "SP800-53-enhancement", + "title": "Coordination with Related Plans", + "props": [ + { + "name": "label", + "value": "IR-3(2)" + }, + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ir-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-3.2_smt", + "name": "statement", + "prose": "Coordinate incident response testing with organizational elements responsible for related plans." + }, + { + "id": "ir-3.2_gdn", + "name": "guidance", + "prose": "Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans." + }, + { + "id": "ir-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-03(02)", + "class": "sp800-53a" + } + ], + "prose": "incident response testing is coordinated with organizational elements responsible for related plans.", + "links": [ + { + "href": "#ir-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ir-4", + "class": "SP800-53", + "title": "Incident Handling", + "props": [ + { + "name": "label", + "value": "IR-4" + }, + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", + "rel": "reference" + }, + { + "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "rel": "reference" + }, + { + "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + }, + { + "href": "#ir-3", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-4_smt", + "name": "statement", + "parts": [ + { + "id": "ir-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + }, + { + "id": "ir-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Coordinate incident handling activities with contingency planning activities;" + }, + { + "id": "ir-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" + }, + { + "id": "ir-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." + }, + { + "id": "ir-4_fr", + "name": "item", + "title": "IR-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" + }, + { + "id": "ir-4_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." + } + ] + } + ] + }, + { + "id": "ir-4_gdn", + "name": "guidance", + "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." + }, + { + "id": "ir-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes preparation;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes detection and analysis;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes containment;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes eradication;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the incident handling capability for incidents includes recovery;", + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04b.", + "class": "sp800-53a" + } + ], + "prose": "incident handling activities are coordinated with contingency planning activities;", + "links": [ + { + "href": "#ir-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the scope of incident handling activities is comparable and predictable across the organization;", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04d.[04]", + "class": "sp800-53a" + } + ], + "prose": "the results of incident handling activities are comparable and predictable across the organization.", + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident handling capability for the organization" + } + ] + } + ], + "controls": [ + { + "id": "ir-4.1", + "class": "SP800-53-enhancement", + "title": "Automated Incident Handling Processes", + "params": [ + { + "id": "ir-04.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to support the incident handling process are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-4(1)" + }, + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-4.1_smt", + "name": "statement", + "prose": "Support the incident handling process using {{ insert: param, ir-04.01_odp }}." + }, + { + "id": "ir-4.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis." + }, + { + "id": "ir-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.", + "links": [ + { + "href": "#ir-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms that support and/or implement the incident handling process" + } + ] + } + ] + } + ] + }, + { + "id": "ir-5", + "class": "SP800-53", + "title": "Incident Monitoring", + "props": [ + { + "name": "label", + "value": "IR-5" + }, + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-5_smt", + "name": "statement", + "prose": "Track and document incidents." + }, + { + "id": "ir-5_gdn", + "name": "guidance", + "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." + }, + { + "id": "ir-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[01]", + "class": "sp800-53a" + } + ], + "prose": "incidents are tracked;", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-05[02]", + "class": "sp800-53a" + } + ], + "prose": "incidents are documented.", + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" + } + ] + } + ] + }, + { + "id": "ir-6", + "class": "SP800-53", + "title": "Incident Reporting", + "params": [ + { + "id": "ir-06_odp.01", + "label": "time period", + "constraints": [ + { + "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" + } + ], + "guidelines": [ + { + "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" + } + ] + }, + { + "id": "ir-06_odp.02", + "label": "authorities", + "guidelines": [ + { + "prose": "authorities to whom incident information is to be reported are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6" + }, + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#40b78258-c892-480e-9af8-77ac36648301", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6_smt", + "name": "statement", + "parts": [ + { + "id": "ir-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" + }, + { + "id": "ir-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." + }, + { + "id": "ir-6_fr", + "name": "item", + "title": "IR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." + } + ] + } + ] + }, + { + "id": "ir-6_gdn", + "name": "guidance", + "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." + }, + { + "id": "ir-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06a.", + "class": "sp800-53a" + } + ], + "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", + "links": [ + { + "href": "#ir-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06b.", + "class": "sp800-53a" + } + ], + "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", + "links": [ + { + "href": "#ir-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" + } + ] + }, + { + "id": "ir-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" + } + ] + } + ], + "controls": [ + { + "id": "ir-6.1", + "class": "SP800-53-enhancement", + "title": "Automated Reporting", + "params": [ + { + "id": "ir-06.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used for reporting incidents are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-6(1)" + }, + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#ir-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.1_smt", + "name": "statement", + "prose": "Report incidents using {{ insert: param, ir-06.01_odp }}." + }, + { + "id": "ir-6.1_gdn", + "name": "guidance", + "prose": "The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs." + }, + { + "id": "ir-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(01)", + "class": "sp800-53a" + } + ], + "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.", + "links": [ + { + "href": "#ir-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing the reporting of security incidents" + } + ] + } + ] + }, + { + "id": "ir-6.3", + "class": "SP800-53-enhancement", + "title": "Supply Chain Coordination", + "props": [ + { + "name": "label", + "value": "IR-6(3)" + }, + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-06.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-6", + "rel": "required" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-6.3_smt", + "name": "statement", + "prose": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident." + }, + { + "id": "ir-6.3_gdn", + "name": "guidance", + "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident." + }, + { + "id": "ir-6.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-06(03)", + "class": "sp800-53a" + } + ], + "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.", + "links": [ + { + "href": "#ir-6.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-6.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-06(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-6.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-06(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities" + } + ] + }, + { + "id": "ir-6.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-06(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and/or implementing the reporting of incident information involved in the supply chain" + } + ] + } + ] + } + ] + }, + { + "id": "ir-7", + "class": "SP800-53", + "title": "Incident Response Assistance", + "props": [ + { + "name": "label", + "value": "IR-7" + }, + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-7_smt", + "name": "statement", + "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." + }, + { + "id": "ir-7_gdn", + "name": "guidance", + "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." + }, + { + "id": "ir-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[01]", + "class": "sp800-53a" + } + ], + "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" + } + ] + } + ], + "controls": [ + { + "id": "ir-7.1", + "class": "SP800-53-enhancement", + "title": "Automation Support for Availability of Information and Support", + "params": [ + { + "id": "ir-07.01_odp", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms used to increase the availability of incident response information and support are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-7(1)" + }, + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-7.1_smt", + "name": "statement", + "prose": "Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}." + }, + { + "id": "ir-7.1_gdn", + "name": "guidance", + "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." + }, + { + "id": "ir-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-07(01)", + "class": "sp800-53a" + } + ], + "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.", + "links": [ + { + "href": "#ir-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the availability of incident response information and support" + } + ] + } + ] + } + ] + }, + { + "id": "ir-8", + "class": "SP800-53", + "title": "Incident Response Plan", + "params": [ + { + "id": "ir-8_prm_5", + "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ] + }, + { + "id": "ir-08_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that review and approve the incident response plan is/are identified;" + } + ] + }, + { + "id": "ir-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and approve the incident response plan is defined;" + } + ] + }, + { + "id": "ir-08_odp.03", + "label": "entities, personnel, or roles", + "guidelines": [ + { + "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" + } + ] + }, + { + "id": "ir-08_odp.04", + "label": "incident response personnel", + "constraints": [ + { + "description": "see additional FedRAMP Requirements and Guidance" + } + ], + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" + } + ] + }, + { + "id": "ir-08_odp.05", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" + } + ] + }, + { + "id": "ir-08_odp.06", + "label": "incident response personnel", + "guidelines": [ + { + "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" + } + ] + }, + { + "id": "ir-08_odp.07", + "label": "organizational elements", + "guidelines": [ + { + "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-8" + }, + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-8_smt", + "name": "statement", + "parts": [ + { + "id": "ir-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop an incident response plan that:", + "parts": [ + { + "id": "ir-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Provides the organization with a roadmap for implementing its incident response capability;" + }, + { + "id": "ir-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describes the structure and organization of the incident response capability;" + }, + { + "id": "ir-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" + }, + { + "id": "ir-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" + }, + { + "id": "ir-8_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Defines reportable incidents;" + }, + { + "id": "ir-8_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provides metrics for measuring the incident response capability within the organization;" + }, + { + "id": "ir-8_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" + }, + { + "id": "ir-8_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Addresses the sharing of incident information;" + }, + { + "id": "ir-8_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" + }, + { + "id": "ir-8_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." + } + ] + }, + { + "id": "ir-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" + }, + { + "id": "ir-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" + }, + { + "id": "ir-8_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" + }, + { + "id": "ir-8_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the incident response plan from unauthorized disclosure and modification." + }, + { + "id": "ir-8_fr", + "name": "item", + "title": "IR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ir-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + }, + { + "id": "ir-8_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." + } + ] + } + ] + }, + { + "id": "ir-8_gdn", + "name": "guidance", + "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." + }, + { + "id": "ir-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.01", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.02", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.03", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", + "links": [ + { + "href": "#ir-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.04", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", + "links": [ + { + "href": "#ir-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.05", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines reportable incidents;", + "links": [ + { + "href": "#ir-8_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.06", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", + "links": [ + { + "href": "#ir-8_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.07", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", + "links": [ + { + "href": "#ir-8_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.08", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that addresses the sharing of incident information;", + "links": [ + { + "href": "#ir-8_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.09", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", + "links": [ + { + "href": "#ir-8_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08a.10", + "class": "sp800-53a" + } + ], + "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", + "links": [ + { + "href": "#ir-8_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08b.[02]", + "class": "sp800-53a" + } + ], + "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08c.", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", + "links": [ + { + "href": "#ir-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[01]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08d.[02]", + "class": "sp800-53a" + } + ], + "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-8_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-08e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the incident response plan is protected from unauthorized modification.", + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ir-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational incident response plan and related organizational processes" + } + ] + } + ] + }, + { + "id": "ir-9", + "class": "SP800-53", + "title": "Information Spillage Response", + "params": [ + { + "id": "ir-09_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles assigned the responsibility for responding to information spills is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;" + } + ] + }, + { + "id": "ir-09_odp.03", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9" + }, + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#pm-26", + "rel": "related" + }, + { + "href": "#pm-27", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9_smt", + "name": "statement", + "prose": "Respond to information spills by:", + "parts": [ + { + "id": "ir-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;" + }, + { + "id": "ir-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identifying the specific information involved in the system contamination;" + }, + { + "id": "ir-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;" + }, + { + "id": "ir-9_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Isolating the contaminated system or system component;" + }, + { + "id": "ir-9_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Eradicating the information from the contaminated system or component;" + }, + { + "id": "ir-9_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Identifying other systems or system components that may have been subsequently contaminated; and" + }, + { + "id": "ir-9_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}." + } + ] + }, + { + "id": "ir-9_gdn", + "name": "guidance", + "prose": "Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated." + }, + { + "id": "ir-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ir-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;", + "links": [ + { + "href": "#ir-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09b.", + "class": "sp800-53a" + } + ], + "prose": "the specific information involved in the system contamination is identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;", + "links": [ + { + "href": "#ir-9_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09d.", + "class": "sp800-53a" + } + ], + "prose": "the contaminated system or system component is isolated in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09e.", + "class": "sp800-53a" + } + ], + "prose": "the information is eradicated from the contaminated system or component in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09f.", + "class": "sp800-53a" + } + ], + "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;", + "links": [ + { + "href": "#ir-9_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09_odp.03 }} are performed in response to information spills.", + "links": [ + { + "href": "#ir-9_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ir-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information spillage response\n\nmechanisms supporting and/or implementing information spillage response actions and related communications" + } + ] + } + ], + "controls": [ + { + "id": "ir-9.2", + "class": "SP800-53-enhancement", + "title": "Training", + "params": [ + { + "id": "ir-09.02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to provide information spillage response training is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(2)" + }, + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-3", + "rel": "related" + }, + { + "href": "#ir-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ir-9.2_smt", + "name": "statement", + "prose": "Provide information spillage response training {{ insert: param, ir-09.02_odp }}." + }, + { + "id": "ir-9.2_gdn", + "name": "guidance", + "prose": "Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur." + }, + { + "id": "ir-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(02)", + "class": "sp800-53a" + } + ], + "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.", + "links": [ + { + "href": "#ir-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ir-9.3", + "class": "SP800-53-enhancement", + "title": "Post-spill Operations", + "params": [ + { + "id": "ir-09.03_odp", + "label": "procedures", + "guidelines": [ + { + "prose": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(3)" + }, + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.3_smt", + "name": "statement", + "prose": "Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}." + }, + { + "id": "ir-9.3_gdn", + "name": "guidance", + "prose": "Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business." + }, + { + "id": "ir-9.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(03)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.", + "links": [ + { + "href": "#ir-9.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for post-spill operations" + } + ] + } + ] + }, + { + "id": "ir-9.4", + "class": "SP800-53-enhancement", + "title": "Exposure to Unauthorized Personnel", + "params": [ + { + "id": "ir-09.04_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls employed for personnel exposed to information not within assigned access authorizations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "IR-9(4)" + }, + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ir-09.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ir-9", + "rel": "required" + } + ], + "parts": [ + { + "id": "ir-9.4_smt", + "name": "statement", + "prose": "Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}." + }, + { + "id": "ir-9.4_gdn", + "name": "guidance", + "prose": "Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information." + }, + { + "id": "ir-9.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "IR-09(04)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.", + "links": [ + { + "href": "#ir-9.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ir-9.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "IR-09(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized personnel\n\nother relevant documents or records" + } + ] + }, + { + "id": "ir-9.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "IR-09(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ir-9.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "IR-09(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "ma", + "class": "family", + "title": "Maintenance", + "controls": [ + { + "id": "ma-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ma-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ma-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ma-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ma-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the maintenance policy and procedures is defined;" + } + ] + }, + { + "id": "ma-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ma-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ma-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-1" + }, + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", + "parts": [ + { + "id": "ma-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", + "parts": [ + { + "id": "ma-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ma-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ma-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" + } + ] + }, + { + "id": "ma-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" + }, + { + "id": "ma-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current maintenance:", + "parts": [ + { + "id": "ma-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" + }, + { + "id": "ma-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ma-1_gdn", + "name": "guidance", + "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ma-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a maintenance policy is developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ma-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", + "links": [ + { + "href": "#ma-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ma-2", + "class": "SP800-53", + "title": "Controlled Maintenance", + "params": [ + { + "id": "ma-02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" + } + ] + }, + { + "id": "ma-02_odp.02", + "label": "information", + "guidelines": [ + { + "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" + } + ] + }, + { + "id": "ma-02_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information to be included in organizational maintenance records is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-2" + }, + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-2_smt", + "name": "statement", + "parts": [ + { + "id": "ma-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" + }, + { + "id": "ma-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" + }, + { + "id": "ma-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" + }, + { + "id": "ma-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" + }, + { + "id": "ma-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" + }, + { + "id": "ma-2_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." + } + ] + }, + { + "id": "ma-2_gdn", + "name": "guidance", + "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." + }, + { + "id": "ma-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02d.", + "class": "sp800-53a" + } + ], + "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", + "links": [ + { + "href": "#ma-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02e.", + "class": "sp800-53a" + } + ], + "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", + "links": [ + { + "href": "#ma-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-02f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", + "links": [ + { + "href": "#ma-2_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" + } + ] + } + ] + }, + { + "id": "ma-3", + "class": "SP800-53", + "title": "Maintenance Tools", + "params": [ + { + "id": "ma-03_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review previously approved system maintenance tools is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3" + }, + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3_smt", + "name": "statement", + "parts": [ + { + "id": "ma-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve, control, and monitor the use of system maintenance tools; and" + }, + { + "id": "ma-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}." + } + ] + }, + { + "id": "ma-3_gdn", + "name": "guidance", + "prose": "Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools." + }, + { + "id": "ma-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is approved;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is controlled;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of system maintenance tools is monitored;", + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03b.", + "class": "sp800-53a" + } + ], + "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.", + "links": [ + { + "href": "#ma-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools" + } + ] + } + ], + "controls": [ + { + "id": "ma-3.1", + "class": "SP800-53-enhancement", + "title": "Inspect Tools", + "props": [ + { + "name": "label", + "value": "MA-3(1)" + }, + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.1_smt", + "name": "statement", + "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." + }, + { + "id": "ma-3.1_gdn", + "name": "guidance", + "prose": "Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." + }, + { + "id": "ma-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(01)", + "class": "sp800-53a" + } + ], + "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.", + "links": [ + { + "href": "#ma-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and/or implementing the inspection of maintenance tools" + } + ] + } + ] + }, + { + "id": "ma-3.2", + "class": "SP800-53-enhancement", + "title": "Inspect Media", + "props": [ + { + "name": "label", + "value": "MA-3(2)" + }, + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.2_smt", + "name": "statement", + "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." + }, + { + "id": "ma-3.2_gdn", + "name": "guidance", + "prose": "If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures." + }, + { + "id": "ma-3.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(02)", + "class": "sp800-53a" + } + ], + "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.", + "links": [ + { + "href": "#ma-3.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-3.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for inspecting media for malicious code\n\nmechanisms supporting and/or implementing the inspection of media used for maintenance" + } + ] + } + ] + }, + { + "id": "ma-3.3", + "class": "SP800-53-enhancement", + "title": "Prevent Unauthorized Removal", + "params": [ + { + "id": "ma-03.03_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "the information owner" + } + ], + "guidelines": [ + { + "prose": "personnel or roles who can authorize removal of equipment from the facility is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-3(3)" + }, + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-3", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-3.3_smt", + "name": "statement", + "prose": "Prevent the removal of maintenance equipment containing organizational information by:", + "parts": [ + { + "id": "ma-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Verifying that there is no organizational information contained on the equipment;" + }, + { + "id": "ma-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Sanitizing or destroying the equipment;" + }, + { + "id": "ma-3.3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Retaining the equipment within the facility; or" + }, + { + "id": "ma-3.3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility." + } + ] + }, + { + "id": "ma-3.3_gdn", + "name": "guidance", + "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." + }, + { + "id": "ma-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or", + "links": [ + { + "href": "#ma-3.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(c)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or", + "links": [ + { + "href": "#ma-3.3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-03(03)(d)", + "class": "sp800-53a" + } + ], + "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.", + "links": [ + { + "href": "#ma-3.3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization" + } + ] + }, + { + "id": "ma-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-4", + "class": "SP800-53", + "title": "Nonlocal Maintenance", + "props": [ + { + "name": "label", + "value": "MA-4" + }, + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-4_smt", + "name": "statement", + "parts": [ + { + "id": "ma-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" + }, + { + "id": "ma-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" + }, + { + "id": "ma-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + }, + { + "id": "ma-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" + }, + { + "id": "ma-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Terminate session and network connections when nonlocal maintenance is completed." + } + ] + }, + { + "id": "ma-4_gdn", + "name": "guidance", + "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." + }, + { + "id": "ma-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are approved;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "nonlocal maintenance and diagnostic activities are monitored;", + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04c.", + "class": "sp800-53a" + } + ], + "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", + "links": [ + { + "href": "#ma-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04d.", + "class": "sp800-53a" + } + ], + "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", + "links": [ + { + "href": "#ma-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "session connections are terminated when nonlocal maintenance is completed;", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "network connections are terminated when nonlocal maintenance is completed.", + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" + } + ] + } + ] + }, + { + "id": "ma-5", + "class": "SP800-53", + "title": "Maintenance Personnel", + "props": [ + { + "name": "label", + "value": "MA-5" + }, + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" + }, + { + "id": "ma-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" + }, + { + "id": "ma-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." + } + ] + }, + { + "id": "ma-5_gdn", + "name": "guidance", + "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." + }, + { + "id": "ma-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process for maintenance personnel authorization is established;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "a list of authorized maintenance organizations or personnel is maintained;", + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05b.", + "class": "sp800-53a" + } + ], + "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", + "links": [ + { + "href": "#ma-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05c.", + "class": "sp800-53a" + } + ], + "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", + "links": [ + { + "href": "#ma-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ma-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" + } + ] + } + ], + "controls": [ + { + "id": "ma-5.1", + "class": "SP800-53-enhancement", + "title": "Individuals Without Appropriate Access", + "params": [ + { + "id": "ma-05.01_odp", + "label": "alternate controls", + "guidelines": [ + { + "prose": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-5(1)" + }, + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-05.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ma-5", + "rel": "required" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-5.1_smt", + "name": "statement", + "parts": [ + { + "id": "ma-5.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", + "parts": [ + { + "id": "ma-5.1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(1)" + } + ], + "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and" + }, + { + "id": "ma-5.1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(2)" + } + ], + "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" + } + ] + }, + { + "id": "ma-5.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system." + }, + { + "id": "ma-5.1_fr", + "name": "item", + "title": "MA-5 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ma-5.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline" + } + ] + } + ] + }, + { + "id": "ma-5.1_gdn", + "name": "guidance", + "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." + }, + { + "id": "ma-5.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ma-5.1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(01)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(a)(02)", + "class": "sp800-53a" + } + ], + "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;", + "links": [ + { + "href": "#ma-5.1_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-05(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.", + "links": [ + { + "href": "#ma-5.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ma-5.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-5.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-05(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-5.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-05(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-5.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-05(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and/or implementing alternative security safeguards\n\nmechanisms supporting and/or implementing information storage component sanitization" + } + ] + } + ] + } + ] + }, + { + "id": "ma-6", + "class": "SP800-53", + "title": "Timely Maintenance", + "params": [ + { + "id": "ma-06_odp.01", + "label": "system components", + "guidelines": [ + { + "prose": "system components for which maintenance support and/or spare parts are obtained are defined;" + } + ] + }, + { + "id": "ma-06_odp.02", + "label": "time period", + "constraints": [ + { + "description": "a timeframe to support advertised uptime and availability" + } + ], + "guidelines": [ + { + "prose": "time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MA-6" + }, + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ma-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-13", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "ma-6_smt", + "name": "statement", + "prose": "Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure." + }, + { + "id": "ma-6_gdn", + "name": "guidance", + "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." + }, + { + "id": "ma-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MA-06", + "class": "sp800-53a" + } + ], + "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.", + "links": [ + { + "href": "#ma-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ma-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MA-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ma-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MA-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ma-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MA-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring timely maintenance" + } + ] + } + ] + } + ] + }, + { + "id": "mp", + "class": "family", + "title": "Media Protection", + "controls": [ + { + "id": "mp-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "mp-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "mp-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "mp-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the media protection policy and procedures is defined;" + } + ] + }, + { + "id": "mp-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "mp-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "mp-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require media protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-1" + }, + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-1_smt", + "name": "statement", + "parts": [ + { + "id": "mp-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", + "parts": [ + { + "id": "mp-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", + "parts": [ + { + "id": "mp-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "mp-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "mp-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" + } + ] + }, + { + "id": "mp-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" + }, + { + "id": "mp-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current media protection:", + "parts": [ + { + "id": "mp-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" + }, + { + "id": "mp-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "mp-1_gdn", + "name": "guidance", + "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "mp-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a media protection policy is developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#mp-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", + "links": [ + { + "href": "#mp-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "mp-2", + "class": "SP800-53", + "title": "Media Access", + "params": [ + { + "id": "mp-2_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and/or non-digital media containing sensitive information" + } + ] + }, + { + "id": "mp-2_prm_2", + "label": "organization-defined personnel or roles" + }, + { + "id": "mp-02_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access digital media is/are defined;" + } + ] + }, + { + "id": "mp-02_odp.03", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to which access is restricted are defined;" + } + ] + }, + { + "id": "mp-02_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles authorized to access non-digital media is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-2" + }, + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-2_smt", + "name": "statement", + "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." + }, + { + "id": "mp-2_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." + }, + { + "id": "mp-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[01]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-02[02]", + "class": "sp800-53a" + } + ], + "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" + } + ] + } + ] + }, + { + "id": "mp-3", + "class": "SP800-53", + "title": "Media Marking", + "params": [ + { + "id": "mp-03_odp.01", + "label": "types of media exempted from marking", + "constraints": [ + { + "description": "no removable media types" + } + ], + "guidelines": [ + { + "prose": "types of system media exempt from marking when remaining in controlled areas are defined;" + } + ] + }, + { + "id": "mp-03_odp.02", + "label": "controlled areas", + "constraints": [ + { + "description": "organization-defined security safeguards not applicable" + } + ], + "guidelines": [ + { + "prose": "controlled areas where media is exempt from marking are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-3" + }, + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "rel": "reference" + }, + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-3_smt", + "name": "statement", + "parts": [ + { + "id": "mp-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" + }, + { + "id": "mp-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}." + }, + { + "id": "mp-3_fr", + "name": "item", + "title": "MP-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Second parameter not-applicable" + } + ] + } + ] + }, + { + "id": "mp-3_gdn", + "name": "guidance", + "prose": "Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." + }, + { + "id": "mp-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03a.", + "class": "sp800-53a" + } + ], + "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;", + "links": [ + { + "href": "#mp-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.", + "links": [ + { + "href": "#mp-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for marking information media\n\nmechanisms supporting and/or implementing media marking" + } + ] + } + ] + }, + { + "id": "mp-4", + "class": "SP800-53", + "title": "Media Storage", + "params": [ + { + "id": "mp-4_prm_1", + "label": "organization-defined types of digital and/or non-digital media", + "constraints": [ + { + "description": "all types of digital and non-digital media with sensitive information" + } + ] + }, + { + "id": "mp-4_prm_2", + "label": "organization-defined controlled areas", + "constraints": [ + { + "description": "see additional FedRAMP requirements and guidance" + } + ] + }, + { + "id": "mp-04_odp.01", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.02", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be physically controlled are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.03", + "label": "types of digital media", + "guidelines": [ + { + "prose": "types of digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.04", + "label": "types of non-digital media", + "guidelines": [ + { + "prose": "types of non-digital media to be securely stored are defined (if selected);" + } + ] + }, + { + "id": "mp-04_odp.05", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store digital media are defined;" + } + ] + }, + { + "id": "mp-04_odp.06", + "label": "controlled areas", + "guidelines": [ + { + "prose": "controlled areas within which to securely store non-digital media are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-4" + }, + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-4_smt", + "name": "statement", + "parts": [ + { + "id": "mp-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + }, + { + "id": "mp-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." + }, + { + "id": "mp-4_fr", + "name": "item", + "title": "MP-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines controlled areas within facilities where the information and information system reside." + } + ] + } + ] + }, + { + "id": "mp-4_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection." + }, + { + "id": "mp-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};", + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-04b.", + "class": "sp800-53a" + } + ], + "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.", + "links": [ + { + "href": "#mp-4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "mp-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing secure media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-5", + "class": "SP800-53", + "title": "Media Transport", + "params": [ + { + "id": "mp-5_prm_2", + "label": "organization-defined controls", + "constraints": [ + { + "description": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container" + } + ] + }, + { + "id": "mp-05_odp.01", + "label": "types of system media", + "constraints": [ + { + "description": "all media with sensitive information" + } + ], + "guidelines": [ + { + "prose": "types of system media to protect and control during transport outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to protect system media outside of controlled areas are defined;" + } + ] + }, + { + "id": "mp-05_odp.03", + "label": "controls", + "guidelines": [ + { + "prose": "controls used to control system media outside of controlled areas are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-5" + }, + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-5_smt", + "name": "statement", + "parts": [ + { + "id": "mp-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};" + }, + { + "id": "mp-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain accountability for system media during transport outside of controlled areas;" + }, + { + "id": "mp-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document activities associated with the transport of system media; and" + }, + { + "id": "mp-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Restrict the activities associated with the transport of system media to authorized personnel." + }, + { + "id": "mp-5_fr", + "name": "item", + "title": "MP-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "mp-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO." + } + ] + } + ] + }, + { + "id": "mp-5_gdn", + "name": "guidance", + "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." + }, + { + "id": "mp-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};", + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05b.", + "class": "sp800-53a" + } + ], + "prose": "accountability for system media is maintained during transport outside of controlled areas;", + "links": [ + { + "href": "#mp-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05c.", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are documented;", + "links": [ + { + "href": "#mp-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-5_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[01]", + "class": "sp800-53a" + } + ], + "prose": "personnel authorized to conduct media transport activities is/are identified;", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-05d.[02]", + "class": "sp800-53a" + } + ], + "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.", + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing media storage/media protection" + } + ] + } + ] + }, + { + "id": "mp-6", + "class": "SP800-53", + "title": "Media Sanitization", + "params": [ + { + "id": "mp-6_prm_1", + "label": "organization-defined system media", + "constraints": [ + { + "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" + } + ] + }, + { + "id": "mp-6_prm_2", + "label": "organization-defined sanitization techniques and procedures" + }, + { + "id": "mp-06_odp.01", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to disposal is defined;" + } + ] + }, + { + "id": "mp-06_odp.02", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release from organizational control is defined;" + } + ] + }, + { + "id": "mp-06_odp.03", + "label": "system media", + "guidelines": [ + { + "prose": "system media to be sanitized prior to release for reuse is defined;" + } + ] + }, + { + "id": "mp-06_odp.04", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" + } + ] + }, + { + "id": "mp-06_odp.05", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" + } + ] + }, + { + "id": "mp-06_odp.06", + "label": "sanitization techniques and procedures", + "guidelines": [ + { + "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-6" + }, + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pm-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#si-18", + "rel": "related" + }, + { + "href": "#si-19", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-6_smt", + "name": "statement", + "parts": [ + { + "id": "mp-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" + }, + { + "id": "mp-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." + } + ] + }, + { + "id": "mp-6_gdn", + "name": "guidance", + "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." + }, + { + "id": "mp-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-06b.", + "class": "sp800-53a" + } + ], + "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", + "links": [ + { + "href": "#mp-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" + } + ] + } + ] + }, + { + "id": "mp-7", + "class": "SP800-53", + "title": "Media Use", + "params": [ + { + "id": "mp-07_odp.01", + "label": "types of system media", + "guidelines": [ + { + "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" + } + ] + }, + { + "id": "mp-07_odp.02", + "select": { + "choice": [ + "restrict", + "prohibit" + ] + } + }, + { + "id": "mp-07_odp.03", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" + } + ] + }, + { + "id": "mp-07_odp.04", + "label": "controls", + "guidelines": [ + { + "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "MP-7" + }, + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "mp-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#sc-41", + "rel": "related" + } + ], + "parts": [ + { + "id": "mp-7_smt", + "name": "statement", + "parts": [ + { + "id": "mp-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" + }, + { + "id": "mp-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." + } + ] + }, + { + "id": "mp-7_gdn", + "name": "guidance", + "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." + }, + { + "id": "mp-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "mp-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07a.", + "class": "sp800-53a" + } + ], + "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", + "links": [ + { + "href": "#mp-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "MP-07b.", + "class": "sp800-53a" + } + ], + "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", + "links": [ + { + "href": "#mp-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#mp-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "mp-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "MP-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "mp-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "MP-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "mp-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "MP-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" + } + ] + } + ] + } + ] + }, + { + "id": "pe", + "class": "family", + "title": "Physical and Environmental Protection", + "controls": [ + { + "id": "pe-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pe-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pe-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pe-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pe-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" + } + ] + }, + { + "id": "pe-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pe-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pe-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-1" + }, + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-1_smt", + "name": "statement", + "parts": [ + { + "id": "pe-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", + "parts": [ + { + "id": "pe-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", + "parts": [ + { + "id": "pe-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pe-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pe-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" + } + ] + }, + { + "id": "pe-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" + }, + { + "id": "pe-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current physical and environmental protection:", + "parts": [ + { + "id": "pe-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" + }, + { + "id": "pe-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pe-1_gdn", + "name": "guidance", + "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pe-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a physical and environmental protection policy is developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pe-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", + "links": [ + { + "href": "#pe-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pe-2", + "class": "SP800-53", + "title": "Physical Access Authorizations", + "params": [ + { + "id": "pe-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-2" + }, + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" + }, + { + "id": "pe-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Issue authorization credentials for facility access;" + }, + { + "id": "pe-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" + }, + { + "id": "pe-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remove individuals from the facility access list when access is no longer required." + } + ] + }, + { + "id": "pe-2_gdn", + "name": "guidance", + "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." + }, + { + "id": "pe-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02b.", + "class": "sp800-53a" + } + ], + "prose": "authorization credentials are issued for facility access;", + "links": [ + { + "href": "#pe-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02c.", + "class": "sp800-53a" + } + ], + "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", + "links": [ + { + "href": "#pe-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-02d.", + "class": "sp800-53a" + } + ], + "prose": "individuals are removed from the facility access list when access is no longer required.", + "links": [ + { + "href": "#pe-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" + } + ] + } + ] + }, + { + "id": "pe-3", + "class": "SP800-53", + "title": "Physical Access Control", + "params": [ + { + "id": "pe-3_prm_9", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least annually or earlier as required by a security relevant event." + } + ] + }, + { + "id": "pe-03_odp.01", + "label": "entry and exit points", + "guidelines": [ + { + "prose": "entry and exit points to the facility in which the system resides are defined;" + } + ] + }, + { + "id": "pe-03_odp.02", + "constraints": [ + { + "description": "CSP defined physical access control systems/devices AND guards" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pe-03_odp.03 }} ", + "guards" + ] + } + }, + { + "id": "pe-03_odp.03", + "label": "systems or devices", + "guidelines": [ + { + "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" + } + ] + }, + { + "id": "pe-03_odp.04", + "label": "entry or exit points", + "guidelines": [ + { + "prose": "entry or exit points for which physical access logs are maintained are defined;" + } + ] + }, + { + "id": "pe-03_odp.05", + "label": "physical access controls", + "guidelines": [ + { + "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" + } + ] + }, + { + "id": "pe-03_odp.06", + "label": "circumstances", + "constraints": [ + { + "description": "in all circumstances within restricted access area where the information system resides" + } + ], + "guidelines": [ + { + "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" + } + ] + }, + { + "id": "pe-03_odp.07", + "label": "physical access devices", + "guidelines": [ + { + "prose": "physical access devices to be inventoried are defined;" + } + ] + }, + { + "id": "pe-03_odp.08", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to inventory physical access devices is defined;" + } + ] + }, + { + "id": "pe-03_odp.09", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change combinations is defined;" + } + ] + }, + { + "id": "pe-03_odp.10", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to change keys is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-3" + }, + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#2100332a-16a5-4598-bacf-7261baea9711", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-3_smt", + "name": "statement", + "parts": [ + { + "id": "pe-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", + "parts": [ + { + "id": "pe-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Verifying individual access authorizations before granting access to the facility; and" + }, + { + "id": "pe-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" + } + ] + }, + { + "id": "pe-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" + }, + { + "id": "pe-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" + }, + { + "id": "pe-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" + }, + { + "id": "pe-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Secure keys, combinations, and other physical access devices;" + }, + { + "id": "pe-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" + }, + { + "id": "pe-3_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." + } + ] + }, + { + "id": "pe-3_gdn", + "name": "guidance", + "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." + }, + { + "id": "pe-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.01", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", + "links": [ + { + "href": "#pe-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03a.02", + "class": "sp800-53a" + } + ], + "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", + "links": [ + { + "href": "#pe-3_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03b.", + "class": "sp800-53a" + } + ], + "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", + "links": [ + { + "href": "#pe-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03c.", + "class": "sp800-53a" + } + ], + "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", + "links": [ + { + "href": "#pe-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "visitors are escorted;", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[01]", + "class": "sp800-53a" + } + ], + "prose": "keys are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[02]", + "class": "sp800-53a" + } + ], + "prose": "combinations are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03e.[03]", + "class": "sp800-53a" + } + ], + "prose": "other physical access devices are secured;", + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03f.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", + "links": [ + { + "href": "#pe-3_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-3_obj.g-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[01]", + "class": "sp800-53a" + } + ], + "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_obj.g-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-03g.[02]", + "class": "sp800-53a" + } + ], + "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" + } + ] + } + ] + }, + { + "id": "pe-4", + "class": "SP800-53", + "title": "Access Control for Transmission", + "params": [ + { + "id": "pe-04_odp.01", + "label": "system distribution and transmission lines", + "guidelines": [ + { + "prose": "system distribution and transmission lines requiring physical access controls are defined;" + } + ] + }, + { + "id": "pe-04_odp.02", + "label": "security controls", + "guidelines": [ + { + "prose": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-4" + }, + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-5", + "rel": "related" + }, + { + "href": "#pe-9", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-4_smt", + "name": "statement", + "prose": "Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}." + }, + { + "id": "pe-4_gdn", + "name": "guidance", + "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors." + }, + { + "id": "pe-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-04", + "class": "sp800-53a" + } + ], + "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.", + "links": [ + { + "href": "#pe-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to distribution and transmission lines\n\nmechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines" + } + ] + } + ] + }, + { + "id": "pe-5", + "class": "SP800-53", + "title": "Access Control for Output Devices", + "params": [ + { + "id": "pe-05_odp", + "label": "output devices", + "guidelines": [ + { + "prose": "output devices that require physical access control to output are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-5" + }, + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-5_smt", + "name": "statement", + "prose": "Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output." + }, + { + "id": "pe-5_gdn", + "name": "guidance", + "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." + }, + { + "id": "pe-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-05", + "class": "sp800-53a" + } + ], + "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.", + "links": [ + { + "href": "#pe-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" + } + ] + } + ] + }, + { + "id": "pe-6", + "class": "SP800-53", + "title": "Monitoring Physical Access", + "params": [ + { + "id": "pe-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review physical access logs is defined;" + } + ] + }, + { + "id": "pe-06_odp.02", + "label": "events", + "guidelines": [ + { + "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-6" + }, + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-6_smt", + "name": "statement", + "parts": [ + { + "id": "pe-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" + }, + { + "id": "pe-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" + }, + { + "id": "pe-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." + } + ] + }, + { + "id": "pe-6_gdn", + "name": "guidance", + "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." + }, + { + "id": "pe-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06a.", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", + "links": [ + { + "href": "#pe-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": "results of reviews are coordinated with organizational incident response capabilities;", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": "results of investigations are coordinated with organizational incident response capabilities.", + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" + } + ] + } + ], + "controls": [ + { + "id": "pe-6.1", + "class": "SP800-53-enhancement", + "title": "Intrusion Alarms and Surveillance Equipment", + "props": [ + { + "name": "label", + "value": "PE-6(1)" + }, + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-06.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-6", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-6.1_smt", + "name": "statement", + "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." + }, + { + "id": "pe-6.1_gdn", + "name": "guidance", + "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." + }, + { + "id": "pe-6.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-6.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-06(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.", + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-6.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-6.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-06(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-6.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-06(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-6.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-06(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment" + } + ] + } + ] + } + ] + }, + { + "id": "pe-8", + "class": "SP800-53", + "title": "Visitor Access Records", + "params": [ + { + "id": "pe-08_odp.01", + "label": "time period", + "constraints": [ + { + "description": "for a minimum of one (1) year" + } + ], + "guidelines": [ + { + "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" + } + ] + }, + { + "id": "pe-08_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review visitor access records is defined;" + } + ] + }, + { + "id": "pe-08_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-8" + }, + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-8_smt", + "name": "statement", + "parts": [ + { + "id": "pe-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" + }, + { + "id": "pe-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" + }, + { + "id": "pe-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." + } + ] + }, + { + "id": "pe-8_gdn", + "name": "guidance", + "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." + }, + { + "id": "pe-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08a.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", + "links": [ + { + "href": "#pe-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08b.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", + "links": [ + { + "href": "#pe-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-08c.", + "class": "sp800-53a" + } + ], + "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", + "links": [ + { + "href": "#pe-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" + } + ] + } + ] + }, + { + "id": "pe-9", + "class": "SP800-53", + "title": "Power Equipment and Cabling", + "props": [ + { + "name": "label", + "value": "PE-9" + }, + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-9_smt", + "name": "statement", + "prose": "Protect power equipment and power cabling for the system from damage and destruction." + }, + { + "id": "pe-9_gdn", + "name": "guidance", + "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems." + }, + { + "id": "pe-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[01]", + "class": "sp800-53a" + } + ], + "prose": "power equipment for the system is protected from damage and destruction;", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-09[02]", + "class": "sp800-53a" + } + ], + "prose": "power cabling for the system is protected from damage and destruction.", + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" + } + ] + } + ] + }, + { + "id": "pe-10", + "class": "SP800-53", + "title": "Emergency Shutoff", + "params": [ + { + "id": "pe-10_odp.01", + "label": "system or individual system components", + "guidelines": [ + { + "prose": "system or individual system components that require the capability to shut off power in emergency situations is/are defined;" + } + ] + }, + { + "id": "pe-10_odp.02", + "label": "location", + "constraints": [ + { + "description": "near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off" + } + ], + "guidelines": [ + { + "prose": "location of emergency shutoff switches or devices by system or system component is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-10" + }, + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-10_smt", + "name": "statement", + "parts": [ + { + "id": "pe-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;" + }, + { + "id": "pe-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and" + }, + { + "id": "pe-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect emergency power shutoff capability from unauthorized activation." + } + ] + }, + { + "id": "pe-10_gdn", + "name": "guidance", + "prose": "Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." + }, + { + "id": "pe-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10a.", + "class": "sp800-53a" + } + ], + "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;", + "links": [ + { + "href": "#pe-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10b.", + "class": "sp800-53a" + } + ], + "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;", + "links": [ + { + "href": "#pe-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-10c.", + "class": "sp800-53a" + } + ], + "prose": "the emergency power shutoff capability is protected from unauthorized activation.", + "links": [ + { + "href": "#pe-10_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing emergency power shutoff" + } + ] + } + ] + }, + { + "id": "pe-11", + "class": "SP800-53", + "title": "Emergency Power", + "params": [ + { + "id": "pe-11_odp", + "select": { + "choice": [ + "an orderly shutdown of the system", + "transition of the system to long-term alternate power" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "PE-11" + }, + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-11_smt", + "name": "statement", + "prose": "Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss." + }, + { + "id": "pe-11_gdn", + "name": "guidance", + "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system." + }, + { + "id": "pe-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-11", + "class": "sp800-53a" + } + ], + "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.", + "links": [ + { + "href": "#pe-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply" + } + ] + } + ] + }, + { + "id": "pe-12", + "class": "SP800-53", + "title": "Emergency Lighting", + "props": [ + { + "name": "label", + "value": "PE-12" + }, + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-12_smt", + "name": "statement", + "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." + }, + { + "id": "pe-12_gdn", + "name": "guidance", + "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." + }, + { + "id": "pe-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[01]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[02]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[03]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-12[04]", + "class": "sp800-53a" + } + ], + "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" + } + ] + } + ] + }, + { + "id": "pe-13", + "class": "SP800-53", + "title": "Fire Protection", + "props": [ + { + "name": "label", + "value": "PE-13" + }, + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-13_smt", + "name": "statement", + "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." + }, + { + "id": "pe-13_gdn", + "name": "guidance", + "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." + }, + { + "id": "pe-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[02]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[03]", + "class": "sp800-53a" + } + ], + "prose": "employed fire detection systems are maintained;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[04]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems are employed;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[05]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are supported by an independent energy source;", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13[06]", + "class": "sp800-53a" + } + ], + "prose": "employed fire suppression systems are maintained.", + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" + } + ] + } + ], + "controls": [ + { + "id": "pe-13.1", + "class": "SP800-53-enhancement", + "title": "Detection Systems — Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.01_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "service provider building maintenance/physical security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.01_odp.02", + "label": "emergency responders", + "constraints": [ + { + "description": "service provider emergency responders with incident response responsibilities" + } + ], + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(1)" + }, + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.1_smt", + "name": "statement", + "prose": "Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire." + }, + { + "id": "pe-13.1_gdn", + "name": "guidance", + "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that activate automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.", + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing fire detection devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + }, + { + "id": "pe-13.2", + "class": "SP800-53-enhancement", + "title": "Suppression Systems — Automatic Activation and Notification", + "params": [ + { + "id": "pe-13.02_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be notified in the event of a fire is/are defined;" + } + ] + }, + { + "id": "pe-13.02_odp.02", + "label": "emergency responders", + "guidelines": [ + { + "prose": "emergency responders to be notified in the event of a fire are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-13(2)" + }, + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-13.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pe-13", + "rel": "required" + } + ], + "parts": [ + { + "id": "pe-13.2_smt", + "name": "statement", + "parts": [ + { + "id": "pe-13.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and" + }, + { + "id": "pe-13.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." + } + ] + }, + { + "id": "pe-13.2_gdn", + "name": "guidance", + "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." + }, + { + "id": "pe-13.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-13.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that activate automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;", + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-13(02)(b)", + "class": "sp800-53a" + } + ], + "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.", + "links": [ + { + "href": "#pe-13.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-13.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-13.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-13(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-13.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-13(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-13.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-13(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing fire suppression devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications" + } + ] + } + ] + } + ] + }, + { + "id": "pe-14", + "class": "SP800-53", + "title": "Environmental Controls", + "params": [ + { + "id": "pe-14_odp.01", + "constraints": [ + { + "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "temperature", + "humidity", + "pressure", + "radiation", + " {{ insert: param, pe-14_odp.02 }} " + ] + } + }, + { + "id": "pe-14_odp.02", + "label": "environmental control", + "guidelines": [ + { + "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" + } + ] + }, + { + "id": "pe-14_odp.03", + "label": "acceptable levels", + "guidelines": [ + { + "prose": "acceptable levels for environmental controls are defined;" + } + ] + }, + { + "id": "pe-14_odp.04", + "label": "frequency", + "constraints": [ + { + "description": "continuously" + } + ], + "guidelines": [ + { + "prose": "frequency at which to monitor environmental control levels is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-14" + }, + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-14" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-14_smt", + "name": "statement", + "parts": [ + { + "id": "pe-14_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" + }, + { + "id": "pe-14_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." + }, + { + "id": "pe-14_fr", + "name": "item", + "title": "PE-14 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pe-14_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." + } + ] + } + ] + }, + { + "id": "pe-14_gdn", + "name": "guidance", + "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." + }, + { + "id": "pe-14_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-14_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", + "links": [ + { + "href": "#pe-14_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-14b.", + "class": "sp800-53a" + } + ], + "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", + "links": [ + { + "href": "#pe-14_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-14_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-14_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-14-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-14_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-14-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-14_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-14-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" + } + ] + } + ] + }, + { + "id": "pe-15", + "class": "SP800-53", + "title": "Water Damage Protection", + "props": [ + { + "name": "label", + "value": "PE-15" + }, + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-15_smt", + "name": "statement", + "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." + }, + { + "id": "pe-15_gdn", + "name": "guidance", + "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." + }, + { + "id": "pe-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-15_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[02]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are accessible;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[03]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are working properly;", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-15[04]", + "class": "sp800-53a" + } + ], + "prose": "the master shutoff or isolation valves are known to key personnel.", + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" + } + ] + } + ] + }, + { + "id": "pe-16", + "class": "SP800-53", + "title": "Delivery and Removal", + "params": [ + { + "id": "pe-16_prm_1", + "label": "organization-defined types of system components", + "constraints": [ + { + "description": "all information system components" + } + ] + }, + { + "id": "pe-16_odp.01", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when entering the facility are defined;" + } + ] + }, + { + "id": "pe-16_odp.02", + "label": "types of system components", + "guidelines": [ + { + "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-16" + }, + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-20", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-16_smt", + "name": "statement", + "parts": [ + { + "id": "pe-16_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" + }, + { + "id": "pe-16_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Maintain records of the system components." + } + ] + }, + { + "id": "pe-16_gdn", + "name": "guidance", + "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." + }, + { + "id": "pe-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-16_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16a.[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-16b.", + "class": "sp800-53a" + } + ], + "prose": "records of the system components are maintained.", + "links": [ + { + "href": "#pe-16_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "pe-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" + } + ] + } + ] + }, + { + "id": "pe-17", + "class": "SP800-53", + "title": "Alternate Work Site", + "params": [ + { + "id": "pe-17_odp.01", + "label": "alternate work sites", + "guidelines": [ + { + "prose": "alternate work sites allowed for use by employees are defined;" + } + ] + }, + { + "id": "pe-17_odp.02", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be employed at alternate work sites are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PE-17" + }, + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pe-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pe-17_smt", + "name": "statement", + "parts": [ + { + "id": "pe-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;" + }, + { + "id": "pe-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};" + }, + { + "id": "pe-17_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Assess the effectiveness of controls at alternate work sites; and" + }, + { + "id": "pe-17_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." + } + ] + }, + { + "id": "pe-17_gdn", + "name": "guidance", + "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations." + }, + { + "id": "pe-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pe-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;", + "links": [ + { + "href": "#pe-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;", + "links": [ + { + "href": "#pe-17_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17c.", + "class": "sp800-53a" + } + ], + "prose": "the effectiveness of controls at alternate work sites is assessed;", + "links": [ + { + "href": "#pe-17_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PE-17d.", + "class": "sp800-53a" + } + ], + "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.", + "links": [ + { + "href": "#pe-17_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pe-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pe-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PE-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pe-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PE-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pe-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PE-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel" + } + ] + } + ] + } + ] + }, + { + "id": "pl", + "class": "family", + "title": "Planning", + "controls": [ + { + "id": "pl-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "pl-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "pl-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "pl-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "pl-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the planning policy and procedures is defined;" + } + ] + }, + { + "id": "pl-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current planning policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "pl-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "pl-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-1" + }, + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-1_smt", + "name": "statement", + "parts": [ + { + "id": "pl-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", + "parts": [ + { + "id": "pl-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", + "parts": [ + { + "id": "pl-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "pl-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "pl-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" + } + ] + }, + { + "id": "pl-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" + }, + { + "id": "pl-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current planning:", + "parts": [ + { + "id": "pl-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" + }, + { + "id": "pl-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "pl-1_gdn", + "name": "guidance", + "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "pl-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a planning policy is developed and documented.", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#pl-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", + "links": [ + { + "href": "#pl-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "pl-2", + "class": "SP800-53", + "title": "System Security and Privacy Plans", + "params": [ + { + "id": "pl-02_odp.01", + "label": "individuals or groups", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ], + "guidelines": [ + { + "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" + } + ] + }, + { + "id": "pl-02_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency to review system security and privacy plans is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-2" + }, + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-14", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-10", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-2_smt", + "name": "statement", + "parts": [ + { + "id": "pl-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy plans for the system that:", + "parts": [ + { + "id": "pl-2_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Are consistent with the organization’s enterprise architecture;" + }, + { + "id": "pl-2_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Explicitly define the constituent system components;" + }, + { + "id": "pl-2_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe the operational context of the system in terms of mission and business processes;" + }, + { + "id": "pl-2_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Identify the individuals that fulfill system roles and responsibilities;" + }, + { + "id": "pl-2_smt.a.5", + "name": "item", + "props": [ + { + "name": "label", + "value": "5." + } + ], + "prose": "Identify the information types processed, stored, and transmitted by the system;" + }, + { + "id": "pl-2_smt.a.6", + "name": "item", + "props": [ + { + "name": "label", + "value": "6." + } + ], + "prose": "Provide the security categorization of the system, including supporting rationale;" + }, + { + "id": "pl-2_smt.a.7", + "name": "item", + "props": [ + { + "name": "label", + "value": "7." + } + ], + "prose": "Describe any specific threats to the system that are of concern to the organization;" + }, + { + "id": "pl-2_smt.a.8", + "name": "item", + "props": [ + { + "name": "label", + "value": "8." + } + ], + "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" + }, + { + "id": "pl-2_smt.a.9", + "name": "item", + "props": [ + { + "name": "label", + "value": "9." + } + ], + "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" + }, + { + "id": "pl-2_smt.a.10", + "name": "item", + "props": [ + { + "name": "label", + "value": "10." + } + ], + "prose": "Provide an overview of the security and privacy requirements for the system;" + }, + { + "id": "pl-2_smt.a.11", + "name": "item", + "props": [ + { + "name": "label", + "value": "11." + } + ], + "prose": "Identify any relevant control baselines or overlays, if applicable;" + }, + { + "id": "pl-2_smt.a.12", + "name": "item", + "props": [ + { + "name": "label", + "value": "12." + } + ], + "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" + }, + { + "id": "pl-2_smt.a.13", + "name": "item", + "props": [ + { + "name": "label", + "value": "13." + } + ], + "prose": "Include risk determinations for security and privacy architecture and design decisions;" + }, + { + "id": "pl-2_smt.a.14", + "name": "item", + "props": [ + { + "name": "label", + "value": "14." + } + ], + "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" + }, + { + "id": "pl-2_smt.a.15", + "name": "item", + "props": [ + { + "name": "label", + "value": "15." + } + ], + "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." + } + ] + }, + { + "id": "pl-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" + }, + { + "id": "pl-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" + }, + { + "id": "pl-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" + }, + { + "id": "pl-2_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Protect the plans from unauthorized disclosure and modification." + } + ] + }, + { + "id": "pl-2_gdn", + "name": "guidance", + "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." + }, + { + "id": "pl-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;", + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.5-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.5-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.05[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.5", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.6-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.6-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.06[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.6", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.7-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.7-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.07[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.7", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.8-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.8-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.08[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.8", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.9-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.9-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.09[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.9", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.10-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.10-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.10[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.10", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.11-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.11-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.11[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.11", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.12-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.12-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.12[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.12", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.13-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.13-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.13[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.13", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.14-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.14-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.14[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.14", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.a.15-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[01]", + "class": "sp800-53a" + } + ], + "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.a.15-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02a.15[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a.15", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02c.", + "class": "sp800-53a" + } + ], + "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", + "links": [ + { + "href": "#pl-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address changes to the system and environment of operations;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during the plan implementation;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02d.[03]", + "class": "sp800-53a" + } + ], + "prose": "plans are updated to address problems identified during control assessments;", + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-2_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[01]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized disclosure;", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-02e.[02]", + "class": "sp800-53a" + } + ], + "prose": "plans are protected from unauthorized modification.", + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" + } + ] + } + ] + }, + { + "id": "pl-4", + "class": "SP800-53", + "title": "Rules of Behavior", + "params": [ + { + "id": "pl-04_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "frequency for reviewing and updating the rules of behavior is defined;" + } + ] + }, + { + "id": "pl-04_odp.02", + "constraints": [ + { + "description": "at least annually and when the rules are revised or changed" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, pl-04_odp.03 }} ", + "when the rules are revised or updated" + ] + } + }, + { + "id": "pl-04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-4" + }, + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-9", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#mp-7", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4_smt", + "name": "statement", + "parts": [ + { + "id": "pl-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" + }, + { + "id": "pl-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" + }, + { + "id": "pl-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" + }, + { + "id": "pl-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." + } + ] + }, + { + "id": "pl-4_gdn", + "name": "guidance", + "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." + }, + { + "id": "pl-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04b.", + "class": "sp800-53a" + } + ], + "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", + "links": [ + { + "href": "#pl-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04c.", + "class": "sp800-53a" + } + ], + "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", + "links": [ + { + "href": "#pl-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04d.", + "class": "sp800-53a" + } + ], + "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", + "links": [ + { + "href": "#pl-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" + } + ] + } + ], + "controls": [ + { + "id": "pl-4.1", + "class": "SP800-53-enhancement", + "title": "Social Media and External Site/Application Usage Restrictions", + "props": [ + { + "name": "label", + "value": "PL-4(1)" + }, + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "required" + }, + { + "href": "#ac-22", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-4.1_smt", + "name": "statement", + "prose": "Include in the rules of behavior, restrictions on:", + "parts": [ + { + "id": "pl-4.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Use of social media, social networking sites, and external sites/applications;" + }, + { + "id": "pl-4.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Posting organizational information on public websites; and" + }, + { + "id": "pl-4.1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." + } + ] + }, + { + "id": "pl-4.1_gdn", + "name": "guidance", + "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." + }, + { + "id": "pl-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-4.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", + "links": [ + { + "href": "#pl-4.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", + "links": [ + { + "href": "#pl-4.1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-04(01)(c)", + "class": "sp800-53a" + } + ], + "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", + "links": [ + { + "href": "#pl-4.1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" + } + ] + } + ] + } + ] + }, + { + "id": "pl-8", + "class": "SP800-53", + "title": "Security and Privacy Architectures", + "params": [ + { + "id": "pl-08_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "frequency for review and update to reflect changes in the enterprise architecture;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PL-8" + }, + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-5", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-8_smt", + "name": "statement", + "parts": [ + { + "id": "pl-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop security and privacy architectures for the system that:", + "parts": [ + { + "id": "pl-8_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" + }, + { + "id": "pl-8_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" + }, + { + "id": "pl-8_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" + }, + { + "id": "pl-8_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Describe any assumptions about, and dependencies on, external systems and services;" + } + ] + }, + { + "id": "pl-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" + }, + { + "id": "pl-8_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." + }, + { + "id": "pl-8_fr", + "name": "item", + "title": "PL-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + } + ] + } + ] + }, + { + "id": "pl-8_gdn", + "name": "guidance", + "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." + }, + { + "id": "pl-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.01", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", + "links": [ + { + "href": "#pl-8_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.02", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", + "links": [ + { + "href": "#pl-8_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.a.4-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[01]", + "class": "sp800-53a" + } + ], + "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.a.4-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08a.04[02]", + "class": "sp800-53a" + } + ], + "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08b.", + "class": "sp800-53a" + } + ], + "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", + "links": [ + { + "href": "#pl-8_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "pl-8_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[01]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the security plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[02]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the privacy plan;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[03]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[04]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in criticality analysis;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[05]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in organizational procedures;", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_obj.c-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-08c.[06]", + "class": "sp800-53a" + } + ], + "prose": "planned architecture changes are reflected in procurements and acquisitions.", + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#pl-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "pl-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PL-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" + } + ] + } + ] + }, + { + "id": "pl-10", + "class": "SP800-53", + "title": "Baseline Selection", + "props": [ + { + "name": "label", + "value": "PL-10" + }, + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-10_smt", + "name": "statement", + "prose": "Select a control baseline for the system.", + "parts": [ + { + "id": "pl-10_fr", + "name": "item", + "title": "PL-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "pl-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Select the appropriate FedRAMP Baseline" + } + ] + } + ] + }, + { + "id": "pl-10_gdn", + "name": "guidance", + "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." + }, + { + "id": "pl-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-10", + "class": "sp800-53a" + } + ], + "prose": "a control baseline for the system is selected.", + "links": [ + { + "href": "#pl-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" + } + ] + } + ] + }, + { + "id": "pl-11", + "class": "SP800-53", + "title": "Baseline Tailoring", + "props": [ + { + "name": "label", + "value": "PL-11" + }, + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "pl-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#46d9e201-840e-440e-987c-2c773333c752", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "pl-11_smt", + "name": "statement", + "prose": "Tailor the selected control baseline by applying specified tailoring actions." + }, + { + "id": "pl-11_gdn", + "name": "guidance", + "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." + }, + { + "id": "pl-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PL-11", + "class": "sp800-53a" + } + ], + "prose": "the selected control baseline is tailored by applying specified tailoring actions.", + "links": [ + { + "href": "#pl-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "pl-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PL-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" + } + ] + }, + { + "id": "pl-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PL-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "ps", + "class": "family", + "title": "Personnel Security", + "controls": [ + { + "id": "ps-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ps-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ps-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ps-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ps-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the personnel security policy and procedures is defined;" + } + ] + }, + { + "id": "ps-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ps-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ps-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-1" + }, + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-1_smt", + "name": "statement", + "parts": [ + { + "id": "ps-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", + "parts": [ + { + "id": "ps-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", + "parts": [ + { + "id": "ps-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ps-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ps-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" + } + ] + }, + { + "id": "ps-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" + }, + { + "id": "ps-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current personnel security:", + "parts": [ + { + "id": "ps-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" + }, + { + "id": "ps-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ps-1_gdn", + "name": "guidance", + "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ps-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a personnel security policy is developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ps-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", + "links": [ + { + "href": "#ps-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "ps-2", + "class": "SP800-53", + "title": "Position Risk Designation", + "params": [ + { + "id": "ps-02_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every three years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update position risk designations is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-2" + }, + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#ac-5", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-2_smt", + "name": "statement", + "parts": [ + { + "id": "ps-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Assign a risk designation to all organizational positions;" + }, + { + "id": "ps-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Establish screening criteria for individuals filling those positions; and" + }, + { + "id": "ps-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." + } + ] + }, + { + "id": "ps-2_gdn", + "name": "guidance", + "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." + }, + { + "id": "ps-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02a.", + "class": "sp800-53a" + } + ], + "prose": "a risk designation is assigned to all organizational positions;", + "links": [ + { + "href": "#ps-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02b.", + "class": "sp800-53a" + } + ], + "prose": "screening criteria are established for individuals filling organizational positions;", + "links": [ + { + "href": "#ps-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-02c.", + "class": "sp800-53a" + } + ], + "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", + "links": [ + { + "href": "#ps-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" + } + ] + } + ] + }, + { + "id": "ps-3", + "class": "SP800-53", + "title": "Personnel Screening", + "params": [ + { + "id": "ps-3_prm_1", + "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", + "constraints": [ + { + "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" + } + ] + }, + { + "id": "ps-03_odp.01", + "label": "conditions requiring rescreening", + "guidelines": [ + { + "prose": "conditions requiring rescreening of individuals are defined;" + } + ] + }, + { + "id": "ps-03_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency of rescreening individuals where it is so indicated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3" + }, + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", + "rel": "reference" + }, + { + "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "rel": "reference" + }, + { + "href": "#828856bd-d7c4-427b-8b51-815517ec382d", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-3_smt", + "name": "statement", + "parts": [ + { + "id": "ps-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Screen individuals prior to authorizing access to the system; and" + }, + { + "id": "ps-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." + } + ] + }, + { + "id": "ps-3_gdn", + "name": "guidance", + "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." + }, + { + "id": "ps-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03a.", + "class": "sp800-53a" + } + ], + "prose": "individuals are screened prior to authorizing access to the system;", + "links": [ + { + "href": "#ps-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel screening" + } + ] + } + ], + "controls": [ + { + "id": "ps-3.3", + "class": "SP800-53-enhancement", + "title": "Information Requiring Special Protective Measures", + "params": [ + { + "id": "ps-03.03_odp", + "label": "additional personnel screening criteria", + "constraints": [ + { + "description": "personnel screening criteria – as required by specific information" + } + ], + "guidelines": [ + { + "prose": "additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-3(3)" + }, + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-03.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ps-3", + "rel": "required" + } + ], + "parts": [ + { + "id": "ps-3.3_smt", + "name": "statement", + "prose": "Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:", + "parts": [ + { + "id": "ps-3.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Have valid access authorizations that are demonstrated by assigned official government duties; and" + }, + { + "id": "ps-3.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Satisfy {{ insert: param, ps-03.03_odp }}." + } + ] + }, + { + "id": "ps-3.3_gdn", + "name": "guidance", + "prose": "Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements." + }, + { + "id": "ps-3.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-3.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;", + "links": [ + { + "href": "#ps-3.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-03(03)(b)", + "class": "sp800-53a" + } + ], + "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.", + "links": [ + { + "href": "#ps-3.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-3.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-3.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-03(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-3.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-03(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-3.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-03(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection" + } + ] + } + ] + } + ] + }, + { + "id": "ps-4", + "class": "SP800-53", + "title": "Personnel Termination", + "params": [ + { + "id": "ps-04_odp.01", + "label": "time period", + "constraints": [ + { + "description": "four (4) hours" + } + ], + "guidelines": [ + { + "prose": "a time period within which to disable system access is defined;" + } + ] + }, + { + "id": "ps-04_odp.02", + "label": "information security topics", + "guidelines": [ + { + "prose": "information security topics to be discussed when conducting exit interviews are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-4" + }, + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-4_smt", + "name": "statement", + "prose": "Upon termination of individual employment:", + "parts": [ + { + "id": "ps-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" + }, + { + "id": "ps-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" + }, + { + "id": "ps-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" + }, + { + "id": "ps-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Retrieve all security-related organizational system-related property; and" + }, + { + "id": "ps-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." + } + ] + }, + { + "id": "ps-4_gdn", + "name": "guidance", + "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." + }, + { + "id": "ps-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04a.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", + "links": [ + { + "href": "#ps-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04b.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", + "links": [ + { + "href": "#ps-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04c.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", + "links": [ + { + "href": "#ps-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04d.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", + "links": [ + { + "href": "#ps-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-04e.", + "class": "sp800-53a" + } + ], + "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", + "links": [ + { + "href": "#ps-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-5", + "class": "SP800-53", + "title": "Personnel Transfer", + "params": [ + { + "id": "ps-05_odp.01", + "label": "transfer or reassignment actions", + "guidelines": [ + { + "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" + } + ] + }, + { + "id": "ps-05_odp.02", + "label": "time period following the formal transfer action", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" + } + ] + }, + { + "id": "ps-05_odp.03", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" + } + ] + }, + { + "id": "ps-05_odp.04", + "label": "time period", + "constraints": [ + { + "description": "twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-5" + }, + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ia-4", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-5_smt", + "name": "statement", + "parts": [ + { + "id": "ps-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" + }, + { + "id": "ps-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" + }, + { + "id": "ps-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" + }, + { + "id": "ps-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." + } + ] + }, + { + "id": "ps-5_gdn", + "name": "guidance", + "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." + }, + { + "id": "ps-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05a.", + "class": "sp800-53a" + } + ], + "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", + "links": [ + { + "href": "#ps-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", + "links": [ + { + "href": "#ps-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05c.", + "class": "sp800-53a" + } + ], + "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", + "links": [ + { + "href": "#ps-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-05d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", + "links": [ + { + "href": "#ps-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" + } + ] + } + ] + }, + { + "id": "ps-6", + "class": "SP800-53", + "title": "Access Agreements", + "params": [ + { + "id": "ps-06_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update access agreements is defined;" + } + ] + }, + { + "id": "ps-06_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually and any time there is a change to the user's level of access" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-6" + }, + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#pe-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-6_smt", + "name": "statement", + "parts": [ + { + "id": "ps-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and document access agreements for organizational systems;" + }, + { + "id": "ps-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" + }, + { + "id": "ps-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that individuals requiring access to organizational information and systems:", + "parts": [ + { + "id": "ps-6_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Sign appropriate access agreements prior to being granted access; and" + }, + { + "id": "ps-6_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." + } + ] + } + ] + }, + { + "id": "ps-6_gdn", + "name": "guidance", + "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." + }, + { + "id": "ps-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06a.", + "class": "sp800-53a" + } + ], + "prose": "access agreements are developed and documented for organizational systems;", + "links": [ + { + "href": "#ps-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06b.", + "class": "sp800-53a" + } + ], + "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", + "links": [ + { + "href": "#ps-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-6_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.01", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", + "links": [ + { + "href": "#ps-6_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-06c.02", + "class": "sp800-53a" + } + ], + "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", + "links": [ + { + "href": "#ps-6_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" + } + ] + } + ] + }, + { + "id": "ps-7", + "class": "SP800-53", + "title": "External Personnel Security", + "params": [ + { + "id": "ps-07_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "including access control personnel responsible for the system and/or facilities, as appropriate" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" + } + ] + }, + { + "id": "ps-07_odp.02", + "label": "time period", + "constraints": [ + { + "description": "within twenty-four (24) hours" + } + ], + "guidelines": [ + { + "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-7" + }, + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#at-2", + "rel": "related" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-3", + "rel": "related" + }, + { + "href": "#ps-4", + "rel": "related" + }, + { + "href": "#ps-5", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-7_smt", + "name": "statement", + "parts": [ + { + "id": "ps-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" + }, + { + "id": "ps-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" + }, + { + "id": "ps-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document personnel security requirements;" + }, + { + "id": "ps-7_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" + }, + { + "id": "ps-7_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Monitor provider compliance with personnel security requirements." + } + ] + }, + { + "id": "ps-7_gdn", + "name": "guidance", + "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." + }, + { + "id": "ps-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07a.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", + "links": [ + { + "href": "#ps-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07b.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", + "links": [ + { + "href": "#ps-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07c.", + "class": "sp800-53a" + } + ], + "prose": "personnel security requirements are documented;", + "links": [ + { + "href": "#ps-7_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07d.", + "class": "sp800-53a" + } + ], + "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", + "links": [ + { + "href": "#ps-7_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-07e.", + "class": "sp800-53a" + } + ], + "prose": "provider compliance with personnel security requirements is monitored.", + "links": [ + { + "href": "#ps-7_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "ps-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" + } + ] + } + ] + }, + { + "id": "ps-8", + "class": "SP800-53", + "title": "Personnel Sanctions", + "params": [ + { + "id": "ps-08_odp.01", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" + } + ] + }, + { + "id": "ps-08_odp.02", + "label": "time period", + "constraints": [ + { + "description": "24 hours" + } + ], + "guidelines": [ + { + "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "PS-8" + }, + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-1", + "rel": "related" + } + ], + "parts": [ + { + "id": "ps-8_smt", + "name": "statement", + "parts": [ + { + "id": "ps-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" + }, + { + "id": "ps-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." + } + ] + }, + { + "id": "ps-8_gdn", + "name": "guidance", + "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." + }, + { + "id": "ps-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08a.", + "class": "sp800-53a" + } + ], + "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", + "links": [ + { + "href": "#ps-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-08b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", + "links": [ + { + "href": "#ps-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" + } + ] + }, + { + "id": "ps-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" + } + ] + } + ] + }, + { + "id": "ps-9", + "class": "SP800-53", + "title": "Position Descriptions", + "props": [ + { + "name": "label", + "value": "PS-9" + }, + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ps-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + } + ], + "parts": [ + { + "id": "ps-9_smt", + "name": "statement", + "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." + }, + { + "id": "ps-9_gdn", + "name": "guidance", + "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." + }, + { + "id": "ps-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ps-9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[01]", + "class": "sp800-53a" + } + ], + "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "PS-09[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ps-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ps-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "PS-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ps-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "PS-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" + } + ] + }, + { + "id": "ps-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "PS-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for managing position descriptions" + } + ] + } + ] + } + ] + }, + { + "id": "ra", + "class": "family", + "title": "Risk Assessment", + "controls": [ + { + "id": "ra-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "ra-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "ra-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "ra-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the risk assessment policy and procedures is defined;" + } + ] + }, + { + "id": "ra-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "ra-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "ra-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-1" + }, + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", + "parts": [ + { + "id": "ra-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", + "parts": [ + { + "id": "ra-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "ra-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "ra-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" + } + ] + }, + { + "id": "ra-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" + }, + { + "id": "ra-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current risk assessment:", + "parts": [ + { + "id": "ra-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" + }, + { + "id": "ra-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "ra-1_gdn", + "name": "guidance", + "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "ra-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment policy is developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#ra-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", + "links": [ + { + "href": "#ra-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "ra-2", + "class": "SP800-53", + "title": "Security Categorization", + "props": [ + { + "name": "label", + "value": "RA-2" + }, + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", + "rel": "reference" + }, + { + "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "rel": "reference" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-2_smt", + "name": "statement", + "parts": [ + { + "id": "ra-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Categorize the system and information it processes, stores, and transmits;" + }, + { + "id": "ra-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" + }, + { + "id": "ra-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." + } + ] + }, + { + "id": "ra-2_gdn", + "name": "guidance", + "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." + }, + { + "id": "ra-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02a.", + "class": "sp800-53a" + } + ], + "prose": "the system and the information it processes, stores, and transmits are categorized;", + "links": [ + { + "href": "#ra-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02b.", + "class": "sp800-53a" + } + ], + "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", + "links": [ + { + "href": "#ra-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-02c.", + "class": "sp800-53a" + } + ], + "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", + "links": [ + { + "href": "#ra-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security categorization" + } + ] + } + ] + }, + { + "id": "ra-3", + "class": "SP800-53", + "title": "Risk Assessment", + "params": [ + { + "id": "ra-03_odp.01", + "constraints": [ + { + "description": "security assessment report" + } + ], + "select": { + "choice": [ + "security and privacy plans", + "risk assessment report", + " {{ insert: param, ra-03_odp.02 }} " + ] + } + }, + { + "id": "ra-03_odp.02", + "label": "document", + "guidelines": [ + { + "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" + } + ] + }, + { + "id": "ra-03_odp.03", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years and when a significant change occurs" + } + ], + "guidelines": [ + { + "prose": "the frequency to review risk assessment results is defined;" + } + ] + }, + { + "id": "ra-03_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" + } + ] + }, + { + "id": "ra-03_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every three (3) years" + } + ], + "guidelines": [ + { + "prose": "the frequency to update the risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3" + }, + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-13", + "rel": "related" + }, + { + "href": "#cp-6", + "rel": "related" + }, + { + "href": "#cp-7", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ma-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-8", + "rel": "related" + }, + { + "href": "#pe-18", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Conduct a risk assessment, including:", + "parts": [ + { + "id": "ra-3_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Identifying threats to and vulnerabilities in the system;" + }, + { + "id": "ra-3_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" + }, + { + "id": "ra-3_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" + } + ] + }, + { + "id": "ra-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" + }, + { + "id": "ra-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" + }, + { + "id": "ra-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" + }, + { + "id": "ra-3_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" + }, + { + "id": "ra-3_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." + }, + { + "id": "ra-3_fr", + "name": "item", + "title": "RA-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-3_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." + }, + { + "id": "ra-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." + } + ] + } + ] + }, + { + "id": "ra-3_gdn", + "name": "guidance", + "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." + }, + { + "id": "ra-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.01", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", + "links": [ + { + "href": "#ra-3_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.02", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", + "links": [ + { + "href": "#ra-3_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03a.03", + "class": "sp800-53a" + } + ], + "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", + "links": [ + { + "href": "#ra-3_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03b.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", + "links": [ + { + "href": "#ra-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03c.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", + "links": [ + { + "href": "#ra-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03d.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", + "links": [ + { + "href": "#ra-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03e.", + "class": "sp800-53a" + } + ], + "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", + "links": [ + { + "href": "#ra-3_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03f.", + "class": "sp800-53a" + } + ], + "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", + "links": [ + { + "href": "#ra-3_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" + } + ] + } + ], + "controls": [ + { + "id": "ra-3.1", + "class": "SP800-53-enhancement", + "title": "Supply Chain Risk Assessment", + "params": [ + { + "id": "ra-03.01_odp.01", + "label": "systems, system components, and system services", + "guidelines": [ + { + "prose": "systems, system components, and system services to assess supply chain risks are defined;" + } + ] + }, + { + "id": "ra-03.01_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to update the supply chain risk assessment is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-3(1)" + }, + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-03.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-3", + "rel": "required" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#pm-17", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-3.1_smt", + "name": "statement", + "parts": [ + { + "id": "ra-3.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" + }, + { + "id": "ra-3.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." + } + ] + }, + { + "id": "ra-3.1_gdn", + "name": "guidance", + "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." + }, + { + "id": "ra-3.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-3.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", + "links": [ + { + "href": "#ra-3.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-03(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", + "links": [ + { + "href": "#ra-3.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-3.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-3.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-03(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-3.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-03(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "ra-3.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-03(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" + } + ] + } + ] + } + ] + }, + { + "id": "ra-5", + "class": "SP800-53", + "title": "Vulnerability Monitoring and Scanning", + "params": [ + { + "id": "ra-5_prm_1", + "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", + "constraints": [ + { + "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" + } + ] + }, + { + "id": "ra-05_odp.01", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.02", + "label": "frequency and/or randomly in accordance with organization-defined process", + "guidelines": [ + { + "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" + } + ] + }, + { + "id": "ra-05_odp.03", + "label": "response times", + "constraints": [ + { + "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" + } + ], + "guidelines": [ + { + "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" + } + ] + }, + { + "id": "ra-05_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5" + }, + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", + "rel": "reference" + }, + { + "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-8", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5_smt", + "name": "statement", + "parts": [ + { + "id": "ra-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" + }, + { + "id": "ra-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", + "parts": [ + { + "id": "ra-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Enumerating platforms, software flaws, and improper configurations;" + }, + { + "id": "ra-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Formatting checklists and test procedures; and" + }, + { + "id": "ra-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Measuring vulnerability impact;" + } + ] + }, + { + "id": "ra-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" + }, + { + "id": "ra-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" + }, + { + "id": "ra-5_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" + }, + { + "id": "ra-5_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + }, + { + "id": "ra-5_fr", + "name": "item", + "title": "RA-5 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "ra-5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" + }, + { + "id": "ra-5_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a) Requirement:" + } + ], + "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." + }, + { + "id": "ra-5_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d) Requirement:" + } + ], + "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." + }, + { + "id": "ra-5_fr_smt.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" + }, + { + "id": "ra-5_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs." + } + ] + } + ] + }, + { + "id": "ra-5_gdn", + "name": "guidance", + "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." + }, + { + "id": "ra-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-5_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[01]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05a.[02]", + "class": "sp800-53a" + } + ], + "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", + "parts": [ + { + "id": "ra-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.01", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", + "links": [ + { + "href": "#ra-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.02", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", + "links": [ + { + "href": "#ra-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05b.03", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", + "links": [ + { + "href": "#ra-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05c.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", + "links": [ + { + "href": "#ra-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05d.", + "class": "sp800-53a" + } + ], + "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", + "links": [ + { + "href": "#ra-5_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05e.", + "class": "sp800-53a" + } + ], + "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", + "links": [ + { + "href": "#ra-5_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05f.", + "class": "sp800-53a" + } + ], + "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", + "links": [ + { + "href": "#ra-5_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" + } + ] + } + ], + "controls": [ + { + "id": "ra-5.2", + "class": "SP800-53-enhancement", + "title": "Update Vulnerabilities to Be Scanned", + "params": [ + { + "id": "ra-05.02_odp.01", + "constraints": [ + { + "description": "within 24 hours prior to running scans" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, ra-05.02_odp.02 }} ", + "prior to a new scan", + "when new vulnerabilities are identified and reported" + ] + } + }, + { + "id": "ra-05.02_odp.02", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(2)" + }, + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + }, + { + "href": "#si-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-5.2_smt", + "name": "statement", + "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." + }, + { + "id": "ra-5.2_gdn", + "name": "guidance", + "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." + }, + { + "id": "ra-5.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(02)", + "class": "sp800-53a" + } + ], + "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", + "links": [ + { + "href": "#ra-5.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "ra-5.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.3", + "class": "SP800-53-enhancement", + "title": "Breadth and Depth of Coverage", + "props": [ + { + "name": "label", + "value": "RA-5(3)" + }, + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.3_smt", + "name": "statement", + "prose": "Define the breadth and depth of vulnerability scanning coverage." + }, + { + "id": "ra-5.3_gdn", + "name": "guidance", + "prose": "The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage." + }, + { + "id": "ra-5.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(03)", + "class": "sp800-53a" + } + ], + "prose": "the breadth and depth of vulnerability scanning coverage are defined.", + "links": [ + { + "href": "#ra-5.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.5", + "class": "SP800-53-enhancement", + "title": "Privileged Access", + "params": [ + { + "id": "ra-05.05_odp.01", + "label": "system components", + "constraints": [ + { + "description": "all components that support authentication" + } + ], + "guidelines": [ + { + "prose": "system components to which privileged access is authorized for selected vulnerability scanning activities are defined;" + } + ] + }, + { + "id": "ra-05.05_odp.02", + "label": "vulnerability scanning activities", + "constraints": [ + { + "description": "all scans" + } + ], + "guidelines": [ + { + "prose": "vulnerability scanning activities selected for privileged access authorization to system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-5(5)" + }, + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.5_smt", + "name": "statement", + "prose": "Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}." + }, + { + "id": "ra-5.5_gdn", + "name": "guidance", + "prose": "In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning." + }, + { + "id": "ra-5.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(05)", + "class": "sp800-53a" + } + ], + "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.", + "links": [ + { + "href": "#ra-5.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and/or implementing access control\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" + } + ] + } + ] + }, + { + "id": "ra-5.11", + "class": "SP800-53-enhancement", + "title": "Public Disclosure Program", + "props": [ + { + "name": "label", + "value": "RA-5(11)" + }, + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-05.11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ra-5", + "rel": "required" + } + ], + "parts": [ + { + "id": "ra-5.11_smt", + "name": "statement", + "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." + }, + { + "id": "ra-5.11_gdn", + "name": "guidance", + "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." + }, + { + "id": "ra-5.11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-05(11)", + "class": "sp800-53a" + } + ], + "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", + "links": [ + { + "href": "#ra-5.11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-5.11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-05(11)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-5.11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-05(11)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-5.11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-05(11)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" + } + ] + } + ] + } + ] + }, + { + "id": "ra-7", + "class": "SP800-53", + "title": "Risk Response", + "props": [ + { + "name": "label", + "value": "RA-7" + }, + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ir-9", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-28", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-7_smt", + "name": "statement", + "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." + }, + { + "id": "ra-7_gdn", + "name": "guidance", + "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." + }, + { + "id": "ra-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "ra-7_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[01]", + "class": "sp800-53a" + } + ], + "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[02]", + "class": "sp800-53a" + } + ], + "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[03]", + "class": "sp800-53a" + } + ], + "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-07[04]", + "class": "sp800-53a" + } + ], + "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#ra-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" + } + ] + }, + { + "id": "ra-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + }, + { + "id": "ra-9", + "class": "SP800-53", + "title": "Criticality Analysis", + "params": [ + { + "id": "ra-09_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services to be analyzed for criticality are defined;" + } + ] + }, + { + "id": "ra-09_odp.02", + "label": "decision points in the system development life cycle", + "guidelines": [ + { + "prose": "decision points in the system development life cycle when a criticality analysis is to be performed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "RA-9" + }, + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "ra-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#pm-1", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "ra-9_smt", + "name": "statement", + "prose": "Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}." + }, + { + "id": "ra-9_gdn", + "name": "guidance", + "prose": "Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)." + }, + { + "id": "ra-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "RA-09", + "class": "sp800-53a" + } + ], + "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.", + "links": [ + { + "href": "#ra-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "ra-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "RA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Risk assessment policy\n\nassessment reports\n\ncriticality analysis/finalized criticality for each component/subcomponent\n\naudit records/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "ra-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "RA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem/network administrators\n\norganizational personnel with security responsibilities" + } + ] + }, + { + "id": "ra-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "RA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" + } + ] + } + ] + } + ] + }, + { + "id": "sa", + "class": "family", + "title": "System and Services Acquisition", + "controls": [ + { + "id": "sa-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sa-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sa-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sa-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sa-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and services acquisition policy and procedures is defined;" + } + ] + }, + { + "id": "sa-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sa-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sa-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-1" + }, + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", + "parts": [ + { + "id": "sa-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", + "parts": [ + { + "id": "sa-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sa-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sa-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" + } + ] + }, + { + "id": "sa-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" + }, + { + "id": "sa-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and services acquisition:", + "parts": [ + { + "id": "sa-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" + }, + { + "id": "sa-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sa-1_gdn", + "name": "guidance", + "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sa-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and services acquisition policy is developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sa-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", + "links": [ + { + "href": "#sa-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sa-2", + "class": "SP800-53", + "title": "Allocation of Resources", + "props": [ + { + "name": "label", + "value": "SA-2" + }, + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#pl-7", + "rel": "related" + }, + { + "href": "#pm-3", + "rel": "related" + }, + { + "href": "#pm-11", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-2_smt", + "name": "statement", + "parts": [ + { + "id": "sa-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" + }, + { + "id": "sa-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" + }, + { + "id": "sa-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." + } + ] + }, + { + "id": "sa-2_gdn", + "name": "guidance", + "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." + }, + { + "id": "sa-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" + } + ] + } + ] + }, + { + "id": "sa-3", + "class": "SP800-53", + "title": "System Development Life Cycle", + "params": [ + { + "id": "sa-03_odp", + "label": "system-development life cycle", + "guidelines": [ + { + "prose": "system development life cycle is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-3" + }, + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-22", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-3_smt", + "name": "statement", + "parts": [ + { + "id": "sa-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" + }, + { + "id": "sa-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" + }, + { + "id": "sa-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Identify individuals having information security and privacy roles and responsibilities; and" + }, + { + "id": "sa-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." + } + ] + }, + { + "id": "sa-3_gdn", + "name": "guidance", + "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." + }, + { + "id": "sa-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[01]", + "class": "sp800-53a" + } + ], + "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03b.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[01]", + "class": "sp800-53a" + } + ], + "prose": "individuals with information security roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03c.[02]", + "class": "sp800-53a" + } + ], + "prose": "individuals with privacy roles and responsibilities are identified;", + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-3_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-03d.[02]", + "class": "sp800-53a" + } + ], + "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" + } + ] + } + ] + }, + { + "id": "sa-4", + "class": "SP800-53", + "title": "Acquisition Process", + "params": [ + { + "id": "sa-04_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "standardized contract language", + " {{ insert: param, sa-04_odp.02 }} " + ] + } + }, + { + "id": "sa-04_odp.02", + "label": "contract language", + "guidelines": [ + { + "prose": "contract language is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4" + }, + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "rel": "reference" + }, + { + "href": "#87087451-2af5-43d4-88c1-d66ad850f614", + "rel": "reference" + }, + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", + "rel": "reference" + }, + { + "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "rel": "reference" + }, + { + "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", + "rel": "reference" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-21", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4_smt", + "name": "statement", + "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", + "parts": [ + { + "id": "sa-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Security and privacy functional requirements;" + }, + { + "id": "sa-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Strength of mechanism requirements;" + }, + { + "id": "sa-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Security and privacy assurance requirements;" + }, + { + "id": "sa-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Controls needed to satisfy the security and privacy requirements." + }, + { + "id": "sa-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Security and privacy documentation requirements;" + }, + { + "id": "sa-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Requirements for protecting security and privacy documentation;" + }, + { + "id": "sa-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Description of the system development environment and environment in which the system is intended to operate;" + }, + { + "id": "sa-4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "h." + } + ], + "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" + }, + { + "id": "sa-4_smt.i", + "name": "item", + "props": [ + { + "name": "label", + "value": "i." + } + ], + "prose": "Acceptance criteria." + }, + { + "id": "sa-4_fr", + "name": "item", + "title": "SA-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-4_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." + }, + { + "id": "sa-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." + } + ] + } + ] + }, + { + "id": "sa-4_gdn", + "name": "guidance", + "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." + }, + { + "id": "sa-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[01]", + "class": "sp800-53a" + } + ], + "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04a.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04b.", + "class": "sp800-53a" + } + ], + "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04c.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[01]", + "class": "sp800-53a" + } + ], + "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04e.[02]", + "class": "sp800-53a" + } + ], + "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.f-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[01]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.f-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04f.[02]", + "class": "sp800-53a" + } + ], + "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04g.", + "class": "sp800-53a" + } + ], + "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4_obj.h-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[01]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[02]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.h-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04h.[03]", + "class": "sp800-53a" + } + ], + "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt.h", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_obj.i", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04i.", + "class": "sp800-53a" + } + ], + "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", + "links": [ + { + "href": "#sa-4_smt.i", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ], + "controls": [ + { + "id": "sa-4.1", + "class": "SP800-53-enhancement", + "title": "Functional Properties of Controls", + "props": [ + { + "name": "label", + "value": "SA-4(1)" + }, + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented." + }, + { + "id": "sa-4.1_gdn", + "name": "guidance", + "prose": "Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls." + }, + { + "id": "sa-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(01)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.", + "links": [ + { + "href": "#sa-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" + } + ] + } + ] + }, + { + "id": "sa-4.2", + "class": "SP800-53-enhancement", + "title": "Design and Implementation Information for Controls", + "params": [ + { + "id": "sa-04.02_odp.01", + "constraints": [ + { + "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "security-relevant external system interfaces", + "high-level design", + "low-level design", + "source code or hardware schematics", + " {{ insert: param, sa-04.02_odp.02 }} " + ] + } + }, + { + "id": "sa-04.02_odp.02", + "label": "design and implementation information", + "guidelines": [ + { + "prose": "design and implementation information is defined (if selected);" + } + ] + }, + { + "id": "sa-04.02_odp.03", + "label": "level of detail", + "guidelines": [ + { + "prose": "level of detail is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-4(2)" + }, + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-4.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}." + }, + { + "id": "sa-4.2_gdn", + "name": "guidance", + "prose": "Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system." + }, + { + "id": "sa-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(02)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.", + "links": [ + { + "href": "#sa-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing the development of system design details" + } + ] + } + ] + }, + { + "id": "sa-4.9", + "class": "SP800-53-enhancement", + "title": "Functions, Ports, Protocols, and Services in Use", + "props": [ + { + "name": "label", + "value": "SA-4(9)" + }, + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.9_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use." + }, + { + "id": "sa-4.9_gdn", + "name": "guidance", + "prose": "The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources." + }, + { + "id": "sa-4.9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-4.9_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(09)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.", + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-4.9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(09)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(09)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities" + } + ] + } + ] + }, + { + "id": "sa-4.10", + "class": "SP800-53-enhancement", + "title": "Use of Approved PIV Products", + "props": [ + { + "name": "label", + "value": "SA-4(10)" + }, + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-04.10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-4", + "rel": "required" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-4.10_smt", + "name": "statement", + "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." + }, + { + "id": "sa-4.10_gdn", + "name": "guidance", + "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." + }, + { + "id": "sa-4.10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-04(10)", + "class": "sp800-53a" + } + ], + "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", + "links": [ + { + "href": "#sa-4.10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-4.10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-04(10)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-4.10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-04(10)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sa-4.10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-04(10)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for selecting and employing FIPS 201-approved products" + } + ] + } + ] + } + ] + }, + { + "id": "sa-5", + "class": "SP800-53", + "title": "System Documentation", + "params": [ + { + "id": "sa-05_odp.01", + "label": "actions", + "guidelines": [ + { + "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" + } + ] + }, + { + "id": "sa-05_odp.02", + "label": "personnel or roles", + "constraints": [ + { + "description": "at a minimum, the ISSO (or similar role within the organization)" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to distribute system documentation to is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-5" + }, + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-16", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-5_smt", + "name": "statement", + "parts": [ + { + "id": "sa-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Secure configuration, installation, and operation of the system, component, or service;" + }, + { + "id": "sa-5_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" + }, + { + "id": "sa-5_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" + } + ] + }, + { + "id": "sa-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", + "parts": [ + { + "id": "sa-5_smt.b.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" + }, + { + "id": "sa-5_smt.b.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" + }, + { + "id": "sa-5_smt.b.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" + } + ] + }, + { + "id": "sa-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" + }, + { + "id": "sa-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." + } + ] + }, + { + "id": "sa-5_gdn", + "name": "guidance", + "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." + }, + { + "id": "sa-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.01[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.2-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.02[04]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[03]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.1-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.01[04]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.02[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.b.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[01]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.b.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05b.03[02]", + "class": "sp800-53a" + } + ], + "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-5_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[01]", + "class": "sp800-53a" + } + ], + "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05c.[02]", + "class": "sp800-53a" + } + ], + "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-05d.", + "class": "sp800-53a" + } + ], + "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", + "links": [ + { + "href": "#sa-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" + } + ] + }, + { + "id": "sa-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" + } + ] + } + ] + }, + { + "id": "sa-8", + "class": "SP800-53", + "title": "Security and Privacy Engineering Principles", + "params": [ + { + "id": "sa-8_prm_1", + "label": "organization-defined systems security and privacy engineering principles" + }, + { + "id": "sa-08_odp.01", + "label": "systems security engineering principles", + "guidelines": [ + { + "prose": "systems security engineering principles are defined;" + } + ] + }, + { + "id": "sa-08_odp.02", + "label": "privacy engineering principles", + "guidelines": [ + { + "prose": "privacy engineering principles are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-8" + }, + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "rel": "reference" + }, + { + "href": "#9be5d661-421f-41ad-854e-86f98b811891", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#98d415ca-7281-4064-9931-0c366637e324", + "rel": "reference" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-7", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-9", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sa-20", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-8_smt", + "name": "statement", + "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." + }, + { + "id": "sa-8_gdn", + "name": "guidance", + "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." + }, + { + "id": "sa-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-8_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[04]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[05]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[06]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[07]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[08]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[09]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_obj-10", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-08[10]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" + } + ] + } + ] + }, + { + "id": "sa-9", + "class": "SP800-53", + "title": "External System Services", + "params": [ + { + "id": "sa-09_odp.01", + "label": "controls", + "constraints": [ + { + "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" + } + ], + "guidelines": [ + { + "prose": "controls to be employed by external system service providers are defined;" + } + ] + }, + { + "id": "sa-09_odp.02", + "label": "processes, methods, and techniques", + "constraints": [ + { + "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9" + }, + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "rel": "reference" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-7", + "rel": "related" + }, + { + "href": "#pl-10", + "rel": "related" + }, + { + "href": "#pl-11", + "rel": "related" + }, + { + "href": "#ps-7", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" + }, + { + "id": "sa-9_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" + }, + { + "id": "sa-9_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + } + ] + }, + { + "id": "sa-9_gdn", + "name": "guidance", + "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." + }, + { + "id": "sa-9_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[01]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational security requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[02]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services comply with organizational privacy requirements;", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09a.[03]", + "class": "sp800-53a" + } + ], + "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[01]", + "class": "sp800-53a" + } + ], + "prose": "organizational oversight with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09b.[02]", + "class": "sp800-53a" + } + ], + "prose": "user roles and responsibilities with regard to external system services are defined and documented;", + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09c.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", + "links": [ + { + "href": "#sa-9_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" + } + ] + } + ], + "controls": [ + { + "id": "sa-9.1", + "class": "SP800-53-enhancement", + "title": "Risk Assessments and Organizational Approvals", + "params": [ + { + "id": "sa-09.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(1)" + }, + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.1_smt", + "name": "statement", + "parts": [ + { + "id": "sa-9.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and" + }, + { + "id": "sa-9.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}." + } + ] + }, + { + "id": "sa-9.1_gdn", + "name": "guidance", + "prose": "Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks." + }, + { + "id": "sa-9.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-9.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;", + "links": [ + { + "href": "#sa-9.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(01)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.", + "links": [ + { + "href": "#sa-9.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-9.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and/or implementing risk assessment\n\nmechanisms supporting and/or implementing approval processes" + } + ] + } + ] + }, + { + "id": "sa-9.2", + "class": "SP800-53-enhancement", + "title": "Identification of Functions, Ports, Protocols, and Services", + "params": [ + { + "id": "sa-09.02_odp", + "label": "external system services", + "constraints": [ + { + "description": "all external systems where Federal information is processed or stored" + } + ], + "guidelines": [ + { + "prose": "external system services that require the identification of functions, ports, protocols, and other services are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(2)" + }, + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.2_smt", + "name": "statement", + "prose": "Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}." + }, + { + "id": "sa-9.2_gdn", + "name": "guidance", + "prose": "Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols." + }, + { + "id": "sa-9.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(02)", + "class": "sp800-53a" + } + ], + "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.", + "links": [ + { + "href": "#sa-9.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of system services" + } + ] + } + ] + }, + { + "id": "sa-9.5", + "class": "SP800-53-enhancement", + "title": "Processing, Storage, and Service Location", + "params": [ + { + "id": "sa-09.05_odp.01", + "constraints": [ + { + "description": "information processing, information or data, AND system services" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "information processing", + "information or data", + "system services" + ] + } + }, + { + "id": "sa-09.05_odp.02", + "label": "locations", + "guidelines": [ + { + "prose": "locations where {{ insert: param, sa-09.05_odp.01 }} is/are to be restricted are defined;" + } + ] + }, + { + "id": "sa-09.05_odp.03", + "label": "requirements", + "guidelines": [ + { + "prose": "requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-9(5)" + }, + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-09.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-9", + "rel": "required" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-9.5_smt", + "name": "statement", + "prose": "Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}." + }, + { + "id": "sa-9.5_gdn", + "name": "guidance", + "prose": "The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate." + }, + { + "id": "sa-9.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-09(05)", + "class": "sp800-53a" + } + ], + "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.", + "links": [ + { + "href": "#sa-9.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-9.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-09(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or system services\n\ninformation processing, information/data, and/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-9.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-09(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-9.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-09(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions" + } + ] + } + ] + } + ] + }, + { + "id": "sa-10", + "class": "SP800-53", + "title": "Developer Configuration Management", + "params": [ + { + "id": "sa-10_odp.01", + "constraints": [ + { + "description": "development, implementation, AND operation" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "design", + "development", + "implementation", + "operation", + "disposal" + ] + } + }, + { + "id": "sa-10_odp.02", + "label": "configuration items", + "guidelines": [ + { + "prose": "configuration items under configuration management are defined;" + } + ] + }, + { + "id": "sa-10_odp.03", + "label": "personnel", + "guidelines": [ + { + "prose": "personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-10" + }, + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-10_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to:", + "parts": [ + { + "id": "sa-10_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};" + }, + { + "id": "sa-10_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};" + }, + { + "id": "sa-10_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Implement only organization-approved changes to the system, component, or service;" + }, + { + "id": "sa-10_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and" + }, + { + "id": "sa-10_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}." + }, + { + "id": "sa-10_fr", + "name": "item", + "title": "SA-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sa-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e) Requirement:" + } + ], + "prose": "track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP." + } + ] + } + ] + }, + { + "id": "sa-10_gdn", + "name": "guidance", + "prose": "Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle." + }, + { + "id": "sa-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10a.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};", + "links": [ + { + "href": "#sa-10_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};", + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10c.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10d.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;", + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-10_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_obj.e-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-10e.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.", + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and/or implementing the monitoring of developer configuration management" + } + ] + } + ] + }, + { + "id": "sa-11", + "class": "SP800-53", + "title": "Developer Testing and Evaluation", + "params": [ + { + "id": "sa-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "unit", + "integration", + "system", + "regression" + ] + } + }, + { + "id": "sa-11_odp.02", + "label": "frequency to conduct", + "guidelines": [ + { + "prose": "frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + }, + { + "id": "sa-11_odp.03", + "label": "depth and coverage", + "guidelines": [ + { + "prose": "depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11" + }, + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "rel": "reference" + }, + { + "href": "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:", + "parts": [ + { + "id": "sa-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement a plan for ongoing security and privacy control assessments;" + }, + { + "id": "sa-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};" + }, + { + "id": "sa-11_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;" + }, + { + "id": "sa-11_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement a verifiable flaw remediation process; and" + }, + { + "id": "sa-11_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Correct flaws identified during testing and evaluation." + } + ] + }, + { + "id": "sa-11_gdn", + "name": "guidance", + "prose": "Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation." + }, + { + "id": "sa-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;", + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11b.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};", + "links": [ + { + "href": "#sa-11_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;", + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11d.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;", + "links": [ + { + "href": "#sa-11_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11e.", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.", + "links": [ + { + "href": "#sa-11_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation" + } + ] + } + ], + "controls": [ + { + "id": "sa-11.1", + "class": "SP800-53-enhancement", + "title": "Static Code Analysis", + "props": [ + { + "name": "label", + "value": "SA-11(1)" + }, + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + } + ], + "parts": [ + { + "id": "sa-11.1_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.", + "parts": [ + { + "id": "sa-11.1_fr", + "name": "item", + "title": "SA-11(1) Additional FedRAMP Requirements", + "parts": [ + { + "id": "sa-11.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.\n\nIf Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))" + } + ] + } + ] + }, + { + "id": "sa-11.1_gdn", + "name": "guidance", + "prose": "Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources." + }, + { + "id": "sa-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.", + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers" + } + ] + }, + { + "id": "sa-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools" + } + ] + } + ] + }, + { + "id": "sa-11.2", + "class": "SP800-53-enhancement", + "title": "Threat Modeling and Vulnerability Analyses", + "params": [ + { + "id": "sa-11.2_prm_3", + "label": "organization-defined breadth and depth of modeling and analyses" + }, + { + "id": "sa-11.2_prm_4", + "label": "organization-defined acceptance criteria" + }, + { + "id": "sa-11.02_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.02", + "label": "tools and methods", + "guidelines": [ + { + "prose": "the tools and methods to be employed for threat modeling and vulnerability analyses are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.03", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of threat modeling to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.04", + "label": "breadth and depth", + "guidelines": [ + { + "prose": "the breadth and depth of vulnerability analyses to be conducted is defined;" + } + ] + }, + { + "id": "sa-11.02_odp.05", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for threat modeling are defined;" + } + ] + }, + { + "id": "sa-11.02_odp.06", + "label": "acceptance criteria", + "guidelines": [ + { + "prose": "acceptance criteria to be met by produced evidence for vulnerability analyses are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-11(2)" + }, + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-11", + "rel": "required" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-11.2_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:", + "parts": [ + { + "id": "sa-11.2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};" + }, + { + "id": "sa-11.2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};" + }, + { + "id": "sa-11.2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + }, + { + "id": "sa-11.2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}." + } + ] + }, + { + "id": "sa-11.2_gdn", + "name": "guidance", + "prose": "Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated." + }, + { + "id": "sa-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};", + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(b)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};", + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};", + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-11.2_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[03]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_obj.d-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-11(02)(d)[04]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.", + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and/or implementing the monitoring of developer security testing and evaluation" + } + ] + } + ] + } + ] + }, + { + "id": "sa-15", + "class": "SP800-53", + "title": "Development Process, Standards, and Tools", + "params": [ + { + "id": "sa-15_prm_2", + "label": "organization-defined security and privacy requirements" + }, + { + "id": "sa-15_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "frequency at least annually" + } + ], + "guidelines": [ + { + "prose": "frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;" + } + ] + }, + { + "id": "sa-15_odp.02", + "label": "security requirements", + "constraints": [ + { + "description": "FedRAMP Security Authorization requirements" + } + ], + "guidelines": [ + { + "prose": "security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + }, + { + "id": "sa-15_odp.03", + "label": "privacy requirements", + "guidelines": [ + { + "prose": "privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15" + }, + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", + "rel": "reference" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15_smt", + "name": "statement", + "parts": [ + { + "id": "sa-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Require the developer of the system, system component, or system service to follow a documented development process that:", + "parts": [ + { + "id": "sa-15_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Explicitly addresses security and privacy requirements;" + }, + { + "id": "sa-15_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Identifies the standards and tools used in the development process;" + }, + { + "id": "sa-15_smt.a.3", + "name": "item", + "props": [ + { + "name": "label", + "value": "3." + } + ], + "prose": "Documents the specific tool options and tool configurations used in the development process; and" + }, + { + "id": "sa-15_smt.a.4", + "name": "item", + "props": [ + { + "name": "label", + "value": "4." + } + ], + "prose": "Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and" + } + ] + }, + { + "id": "sa-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}." + } + ] + }, + { + "id": "sa-15_gdn", + "name": "guidance", + "prose": "Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes." + }, + { + "id": "sa-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;", + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.a.3-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.3-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.03[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;", + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a.3", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.a.4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15a.04", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;", + "links": [ + { + "href": "#sa-15_smt.a.4", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.", + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + } + ], + "controls": [ + { + "id": "sa-15.3", + "class": "SP800-53-enhancement", + "title": "Criticality Analysis", + "params": [ + { + "id": "sa-15.3_prm_2", + "label": "organization-defined breadth and depth of criticality analysis" + }, + { + "id": "sa-15.03_odp.01", + "label": "decision points", + "guidelines": [ + { + "prose": "decision points in the system development life cycle are defined;" + } + ] + }, + { + "id": "sa-15.03_odp.02", + "label": "breadth", + "guidelines": [ + { + "prose": "the breadth of criticality analysis is defined;" + } + ] + }, + { + "id": "sa-15.03_odp.03", + "label": "depth", + "guidelines": [ + { + "prose": "the depth of criticality analysis is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-15(3)" + }, + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-15.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sa-15", + "rel": "required" + }, + { + "href": "#ra-9", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-15.3_smt", + "name": "statement", + "prose": "Require the developer of the system, system component, or system service to perform a criticality analysis:", + "parts": [ + { + "id": "sa-15.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + }, + { + "id": "sa-15.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}." + } + ] + }, + { + "id": "sa-15.3_gdn", + "name": "guidance", + "prose": "Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses." + }, + { + "id": "sa-15.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;", + "links": [ + { + "href": "#sa-15.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-15.3_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-15(03)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .", + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-15.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-15.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-15(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-15.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-15(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sa-15.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-15(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for performing criticality analysis\n\nmechanisms supporting and/or implementing criticality analysis" + } + ] + } + ] + } + ] + }, + { + "id": "sa-22", + "class": "SP800-53", + "title": "Unsupported System Components", + "params": [ + { + "id": "sa-22_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "in-house support", + " {{ insert: param, sa-22_odp.02 }} " + ] + } + }, + { + "id": "sa-22_odp.02", + "label": "support from external providers", + "guidelines": [ + { + "prose": "support from external providers is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SA-22" + }, + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sa-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sa-22_smt", + "name": "statement", + "parts": [ + { + "id": "sa-22_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" + }, + { + "id": "sa-22_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." + } + ] + }, + { + "id": "sa-22_gdn", + "name": "guidance", + "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." + }, + { + "id": "sa-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sa-22_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22a.", + "class": "sp800-53a" + } + ], + "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", + "links": [ + { + "href": "#sa-22_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SA-22b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", + "links": [ + { + "href": "#sa-22_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sa-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sa-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SA-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sa-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SA-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" + } + ] + }, + { + "id": "sa-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SA-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" + } + ] + } + ] + } + ] + }, + { + "id": "sc", + "class": "family", + "title": "System and Communications Protection", + "controls": [ + { + "id": "sc-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sc-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "sc-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "sc-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business-process-level", + "system-level" + ] + } + }, + { + "id": "sc-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and communications protection policy and procedures is defined;" + } + ] + }, + { + "id": "sc-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sc-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "sc-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-1" + }, + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", + "parts": [ + { + "id": "sc-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", + "parts": [ + { + "id": "sc-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sc-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sc-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" + } + ] + }, + { + "id": "sc-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" + }, + { + "id": "sc-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and communications protection:", + "parts": [ + { + "id": "sc-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" + }, + { + "id": "sc-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sc-1_gdn", + "name": "guidance", + "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sc-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and communications protection policy is developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sc-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", + "links": [ + { + "href": "#sc-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "sc-2", + "class": "SP800-53", + "title": "Separation of System and User Functionality", + "props": [ + { + "name": "label", + "value": "SC-2" + }, + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-39", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-2_smt", + "name": "statement", + "prose": "Separate user functionality, including user interface services, from system management functionality." + }, + { + "id": "sc-2_gdn", + "name": "guidance", + "prose": "System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)." + }, + { + "id": "sc-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-02", + "class": "sp800-53a" + } + ], + "prose": "user functionality, including user interface services, is separated from system management functionality.", + "links": [ + { + "href": "#sc-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Separation of user functionality from system management functionality" + } + ] + } + ] + }, + { + "id": "sc-4", + "class": "SP800-53", + "title": "Information in Shared System Resources", + "props": [ + { + "name": "label", + "value": "SC-4" + }, + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-4_smt", + "name": "statement", + "prose": "Prevent unauthorized and unintended information transfer via shared system resources." + }, + { + "id": "sc-4_gdn", + "name": "guidance", + "prose": "Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles." + }, + { + "id": "sc-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-4_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[01]", + "class": "sp800-53a" + } + ], + "prose": "unauthorized information transfer via shared system resources is prevented;", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-04[02]", + "class": "sp800-53a" + } + ], + "prose": "unintended information transfer via shared system resources is prevented.", + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources" + } + ] + } + ] + }, + { + "id": "sc-5", + "class": "SP800-53", + "title": "Denial-of-service Protection", + "params": [ + { + "id": "sc-05_odp.01", + "label": "types of denial-of-service events", + "constraints": [ + { + "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" + } + ], + "guidelines": [ + { + "prose": "types of denial-of-service events to be protected against or limited are defined;" + } + ] + }, + { + "id": "sc-05_odp.02", + "constraints": [ + { + "description": "Protect against" + } + ], + "select": { + "choice": [ + "protect against", + "limit" + ] + } + }, + { + "id": "sc-05_odp.03", + "label": "controls by type of denial-of-service event", + "guidelines": [ + { + "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-5" + }, + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#sc-6", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-5_smt", + "name": "statement", + "parts": [ + { + "id": "sc-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" + }, + { + "id": "sc-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." + } + ] + }, + { + "id": "sc-5_gdn", + "name": "guidance", + "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." + }, + { + "id": "sc-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05a.", + "class": "sp800-53a" + } + ], + "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", + "links": [ + { + "href": "#sc-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-05b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", + "links": [ + { + "href": "#sc-5_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" + } + ] + } + ] + }, + { + "id": "sc-7", + "class": "SP800-53", + "title": "Boundary Protection", + "params": [ + { + "id": "sc-07_odp", + "select": { + "choice": [ + "physically", + "logically" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-7" + }, + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", + "rel": "reference" + }, + { + "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "rel": "reference" + }, + { + "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ac-20", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-10", + "rel": "related" + }, + { + "href": "#cp-8", + "rel": "related" + }, + { + "href": "#cp-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-17", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-32", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + }, + { + "id": "sc-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" + }, + { + "id": "sc-7_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + }, + { + "id": "sc-7_fr", + "name": "item", + "title": "SC-7 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "(b) Guidance:" + } + ], + "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." + } + ] + } + ] + }, + { + "id": "sc-7_gdn", + "name": "guidance", + "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." + }, + { + "id": "sc-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "communications at external managed interfaces to the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are monitored;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07a.[04]", + "class": "sp800-53a" + } + ], + "prose": "communications at key internal managed interfaces within the system are controlled;", + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07b.", + "class": "sp800-53a" + } + ], + "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", + "links": [ + { + "href": "#sc-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07c.", + "class": "sp800-53a" + } + ], + "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", + "links": [ + { + "href": "#sc-7_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities" + } + ] + } + ], + "controls": [ + { + "id": "sc-7.3", + "class": "SP800-53-enhancement", + "title": "Access Points", + "props": [ + { + "name": "label", + "value": "SC-7(3)" + }, + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.3_smt", + "name": "statement", + "prose": "Limit the number of external network connections to the system." + }, + { + "id": "sc-7.3_gdn", + "name": "guidance", + "prose": "Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system." + }, + { + "id": "sc-7.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(03)", + "class": "sp800-53a" + } + ], + "prose": "the number of external network connections to the system is limited.", + "links": [ + { + "href": "#sc-7.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system" + } + ] + } + ] + }, + { + "id": "sc-7.4", + "class": "SP800-53-enhancement", + "title": "External Telecommunications Services", + "params": [ + { + "id": "sc-07.04_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review exceptions to traffic flow policy is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(4)" + }, + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.4_smt", + "name": "statement", + "parts": [ + { + "id": "sc-7.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Implement a managed interface for each external telecommunication service;" + }, + { + "id": "sc-7.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish a traffic flow policy for each managed interface;" + }, + { + "id": "sc-7.4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "(c)" + } + ], + "prose": "Protect the confidentiality and integrity of the information being transmitted across each interface;" + }, + { + "id": "sc-7.4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "(d)" + } + ], + "prose": "Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;" + }, + { + "id": "sc-7.4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "(e)" + } + ], + "prose": "Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;" + }, + { + "id": "sc-7.4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "(f)" + } + ], + "prose": "Prevent unauthorized exchange of control plane traffic with external networks;" + }, + { + "id": "sc-7.4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "(g)" + } + ], + "prose": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and" + }, + { + "id": "sc-7.4_smt.h", + "name": "item", + "props": [ + { + "name": "label", + "value": "(h)" + } + ], + "prose": "Filter unauthorized control plane traffic from external networks." + } + ] + }, + { + "id": "sc-7.4_gdn", + "name": "guidance", + "prose": "External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements." + }, + { + "id": "sc-7.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(a)", + "class": "sp800-53a" + } + ], + "prose": "a managed interface is implemented for each external telecommunication service;", + "links": [ + { + "href": "#sc-7.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(b)", + "class": "sp800-53a" + } + ], + "prose": "a traffic flow policy is established for each managed interface;", + "links": [ + { + "href": "#sc-7.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[01]", + "class": "sp800-53a" + } + ], + "prose": "the confidentiality of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(c)[02]", + "class": "sp800-53a" + } + ], + "prose": "the integrity of the information being transmitted across each interface is protected;", + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(d)", + "class": "sp800-53a" + } + ], + "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;", + "links": [ + { + "href": "#sc-7.4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.4_obj.e-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[01]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.e-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(e)[02]", + "class": "sp800-53a" + } + ], + "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;", + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(f)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;", + "links": [ + { + "href": "#sc-7.4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(g)", + "class": "sp800-53a" + } + ], + "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;", + "links": [ + { + "href": "#sc-7.4_smt.g", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_obj.h", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(04)(h)", + "class": "sp800-53a" + } + ], + "prose": "unauthorized control plane traffic is filtered from external networks.", + "links": [ + { + "href": "#sc-7.4_smt.h", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy" + } + ] + } + ] + }, + { + "id": "sc-7.5", + "class": "SP800-53-enhancement", + "title": "Deny by Default — Allow by Exception", + "params": [ + { + "id": "sc-07.05_odp.01", + "constraints": [ + { + "description": "any systems" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "at managed interfaces", + "for {{ insert: param, sc-07.05_odp.02 }} " + ] + } + }, + { + "id": "sc-07.05_odp.02", + "label": "systems", + "guidelines": [ + { + "prose": "systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)." + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(5)" + }, + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.5_smt", + "name": "statement", + "prose": "Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.", + "parts": [ + { + "id": "sc-7.5_fr", + "name": "item", + "title": "SC-7 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-7.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing" + } + ] + } + ] + }, + { + "id": "sc-7.5_gdn", + "name": "guidance", + "prose": "Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system." + }, + { + "id": "sc-7.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-7.5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[01]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(05)[02]", + "class": "sp800-53a" + } + ], + "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.", + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-7.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.7", + "class": "SP800-53-enhancement", + "title": "Split Tunneling for Remote Devices", + "params": [ + { + "id": "sc-07.07_odp", + "label": "safeguards", + "guidelines": [ + { + "prose": "safeguards to securely provision split tunneling are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(7)" + }, + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.7_smt", + "name": "statement", + "prose": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}." + }, + { + "id": "sc-7.7_gdn", + "name": "guidance", + "prose": "Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control." + }, + { + "id": "sc-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(07)", + "class": "sp800-53a" + } + ], + "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.", + "links": [ + { + "href": "#sc-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting/restricting non-remote connections" + } + ] + } + ] + }, + { + "id": "sc-7.8", + "class": "SP800-53-enhancement", + "title": "Route Traffic to Authenticated Proxy Servers", + "params": [ + { + "id": "sc-07.08_odp.01", + "label": "internal communications traffic", + "guidelines": [ + { + "prose": "internal communications traffic to be routed to external networks is defined;" + } + ] + }, + { + "id": "sc-07.08_odp.02", + "label": "external networks", + "constraints": [ + { + "description": "any network outside of organizational control and any network outside the authorization boundary" + } + ], + "guidelines": [ + { + "prose": "external networks to which internal communications traffic is to be routed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(8)" + }, + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#ac-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.8_smt", + "name": "statement", + "prose": "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces." + }, + { + "id": "sc-7.8_gdn", + "name": "guidance", + "prose": "External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)." + }, + { + "id": "sc-7.8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(08)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.", + "links": [ + { + "href": "#sc-7.8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(08)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(08)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(08)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces" + } + ] + } + ] + }, + { + "id": "sc-7.12", + "class": "SP800-53-enhancement", + "title": "Host-based Protection", + "params": [ + { + "id": "sc-07.12_odp.01", + "label": "host-based boundary protection mechanisms", + "constraints": [ + { + "description": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall" + } + ], + "guidelines": [ + { + "prose": "host-based boundary protection mechanisms to be implemented are defined;" + } + ] + }, + { + "id": "sc-07.12_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based boundary protection mechanisms are to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-7(12)" + }, + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-7.12_smt", + "name": "statement", + "prose": "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}." + }, + { + "id": "sc-7.12_gdn", + "name": "guidance", + "prose": "Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices." + }, + { + "id": "sc-7.12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(12)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.", + "links": [ + { + "href": "#sc-7.12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(12)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(12)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users" + } + ] + }, + { + "id": "sc-7.12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(12)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms implementing host-based boundary protection capabilities" + } + ] + } + ] + }, + { + "id": "sc-7.18", + "class": "SP800-53-enhancement", + "title": "Fail Secure", + "props": [ + { + "name": "label", + "value": "SC-7(18)" + }, + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-07.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sc-7", + "rel": "required" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#cp-12", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-7.18_smt", + "name": "statement", + "prose": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device." + }, + { + "id": "sc-7.18_gdn", + "name": "guidance", + "prose": "Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases." + }, + { + "id": "sc-7.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-07(18)", + "class": "sp800-53a" + } + ], + "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.", + "links": [ + { + "href": "#sc-7.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-7.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-07(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-7.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-07(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" + } + ] + }, + { + "id": "sc-7.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-07(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure failure" + } + ] + } + ] + } + ] + }, + { + "id": "sc-8", + "class": "SP800-53", + "title": "Transmission Confidentiality and Integrity", + "params": [ + { + "id": "sc-08_odp", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8" + }, + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#736d6310-e403-4b57-a79d-9967970c66d7", + "rel": "reference" + }, + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + }, + { + "href": "#ia-9", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pe-4", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-16", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", + "parts": [ + { + "id": "sc-8_fr", + "name": "item", + "title": "SC-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n\n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work – e.g. log collection, scanning, etc.\n\n\n\n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters\n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]" + }, + { + "id": "sc-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n\n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n\n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n\n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n\n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n\n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf" + } + ] + } + ] + }, + { + "id": "sc-8_gdn", + "name": "guidance", + "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." + }, + { + "id": "sc-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", + "links": [ + { + "href": "#sc-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" + } + ] + } + ], + "controls": [ + { + "id": "sc-8.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-08.01_odp", + "constraints": [ + { + "description": "prevent unauthorized disclosure of information AND detect changes to information" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "prevent unauthorized disclosure of information", + "detect changes to information" + ] + } + } + ], + "props": [ + { + "name": "label", + "value": "SC-8(1)" + }, + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-08.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-8", + "rel": "required" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-8.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", + "parts": [ + { + "id": "sc-8.1_fr", + "name": "item", + "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-8.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." + }, + { + "id": "sc-8.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." + }, + { + "id": "sc-8.1_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" + }, + { + "id": "sc-8.1_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + } + ] + } + ] + }, + { + "id": "sc-8.1_gdn", + "name": "guidance", + "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." + }, + { + "id": "sc-8.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-08(01)", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", + "links": [ + { + "href": "#sc-8.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-8.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-08(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-8.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-08(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-8.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-08(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" + } + ] + } + ] + } + ] + }, + { + "id": "sc-10", + "class": "SP800-53", + "title": "Network Disconnect", + "params": [ + { + "id": "sc-10_odp", + "label": "time period", + "constraints": [ + { + "description": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions" + } + ], + "guidelines": [ + { + "prose": "a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-10" + }, + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-10_smt", + "name": "statement", + "prose": "Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity." + }, + { + "id": "sc-10_gdn", + "name": "guidance", + "prose": "Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses." + }, + { + "id": "sc-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-10", + "class": "sp800-53a" + } + ], + "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.", + "links": [ + { + "href": "#sc-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing a network disconnect capability" + } + ] + } + ] + }, + { + "id": "sc-12", + "class": "SP800-53", + "title": "Cryptographic Key Establishment and Management", + "params": [ + { + "id": "sc-12_odp", + "label": "requirements", + "constraints": [ + { + "description": "In accordance with Federal requirements" + } + ], + "guidelines": [ + { + "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-12" + }, + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", + "rel": "reference" + }, + { + "href": "#3915a084-b87b-4f02-83d4-c369e746292f", + "rel": "reference" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-17", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-12_smt", + "name": "statement", + "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", + "parts": [ + { + "id": "sc-12_fr", + "name": "item", + "title": "SC-12 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-12_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See references in NIST 800-53 documentation." + }, + { + "id": "sc-12_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." + }, + { + "id": "sc-12_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." + } + ] + } + ] + }, + { + "id": "sc-12_gdn", + "name": "guidance", + "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." + }, + { + "id": "sc-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-12[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" + } + ] + }, + { + "id": "sc-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" + } + ] + } + ] + }, + { + "id": "sc-13", + "class": "SP800-53", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-13_odp.01", + "label": "cryptographic uses", + "guidelines": [ + { + "prose": "cryptographic uses are defined;" + } + ] + }, + { + "id": "sc-13_odp.02", + "label": "types of cryptography", + "constraints": [ + { + "description": "FIPS-validated or NSA-approved cryptography" + } + ], + "guidelines": [ + { + "prose": "types of cryptography for each specified cryptographic use are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-13" + }, + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-13" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-7", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#ia-3", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#ia-7", + "rel": "related" + }, + { + "href": "#ia-13", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-40", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-13_smt", + "name": "statement", + "parts": [ + { + "id": "sc-13_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + }, + { + "id": "sc-13_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." + }, + { + "id": "sc-13_fr", + "name": "item", + "title": "SC-13 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-13_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n\n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" + }, + { + "id": "sc-13_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" + }, + { + "id": "sc-13_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-13_fr_gdn.4", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" + }, + { + "id": "sc-13_fr_gdn.5", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." + } + ] + } + ] + }, + { + "id": "sc-13_gdn", + "name": "guidance", + "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "sc-13_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-13_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13a.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", + "links": [ + { + "href": "#sc-13_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-13b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", + "links": [ + { + "href": "#sc-13_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-13_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-13_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-13-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-13_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-13-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" + } + ] + }, + { + "id": "sc-13_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-13-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing cryptographic protection" + } + ] + } + ] + }, + { + "id": "sc-15", + "class": "SP800-53", + "title": "Collaborative Computing Devices and Applications", + "params": [ + { + "id": "sc-15_odp", + "label": "exceptions where remote activation is to be allowed", + "constraints": [ + { + "description": "no exceptions for computing devices" + } + ], + "guidelines": [ + { + "prose": "exceptions where remote activation is to be allowed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-15" + }, + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-15" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#ac-21", + "rel": "related" + }, + { + "href": "#sc-42", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-15_smt", + "name": "statement", + "parts": [ + { + "id": "sc-15_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" + }, + { + "id": "sc-15_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide an explicit indication of use to users physically present at the devices." + }, + { + "id": "sc-15_fr", + "name": "item", + "title": "SC-15 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-15_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." + } + ] + } + ] + }, + { + "id": "sc-15_gdn", + "name": "guidance", + "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." + }, + { + "id": "sc-15_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-15_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15a.", + "class": "sp800-53a" + } + ], + "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", + "links": [ + { + "href": "#sc-15_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-15b.", + "class": "sp800-53a" + } + ], + "prose": "an explicit indication of use is provided to users physically present at the devices.", + "links": [ + { + "href": "#sc-15_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-15_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-15_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-15-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-15_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-15-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" + } + ] + }, + { + "id": "sc-15_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-15-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" + } + ] + } + ] + }, + { + "id": "sc-17", + "class": "SP800-53", + "title": "Public Key Infrastructure Certificates", + "params": [ + { + "id": "sc-17_odp", + "label": "certificate policy", + "guidelines": [ + { + "prose": "a certificate policy for issuing public key certificates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-17" + }, + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-17" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#8cb338a4-e493-4177-818f-3af18983ddc5", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#ia-5", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-17_smt", + "name": "statement", + "parts": [ + { + "id": "sc-17_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and" + }, + { + "id": "sc-17_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Include only approved trust anchors in trust stores or certificate stores managed by the organization." + } + ] + }, + { + "id": "sc-17_gdn", + "name": "guidance", + "prose": "Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates." + }, + { + "id": "sc-17_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-17_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17a.", + "class": "sp800-53a" + } + ], + "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;", + "links": [ + { + "href": "#sc-17_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-17b.", + "class": "sp800-53a" + } + ], + "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.", + "links": [ + { + "href": "#sc-17_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-17_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-17_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-17-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-17_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-17-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers" + } + ] + }, + { + "id": "sc-17_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-17-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing the management of public key infrastructure certificates" + } + ] + } + ] + }, + { + "id": "sc-18", + "class": "SP800-53", + "title": "Mobile Code", + "props": [ + { + "name": "label", + "value": "SC-18" + }, + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#f641309f-a3ad-48be-8c67-2b318648b2f5", + "rel": "reference" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#cm-2", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-18_smt", + "name": "statement", + "parts": [ + { + "id": "sc-18_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Define acceptable and unacceptable mobile code and mobile code technologies; and" + }, + { + "id": "sc-18_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Authorize, monitor, and control the use of mobile code within the system." + } + ] + }, + { + "id": "sc-18_gdn", + "name": "guidance", + "prose": "Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source." + }, + { + "id": "sc-18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[01]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[02]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code is defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[03]", + "class": "sp800-53a" + } + ], + "prose": "acceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18a.[04]", + "class": "sp800-53a" + } + ], + "prose": "unacceptable mobile code technologies are defined;", + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-18_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is authorized within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is monitored within the system;", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-18b.[03]", + "class": "sp800-53a" + } + ], + "prose": "the use of mobile code is controlled within the system.", + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-18-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-18-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code" + } + ] + }, + { + "id": "sc-18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-18-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and/or implementing the management of mobile code\n\nmechanisms supporting and/or implementing the monitoring of mobile code" + } + ] + } + ] + }, + { + "id": "sc-20", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Authoritative Source)", + "props": [ + { + "name": "label", + "value": "SC-20" + }, + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-20" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-20_smt", + "name": "statement", + "parts": [ + { + "id": "sc-20_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" + }, + { + "id": "sc-20_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." + }, + { + "id": "sc-20_fr", + "name": "item", + "title": "SC-20 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-20_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." + }, + { + "id": "sc-20_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." + }, + { + "id": "sc-20_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." + }, + { + "id": "sc-20_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" + } + ] + } + ] + }, + { + "id": "sc-20_gdn", + "name": "guidance", + "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." + }, + { + "id": "sc-20_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[01]", + "class": "sp800-53a" + } + ], + "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-20_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[01]", + "class": "sp800-53a" + } + ], + "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-20b.[02]", + "class": "sp800-53a" + } + ], + "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-20_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-20_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-20-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-20_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-20-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-20_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-20-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-21", + "class": "SP800-53", + "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", + "props": [ + { + "name": "label", + "value": "SC-21" + }, + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-21" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-22", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-21_smt", + "name": "statement", + "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", + "parts": [ + { + "id": "sc-21_fr", + "name": "item", + "title": "SC-21 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-21_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" + }, + { + "id": "sc-21_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." + }, + { + "id": "sc-21_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Accepting an unsigned reply is acceptable" + }, + { + "id": "sc-21_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n* DNSSEC resolution to access a component inside the boundary is excluded.\n" + } + ] + } + ] + }, + { + "id": "sc-21_gdn", + "name": "guidance", + "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." + }, + { + "id": "sc-21_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-21_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[01]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[02]", + "class": "sp800-53a" + } + ], + "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[03]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-21[04]", + "class": "sp800-53a" + } + ], + "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-21_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-21_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-21-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-21_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-21-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-21_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-21-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" + } + ] + } + ] + }, + { + "id": "sc-22", + "class": "SP800-53", + "title": "Architecture and Provisioning for Name/Address Resolution Service", + "props": [ + { + "name": "label", + "value": "SC-22" + }, + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-22" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", + "rel": "reference" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-20", + "rel": "related" + }, + { + "href": "#sc-21", + "rel": "related" + }, + { + "href": "#sc-24", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-22_smt", + "name": "statement", + "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." + }, + { + "id": "sc-22_gdn", + "name": "guidance", + "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." + }, + { + "id": "sc-22_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-22_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[01]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[02]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-22[03]", + "class": "sp800-53a" + } + ], + "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-22_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-22_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-22-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-22_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-22-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" + } + ] + }, + { + "id": "sc-22_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-22-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" + } + ] + } + ] + }, + { + "id": "sc-23", + "class": "SP800-53", + "title": "Session Authenticity", + "props": [ + { + "name": "label", + "value": "SC-23" + }, + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#7537638e-2837-407d-844b-40fb3fafdd99", + "rel": "reference" + }, + { + "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", + "rel": "reference" + }, + { + "href": "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "rel": "reference" + }, + { + "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "rel": "reference" + }, + { + "href": "#au-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-10", + "rel": "related" + }, + { + "href": "#sc-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-23_smt", + "name": "statement", + "prose": "Protect the authenticity of communications sessions." + }, + { + "id": "sc-23_gdn", + "name": "guidance", + "prose": "Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions." + }, + { + "id": "sc-23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-23", + "class": "sp800-53a" + } + ], + "prose": "the authenticity of communication sessions is protected.", + "links": [ + { + "href": "#sc-23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-23-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-23-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "sc-23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-23-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing session authenticity" + } + ] + } + ] + }, + { + "id": "sc-28", + "class": "SP800-53", + "title": "Protection of Information at Rest", + "params": [ + { + "id": "sc-28_odp.01", + "constraints": [ + { + "description": "confidentiality AND integrity" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "confidentiality", + "integrity" + ] + } + }, + { + "id": "sc-28_odp.02", + "label": "information at rest", + "guidelines": [ + { + "prose": "information at rest requiring protection is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28" + }, + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "rel": "reference" + }, + { + "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "rel": "reference" + }, + { + "href": "#eef62b16-c796-4554-955c-505824135b8a", + "rel": "reference" + }, + { + "href": "#110e26af-4765-49e1-8740-6750f83fcda1", + "rel": "reference" + }, + { + "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "rel": "reference" + }, + { + "href": "#8306620b-1920-4d73-8b21-12008528595f", + "rel": "reference" + }, + { + "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "rel": "reference" + }, + { + "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cp-9", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-5", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-34", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28_smt", + "name": "statement", + "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", + "parts": [ + { + "id": "sc-28_fr", + "name": "item", + "title": "SC-28 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." + }, + { + "id": "sc-28_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." + }, + { + "id": "sc-28_fr_gdn.3", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." + } + ] + } + ] + }, + { + "id": "sc-28_gdn", + "name": "guidance", + "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." + }, + { + "id": "sc-28_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", + "links": [ + { + "href": "#sc-28_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" + } + ] + } + ], + "controls": [ + { + "id": "sc-28.1", + "class": "SP800-53-enhancement", + "title": "Cryptographic Protection", + "params": [ + { + "id": "sc-28.01_odp.01", + "label": "information", + "guidelines": [ + { + "prose": "information requiring cryptographic protection is defined;" + } + ] + }, + { + "id": "sc-28.01_odp.02", + "label": "system components or media", + "constraints": [ + { + "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" + } + ], + "guidelines": [ + { + "prose": "system components or media requiring cryptographic protection is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-28(1)" + }, + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-28.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-28", + "rel": "required" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-28.1_smt", + "name": "statement", + "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", + "parts": [ + { + "id": "sc-28.1_fr", + "name": "item", + "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-28.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." + } + ] + } + ] + }, + { + "id": "sc-28.1_gdn", + "name": "guidance", + "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." + }, + { + "id": "sc-28.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-28.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-28(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-28.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-28.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-28(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-28.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-28(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "sc-28.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-28(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" + } + ] + } + ] + } + ] + }, + { + "id": "sc-39", + "class": "SP800-53", + "title": "Process Isolation", + "props": [ + { + "name": "label", + "value": "SC-39" + }, + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-39" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-6", + "rel": "related" + }, + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sc-2", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-16", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-39_smt", + "name": "statement", + "prose": "Maintain a separate execution domain for each executing system process." + }, + { + "id": "sc-39_gdn", + "name": "guidance", + "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." + }, + { + "id": "sc-39_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-39", + "class": "sp800-53a" + } + ], + "prose": "a separate execution domain is maintained for each executing system process.", + "links": [ + { + "href": "#sc-39_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-39_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-39-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-39_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-39-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System developers/integrators\n\nsystem security architect" + } + ] + }, + { + "id": "sc-39_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-39-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" + } + ] + } + ] + }, + { + "id": "sc-45", + "class": "SP800-53", + "title": "System Time Synchronization", + "props": [ + { + "name": "label", + "value": "SC-45" + }, + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#e4d37285-1e79-4029-8b6a-42df39cace30", + "rel": "reference" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#au-8", + "rel": "related" + }, + { + "href": "#ia-2", + "rel": "related" + }, + { + "href": "#ia-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sc-45_smt", + "name": "statement", + "prose": "Synchronize system clocks within and between systems and system components." + }, + { + "id": "sc-45_gdn", + "name": "guidance", + "prose": "Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities." + }, + { + "id": "sc-45_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45", + "class": "sp800-53a" + } + ], + "prose": "system clocks are synchronized within and between systems and system components.", + "links": [ + { + "href": "#sc-45_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ], + "controls": [ + { + "id": "sc-45.1", + "class": "SP800-53-enhancement", + "title": "Synchronization with Authoritative Time Source", + "params": [ + { + "id": "sc-45.01_odp.01", + "label": "frequency", + "constraints": [ + { + "description": "At least hourly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to compare the internal system clocks with the authoritative time source is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.02", + "label": "authoritative time source", + "constraints": [ + { + "description": "http://tf.nist.gov/tf-cgi/servers.cgi" + } + ], + "guidelines": [ + { + "prose": "the authoritative time source to which internal system clocks are to be compared is defined;" + } + ] + }, + { + "id": "sc-45.01_odp.03", + "label": "time period", + "constraints": [ + { + "description": "any difference" + } + ], + "guidelines": [ + { + "prose": "the time period to compare the internal system clocks with the authoritative time source is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SC-45(1)" + }, + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sc-45.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#sc-45", + "rel": "required" + } + ], + "parts": [ + { + "id": "sc-45.1_smt", + "name": "statement", + "parts": [ + { + "id": "sc-45.1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and" + }, + { + "id": "sc-45.1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}." + }, + { + "id": "sc-45.1_fr", + "name": "item", + "title": "SC-45(1) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sc-45.1_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server." + }, + { + "id": "sc-45.1_fr_smt.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server." + }, + { + "id": "sc-45.1_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "Synchronization of system clocks improves the accuracy of log analysis." + } + ] + } + ] + }, + { + "id": "sc-45.1_gdn", + "name": "guidance", + "prose": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network." + }, + { + "id": "sc-45.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sc-45.1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(a)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};", + "links": [ + { + "href": "#sc-45.1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SC-45(01)(b)", + "class": "sp800-53a" + } + ], + "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.", + "links": [ + { + "href": "#sc-45.1_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sc-45.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sc-45.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SC-45(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sc-45.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SC-45(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system" + } + ] + }, + { + "id": "sc-45.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SC-45(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing system time synchronization" + } + ] + } + ] + } + ] + } + ] + }, + { + "id": "si", + "class": "family", + "title": "System and Information Integrity", + "controls": [ + { + "id": "si-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "si-1_prm_1", + "label": "organization-defined personnel or roles" + }, + { + "id": "si-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" + } + ] + }, + { + "id": "si-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "si-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the system and information integrity policy and procedures is defined;" + } + ] + }, + { + "id": "si-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "si-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" + } + ] + }, + { + "id": "si-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-1" + }, + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-1_smt", + "name": "statement", + "parts": [ + { + "id": "si-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", + "parts": [ + { + "id": "si-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", + "parts": [ + { + "id": "si-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "si-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "si-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" + } + ] + }, + { + "id": "si-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" + }, + { + "id": "si-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current system and information integrity:", + "parts": [ + { + "id": "si-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" + }, + { + "id": "si-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "si-1_gdn", + "name": "guidance", + "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "si-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a system and information integrity policy is developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#si-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", + "links": [ + { + "href": "#si-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" + } + ] + } + ] + }, + { + "id": "si-2", + "class": "SP800-53", + "title": "Flaw Remediation", + "params": [ + { + "id": "si-02_odp", + "label": "time period", + "constraints": [ + { + "description": "within thirty (30) days of release of updates" + } + ], + "guidelines": [ + { + "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2" + }, + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "rel": "reference" + }, + { + "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "rel": "reference" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-11", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-5", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2_smt", + "name": "statement", + "parts": [ + { + "id": "si-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Identify, report, and correct system flaws;" + }, + { + "id": "si-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" + }, + { + "id": "si-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" + }, + { + "id": "si-2_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Incorporate flaw remediation into the organizational configuration management process." + } + ] + }, + { + "id": "si-2_gdn", + "name": "guidance", + "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." + }, + { + "id": "si-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are identified;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are reported;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "system flaws are corrected;", + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[01]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[02]", + "class": "sp800-53a" + } + ], + "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[03]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.b-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02b.[04]", + "class": "sp800-53a" + } + ], + "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02d.", + "class": "sp800-53a" + } + ], + "prose": "flaw remediation is incorporated into the organizational configuration management process.", + "links": [ + { + "href": "#si-2_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" + } + ] + } + ], + "controls": [ + { + "id": "si-2.2", + "class": "SP800-53-enhancement", + "title": "Automated Flaw Remediation Status", + "params": [ + { + "id": "si-02.02_odp.01", + "label": "automated mechanisms", + "guidelines": [ + { + "prose": "automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;" + } + ] + }, + { + "id": "si-02.02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(2)" + }, + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-2.2_smt", + "name": "statement", + "prose": "Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + }, + { + "id": "si-2.2_gdn", + "name": "guidance", + "prose": "Automated mechanisms can track and determine the status of known flaws for system components." + }, + { + "id": "si-2.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(02)", + "class": "sp800-53a" + } + ], + "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.", + "links": [ + { + "href": "#si-2.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms used to determine the state of system components with regard to flaw remediation" + } + ] + } + ] + }, + { + "id": "si-2.3", + "class": "SP800-53-enhancement", + "title": "Time to Remediate Flaws and Benchmarks for Corrective Actions", + "params": [ + { + "id": "si-02.03_odp", + "label": "benchmarks", + "guidelines": [ + { + "prose": "the benchmarks for taking corrective actions are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-2(3)" + }, + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-02.03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#si-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-2.3_smt", + "name": "statement", + "parts": [ + { + "id": "si-2.3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Measure the time between flaw identification and flaw remediation; and" + }, + { + "id": "si-2.3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}." + } + ] + }, + { + "id": "si-2.3_gdn", + "name": "guidance", + "prose": "Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited." + }, + { + "id": "si-2.3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-2.3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(a)", + "class": "sp800-53a" + } + ], + "prose": "the time between flaw identification and flaw remediation is measured;", + "links": [ + { + "href": "#si-2.3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-02(03)(b)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-02.03_odp }} for taking corrective actions have been established.", + "links": [ + { + "href": "#si-2.3_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-2.3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-2.3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-02(03)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-2.3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-02(03)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation" + } + ] + }, + { + "id": "si-2.3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-02(03)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation" + } + ] + } + ] + } + ] + }, + { + "id": "si-3", + "class": "SP800-53", + "title": "Malicious Code Protection", + "params": [ + { + "id": "si-03_odp.01", + "constraints": [ + { + "description": "signature based and non-signature based" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "signature-based", + "non-signature-based" + ] + } + }, + { + "id": "si-03_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least weekly" + } + ], + "guidelines": [ + { + "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" + } + ] + }, + { + "id": "si-03_odp.03", + "constraints": [ + { + "description": "to include endpoints and network entry and exit points" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "endpoint", + "network entry and exit points" + ] + } + }, + { + "id": "si-03_odp.04", + "constraints": [ + { + "description": "to include blocking and quarantining malicious code" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "block malicious code", + "quarantine malicious code", + "take {{ insert: param, si-03_odp.05 }} " + ] + } + }, + { + "id": "si-03_odp.05", + "label": "action", + "constraints": [ + { + "description": "administrator or defined security personnel near-realtime" + } + ], + "guidelines": [ + { + "prose": "action to be taken in response to malicious code detection are defined (if selected);" + } + ] + }, + { + "id": "si-03_odp.06", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-3" + }, + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#88660532-2dcf-442e-845c-03340ce48999", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-23", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-44", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#si-8", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-3_smt", + "name": "statement", + "parts": [ + { + "id": "si-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" + }, + { + "id": "si-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" + }, + { + "id": "si-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Configure malicious code protection mechanisms to:", + "parts": [ + { + "id": "si-3_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" + }, + { + "id": "si-3_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" + } + ] + }, + { + "id": "si-3_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + } + ] + }, + { + "id": "si-3_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." + }, + { + "id": "si-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03b.", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", + "links": [ + { + "href": "#si-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-3_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-03d.", + "class": "sp800-53a" + } + ], + "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", + "links": [ + { + "href": "#si-3_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" + } + ] + }, + { + "id": "si-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" + } + ] + } + ] + }, + { + "id": "si-4", + "class": "SP800-53", + "title": "System Monitoring", + "params": [ + { + "id": "si-04_odp.01", + "label": "monitoring objectives", + "guidelines": [ + { + "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" + } + ] + }, + { + "id": "si-04_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods used to identify unauthorized use of the system are defined;" + } + ] + }, + { + "id": "si-04_odp.03", + "label": "system monitoring information", + "guidelines": [ + { + "prose": "system monitoring information to be provided to personnel or roles is defined;" + } + ] + }, + { + "id": "si-04_odp.04", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" + } + ] + }, + { + "id": "si-04_odp.05", + "select": { + "how-many": "one-or-more", + "choice": [ + "as needed", + " {{ insert: param, si-04_odp.06 }} " + ] + } + }, + { + "id": "si-04_odp.06", + "label": "frequency", + "guidelines": [ + { + "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4" + }, + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "rel": "reference" + }, + { + "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "rel": "reference" + }, + { + "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "rel": "reference" + }, + { + "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "rel": "reference" + }, + { + "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", + "rel": "reference" + }, + { + "href": "#ac-2", + "rel": "related" + }, + { + "href": "#ac-3", + "rel": "related" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#ac-8", + "rel": "related" + }, + { + "href": "#ac-17", + "rel": "related" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#au-7", + "rel": "related" + }, + { + "href": "#au-9", + "rel": "related" + }, + { + "href": "#au-12", + "rel": "related" + }, + { + "href": "#au-13", + "rel": "related" + }, + { + "href": "#au-14", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#cm-11", + "rel": "related" + }, + { + "href": "#ia-10", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#pm-12", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#ra-10", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-18", + "rel": "related" + }, + { + "href": "#sc-26", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#sc-35", + "rel": "related" + }, + { + "href": "#sc-36", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#sc-43", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Monitor the system to detect:", + "parts": [ + { + "id": "si-4_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" + }, + { + "id": "si-4_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Unauthorized local, network, and remote connections;" + } + ] + }, + { + "id": "si-4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" + }, + { + "id": "si-4_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", + "parts": [ + { + "id": "si-4_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Strategically within the system to collect organization-determined essential information; and" + }, + { + "id": "si-4_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + } + ] + }, + { + "id": "si-4_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Analyze detected events and anomalies;" + }, + { + "id": "si-4_smt.e", + "name": "item", + "props": [ + { + "name": "label", + "value": "e." + } + ], + "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" + }, + { + "id": "si-4_smt.f", + "name": "item", + "props": [ + { + "name": "label", + "value": "f." + } + ], + "prose": "Obtain legal opinion regarding system monitoring activities; and" + }, + { + "id": "si-4_smt.g", + "name": "item", + "props": [ + { + "name": "label", + "value": "g." + } + ], + "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + }, + { + "id": "si-4_fr", + "name": "item", + "title": "SI-4 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "See US-CERT Incident Response Reporting Guidelines." + } + ] + } + ] + }, + { + "id": "si-4_gdn", + "name": "guidance", + "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." + }, + { + "id": "si-4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.01", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", + "links": [ + { + "href": "#si-4_smt.a.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.a.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized local connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized network connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.a.2-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04a.02[03]", + "class": "sp800-53a" + } + ], + "prose": "the system is monitored to detect unauthorized remote connections;", + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04b.", + "class": "sp800-53a" + } + ], + "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", + "links": [ + { + "href": "#si-4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.01", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", + "links": [ + { + "href": "#si-4_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04c.02", + "class": "sp800-53a" + } + ], + "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", + "links": [ + { + "href": "#si-4_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4_obj.d-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[01]", + "class": "sp800-53a" + } + ], + "prose": "detected events are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.d-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04d.[02]", + "class": "sp800-53a" + } + ], + "prose": "detected anomalies are analyzed;", + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt.d", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.e", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04e.", + "class": "sp800-53a" + } + ], + "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", + "links": [ + { + "href": "#si-4_smt.e", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.f", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04f.", + "class": "sp800-53a" + } + ], + "prose": "a legal opinion regarding system monitoring activities is obtained;", + "links": [ + { + "href": "#si-4_smt.f", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_obj.g", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04g.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", + "links": [ + { + "href": "#si-4_smt.g", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" + } + ] + }, + { + "id": "si-4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" + } + ] + } + ], + "controls": [ + { + "id": "si-4.1", + "class": "SP800-53-enhancement", + "title": "System-wide Intrusion Detection System", + "props": [ + { + "name": "label", + "value": "SI-4(1)" + }, + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.1_smt", + "name": "statement", + "prose": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + }, + { + "id": "si-4.1_gdn", + "name": "guidance", + "prose": "Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful." + }, + { + "id": "si-4.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system.", + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection capabilities" + } + ] + } + ] + }, + { + "id": "si-4.2", + "class": "SP800-53-enhancement", + "title": "Automated Tools and Mechanisms for Real-time Analysis", + "props": [ + { + "name": "label", + "value": "SI-4(2)" + }, + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#pm-23", + "rel": "related" + }, + { + "href": "#pm-25", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.2_smt", + "name": "statement", + "prose": "Employ automated tools and mechanisms to support near real-time analysis of events." + }, + { + "id": "si-4.2_gdn", + "name": "guidance", + "prose": "Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." + }, + { + "id": "si-4.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(02)", + "class": "sp800-53a" + } + ], + "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.", + "links": [ + { + "href": "#si-4.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response/management" + } + ] + }, + { + "id": "si-4.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring\n\nmechanisms/tools supporting and/or implementing an analysis of events" + } + ] + } + ] + }, + { + "id": "si-4.4", + "class": "SP800-53-enhancement", + "title": "Inbound and Outbound Communications Traffic", + "params": [ + { + "id": "si-4.4_prm_1", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "continuously" + } + ] + }, + { + "id": "si-4.4_prm_2", + "label": "organization-defined unusual or unauthorized activities or conditions" + }, + { + "id": "si-04.04_odp.01", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.02", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;" + } + ] + }, + { + "id": "si-04.04_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;" + } + ] + }, + { + "id": "si-04.04_odp.04", + "label": "unusual or unauthorized activities or conditions", + "guidelines": [ + { + "prose": "unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(4)" + }, + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.04" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.4_smt", + "name": "statement", + "parts": [ + { + "id": "si-4.4_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;" + }, + { + "id": "si-4.4_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}." + } + ] + }, + { + "id": "si-4.4_gdn", + "name": "guidance", + "prose": "Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components." + }, + { + "id": "si-4.4_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;", + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.4_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[01]", + "class": "sp800-53a" + } + ], + "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(04)(b)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.", + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.4_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.4_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(04)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.4_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(04)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.4_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(04)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.5", + "class": "SP800-53-enhancement", + "title": "System-generated Alerts", + "params": [ + { + "id": "si-04.05_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;" + } + ] + }, + { + "id": "si-04.05_odp.02", + "label": "compromise indicators", + "guidelines": [ + { + "prose": "compromise indicators are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(5)" + }, + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-4", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#pe-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.5_smt", + "name": "statement", + "prose": "Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}.", + "parts": [ + { + "id": "si-4.5_fr", + "name": "item", + "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-4.5_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "In accordance with the incident response plan." + } + ] + } + ] + }, + { + "id": "si-4.5_gdn", + "name": "guidance", + "prose": "Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats." + }, + { + "id": "si-4.5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(05)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.", + "links": [ + { + "href": "#si-4.5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(05)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(05)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(05)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing alerts for compromise indicators" + } + ] + } + ] + }, + { + "id": "si-4.16", + "class": "SP800-53-enhancement", + "title": "Correlate Monitoring Information", + "props": [ + { + "name": "label", + "value": "SI-4(16)" + }, + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#au-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.16_smt", + "name": "statement", + "prose": "Correlate information from monitoring tools and mechanisms employed throughout the system." + }, + { + "id": "si-4.16_gdn", + "name": "guidance", + "prose": "Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)." + }, + { + "id": "si-4.16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(16)", + "class": "sp800-53a" + } + ], + "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated.", + "links": [ + { + "href": "#si-4.16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(16)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(16)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(16)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing the correlation of information from monitoring tools" + } + ] + } + ] + }, + { + "id": "si-4.18", + "class": "SP800-53-enhancement", + "title": "Analyze Traffic and Covert Exfiltration", + "params": [ + { + "id": "si-04.18_odp", + "label": "interior points", + "guidelines": [ + { + "prose": "interior points within the system where communications traffic is to be analyzed are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(18)" + }, + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.18" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-4.18_smt", + "name": "statement", + "prose": "Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}." + }, + { + "id": "si-4.18_gdn", + "name": "guidance", + "prose": "Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography." + }, + { + "id": "si-4.18_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-4.18_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[01]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(18)[02]", + "class": "sp800-53a" + } + ], + "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.", + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-4.18_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.18_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(18)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.18_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(18)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system" + } + ] + }, + { + "id": "si-4.18_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(18)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing an analysis of outbound communications traffic" + } + ] + } + ] + }, + { + "id": "si-4.23", + "class": "SP800-53-enhancement", + "title": "Host-based Devices", + "params": [ + { + "id": "si-04.23_odp.01", + "label": "host-based monitoring mechanisms", + "guidelines": [ + { + "prose": "host-based monitoring mechanisms to be implemented on system components are defined;" + } + ] + }, + { + "id": "si-04.23_odp.02", + "label": "system components", + "guidelines": [ + { + "prose": "system components where host-based monitoring is to be implemented are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-4(23)" + }, + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-04.23" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-4", + "rel": "required" + }, + { + "href": "#ac-18", + "rel": "related" + }, + { + "href": "#ac-19", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-4.23_smt", + "name": "statement", + "prose": "Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}." + }, + { + "id": "si-4.23_gdn", + "name": "guidance", + "prose": "Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors." + }, + { + "id": "si-4.23_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-04(23)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.", + "links": [ + { + "href": "#si-4.23_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-4.23_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-04(23)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-4.23_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-04(23)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts" + } + ] + }, + { + "id": "si-4.23_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-04(23)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing a host-based monitoring capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-5", + "class": "SP800-53", + "title": "Security Alerts, Advisories, and Directives", + "params": [ + { + "id": "si-05_odp.01", + "label": "external organizations", + "constraints": [ + { + "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" + } + ], + "guidelines": [ + { + "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" + } + ] + }, + { + "id": "si-05_odp.02", + "constraints": [ + { + "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-05_odp.03 }} ", + " {{ insert: param, si-05_odp.04 }} ", + " {{ insert: param, si-05_odp.05 }} " + ] + } + }, + { + "id": "si-05_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.04", + "label": "elements", + "guidelines": [ + { + "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + }, + { + "id": "si-05_odp.05", + "label": "external organizations", + "guidelines": [ + { + "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-5" + }, + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", + "rel": "reference" + }, + { + "href": "#pm-15", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-5_smt", + "name": "statement", + "parts": [ + { + "id": "si-5_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + }, + { + "id": "si-5_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" + }, + { + "id": "si-5_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" + }, + { + "id": "si-5_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + }, + { + "id": "si-5_fr_smt.1", + "name": "item", + "title": "SI-5 Additional FedRAMP Requirements and Guidance", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." + } + ] + }, + { + "id": "si-5_gdn", + "name": "guidance", + "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." + }, + { + "id": "si-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-5_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05a.", + "class": "sp800-53a" + } + ], + "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", + "links": [ + { + "href": "#si-5_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05b.", + "class": "sp800-53a" + } + ], + "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", + "links": [ + { + "href": "#si-5_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05c.", + "class": "sp800-53a" + } + ], + "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", + "links": [ + { + "href": "#si-5_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-05d.", + "class": "sp800-53a" + } + ], + "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", + "links": [ + { + "href": "#si-5_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" + } + ] + }, + { + "id": "si-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" + } + ] + } + ] + }, + { + "id": "si-6", + "class": "SP800-53", + "title": "Security and Privacy Function Verification", + "params": [ + { + "id": "si-6_prm_1", + "label": "organization-defined security and privacy functions" + }, + { + "id": "si-06_odp.01", + "label": "security functions", + "guidelines": [ + { + "prose": "security functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.02", + "label": "privacy functions", + "guidelines": [ + { + "prose": "privacy functions to be verified for correct operation are defined;" + } + ] + }, + { + "id": "si-06_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + " {{ insert: param, si-06_odp.04 }} ", + "upon command by user with appropriate privilege", + " {{ insert: param, si-06_odp.05 }} " + ] + } + }, + { + "id": "si-06_odp.04", + "label": "system transitional states", + "constraints": [ + { + "description": "to include upon system startup and/or restart" + } + ], + "guidelines": [ + { + "prose": "system transitional states requiring the verification of security and privacy functions are defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least monthly" + } + ], + "guidelines": [ + { + "prose": "frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)" + } + ] + }, + { + "id": "si-06_odp.06", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include system administrators and security personnel" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to be alerted of failed security and privacy verification tests is/are defined;" + } + ] + }, + { + "id": "si-06_odp.07", + "select": { + "how-many": "one-or-more", + "choice": [ + "shut the system down", + "restart the system", + " {{ insert: param, si-06_odp.08 }} " + ] + } + }, + { + "id": "si-06_odp.08", + "label": "alternative action(s)", + "guidelines": [ + { + "prose": "alternative action(s) to be performed when anomalies are discovered are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-6" + }, + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#cm-4", + "rel": "related" + }, + { + "href": "#cm-6", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-6_smt", + "name": "statement", + "parts": [ + { + "id": "si-6_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Verify the correct operation of {{ insert: param, si-6_prm_1 }};" + }, + { + "id": "si-6_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};" + }, + { + "id": "si-6_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and" + }, + { + "id": "si-6_smt.d", + "name": "item", + "props": [ + { + "name": "label", + "value": "d." + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + } + ] + }, + { + "id": "si-6_gdn", + "name": "guidance", + "prose": "Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected." + }, + { + "id": "si-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06a.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;", + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};", + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-6_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06c.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;", + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_obj.d", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-06d.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.", + "links": [ + { + "href": "#si-6_smt.d", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer" + } + ] + }, + { + "id": "si-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for security and privacy function verification\n\nmechanisms supporting and/or implementing the security and privacy function verification capability" + } + ] + } + ] + }, + { + "id": "si-7", + "class": "SP800-53", + "title": "Software, Firmware, and Information Integrity", + "params": [ + { + "id": "si-7_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7_prm_2", + "label": "organization-defined actions" + }, + { + "id": "si-07_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.02", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.03", + "label": "information", + "guidelines": [ + { + "prose": "information requiring integrity verification tools to be employed to detect unauthorized changes is defined;" + } + ] + }, + { + "id": "si-07_odp.04", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to software are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.05", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to firmware are detected are defined;" + } + ] + }, + { + "id": "si-07_odp.06", + "label": "actions", + "guidelines": [ + { + "prose": "actions to be taken when unauthorized changes to information are detected are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7" + }, + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", + "rel": "reference" + }, + { + "href": "#e47ee630-9cbc-4133-880e-e013f83ccd51", + "rel": "reference" + }, + { + "href": "#ac-4", + "rel": "related" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#cm-7", + "rel": "related" + }, + { + "href": "#cm-8", + "rel": "related" + }, + { + "href": "#ma-3", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#ra-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sc-8", + "rel": "related" + }, + { + "href": "#sc-12", + "rel": "related" + }, + { + "href": "#sc-13", + "rel": "related" + }, + { + "href": "#sc-28", + "rel": "related" + }, + { + "href": "#sc-37", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7_smt", + "name": "statement", + "parts": [ + { + "id": "si-7_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and" + }, + { + "id": "si-7_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}." + } + ] + }, + { + "id": "si-7_gdn", + "name": "guidance", + "prose": "Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications." + }, + { + "id": "si-7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[01]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[02]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07a.[03]", + "class": "sp800-53a" + } + ], + "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};", + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7_obj.b-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_obj.b-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07b.[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.", + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" + } + ] + }, + { + "id": "si-7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ], + "controls": [ + { + "id": "si-7.1", + "class": "SP800-53-enhancement", + "title": "Integrity Checks", + "params": [ + { + "id": "si-7.1_prm_1", + "label": "organization-defined software, firmware, and information" + }, + { + "id": "si-7.1_prm_2", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-7.1_prm_3 }} ", + " {{ insert: param, si-7.1_prm_4 }} " + ] + } + }, + { + "id": "si-7.1_prm_3", + "label": "organization-defined transitional states or security-relevant events", + "constraints": [ + { + "description": "selection to include security relevant event" + } + ] + }, + { + "id": "si-7.1_prm_4", + "label": "organization-defined frequency", + "constraints": [ + { + "description": "at least monthly" + } + ] + }, + { + "id": "si-07.01_odp.01", + "label": "software", + "guidelines": [ + { + "prose": "software on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.03 }} ", + " {{ insert: param, si-07.01_odp.04 }} " + ] + } + }, + { + "id": "si-07.01_odp.03", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.04", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on software) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.05", + "label": "firmware", + "guidelines": [ + { + "prose": "firmware on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.06", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.07 }} ", + " {{ insert: param, si-07.01_odp.08 }} " + ] + } + }, + { + "id": "si-07.01_odp.07", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.08", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (on firmware) is defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.09", + "label": "information", + "guidelines": [ + { + "prose": "information on which an integrity check is to be performed is defined;" + } + ] + }, + { + "id": "si-07.01_odp.10", + "select": { + "how-many": "one-or-more", + "choice": [ + "at startup", + "at {{ insert: param, si-07.01_odp.11 }} ", + " {{ insert: param, si-07.01_odp.12 }} " + ] + } + }, + { + "id": "si-07.01_odp.11", + "label": "transitional states or security-relevant events", + "guidelines": [ + { + "prose": "transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);" + } + ] + }, + { + "id": "si-07.01_odp.12", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency with which to perform an integrity check (of information) is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(1)" + }, + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-7.1_smt", + "name": "statement", + "prose": "Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}." + }, + { + "id": "si-7.1_gdn", + "name": "guidance", + "prose": "Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort." + }, + { + "id": "si-7.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-7.1_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[01]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[02]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(01)[03]", + "class": "sp800-53a" + } + ], + "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.", + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-7.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-7.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Software, firmware, and information integrity verification tools" + } + ] + } + ] + }, + { + "id": "si-7.7", + "class": "SP800-53-enhancement", + "title": "Integration of Detection and Response", + "params": [ + { + "id": "si-07.07_odp", + "label": "changes", + "guidelines": [ + { + "prose": "security-relevant changes to the system are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-7(7)" + }, + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-07.07" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#si-7", + "rel": "required" + }, + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-6", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-5", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-7.7_smt", + "name": "statement", + "prose": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}." + }, + { + "id": "si-7.7_gdn", + "name": "guidance", + "prose": "Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges." + }, + { + "id": "si-7.7_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-07(07)", + "class": "sp800-53a" + } + ], + "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.", + "links": [ + { + "href": "#si-7.7_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-7.7_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-07(07)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-7.7_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-07(07)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for software, firmware, and/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities" + } + ] + }, + { + "id": "si-7.7_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-07(07)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability" + } + ] + } + ] + } + ] + }, + { + "id": "si-8", + "class": "SP800-53", + "title": "Spam Protection", + "props": [ + { + "name": "label", + "value": "SI-8" + }, + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#314e33cb-3681-4b50-a2a2-3fae9604accd", + "rel": "reference" + }, + { + "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "rel": "reference" + }, + { + "href": "#pl-9", + "rel": "related" + }, + { + "href": "#sc-5", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-3", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-8_smt", + "name": "statement", + "parts": [ + { + "id": "si-8_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and" + }, + { + "id": "si-8_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures." + }, + { + "id": "si-8_fr", + "name": "item", + "title": "SI-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-8_fr_gdn.1", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/" + }, + { + "id": "si-8_fr_gdn.2", + "name": "guidance", + "props": [ + { + "name": "label", + "value": "Guidance:" + } + ], + "prose": "CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients." + } + ] + } + ] + }, + { + "id": "si-8_gdn", + "name": "guidance", + "prose": "System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions." + }, + { + "id": "si-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-8_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[01]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[02]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[03]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08a.[04]", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;", + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08b.", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.", + "links": [ + { + "href": "#si-8_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for implementing spam protection\n\nmechanisms supporting and/or implementing spam protection" + } + ] + } + ], + "controls": [ + { + "id": "si-8.2", + "class": "SP800-53-enhancement", + "title": "Automatic Updates", + "params": [ + { + "id": "si-08.02_odp", + "label": "frequency", + "guidelines": [ + { + "prose": "the frequency at which to automatically update spam protection mechanisms is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-8(2)" + }, + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-08.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#si-8", + "rel": "required" + } + ], + "parts": [ + { + "id": "si-8.2_smt", + "name": "statement", + "prose": "Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}." + }, + { + "id": "si-8.2_gdn", + "name": "guidance", + "prose": "Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities." + }, + { + "id": "si-8.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-08(02)", + "class": "sp800-53a" + } + ], + "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.", + "links": [ + { + "href": "#si-8.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-8.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-08(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-8.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-08(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-8.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-08(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for spam protection\n\nmechanisms supporting and/or implementing automatic updates to spam protection mechanisms" + } + ] + } + ] + } + ] + }, + { + "id": "si-10", + "class": "SP800-53", + "title": "Information Input Validation", + "params": [ + { + "id": "si-10_odp", + "label": "information inputs", + "guidelines": [ + { + "prose": "information inputs to the system requiring validity checks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-10" + }, + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + } + ], + "parts": [ + { + "id": "si-10_smt", + "name": "statement", + "prose": "Check the validity of the following information inputs: {{ insert: param, si-10_odp }}.", + "parts": [ + { + "id": "si-10_fr", + "name": "item", + "title": "SI-10 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "si-10_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "Validate all information inputs and document any exceptions" + } + ] + } + ] + }, + { + "id": "si-10_gdn", + "name": "guidance", + "prose": "Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks." + }, + { + "id": "si-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-10", + "class": "sp800-53a" + } + ], + "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.", + "links": [ + { + "href": "#si-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Mechanisms supporting and/or implementing validity checks on information inputs" + } + ] + } + ] + }, + { + "id": "si-11", + "class": "SP800-53", + "title": "Error Handling", + "params": [ + { + "id": "si-11_odp", + "label": "personnel or roles", + "constraints": [ + { + "description": "to include the ISSO and/or similar role within the organization" + } + ], + "guidelines": [ + { + "prose": "personnel or roles to whom error messages are to be revealed is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-11" + }, + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + } + ], + "links": [ + { + "href": "#au-2", + "rel": "related" + }, + { + "href": "#au-3", + "rel": "related" + }, + { + "href": "#sc-31", + "rel": "related" + }, + { + "href": "#si-2", + "rel": "related" + }, + { + "href": "#si-15", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-11_smt", + "name": "statement", + "parts": [ + { + "id": "si-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and" + }, + { + "id": "si-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Reveal error messages only to {{ insert: param, si-11_odp }}." + } + ] + }, + { + "id": "si-11_gdn", + "name": "guidance", + "prose": "Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information." + }, + { + "id": "si-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11a.", + "class": "sp800-53a" + } + ], + "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;", + "links": [ + { + "href": "#si-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-11b.", + "class": "sp800-53a" + } + ], + "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.", + "links": [ + { + "href": "#si-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing the management of error messages" + } + ] + } + ] + }, + { + "id": "si-12", + "class": "SP800-53", + "title": "Information Management and Retention", + "props": [ + { + "name": "label", + "value": "SI-12" + }, + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + } + ], + "links": [ + { + "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", + "rel": "reference" + }, + { + "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "rel": "reference" + }, + { + "href": "#ac-16", + "rel": "related" + }, + { + "href": "#au-5", + "rel": "related" + }, + { + "href": "#au-11", + "rel": "related" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ca-3", + "rel": "related" + }, + { + "href": "#ca-5", + "rel": "related" + }, + { + "href": "#ca-6", + "rel": "related" + }, + { + "href": "#ca-7", + "rel": "related" + }, + { + "href": "#ca-9", + "rel": "related" + }, + { + "href": "#cm-5", + "rel": "related" + }, + { + "href": "#cm-9", + "rel": "related" + }, + { + "href": "#cp-2", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + }, + { + "href": "#mp-2", + "rel": "related" + }, + { + "href": "#mp-3", + "rel": "related" + }, + { + "href": "#mp-4", + "rel": "related" + }, + { + "href": "#mp-6", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pl-4", + "rel": "related" + }, + { + "href": "#pm-4", + "rel": "related" + }, + { + "href": "#pm-8", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#ps-2", + "rel": "related" + }, + { + "href": "#ps-6", + "rel": "related" + }, + { + "href": "#pt-2", + "rel": "related" + }, + { + "href": "#pt-3", + "rel": "related" + }, + { + "href": "#ra-2", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sr-2", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-12_smt", + "name": "statement", + "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + }, + { + "id": "si-12_gdn", + "name": "guidance", + "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + }, + { + "id": "si-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "si-12_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[01]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[02]", + "class": "sp800-53a" + } + ], + "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[03]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_obj-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-12[04]", + "class": "sp800-53a" + } + ], + "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#si-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" + } + ] + }, + { + "id": "si-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" + } + ] + } + ] + }, + { + "id": "si-16", + "class": "SP800-53", + "title": "Memory Protection", + "params": [ + { + "id": "si-16_odp", + "label": "controls", + "guidelines": [ + { + "prose": "controls to be implemented to protect the system memory from unauthorized code execution are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SI-16" + }, + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "si-16" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#ac-25", + "rel": "related" + }, + { + "href": "#sc-3", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + } + ], + "parts": [ + { + "id": "si-16_smt", + "name": "statement", + "prose": "Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}." + }, + { + "id": "si-16_gdn", + "name": "guidance", + "prose": "Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism." + }, + { + "id": "si-16_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SI-16", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.", + "links": [ + { + "href": "#si-16_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "si-16_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SI-16-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "si-16_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SI-16-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer" + } + ] + }, + { + "id": "si-16_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SI-16-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution" + } + ] + } + ] + } + ] + }, + { + "id": "sr", + "class": "family", + "title": "Supply Chain Risk Management", + "controls": [ + { + "id": "sr-1", + "class": "SP800-53", + "title": "Policy and Procedures", + "params": [ + { + "id": "sr-1_prm_1", + "label": "organization-defined personnel or roles", + "constraints": [ + { + "description": "to include chief privacy and ISSO and/or similar role or designees" + } + ] + }, + { + "id": "sr-01_odp.01", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.02", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" + } + ] + }, + { + "id": "sr-01_odp.03", + "select": { + "how-many": "one-or-more", + "choice": [ + "organization-level", + "mission/business process-level", + "system-level" + ] + } + }, + { + "id": "sr-01_odp.04", + "label": "official", + "guidelines": [ + { + "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" + } + ] + }, + { + "id": "sr-01_odp.05", + "label": "frequency", + "constraints": [ + { + "description": "at least every 3 years" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.06", + "label": "events", + "guidelines": [ + { + "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" + } + ] + }, + { + "id": "sr-01_odp.07", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" + } + ] + }, + { + "id": "sr-01_odp.08", + "label": "events", + "constraints": [ + { + "description": "significant changes" + } + ], + "guidelines": [ + { + "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-1" + }, + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ps-8", + "rel": "related" + }, + { + "href": "#si-12", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-1_smt", + "name": "statement", + "parts": [ + { + "id": "sr-1_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", + "parts": [ + { + "id": "sr-1_smt.a.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", + "parts": [ + { + "id": "sr-1_smt.a.1.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "(a)" + } + ], + "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" + }, + { + "id": "sr-1_smt.a.1.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "(b)" + } + ], + "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" + } + ] + }, + { + "id": "sr-1_smt.a.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" + } + ] + }, + { + "id": "sr-1_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" + }, + { + "id": "sr-1_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Review and update the current supply chain risk management:", + "parts": [ + { + "id": "sr-1_smt.c.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "1." + } + ], + "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" + }, + { + "id": "sr-1_smt.c.2", + "name": "item", + "props": [ + { + "name": "label", + "value": "2." + } + ], + "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." + } + ] + } + ] + }, + { + "id": "sr-1_gdn", + "name": "guidance", + "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." + }, + { + "id": "sr-1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management policy is developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[03]", + "class": "sp800-53a" + } + ], + "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.a.1.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[01]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[02]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[04]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[05]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[06]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(a)[07]", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.a.1.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01a.01(b)", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", + "links": [ + { + "href": "#sr-1_smt.a.1.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01b.", + "class": "sp800-53a" + } + ], + "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", + "links": [ + { + "href": "#sr-1_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.1-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.1-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.01[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.1", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-1_obj.c.2-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[01]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_obj.c.2-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-01c.02[02]", + "class": "sp800-53a" + } + ], + "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c.2", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-01-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-01-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" + } + ] + } + ] + }, + { + "id": "sr-2", + "class": "SP800-53", + "title": "Supply Chain Risk Management Plan", + "params": [ + { + "id": "sr-02_odp.01", + "label": "systems, system components, or system services", + "guidelines": [ + { + "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" + } + ] + }, + { + "id": "sr-02_odp.02", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2" + }, + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", + "rel": "reference" + }, + { + "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#cp-4", + "rel": "related" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-2", + "rel": "related" + }, + { + "href": "#pm-9", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#ra-3", + "rel": "related" + }, + { + "href": "#ra-7", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-2_smt", + "name": "statement", + "parts": [ + { + "id": "sr-2_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" + }, + { + "id": "sr-2_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" + }, + { + "id": "sr-2_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." + } + ] + }, + { + "id": "sr-2_gdn", + "name": "guidance", + "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." + }, + { + "id": "sr-2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a plan for managing supply chain risks is developed;", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-5", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[05]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-6", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[06]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-7", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[07]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-8", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[08]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.a-9", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02a.[09]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02b.", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", + "links": [ + { + "href": "#sr-2_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-2_obj.c-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[01]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_obj.c-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02c.[02]", + "class": "sp800-53a" + } + ], + "prose": "the supply chain risk management plan is protected from unauthorized modification.", + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-02-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" + } + ] + } + ], + "controls": [ + { + "id": "sr-2.1", + "class": "SP800-53-enhancement", + "title": "Establish SCRM Team", + "params": [ + { + "id": "sr-02.01_odp.01", + "label": "personnel, roles and responsibilities", + "guidelines": [ + { + "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" + } + ] + }, + { + "id": "sr-02.01_odp.02", + "label": "supply chain risk management activities", + "guidelines": [ + { + "prose": "supply chain risk management activities are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-2(1)" + }, + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-02.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-2", + "rel": "required" + } + ], + "parts": [ + { + "id": "sr-2.1_smt", + "name": "statement", + "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." + }, + { + "id": "sr-2.1_gdn", + "name": "guidance", + "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." + }, + { + "id": "sr-2.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-02(01)", + "class": "sp800-53a" + } + ], + "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", + "links": [ + { + "href": "#sr-2.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-2.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-02(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-2.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-02(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" + } + ] + } + ] + } + ] + }, + { + "id": "sr-3", + "class": "SP800-53", + "title": "Supply Chain Controls and Processes", + "params": [ + { + "id": "sr-03_odp.01", + "label": "system or system component", + "guidelines": [ + { + "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" + } + ] + }, + { + "id": "sr-03_odp.02", + "label": "supply chain personnel", + "guidelines": [ + { + "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" + } + ] + }, + { + "id": "sr-03_odp.03", + "label": "supply chain controls", + "guidelines": [ + { + "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" + } + ] + }, + { + "id": "sr-03_odp.04", + "select": { + "how-many": "one-or-more", + "choice": [ + "security and privacy plans", + "supply chain risk management plan", + " {{ insert: param, sr-03_odp.05 }} " + ] + } + }, + { + "id": "sr-03_odp.05", + "label": "document", + "guidelines": [ + { + "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-3" + }, + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-03" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "system" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ca-2", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-6", + "rel": "related" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#pe-16", + "rel": "related" + }, + { + "href": "#pl-8", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sc-7", + "rel": "related" + }, + { + "href": "#sc-29", + "rel": "related" + }, + { + "href": "#sc-30", + "rel": "related" + }, + { + "href": "#sc-38", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-3_smt", + "name": "statement", + "parts": [ + { + "id": "sr-3_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" + }, + { + "id": "sr-3_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" + }, + { + "id": "sr-3_smt.c", + "name": "item", + "props": [ + { + "name": "label", + "value": "c." + } + ], + "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." + }, + { + "id": "sr-3_fr", + "name": "item", + "title": "SR-3 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-3_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." + } + ] + } + ] + }, + { + "id": "sr-3_gdn", + "name": "guidance", + "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." + }, + { + "id": "sr-3_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-3_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[01]", + "class": "sp800-53a" + } + ], + "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03a.[02]", + "class": "sp800-53a" + } + ], + "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03b.", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", + "links": [ + { + "href": "#sr-3_smt.b", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_obj.c", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-03c.", + "class": "sp800-53a" + } + ], + "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", + "links": [ + { + "href": "#sr-3_smt.c", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-3_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-3_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-03-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-3_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-03-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-3_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-03-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" + } + ] + } + ] + }, + { + "id": "sr-5", + "class": "SP800-53", + "title": "Acquisition Strategies, Tools, and Methods", + "params": [ + { + "id": "sr-05_odp", + "label": "strategies, tools, and methods", + "guidelines": [ + { + "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-5" + }, + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-05" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#sa-2", + "rel": "related" + }, + { + "href": "#sa-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#sa-5", + "rel": "related" + }, + { + "href": "#sa-8", + "rel": "related" + }, + { + "href": "#sa-9", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + }, + { + "href": "#sa-15", + "rel": "related" + }, + { + "href": "#sr-6", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-5_smt", + "name": "statement", + "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." + }, + { + "id": "sr-5_gdn", + "name": "guidance", + "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." + }, + { + "id": "sr-5_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-5_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[01]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[02]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_obj-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-05[03]", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-5_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-5_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-05-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-5_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-05-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-5_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-05-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" + } + ] + } + ] + }, + { + "id": "sr-6", + "class": "SP800-53", + "title": "Supplier Assessments and Reviews", + "params": [ + { + "id": "sr-06_odp", + "label": "frequency", + "constraints": [ + { + "description": "at least annually" + } + ], + "guidelines": [ + { + "prose": "the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-6" + }, + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-06" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", + "rel": "reference" + }, + { + "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", + "rel": "reference" + }, + { + "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "rel": "reference" + }, + { + "href": "#a295ca19-8c75-4b4c-8800-98024732e181", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", + "rel": "reference" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-6_smt", + "name": "statement", + "prose": "Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.", + "parts": [ + { + "id": "sr-6_fr", + "name": "item", + "title": "SR-6 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-6_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products." + } + ] + } + ] + }, + { + "id": "sr-6_gdn", + "name": "guidance", + "prose": "An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts." + }, + { + "id": "sr-6_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-06", + "class": "sp800-53a" + } + ], + "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.", + "links": [ + { + "href": "#sr-6_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-6_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-06-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-6_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-06-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-6_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-06-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for conducting supplier reviews\n\nmechanisms supporting and/or implementing supplier reviews" + } + ] + } + ] + }, + { + "id": "sr-8", + "class": "SP800-53", + "title": "Notification Agreements", + "params": [ + { + "id": "sr-08_odp.01", + "constraints": [ + { + "description": "notification of supply chain compromises and results of assessment or audits" + } + ], + "select": { + "how-many": "one-or-more", + "choice": [ + "notification of supply chain compromises", + " {{ insert: param, sr-08_odp.02 }} " + ] + } + }, + { + "id": "sr-08_odp.02", + "label": "results of assessments or audits", + "guidelines": [ + { + "prose": "information for which agreements and procedures are to be established are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-8" + }, + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-08" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", + "rel": "reference" + }, + { + "href": "#0f963c17-ab5a-432a-a867-91eac550309b", + "rel": "reference" + }, + { + "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", + "rel": "reference" + }, + { + "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", + "rel": "reference" + }, + { + "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", + "rel": "reference" + }, + { + "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "rel": "reference" + }, + { + "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", + "rel": "reference" + }, + { + "href": "#ir-4", + "rel": "related" + }, + { + "href": "#ir-6", + "rel": "related" + }, + { + "href": "#ir-8", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-8_smt", + "name": "statement", + "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", + "parts": [ + { + "id": "sr-8_fr", + "name": "item", + "title": "SR-8 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-8_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." + } + ] + } + ] + }, + { + "id": "sr-8_gdn", + "name": "guidance", + "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." + }, + { + "id": "sr-8_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-08", + "class": "sp800-53a" + } + ], + "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", + "links": [ + { + "href": "#sr-8_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-8_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-08-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-8_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-08-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-8_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-08-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" + } + ] + } + ] + }, + { + "id": "sr-10", + "class": "SP800-53", + "title": "Inspection of Systems or Components", + "params": [ + { + "id": "sr-10_odp.01", + "label": "systems or system components", + "guidelines": [ + { + "prose": "systems or system components that require inspection are defined;" + } + ] + }, + { + "id": "sr-10_odp.02", + "select": { + "how-many": "one-or-more", + "choice": [ + "at random", + "at {{ insert: param, sr-10_odp.03 }} ", + "upon {{ insert: param, sr-10_odp.04 }} " + ] + } + }, + { + "id": "sr-10_odp.03", + "label": "frequency", + "guidelines": [ + { + "prose": "frequency at which to inspect systems or system components is defined (if selected);" + } + ] + }, + { + "id": "sr-10_odp.04", + "label": "indications of need for inspection", + "guidelines": [ + { + "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-10" + }, + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-10" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#at-3", + "rel": "related" + }, + { + "href": "#pm-30", + "rel": "related" + }, + { + "href": "#si-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-3", + "rel": "related" + }, + { + "href": "#sr-4", + "rel": "related" + }, + { + "href": "#sr-5", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-11", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-10_smt", + "name": "statement", + "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." + }, + { + "id": "sr-10_gdn", + "name": "guidance", + "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." + }, + { + "id": "sr-10_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-10", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", + "links": [ + { + "href": "#sr-10_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-10_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-10-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-10_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-10-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-10_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-10-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" + } + ] + } + ] + }, + { + "id": "sr-11", + "class": "SP800-53", + "title": "Component Authenticity", + "params": [ + { + "id": "sr-11_odp.01", + "select": { + "how-many": "one-or-more", + "choice": [ + "source of counterfeit component", + " {{ insert: param, sr-11_odp.02 }} ", + " {{ insert: param, sr-11_odp.03 }} " + ] + } + }, + { + "id": "sr-11_odp.02", + "label": "external reporting organizations", + "guidelines": [ + { + "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + }, + { + "id": "sr-11_odp.03", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11" + }, + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#15a95e24-65b6-4686-bc18-90855a10457d", + "rel": "reference" + }, + { + "href": "#pe-3", + "rel": "related" + }, + { + "href": "#sa-4", + "rel": "related" + }, + { + "href": "#si-7", + "rel": "related" + }, + { + "href": "#sr-9", + "rel": "related" + }, + { + "href": "#sr-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11_smt", + "name": "statement", + "parts": [ + { + "id": "sr-11_smt.a", + "name": "item", + "props": [ + { + "name": "label", + "value": "a." + } + ], + "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" + }, + { + "id": "sr-11_smt.b", + "name": "item", + "props": [ + { + "name": "label", + "value": "b." + } + ], + "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." + }, + { + "id": "sr-11_fr", + "name": "item", + "title": "SR-11 Additional FedRAMP Requirements and Guidance", + "parts": [ + { + "id": "sr-11_fr_smt.1", + "name": "item", + "props": [ + { + "name": "label", + "value": "Requirement:" + } + ], + "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." + } + ] + } + ] + }, + { + "id": "sr-11_gdn", + "name": "guidance", + "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." + }, + { + "id": "sr-11_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11_obj.a-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[01]", + "class": "sp800-53a" + } + ], + "prose": "an anti-counterfeit policy is developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[02]", + "class": "sp800-53a" + } + ], + "prose": "anti-counterfeit procedures are developed and implemented;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-3", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[03]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.a-4", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11a.[04]", + "class": "sp800-53a" + } + ], + "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt.a", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_obj.b", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11b.", + "class": "sp800-53a" + } + ], + "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", + "links": [ + { + "href": "#sr-11_smt.b", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" + } + ] + }, + { + "id": "sr-11_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" + } + ] + } + ], + "controls": [ + { + "id": "sr-11.1", + "class": "SP800-53-enhancement", + "title": "Anti-counterfeit Training", + "params": [ + { + "id": "sr-11.01_odp", + "label": "personnel or roles", + "guidelines": [ + { + "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(1)" + }, + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.01" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#at-3", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.1_smt", + "name": "statement", + "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." + }, + { + "id": "sr-11.1_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.1_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(01)", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", + "links": [ + { + "href": "#sr-11.1_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.1_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(01)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.1_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(01)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" + } + ] + }, + { + "id": "sr-11.1_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(01)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for anti-counterfeit training" + } + ] + } + ] + }, + { + "id": "sr-11.2", + "class": "SP800-53-enhancement", + "title": "Configuration Control for Component Service and Repair", + "params": [ + { + "id": "sr-11.02_odp", + "label": "system components", + "constraints": [ + { + "description": "all" + } + ], + "guidelines": [ + { + "prose": "system components requiring configuration control are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-11(2)" + }, + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-11.02" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#sr-11", + "rel": "required" + }, + { + "href": "#cm-3", + "rel": "related" + }, + { + "href": "#ma-2", + "rel": "related" + }, + { + "href": "#ma-4", + "rel": "related" + }, + { + "href": "#sa-10", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-11.2_smt", + "name": "statement", + "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." + }, + { + "id": "sr-11.2_gdn", + "name": "guidance", + "prose": "None." + }, + { + "id": "sr-11.2_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)", + "class": "sp800-53a" + } + ], + "parts": [ + { + "id": "sr-11.2_obj-1", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[01]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_obj-2", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-11(02)[02]", + "class": "sp800-53a" + } + ], + "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + } + ], + "links": [ + { + "href": "#sr-11.2_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-11.2_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-11(02)-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-11.2_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-11(02)-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" + } + ] + }, + { + "id": "sr-11.2_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-11(02)-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" + } + ] + } + ] + } + ] + }, + { + "id": "sr-12", + "class": "SP800-53", + "title": "Component Disposal", + "params": [ + { + "id": "sr-12_odp.01", + "label": "data, documentation, tools, or system components", + "guidelines": [ + { + "prose": "data, documentation, tools, or system components to be disposed of are defined;" + } + ] + }, + { + "id": "sr-12_odp.02", + "label": "techniques and methods", + "guidelines": [ + { + "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" + } + ] + } + ], + "props": [ + { + "name": "label", + "value": "SR-12" + }, + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + }, + { + "name": "sort-id", + "value": "sr-12" + }, + { + "name": "implementation-level", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "organization" + }, + { + "name": "contributes-to-assurance", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "true" + } + ], + "links": [ + { + "href": "#mp-6", + "rel": "related" + } + ], + "parts": [ + { + "id": "sr-12_smt", + "name": "statement", + "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." + }, + { + "id": "sr-12_gdn", + "name": "guidance", + "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." + }, + { + "id": "sr-12_obj", + "name": "assessment-objective", + "props": [ + { + "name": "label", + "value": "SR-12", + "class": "sp800-53a" + } + ], + "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", + "links": [ + { + "href": "#sr-12_smt", + "rel": "assessment-for" + } + ] + }, + { + "id": "sr-12_asm-examine", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "EXAMINE" + }, + { + "name": "label", + "value": "SR-12-Examine", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" + } + ] + }, + { + "id": "sr-12_asm-interview", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "INTERVIEW" + }, + { + "name": "label", + "value": "SR-12-Interview", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" + } + ] + }, + { + "id": "sr-12_asm-test", + "name": "assessment-method", + "props": [ + { + "name": "method", + "ns": "http://csrc.nist.gov/ns/rmf", + "value": "TEST" + }, + { + "name": "label", + "value": "SR-12-Test", + "class": "sp800-53a" + } + ], + "parts": [ + { + "name": "assessment-objects", + "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" + } + ] + } + ] + } + ] + } + ], "back-matter": { "resources": [ + { + "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", + "title": "32 CFR 2002", + "citation": { + "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" + } + ] + }, + { + "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", + "title": "41 CFR 201", + "citation": { + "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." + }, + "rlinks": [ + { + "href": "https://www.federalregister.gov/d/2020-18939" + } + ] + }, + { + "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", + "title": "5 CFR 731", + "citation": { + "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" + } + ] + }, + { + "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", + "title": "CNSSD 505", + "citation": { + "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" + } + ] + }, + { + "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", + "title": "CNSSI 1253", + "citation": { + "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." + }, + "rlinks": [ + { + "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" + } + ] + }, + { + "uuid": "4f42ee6e-86cc-403b-a51f-76c2b4f81b54", + "title": "DHS TIC", + "citation": { + "text": "Department of Homeland Security, *Trusted Internet Connections (TIC)*." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/trusted-internet-connections" + } + ] + }, + { + "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", + "title": "DOD STIG", + "citation": { + "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." + }, + "rlinks": [ + { + "href": "https://public.cyber.mil/stigs" + } + ] + }, + { + "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", + "title": "EO 13526", + "citation": { + "text": "Executive Order 13526, *Classified National Security Information* , December 2009." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" + } + ] + }, + { + "uuid": "34a5571f-e252-4309-a8a1-2fdb2faefbcd", + "title": "EO 13556", + "citation": { + "text": "Executive Order 13556, *Controlled Unclassified Information* , November 2010." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information" + } + ] + }, + { + "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", + "title": "EO 13587", + "citation": { + "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" + } + ] + }, + { + "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", + "title": "EO 13873", + "citation": { + "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" + } + ] + }, + { + "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", + "title": "FASC18", + "citation": { + "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" + } + ] + }, + { + "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", + "title": "FED PKI", + "citation": { + "text": "General Services Administration, *Federal Public Key Infrastructure*." + }, + "rlinks": [ + { + "href": "https://www.idmanagement.gov/topics/fpki" + } + ] + }, + { + "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", + "title": "FIPS 140-3", + "citation": { + "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.140-3" + } + ] + }, + { + "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", + "title": "FIPS 180-4", + "citation": { + "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.180-4" + } + ] + }, + { + "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", + "title": "FIPS 186-4", + "citation": { + "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.186-4" + } + ] + }, + { + "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", + "title": "FIPS 197", + "citation": { + "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.197" + } + ] + }, + { + "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", + "title": "FIPS 199", + "citation": { + "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.199" + } + ] + }, + { + "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", + "title": "FIPS 200", + "citation": { + "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.200" + } + ] + }, + { + "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", + "title": "FIPS 201-2", + "citation": { + "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.201-2" + } + ] + }, + { + "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", + "title": "FIPS 202", + "citation": { + "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.FIPS.202" + } + ] + }, + { + "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", + "title": "FISMA", + "citation": { + "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" + } + ] + }, + { + "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", + "title": "HSPD 12", + "citation": { + "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." + }, + "rlinks": [ + { + "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" + } + ] + }, + { + "uuid": "e4d37285-1e79-4029-8b6a-42df39cace30", + "title": "IETF 5905", + "citation": { + "text": "Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010." + }, + "rlinks": [ + { + "href": "https://tools.ietf.org/pdf/rfc5905.pdf" + } + ] + }, + { + "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", + "title": "IR 7539", + "citation": { + "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7539" + } + ] + }, + { + "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", + "title": "IR 7559", + "citation": { + "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7559" + } + ] + }, + { + "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", + "title": "IR 7622", + "citation": { + "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7622" + } + ] + }, + { + "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", + "title": "IR 7676", + "citation": { + "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7676" + } + ] + }, + { + "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", + "title": "IR 7788", + "citation": { + "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7788" + } + ] + }, + { + "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", + "title": "IR 7817", + "citation": { + "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7817" + } + ] + }, + { + "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", + "title": "IR 7849", + "citation": { + "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7849" + } + ] + }, + { + "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", + "title": "IR 7870", + "citation": { + "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7870" + } + ] + }, + { + "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", + "title": "IR 7874", + "citation": { + "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7874" + } + ] + }, + { + "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", + "title": "IR 7956", + "citation": { + "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7956" + } + ] + }, + { + "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", + "title": "IR 7966", + "citation": { + "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.7966" + } + ] + }, + { + "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", + "title": "IR 8011-1", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-1" + } + ] + }, + { + "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", + "title": "IR 8011-2", + "citation": { + "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-2" + } + ] + }, + { + "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", + "title": "IR 8011-3", + "citation": { + "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-3" + } + ] + }, + { + "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", + "title": "IR 8011-4", + "citation": { + "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8011-4" + } + ] + }, + { + "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", + "title": "IR 8023", + "citation": { + "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8023" + } + ] + }, + { + "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", + "title": "IR 8040", + "citation": { + "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8040" + } + ] + }, + { + "uuid": "98d415ca-7281-4064-9931-0c366637e324", + "title": "IR 8062", + "citation": { + "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8062" + } + ] + }, + { + "uuid": "a2590922-82f3-4277-83c0-ca5bee06dba4", + "title": "IR 8112", + "citation": { + "text": "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8112" + } + ] + }, + { + "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", + "title": "IR 8179", + "citation": { + "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8179" + } + ] + }, + { + "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", + "title": "IR 8272", + "citation": { + "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.IR.8272" + } + ] + }, + { + "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", + "title": "ISO 15408-1", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" + } + ] + }, + { + "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", + "title": "ISO 15408-2", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" + } + ] + }, + { + "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", + "title": "ISO 15408-3", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." + }, + "rlinks": [ + { + "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" + } + ] + }, + { + "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", + "title": "ISO 20243", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/74399.html" + } + ] + }, + { + "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", + "title": "ISO 27036", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/59648.html" + } + ] + }, + { + "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", + "title": "ISO 29147", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72311.html" + } + ] + }, + { + "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", + "title": "ISO 29148", + "citation": { + "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." + }, + "rlinks": [ + { + "href": "https://www.iso.org/standard/72089.html" + } + ] + }, + { + "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", + "title": "NARA CUI", + "citation": { + "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." + }, + "rlinks": [ + { + "href": "https://www.archives.gov/cui" + } + ] + }, + { + "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", + "title": "NCPR", + "citation": { + "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" + }, + "rlinks": [ + { + "href": "https://nvd.nist.gov/ncp/repository" + } + ] + }, + { + "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", + "title": "NIAP CCEVS", + "citation": { + "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." + }, + "rlinks": [ + { + "href": "https://www.niap-ccevs.org" + } + ] + }, + { + "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", + "title": "NIST CAVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" + } + ] + }, + { + "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", + "title": "NIST CMVP", + "citation": { + "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" + } + ] + }, + { + "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", + "title": "NSA CSFC", + "citation": { + "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/csfc" + } + ] + }, + { + "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", + "title": "NSA MEDIA", + "citation": { + "text": "National Security Agency, *Media Destruction Guidance*." + }, + "rlinks": [ + { + "href": "https://www.nsa.gov/resources/everyone/media-destruction" + } + ] + }, + { + "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", + "title": "ODNI CTF", + "citation": { + "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." + }, + "rlinks": [ + { + "href": "https://www.dni.gov/index.php/cyber-threat-framework" + } + ] + }, + { + "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", + "title": "OMB A-130", + "citation": { + "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" + } + ] + }, + { + "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", + "title": "OMB M-17-12", + "citation": { + "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." + }, + "rlinks": [ + { + "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" + } + ] + }, + { + "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", + "title": "OMB M-19-03", + "citation": { + "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." + }, + "rlinks": [ + { + "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" + } + ] + }, + { + "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", + "title": "PRIVACT", + "citation": { + "text": "Privacy Act (P.L. 93-579), December 1974." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" + } + ] + }, + { + "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", + "title": "SP 800-100", + "citation": { + "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-100" + } + ] + }, + { + "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", + "title": "SP 800-101", + "citation": { + "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-101r1" + } + ] + }, + { + "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", + "title": "SP 800-111", + "citation": { + "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-111" + } + ] + }, + { + "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", + "title": "SP 800-113", + "citation": { + "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-113" + } + ] + }, + { + "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", + "title": "SP 800-114", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-114r1" + } + ] + }, + { + "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", + "title": "SP 800-115", + "citation": { + "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-115" + } + ] + }, + { + "uuid": "2100332a-16a5-4598-bacf-7261baea9711", + "title": "SP 800-116", + "citation": { + "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-116r1" + } + ] + }, + { + "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", + "title": "SP 800-121", + "citation": { + "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-121r2" + } + ] + }, + { + "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", + "title": "SP 800-124", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-124r1" + } + ] + }, + { + "uuid": "88660532-2dcf-442e-845c-03340ce48999", + "title": "SP 800-125B", + "citation": { + "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-125B" + } + ] + }, + { + "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", + "title": "SP 800-126", + "citation": { + "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-126r3" + } + ] + }, + { + "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", + "title": "SP 800-128", + "citation": { + "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-128" + } + ] + }, + { + "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", + "title": "SP 800-12", + "citation": { + "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-12r1" + } + ] + }, + { + "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", + "title": "SP 800-130", + "citation": { + "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-130" + } + ] + }, + { + "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", + "title": "SP 800-137A", + "citation": { + "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137A" + } + ] + }, + { + "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", + "title": "SP 800-137", + "citation": { + "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-137" + } + ] + }, + { + "uuid": "e47ee630-9cbc-4133-880e-e013f83ccd51", + "title": "SP 800-147", + "citation": { + "text": "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-147" + } + ] + }, + { + "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", + "title": "SP 800-150", + "citation": { + "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-150" + } + ] + }, + { + "uuid": "2494df28-9049-4196-b233-540e7440993f", + "title": "SP 800-152", + "citation": { + "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-152" + } + ] + }, + { + "uuid": "708b94e1-3d5e-4b22-ab43-1c69f3a97e37", + "title": "SP 800-154", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/publications/detail/sp/800-154/draft" + } + ] + }, + { + "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", + "title": "SP 800-156", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-156" + } + ] + }, + { + "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", + "title": "SP 800-160-1", + "citation": { + "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v1" + } + ] + }, + { + "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", + "title": "SP 800-160-2", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-160v2" + } + ] + }, + { + "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", + "title": "SP 800-161", + "citation": { + "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-161" + } + ] + }, + { + "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", + "title": "SP 800-162", + "citation": { + "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-162" + } + ] + }, + { + "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", + "title": "SP 800-166", + "citation": { + "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-166" + } + ] + }, + { + "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", + "title": "SP 800-167", + "citation": { + "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-167" + } + ] + }, + { + "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", + "title": "SP 800-171", + "citation": { + "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-171r2" + } + ] + }, + { + "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", + "title": "SP 800-172", + "citation": { + "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" + } + ] + }, + { + "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", + "title": "SP 800-177", + "citation": { + "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-177r1" + } + ] + }, + { + "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", + "title": "SP 800-178", + "citation": { + "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-178" + } + ] + }, + { + "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", + "title": "SP 800-181", + "citation": { + "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-181r1" + } + ] + }, + { + "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", + "title": "SP 800-184", + "citation": { + "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-184" + } + ] + }, + { + "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", + "title": "SP 800-189", + "citation": { + "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-189" + } + ] + }, + { + "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", + "title": "SP 800-18", + "citation": { + "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-18r1" + } + ] + }, + { + "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", + "title": "SP 800-192", + "citation": { + "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-192" + } + ] + }, + { + "uuid": "f641309f-a3ad-48be-8c67-2b318648b2f5", + "title": "SP 800-28", + "citation": { + "text": "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-28ver2" + } + ] + }, + { + "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", + "title": "SP 800-30", + "citation": { + "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-30r1" + } + ] + }, + { + "uuid": "8cb338a4-e493-4177-818f-3af18983ddc5", + "title": "SP 800-32", + "citation": { + "text": "Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-32" + } + ] + }, + { + "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", + "title": "SP 800-34", + "citation": { + "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-34r1" + } + ] + }, + { + "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", + "title": "SP 800-35", + "citation": { + "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-35" + } + ] + }, + { + "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", + "title": "SP 800-37", + "citation": { + "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-37r2" + } + ] + }, + { + "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", + "title": "SP 800-39", + "citation": { + "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-39" + } + ] + }, + { + "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", + "title": "SP 800-40", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-40r3" + } + ] + }, + { + "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", + "title": "SP 800-41", + "citation": { + "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-41r1" + } + ] + }, + { + "uuid": "314e33cb-3681-4b50-a2a2-3fae9604accd", + "title": "SP 800-45", + "citation": { + "text": "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-45ver2" + } + ] + }, + { + "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", + "title": "SP 800-46", + "citation": { + "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-46r2" + } + ] + }, + { + "uuid": "c3a76872-e160-4267-99e8-6952de967d04", + "title": "SP 800-47", + "citation": { + "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-47" + } + ] + }, + { + "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", + "title": "SP 800-50", + "citation": { + "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-50" + } + ] + }, + { + "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", + "title": "SP 800-52", + "citation": { + "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-52r2" + } + ] + }, + { + "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", + "title": "SP 800-53A", + "citation": { + "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" + } + ] + }, + { + "uuid": "46d9e201-840e-440e-987c-2c773333c752", + "title": "SP 800-53B", + "citation": { + "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-53B" + } + ] + }, + { + "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", + "title": "SP 800-56A", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" + } + ] + }, + { + "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", + "title": "SP 800-56B", + "citation": { + "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" + } + ] + }, + { + "uuid": "eef62b16-c796-4554-955c-505824135b8a", + "title": "SP 800-56C", + "citation": { + "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" + } + ] + }, + { + "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", + "title": "SP 800-57-1", + "citation": { + "text": "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" + } + ] + }, + { + "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", + "title": "SP 800-57-2", + "citation": { + "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" + } + ] + }, + { + "uuid": "8306620b-1920-4d73-8b21-12008528595f", + "title": "SP 800-57-3", + "citation": { + "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" + } + ] + }, + { + "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", + "title": "SP 800-60-1", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" + } + ] + }, + { + "uuid": "9be5d661-421f-41ad-854e-86f98b811891", + "title": "SP 800-60-2", + "citation": { + "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" + } + ] + }, + { + "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", + "title": "SP 800-61", + "citation": { + "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-61r2" + } + ] + }, + { + "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", + "title": "SP 800-63-3", + "citation": { + "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63-3" + } + ] + }, + { + "uuid": "9099ed2c-922a-493d-bcb4-d896192243ff", + "title": "SP 800-63A", + "citation": { + "text": "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63a" + } + ] + }, + { + "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "title": "SP 800-63B", + "citation": { + "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-63b" + } + ] + }, + { + "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", + "title": "SP 800-70", + "citation": { + "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-70r4" + } + ] + }, + { + "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", + "title": "SP 800-73-4", + "citation": { + "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-73-4" + } + ] + }, + { + "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", + "title": "SP 800-76-2", + "citation": { + "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-76-2" + } + ] + }, + { + "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", + "title": "SP 800-77", + "citation": { + "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-77r1" + } + ] + }, + { + "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", + "title": "SP 800-78-4", + "citation": { + "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-78-4" + } + ] + }, + { + "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", + "title": "SP 800-79-2", + "citation": { + "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-79-2" + } + ] + }, + { + "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", + "title": "SP 800-81-2", + "citation": { + "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-81-2" + } + ] + }, + { + "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", + "title": "SP 800-83", + "citation": { + "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-83r1" + } + ] + }, + { + "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", + "title": "SP 800-84", + "citation": { + "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-84" + } + ] + }, + { + "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", + "title": "SP 800-86", + "citation": { + "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-86" + } + ] + }, + { + "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", + "title": "SP 800-88", + "citation": { + "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-88r1" + } + ] + }, + { + "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", + "title": "SP 800-92", + "citation": { + "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-92" + } + ] + }, + { + "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", + "title": "SP 800-94", + "citation": { + "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-94" + } + ] + }, + { + "uuid": "a6b9907a-2a14-4bb4-a142-d4c73026a8b4", + "title": "SP 800-95", + "citation": { + "text": "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-95" + } + ] + }, + { + "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", + "title": "SP 800-97", + "citation": { + "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." + }, + "rlinks": [ + { + "href": "https://doi.org/10.6028/NIST.SP.800-97" + } + ] + }, + { + "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", + "title": "USA PATRIOT", + "citation": { + "text": "USA Patriot Act (P.L. 107-56), October 2001." + }, + "rlinks": [ + { + "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" + } + ] + }, + { + "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", + "title": "USC 2901", + "citation": { + "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." + }, + "rlinks": [ + { + "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" + } + ] + }, + { + "uuid": "40b78258-c892-480e-9af8-77ac36648301", + "title": "USCERT IR", + "citation": { + "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." + }, + "rlinks": [ + { + "href": "https://us-cert.cisa.gov/incident-notification-guidelines" + } + ] + }, + { + "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", + "title": "USGCB", + "citation": { + "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" + }, + "rlinks": [ + { + "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" + } + ] + }, + { + "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", + "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", + "rlinks": [ + { + "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", + "media-type": "application/pdf" + } + ] + }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile-min.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile-min.json index c84b66fc6..4b7b1b901 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile-min.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile-min.json @@ -5473,7 +5473,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/json" } ] diff --git a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile.json b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile.json index bc6991c8b..3e9639917 100644 --- a/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile.json +++ b/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline_profile.json @@ -5473,7 +5473,7 @@ ], "rlinks": [ { - "href": "https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", "media-type": "application/json" } ] diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml index 007e5671c..284251cb6 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml @@ -1,10 +1,10 @@ + uuid="e07ece0d-7f46-4cc4-b7e2-fdf109d5541f"> FedRAMP Rev 5 High Baseline 2023-08-31T00:00:00Z - 2023-12-18T20:27:34.203593-05:00 + 2024-01-11T18:06:26.711765-05:00 5.1.1+fedramp-20231218-0 1.1.1 @@ -49,7 +49,44122 @@ ca9ba80e-1342-4bfd-b32a-abac468c24b4 + + Access Control + + Policy and Procedures + + + + + + +

personnel or roles to whom the access control policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the access control policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current access control policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current access control policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current access control procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ access control policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the access control policy and the associated access controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

+
+ + +

Review and update the current access control:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an access control policy is developed and documented;

+ +
+ + +

the access control policy is disseminated to ;

+ +
+ + +

access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;

+ +
+ + +

the access control procedures are disseminated to ;

+ +
+ + + + + + +

the access control policy addresses purpose;

+ +
+ + +

the access control policy addresses scope;

+ +
+ + +

the access control policy addresses roles;

+ +
+ + +

the access control policy addresses responsibilities;

+ +
+ + +

the access control policy addresses management commitment;

+ +
+ + +

the access control policy addresses coordination among organizational entities;

+ +
+ + +

the access control policy addresses compliance;

+ +
+ +
+ + +

the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

+ +
+ + + + + + +

the current access control policy is reviewed and updated ;

+ +
+ + +

the current access control policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current access control procedures are reviewed and updated ;

+ +
+ + +

the current access control procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Access control policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access control responsibilities

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+
+ + Account Management + + + +

prerequisites and criteria for group and role membership are defined;

+
+ + + + +

attributes (as required) for each account are defined;

+
+ + + + +

personnel or roles required to approve requests to create accounts is/are defined;

+
+ + + + +

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

+
+ + + + +

personnel or roles to be notified is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify account managers when accounts are no longer required is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when users are terminated or transferred is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

+
+ + + + +

attributes needed to authorize system access (as required) are defined;

+
+ + + + + +

monthly for privileged accessed, every six (6) months for non-privileged access

+
+
+ +

the frequency of account review is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Define and document the types of accounts allowed and specifically prohibited for use within the system;

+
+ + +

Assign account managers;

+
+ + +

Require for group and role membership;

+
+ + +

Specify:

+ + +

Authorized users of the system;

+
+ + +

Group and role membership; and

+
+ + +

Access authorizations (i.e., privileges) and for each account;

+
+
+ + +

Require approvals by for requests to create accounts;

+
+ + +

Create, enable, modify, disable, and remove accounts in accordance with ;

+
+ + +

Monitor the use of accounts;

+
+ + +

Notify account managers and within:

+ + +

+ when accounts are no longer required;

+
+ + +

+ when users are terminated or transferred; and

+
+ + +

+ when system usage or need-to-know changes for an individual;

+
+
+ + +

Authorize access to the system based on:

+ + +

A valid access authorization;

+
+ + +

Intended system usage; and

+
+ + +

+ ;

+
+
+ + +

Review accounts for compliance with account management requirements ;

+
+ + +

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

+
+ + +

Align account management processes with personnel termination and transfer processes.

+
+
+ +

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

+

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

+

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

+
+ + + + + + +

account types allowed for use within the system are defined and documented;

+ +
+ + +

account types specifically prohibited for use within the system are defined and documented;

+ +
+ +
+ + +

account managers are assigned;

+ +
+ + +

+ for group and role membership are required;

+ +
+ + + + +

authorized users of the system are specified;

+ +
+ + +

group and role membership are specified;

+ +
+ + + + +

access authorizations (i.e., privileges) are specified for each account;

+ +
+ + +

+ are specified for each account;

+ +
+ +
+ +
+ + +

approvals are required by for requests to create accounts;

+ +
+ + + + +

accounts are created in accordance with ;

+ +
+ + +

accounts are enabled in accordance with ;

+ +
+ + +

accounts are modified in accordance with ;

+ +
+ + +

accounts are disabled in accordance with ;

+ +
+ + +

accounts are removed in accordance with ;

+ +
+ +
+ + +

the use of accounts is monitored;

+ +
+ + + + +

account managers and are notified within when accounts are no longer required;

+ +
+ + +

account managers and are notified within when users are terminated or transferred;

+ +
+ + +

account managers and are notified within when system usage or the need to know changes for an individual;

+ +
+ +
+ + + + +

access to the system is authorized based on a valid access authorization;

+ +
+ + +

access to the system is authorized based on intended system usage;

+ +
+ + +

access to the system is authorized based on ;

+ +
+ +
+ + +

accounts are reviewed for compliance with account management requirements ;

+ +
+ + + + +

a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ + +

a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ +
+ + + + +

account management processes are aligned with personnel termination processes;

+ +
+ + +

account management processes are aligned with personnel transfer processes.

+ +
+ +
+ +
+ + + + +

Access control policy

+

personnel termination policy and procedure

+

personnel transfer policy and procedure

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

list of active system accounts along with the name of the individual associated with each account

+

list of recently disabled system accounts and the name of the individual associated with each account

+

list of conditions for group and role membership

+

notifications of recent transfers, separations, or terminations of employees

+

access authorization records

+

account management compliance reviews

+

system monitoring records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for account management on the system

+

mechanisms for implementing account management

+
+
+ + Automated System Account Management + + + +

automated mechanisms used to support the management of system accounts are defined;

+
+ + + + + + + +

Support the management of system accounts using .

+
+ +

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

+
+ + +

the management of system accounts is supported using .

+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms for implementing account management functions

+
+
+
+ + Automated Temporary and Emergency Account Management + + + +

Selection: disables

+
+
+ + + + + + +

no more than 24 hours from last use

+
+
+ +

the time period after which to automatically remove or disable temporary or emergency accounts is defined;

+
+ + + + + + + +

Automatically temporary and emergency accounts after .

+
+ +

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

+
+ + +

temporary and emergency accounts are automatically after .

+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of temporary accounts removed and/or disabled

+

system-generated list of emergency accounts removed and/or disabled

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms for implementing account management functions

+
+
+
+ + Disable Accounts + + + + +

24 hours for user accounts

+
+
+ +

time period within which to disable accounts is defined;

+
+ + + + + +

thirty-five (35) days (See additional requirements and guidance.)

+
+
+ +

time period for account inactivity before disabling is defined;

+
+ + + + + + + +

Disable accounts within when the accounts:

+ + +

Have expired;

+
+ + +

Are no longer associated with a user or individual;

+
+ + +

Are in violation of organizational policy; or

+
+ + +

Have been inactive for .

+
+ + AC-2 (3) Additional FedRAMP Requirements and Guidance + + +

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

+
+ + +

The service provider defines the time period of inactivity for device identifiers.

+
+ + +

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

+
+
+
+ +

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.

+
+ + + + +

accounts are disabled within when the accounts have expired;

+ +
+ + +

accounts are disabled within when the accounts are no longer associated with a user or individual;

+ +
+ + +

accounts are disabled within when the accounts are in violation of organizational policy;

+ +
+ + +

accounts are disabled within when the accounts have been inactive for .

+ +
+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of accounts removed

+

system-generated list of emergency accounts disabled

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms for implementing account management functions

+
+
+
+ + Automated Audit Actions + + + + + + + + +

Automatically audit account creation, modification, enabling, disabling, and removal actions.

+
+ +

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

+
+ + + + +

account creation is automatically audited;

+ +
+ + +

account modification is automatically audited;

+ +
+ + +

account enabling is automatically audited;

+ +
+ + +

account disabling is automatically audited;

+ +
+ + +

account removal actions are automatically audited.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

notifications/alerts of account creation, modification, enabling, disabling, and removal actions

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms implementing account management functions

+
+
+
+ + Inactivity Logout + + + + +

inactivity is anticipated to exceed Fifteen (15) minutes

+
+
+ +

the time period of expected inactivity or description of when to log out is defined;

+
+ + + + + + + + + +

Require that users log out when .

+ + AC-2 (5) Additional FedRAMP Requirements and Guidance + + +

Should use a shorter timeframe than AC-12.

+
+
+
+ +

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

+
+ + +

users are required to log out when .

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

security violation reports

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

users that must comply with inactivity logout policy

+
+
+
+ + Privileged User Accounts + + + + + + + + + + + +

Establish and administer privileged user accounts in accordance with ;

+
+ + +

Monitor privileged role or attribute assignments;

+
+ + +

Monitor changes to roles or attributes; and

+
+ + +

Revoke access when privileged role or attribute assignments are no longer appropriate.

+
+
+ +

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

+
+ + + + +

privileged user accounts are established and administered in accordance with ;

+ +
+ + +

privileged role or attribute assignments are monitored;

+ +
+ + +

changes to roles or attributes are monitored;

+ +
+ + +

access is revoked when privileged role or attribute assignments are no longer appropriate.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of privileged user accounts and associated roles

+

records of actions taken when privileged role assignments are no longer appropriate

+

system audit records

+

audit tracking and monitoring reports

+

system monitoring records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+

mechanisms monitoring privileged role assignments

+
+
+
+ + Restrictions on Use of Shared and Group Accounts + + + + +

organization-defined need with justification statement that explains why such accounts are necessary

+
+
+ +

conditions for establishing shared and group accounts are defined;

+
+ + + + + + + +

Only permit the use of shared and group accounts that meet .

+ + AC-2 (9) Additional FedRAMP Requirements and Guidance + + +

Required if shared/group accounts are deployed.

+
+
+
+ +

Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.

+
+ + +

the use of shared and group accounts is only permitted if are met.

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of shared/group accounts and associated roles

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of shared/group accounts

+
+
+
+ + Usage Conditions + + + +

circumstances and/or usage conditions to be enforced for system accounts are defined;

+
+ + + + +

system accounts subject to enforcement of circumstances and/or usage conditions are defined;

+
+ + + + + + + +

Enforce for .

+
+ +

Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.

+
+ + +

+ for are enforced.

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing account management functions

+
+
+
+ + Account Monitoring for Atypical Usage + + + +

atypical usage for which to monitor system accounts is defined;

+
+ + + + + +

at a minimum, the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to report atypical usage is/are defined;

+
+ + + + + + + + + + + + + + + +

Monitor system accounts for ; and

+
+ + +

Report atypical usage of system accounts to .

+
+ + AC-2 (12) Additional FedRAMP Requirements and Guidance + + +

Required for privileged accounts.

+
+ + +

Required for privileged accounts.

+
+
+
+ +

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

+
+ + + + +

system accounts are monitored for ;

+ +
+ + +

atypical usage of system accounts is reported to .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system monitoring records

+

system audit records

+

audit tracking and monitoring reports

+

privacy impact assessment

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+
+
+
+ + Disable Accounts for High-risk Individuals + + + + +

one (1) hour

+
+
+ +

time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;

+
+ + + + +

significant risks leading to disabling accounts are defined;

+
+ + + + + + + + + +

Disable accounts of individuals within of discovery of .

+
+ +

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

+
+ + +

accounts of individuals are disabled within of discovery of .

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of disabled accounts

+

list of user activities posing significant organizational risk

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+
+
+
+
+ + Access Enforcement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ +

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( PE ) family.

+
+ + +

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

+ +
+ + + + +

Access control policy

+

procedures addressing access enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of approved authorizations (user privileges)

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy

+
+
+
+ + Information Flow Enforcement + + + +

information flow control policies within the system and between connected systems are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

+
+ +

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3 ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

+

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

+
+ + +

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on .

+ +
+ + + + +

Access control policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

security architecture documentation

+

privacy architecture documentation

+

system design documentation

+

system configuration settings and associated documentation

+

system baseline configuration

+

list of information flow authorizations

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing information flow enforcement policy

+
+
+ + Flow Control of Encrypted Information + + + + +

intrusion detection mechanisms

+
+
+ +

information flow control mechanisms that encrypted information is prevented from bypassing are defined;

+
+ + + + + + + +

the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);

+
+ + + + + + + + +

Prevent encrypted information from bypassing by .

+ + AC-4 (4) Additional FedRAMP Requirements and Guidance + + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

+
+
+
+ +

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

+
+ + +

encrypted information is prevented from bypassing by .

+ +
+ + + + +

Access control policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing information flow enforcement policy

+
+
+
+ + Physical or Logical Separation of Information Flows + + + + + + +

mechanisms and/or techniques used to logically separate information flows are defined (if selected);

+
+ + + + +

mechanisms and/or techniques used to physically separate information flows are defined (if selected);

+
+ + + + +

required separations by types of information are defined;

+
+ + + + + + + + + +

Separate information flows logically or physically using to accomplish .

+
+ +

Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.

+
+ + + + +

information flows are separated logically using to accomplish ;

+ +
+ + +

information flows are separated physically using to accomplish .

+ +
+ +
+ + + + +

Information flow enforcement policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of required separation of information flows by information types

+

list of mechanisms and/or techniques used to logically or physically separate information flows

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information flow enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing information flow enforcement functions

+
+
+
+
+ + Separation of Duties + + + +

duties of individuals requiring separation are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Identify and document ; and

+
+ + +

Define system access authorizations to support separation of duties.

+
+ + AC-5 Additional FedRAMP Requirements and Guidance + + +

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

+
+
+
+ +

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2 , access control mechanisms in AC-3 , and identity management activities in IA-2, IA-4 , and IA-12.

+
+ + + + +

+ are identified and documented;

+ +
+ + +

system access authorizations to support separation of duties are defined.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing divisions of responsibility and separation of duties

+

system configuration settings and associated documentation

+

list of divisions of responsibility and separation of duties

+

system access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing separation of duties policy

+
+
+
+ + Least Privilege + + + + + + + + + + + + + + + + + +

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

+
+ +

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

+
+ + +

the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of assigned access authorizations (user privileges)

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+ + Authorize Access to Security Functions + + + + +

all functions not publicly accessible

+
+
+ + + + +

individuals and roles with authorized access to security functions and security-relevant information are defined;

+
+ + + + +

security functions (deployed in hardware) for authorized access are defined;

+
+ + + + +

security functions (deployed in software) for authorized access are defined;

+
+ + + + +

security functions (deployed in firmware) for authorized access are defined;

+
+ + + + + +

all security-relevant information not publicly available

+
+
+ +

security-relevant information for authorized access is defined;

+
+ + + + + + + + + + + + +

Authorize access for to:

+ + +

+ ; and

+
+ + +

+ .

+
+
+ +

Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

+
+ + + + + + +

access is authorized for to ;

+ +
+ + +

access is authorized for to ;

+ +
+ + +

access is authorized for to ;

+ +
+ +
+ + +

access is authorized for to .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Non-privileged Access for Nonsecurity Functions + + + + +

all security functions

+
+
+ +

security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;

+
+ + + + + + + + + + + +

Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.

+ + AC-6 (2) Additional FedRAMP Requirements and Guidance + + +

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

+
+
+
+ +

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

+
+ + +

users of system accounts (or roles) with access to are required to use non-privileged accounts or roles when accessing non-security functions.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated security functions or security-relevant information assigned to system accounts or roles

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Network Access to Privileged Commands + + + + +

all privileged commands

+
+
+ +

privileged commands to which network access is to be authorized only for compelling operational needs are defined;

+
+ + + + +

compelling operational needs necessitating network access to privileged commands are defined;

+
+ + + + + + + + + + +

Authorize network access to only for and document the rationale for such access in the security plan for the system.

+
+ +

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

+
+ + + + +

network access to is authorized only for ;

+ +
+ + +

the rationale for authorizing network access to privileged commands is documented in the security plan for the system.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

system configuration settings and associated documentation

+

system audit records

+

list of operational needs for authorizing network access to privileged commands

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Privileged Accounts + + + +

personnel or roles to which privileged accounts on the system are to be restricted is/are defined;

+
+ + + + + + + + + + +

Restrict privileged accounts on the system to .

+
+ +

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

+
+ + +

privileged accounts on the system are restricted to .

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated privileged accounts

+

list of system administration personnel

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Review of User Privileges + + + + +

at a minimum, annually

+
+
+ +

the frequency at which to review the privileges assigned to roles or classes of users is defined;

+
+ + + + + +

all users with privileges

+
+
+ +

roles or classes of users to which privileges are assigned are defined;

+
+ + + + + + + + + + +

Review the privileges assigned to to validate the need for such privileges; and

+
+ + +

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

+
+
+ +

The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

+
+ + + + +

privileges assigned to are reviewed to validate the need for such privileges;

+ +
+ + +

privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated roles or classes of users and assigned privileges

+

system design documentation

+

system configuration settings and associated documentation

+

validation reviews of privileges assigned to roles or classes or users

+

records of privilege removals or reassignments for roles or classes of users

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing review of user privileges

+
+
+
+ + Privilege Levels for Code Execution + + + + +

any software except software explicitly documented

+
+
+ +

software to be prevented from executing at higher privilege levels than users executing the software is defined;

+
+ + + + + + + +

Prevent the following software from executing at higher privilege levels than users executing the software: .

+
+ +

In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.

+
+ + +

+ is prevented from executing at higher privilege levels than users executing the software.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of software that should not execute at higher privilege levels than users executing software

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing least privilege functions for software execution

+
+
+
+ + Log Use of Privileged Functions + + + + + + + + + +

Log the execution of privileged functions.

+
+ +

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

+
+ + +

the execution of privileged functions is logged.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

system design documentation

+

system configuration settings and associated documentation

+

list of privileged functions to be audited

+

list of audited events

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms auditing the execution of least privilege functions

+
+
+
+ + Prohibit Non-privileged Users from Executing Privileged Functions + + + + + + +

Prevent non-privileged users from executing privileged functions.

+
+ +

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.

+
+ + +

non-privileged users are prevented from executing privileged functions.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

system design documentation

+

system configuration settings and associated documentation

+

list of privileged functions and associated user account assignments

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing least privilege functions for non-privileged users

+
+
+
+
+ + Unsuccessful Logon Attempts + + + +

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

+
+ + + + +

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

+
+ + + + + + + +

time period for an account or node to be locked is defined (if selected);

+
+ + + + +

delay algorithm for the next logon prompt is defined (if selected);

+
+ + + + +

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

+
+ + + + + + + + + + + + + + + +

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

+
+ + +

Automatically when the maximum number of unsuccessful attempts is exceeded.

+
+ + AC-7 Additional FedRAMP Requirements and Guidance + + +

In alignment with NIST SP 800-63B.

+
+
+
+ +

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

+
+ + + + +

a limit of consecutive invalid logon attempts by a user during is enforced;

+ +
+ + +

automatically when the maximum number of unsuccessful attempts is exceeded.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing unsuccessful logon attempts

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system developers

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing access control policy for unsuccessful logon attempts

+
+
+
+ + System Use Notification + + + + +

see additional Requirements and Guidance

+
+
+ +

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

+
+ + + + + +

see additional Requirements and Guidance

+
+
+ +

conditions for system use to be displayed by the system before granting further access are defined;

+
+ + + + + + + + + + + + +

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

+ + +

Users are accessing a U.S. Government system;

+
+ + +

System usage may be monitored, recorded, and subject to audit;

+
+ + +

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+
+ + +

Use of the system indicates consent to monitoring and recording;

+
+
+ + +

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

+
+ + +

For publicly accessible systems:

+ + +

Display system use information , before granting further access to the publicly accessible system;

+
+ + +

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + +

Include a description of the authorized uses of the system.

+
+
+ + AC-8 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

+
+ + +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

+
+ + +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

+
+ + +

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

+
+
+
+ +

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

+
+ + + + +

+ is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ + +

the system use notification states that users are accessing a U.S. Government system;

+ +
+ + +

the system use notification states that system usage may be monitored, recorded, and subject to audit;

+ +
+ + +

the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+ +
+ + +

the system use notification states that use of the system indicates consent to monitoring and recording;

+ +
+ +
+ + +

the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;

+ +
+ + + + +

for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system;

+ +
+ + +

for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;

+ +
+ + +

for publicly accessible systems, a description of the authorized uses of the system is included.

+ +
+ +
+ +
+ + + + +

Access control policy

+

privacy and security policies, procedures addressing system use notification

+

documented approval of system use notification messages or banners

+

system audit records

+

user acknowledgements of notification message or banner

+

system design documentation

+

system configuration settings and associated documentation

+

system use notification messages

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy assessment report

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

legal counsel

+

system developers

+
+
+ + + + +

Mechanisms implementing system use notification

+
+
+
+ + Concurrent Session Control + + + +

accounts and/or account types for which to limit the number of concurrent sessions is defined;

+
+ + + + + +

three (3) sessions for privileged access and two (2) sessions for non-privileged access

+
+
+ +

the number of concurrent sessions to be allowed for each account and/or account type is defined;

+
+ + + + + + + +

Limit the number of concurrent sessions for each to .

+
+ +

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

+
+ + +

the number of concurrent sessions for each is limited to .

+ +
+ + + + +

Access control policy

+

procedures addressing concurrent session control

+

system design documentation

+

system configuration settings and associated documentation

+

security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy for concurrent session control

+
+
+
+ + Device Lock + + + + + + + +

fifteen (15) minutes

+
+
+ +

time period of inactivity after which a device lock is initiated is defined (if selected);

+
+ + + + + + + + + + + + +

Prevent further access to the system by ; and

+
+ + +

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

+
+
+ +

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

+
+ + + + +

further access to the system is prevented by ;

+ +
+ + +

device lock is retained until the user re-establishes access using established identification and authentication procedures.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing session lock

+

procedures addressing identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy for session lock

+
+
+ + Pattern-hiding Displays + + + + + + +

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

+
+ +

The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.

+
+ + +

information previously visible on the display is concealed, via device lock, with a publicly viewable image.

+ +
+ + + + +

Access control policy

+

procedures addressing session lock

+

display screen with session lock activated

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

System session lock mechanisms

+
+
+
+
+ + Session Termination + + + +

conditions or trigger events requiring session disconnect are defined;

+
+ + + + + + + + + +

Automatically terminate a user session after .

+
+ +

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10 , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

+
+ + +

a user session is automatically terminated after .

+ +
+ + + + +

Access control policy

+

procedures addressing session termination

+

system design documentation

+

system configuration settings and associated documentation

+

list of conditions or trigger events requiring session disconnect

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms implementing user session termination

+
+
+
+ + Permitted Actions Without Identification or Authentication + + + +

user actions that can be performed on the system without identification or authentication are defined;

+
+ + + + + + + + + + + +

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

+
+ + +

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

+
+
+ +

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none. +

+
+ + + + +

+ that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

+ +
+ + + + +

user actions not requiring identification or authentication are documented in the security plan for the system;

+ +
+ + +

a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing permitted actions without identification or authentication

+

system configuration settings and associated documentation

+

security plan

+

list of user actions that can be performed without identification or authentication

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+
+ + Remote Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

+
+ + +

Authorize each type of remote access to the system prior to allowing such connections.

+
+
+ +

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

+
+ + + + + + +

usage restrictions are established and documented for each type of remote access allowed;

+ +
+ + +

configuration/connection requirements are established and documented for each type of remote access allowed;

+ +
+ + +

implementation guidance is established and documented for each type of remote access allowed;

+ +
+ +
+ + +

each type of remote access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access implementation and usage (including restrictions)

+

configuration management plan

+

system configuration settings and associated documentation

+

remote access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing remote access connections

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Remote access management capability for the system

+
+
+ + Monitoring and Control + + + + + + + + + + + +

Employ automated mechanisms to monitor and control remote access methods.

+
+ +

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2 . Audit events are defined in AU-2a.

+
+ + + + +

automated mechanisms are employed to monitor remote access methods;

+ +
+ + +

automated mechanisms are employed to control remote access methods.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system monitoring records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms monitoring and controlling remote access methods

+
+
+
+ + Protection of Confidentiality and Integrity Using Encryption + + + + + + + + + +

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

+
+ +

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.

+
+ + +

cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.

+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

+
+
+
+ + Managed Access Control Points + + + + + + + +

Route remote accesses through authorized and managed network access control points.

+
+ +

Organizations consider the Trusted Internet Connections (TIC) initiative DHS TIC requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.

+
+ + +

remote accesses are routed through authorized and managed network access control points.

+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

list of all managed network access control points

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms routing all remote accesses through managed network access control points

+
+
+
+ + Privileged Commands and Access + + + + + + +

needs requiring execution of privileged commands via remote access are defined;

+
+ + + + +

needs requiring access to security-relevant information via remote access are defined;

+
+ + + + + + + + + + + + +

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

+
+ + +

Document the rationale for remote access in the security plan for the system.

+
+
+ +

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

+
+ + + + + + +

the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;

+ +
+ + +

access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;

+ +
+ + +

the execution of privileged commands via remote access is authorized only for the following needs: ;

+ +
+ + +

access to security-relevant information via remote access is authorized only for the following needs: ;

+ +
+ +
+ + +

the rationale for remote access is documented in the security plan for the system.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system configuration settings and associated documentation

+

security plan

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing remote access management

+
+
+
+
+ + Wireless Access + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

+
+ + +

Authorize each type of wireless access to the system prior to allowing such connections.

+
+
+ +

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

+
+ + + + + + +

configuration requirements are established for each type of wireless access;

+ +
+ + +

connection requirements are established for each type of wireless access;

+ +
+ + +

implementation guidance is established for each type of wireless access;

+ +
+ +
+ + +

each type of wireless access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless access implementation and usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

wireless access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing wireless access connections

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Wireless access management capability for the system

+
+
+ + Authentication and Encryption + + + + + + + + + + + + +

Protect wireless access to the system using authentication of and encryption.

+
+ +

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.

+
+ + + + +

wireless access to the system is protected using authentication of ;

+ +
+ + +

wireless access to the system is protected using encryption.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing wireless access protections to the system

+
+
+
+ + Disable Wireless Networking + + + + + + + +

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

+
+ +

Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.

+
+ + +

when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.

+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components

+
+
+
+ + Restrict Configurations by Users + + + + + + + + +

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

+
+ +

Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems.

+
+ + + + +

users allowed to independently configure wireless networking capabilities are identified;

+ +
+ + +

users allowed to independently configure wireless networking capabilities are explicitly authorized.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms authorizing independent user configuration of wireless networking capabilities

+
+
+
+ + Antennas and Transmission Power Levels + + + + + + + +

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

+
+ +

Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area.

+
+ + + + +

radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;

+ +
+ + +

transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Calibration of transmission power levels for wireless access

+

radio antenna signals for wireless access

+

wireless access reception outside of organization-controlled boundaries

+
+
+
+
+ + Access Control for Mobile Devices + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

+
+ + +

Authorize the connection of mobile devices to organizational systems.

+
+
+ +

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

+

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

+

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

+
+ + + + + + +

configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ +
+ + +

the connection of mobile devices to organizational systems is authorized.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing access control for mobile device usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

authorizations for mobile device connections to organizational systems

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel using mobile devices to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Access control capability for mobile device connections to organizational systems

+

configurations of mobile devices

+
+
+ + Full Device or Container-based Encryption + + + + + + +

mobile devices on which to employ encryption are defined;

+
+ + + + + + + + + + +

Employ to protect the confidentiality and integrity of information on .

+
+ +

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

+
+ + +

+ is employed to protect the confidentiality and integrity of information on .

+ +
+ + + + +

Access control policy

+

procedures addressing access control for mobile devices

+

system design documentation

+

system configuration settings and associated documentation

+

encryption mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access control responsibilities for mobile devices

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

+
+
+
+
+ + Use of External Systems + + + + + + +

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

types of external systems prohibited from use are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

+ , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

+ + +

Access the system from external systems; and

+
+ + +

Process, store, or transmit organization-controlled information using external systems; or

+
+
+ + +

Prohibit the use of .

+
+ + AC-20 Additional FedRAMP Requirements and Guidance + + +

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

+

AC-20 describes system access to and from external systems.

+

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

+

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

+
+
+
+ +

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).

+

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

+

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+
+ + + + + + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

+ +
+ + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

+ +
+ +
+ + +

the use of is prohibited (if applicable).

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

external systems terms and conditions

+

list of types of applications accessible from external systems

+

maximum security categorization for information processed, stored, or transmitted on external systems

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing terms and conditions on the use of external systems

+
+
+ + Limits on Authorized Use + + + + + + + +

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

+ + +

Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or

+
+ + +

Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

+
+
+ +

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

+
+ + + + +

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);

+ +
+ + +

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

system connection or processing agreements

+

account management documents

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing limits on use of external systems

+
+
+
+ + Portable Storage Devices — Restricted Use + + + +

restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;

+
+ + + + + + + + + +

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

+
+ +

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

+
+ + +

the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using .

+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

system configuration settings and associated documentation

+

system connection or processing agreements

+

account management documents

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing restrictions on the use of portable storage devices

+
+
+
+
+ + Information Sharing + + + +

information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;

+
+ + + + +

automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;

+
+ + + + + + + + + + + + + + + + + + +

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

+
+ + +

Employ to assist users in making information sharing and collaboration decisions.

+
+
+ +

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.

+
+ + + + +

authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ;

+ +
+ + +

+ are employed to assist users in making information-sharing and collaboration decisions.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing user-based collaboration and information sharing (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

list of users authorized to make information-sharing/collaboration decisions

+

list of information-sharing circumstances requiring user discretion

+

non-disclosure agreements

+

acquisitions/contractual agreements

+

system security plan

+

privacy plan

+

privacy impact assessment

+

security and privacy risk assessments

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information-sharing/collaboration decisions

+

organizational personnel with responsibility for acquisitions/contractual agreements

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions

+
+
+
+ + Publicly Accessible Content + + + + +

at least quarterly

+
+
+ +

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

+
+ + + + + + + + + + + + + +

Designate individuals authorized to make information publicly accessible;

+
+ + +

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + +

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

+
+ + +

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

+
+
+ +

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

+
+ + + + +

designated individuals are authorized to make information publicly accessible;

+ +
+ + +

authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;

+ +
+ + +

the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;

+ +
+ + + + +

the content on the publicly accessible system is reviewed for non-public information ;

+ +
+ + +

non-public information is removed from the publicly accessible system, if discovered.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing publicly accessible content

+

list of users authorized to post publicly accessible content on organizational systems

+

training materials and/or records

+

records of publicly accessible information reviews

+

records of response to non-public information on public websites

+

system audit logs

+

security awareness training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of publicly accessible content

+
+
+
+
+ + Awareness and Training + + Policy and Procedures + + + + + + +

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the awareness and training policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current awareness and training policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current awareness and training policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ awareness and training policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

+
+ + +

Review and update the current awareness and training:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an awareness and training policy is developed and documented;

+ +
+ + +

the awareness and training policy is disseminated to ;

+ +
+ + +

awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;

+ +
+ + +

the awareness and training procedures are disseminated to .

+ +
+ + + + + + +

the awareness and training policy addresses purpose;

+ +
+ + +

the awareness and training policy addresses scope;

+ +
+ + +

the awareness and training policy addresses roles;

+ +
+ + +

the awareness and training policy addresses responsibilities;

+ +
+ + +

the awareness and training policy addresses management commitment;

+ +
+ + +

the awareness and training policy addresses coordination among organizational entities;

+ +
+ + +

the awareness and training policy addresses compliance; and

+ +
+ +
+ + +

the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;

+ +
+ + + + + + +

the current awareness and training policy is reviewed and updated ;

+ +
+ + +

the current awareness and training policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current awareness and training procedures are reviewed and updated ;

+ +
+ + +

the current awareness and training procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

awareness and training policy and procedures

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with awareness and training responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Literacy Training and Awareness + + + + +

at least annually

+
+
+ + + + + + + +

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

events that require security literacy training for system users are defined;

+
+ + + + +

events that require privacy literacy training for system users are defined;

+
+ + + + +

techniques to be employed to increase the security and privacy awareness of system users are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update literacy training and awareness content is defined;

+
+ + + + +

events that would require literacy training and awareness content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

+ + +

As part of initial training for new users and thereafter; and

+
+ + +

When required by system changes or following ;

+
+
+ + +

Employ the following techniques to increase the security and privacy awareness of system users ;

+
+ + +

Update literacy training and awareness content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

+
+
+ +

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

+

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ +
+ + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ +
+ +
+ + +

+ are employed to increase the security and privacy awareness of system users;

+ +
+ + + + +

literacy training and awareness content is updated ;

+ +
+ + +

literacy training and awareness content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

appropriate codes of federal regulations

+

security and privacy literacy training curriculum

+

security and privacy literacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel comprising the general system user community

+
+
+ + + + +

Mechanisms managing information security and privacy literacy training

+
+
+ + Insider Threat + + + + + + + + +

Provide literacy training on recognizing and reporting potential indicators of insider threat.

+
+ +

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.

+
+ + + + +

literacy training on recognizing potential indicators of insider threat is provided;

+ +
+ + +

literacy training on reporting potential indicators of insider threat is provided.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

literacy training and awareness curriculum

+

literacy training and awareness materials

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel who receive literacy training and awareness

+

organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Social Engineering and Mining + + + + + + + +

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

+
+ +

Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.

+
+ + + + +

literacy training on recognizing potential and actual instances of social engineering is provided;

+ +
+ + +

literacy training on reporting potential and actual instances of social engineering is provided;

+ +
+ + +

literacy training on recognizing potential and actual instances of social mining is provided;

+ +
+ + +

literacy training on reporting potential and actual instances of social mining is provided.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

literacy training and awareness curriculum

+

literacy training and awareness materials

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel who receive literacy training and awareness

+

organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Role-based Training + + + + + + +

roles and responsibilities for role-based security training are defined;

+
+ + + + +

roles and responsibilities for role-based privacy training are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update role-based training content is defined;

+
+ + + + +

events that require role-based training content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

+ + +

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

+
+ + +

When required by system changes;

+
+
+ + +

Update role-based training content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

+
+
+ +

Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.

+

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

role-based security training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based security training is provided to + thereafter;

+ +
+ + +

role-based privacy training is provided to + thereafter;

+ +
+ +
+ + + + +

role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ + +

role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ +
+ +
+ + + + +

role-based training content is updated ;

+ +
+ + +

role-based training content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into role-based training.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

security and privacy awareness and training policy

+

procedures addressing security and privacy training implementation

+

codes of federal regulations

+

security and privacy training curriculum

+

security and privacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for role-based security and privacy training

+

organizational personnel with assigned system security and privacy roles and responsibilities

+
+
+ + + + +

Mechanisms managing role-based security and privacy training

+
+
+
+ + Training Records + + + + +

five (5) years or 5 years after completion of a specific training program

+
+
+ +

time period for retaining individual training records is defined;

+
+ + + + + + + + + + + + + + + + +

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

+
+ + +

Retain individual training records for .

+
+
+ +

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

+
+ + + + + + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;

+ +
+ + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;

+ +
+ +
+ + +

individual training records are retained for .

+ +
+ +
+ + + + +

Security and privacy awareness and training policy

+

procedures addressing security and privacy training records

+

security and privacy awareness and training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy training record retention responsibilities

+
+
+ + + + +

Mechanisms supporting the management of security and privacy training records

+
+
+
+
+ + Audit and Accountability + + Policy and Procedures + + + + + + +

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the audit and accountability policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current audit and accountability policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require audit and accountability procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ audit and accountability policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

+
+ + +

Review and update the current audit and accountability:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an audit and accountability policy is developed and documented;

+ +
+ + +

the audit and accountability policy is disseminated to ;

+ +
+ + +

audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;

+ +
+ + +

the audit and accountability procedures are disseminated to ;

+ +
+ + + + + + +

the of the audit and accountability policy addresses purpose;

+ +
+ + +

the of the audit and accountability policy addresses scope;

+ +
+ + +

the of the audit and accountability policy addresses roles;

+ +
+ + +

the of the audit and accountability policy addresses responsibilities;

+ +
+ + +

the of the audit and accountability policy addresses management commitment;

+ +
+ + +

the of the audit and accountability policy addresses coordination among organizational entities;

+ +
+ + +

the of the audit and accountability policy addresses compliance;

+ +
+ +
+ + +

the of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;

+ +
+ + + + + + +

the current audit and accountability policy is reviewed and updated ;

+ +
+ + +

the current audit and accountability policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current audit and accountability procedures are reviewed and updated ;

+ +
+ + +

the current audit and accountability procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Audit and accountability policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Event Logging + + + + +

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

+
+
+ + + + + +

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

+
+
+ +

the event types that the system is capable of logging in support of the audit function are defined;

+
+ + + + +

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

+
+ + + + +

the frequency or situation requiring logging for each specified event type is defined;

+
+ + + + + +

annually and whenever there is a change in the threat environment

+
+
+ +

the frequency of event types selected for logging are reviewed and updated;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify the types of events that the system is capable of logging in support of the audit function: ;

+
+ + +

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+
+ + +

Specify the following event types for logging within the system: ;

+
+ + +

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

+
+ + +

Review and update the event types selected for logging .

+
+ + AU-2 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+ + +

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

+
+
+
+ +

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.

+

To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.

+

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

+
+ + + + +

+ that the system is capable of logging are identified in support of the audit logging function;

+ +
+ + +

the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+ +
+ + + + +

+ are specified for logging within the system;

+ +
+ + +

the specified event types are logged within the system ;

+ +
+ +
+ + +

a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;

+ +
+ + +

the event types selected for logging are reviewed and updated .

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing auditable events

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system auditable events

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing

+
+
+
+ + Content of Audit Records + + + + + + + + + + + + + + + + +

Ensure that audit records contain information that establishes the following:

+ + +

What type of event occurred;

+
+ + +

When the event occurred;

+
+ + +

Where the event occurred;

+
+ + +

Source of the event;

+
+ + +

Outcome of the event; and

+
+ + +

Identity of any individuals, subjects, or objects/entities associated with the event.

+
+
+ +

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

+
+ + + + +

audit records contain information that establishes what type of event occurred;

+ +
+ + +

audit records contain information that establishes when the event occurred;

+ +
+ + +

audit records contain information that establishes where the event occurred;

+ +
+ + +

audit records contain information that establishes the source of the event;

+ +
+ + +

audit records contain information that establishes the outcome of the event;

+ +
+ + +

audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing content of audit records

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

system incident reports

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing of auditable events

+
+
+ + Additional Audit Information + + + + +

session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

+
+
+ +

additional information to be included in audit records is defined;

+
+ + + + + + + +

Generate audit records containing the following additional information: .

+ + AU-3 (1) Additional FedRAMP Requirements and Guidance + + +

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

+
+
+
+ +

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

+
+ + +

generated audit records contain the following .

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing content of audit records

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

system audit capability

+
+
+
+
+ + Audit Log Storage Capacity + + + +

audit log retention requirements are defined;

+
+ + + + + + + + + + + + + + + + +

Allocate audit log storage capacity to accommodate .

+
+ +

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

+
+ + +

audit log storage capacity is allocated to accommodate .

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit storage capacity

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

audit record storage requirements

+

audit record storage capability for system components

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Audit record storage capacity and related configuration settings

+
+
+
+ + Response to Audit Logging Process Failures + + + +

personnel or roles receiving audit logging process failure alerts are defined;

+
+ + + + +

time period for personnel or roles receiving audit logging process failure alerts is defined;

+
+ + + + + +

overwrite oldest record

+
+
+ +

additional actions to be taken in the event of an audit logging process failure are defined;

+
+ + + + + + + + + + + + + + + + + +

Alert within in the event of an audit logging process failure; and

+
+ + +

Take the following additional actions: .

+
+
+ +

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

+
+ + + + +

+ are alerted in the event of an audit logging process failure within ;

+ +
+ + +

+ are taken in the event of an audit logging process failure.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy plan

+

system configuration settings and associated documentation

+

list of personnel to be notified in case of an audit processing failure

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing system response to audit processing failures

+
+
+ + Storage Capacity Warning + + + +

personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity.

+
+ + + + +

time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;

+
+ + + + + +

75%, or one month before expected negative impact

+
+
+ +

percentage of repository maximum audit log storage capacity is defined;

+
+ + + + + + + +

Provide a warning to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

+
+ +

Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.

+
+ + +

a warning is provided to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit storage limit warnings

+
+
+
+ + Real-time Alerts + + + + +

real-time

+
+
+ +

real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;

+
+ + + + + +

service provider personnel with authority to address failed audit events

+
+
+ +

personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;

+
+ + + + + +

audit failure events requiring real-time alerts, as defined by organization audit policy

+
+
+ +

audit logging failure events requiring real-time alerts are defined;

+
+ + + + + + + +

Provide an alert within to when the following audit failure events occur: .

+
+ +

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

+
+ + +

an alert is provided within to when occur.

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy plan

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+
+
+ + Audit Record Review, Analysis, and Reporting + + + + +

at least weekly

+
+
+ +

frequency at which system audit records are reviewed and analyzed is defined;

+
+ + + + +

inappropriate or unusual activity is defined;

+
+ + + + +

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

+
+ + +

Report findings to ; and

+
+ + +

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+
+ + AU-6 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

+
+
+
+ +

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

+
+ + + + +

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

+ +
+ + +

findings are reported to ;

+ +
+ + +

the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

reports of audit findings

+

records of actions taken in response to reviews/analyses of audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + Automated Process Integration + + + +

automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;

+
+ + + + + + + + + +

Integrate audit record review, analysis, and reporting processes using .

+
+ +

Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.

+
+ + +

audit record review, analysis, and reporting processes are integrated using .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

procedures addressing investigation and response to suspicious activities

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Automated mechanisms integrating audit review, analysis, and reporting processes

+
+
+
+ + Correlate Audit Record Repositories + + + + + + + + + +

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

+
+ +

Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.

+
+ + +

audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records across different repositories

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting the analysis and correlation of audit records

+
+
+
+ + Central Review and Analysis + + + + + + + + + +

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

+
+ +

Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.

+
+ + + + +

the capability to centrally review and analyze audit records from multiple components within the system is provided;

+ +
+ + +

the capability to centrally review and analyze audit records from multiple components within the system is implemented.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit review, analysis, and reporting

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

System capability to centralize review and analysis of audit records

+
+
+
+ + Integrated Analysis of Audit Records + + + +

vulnerability scanning information; performance data; information system monitoring information; penetration test data; +

+
+
+ + + + + +

data/information collected from other sources to be analyzed is defined (if selected);

+
+ + + + + + + + + + +

Integrate analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

+
+ +

Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.

+
+ + +

analysis of audit records is integrated with analysis of to further enhance the ability to identify inappropriate or unusual activity.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

system design documentation

+

system configuration settings and associated documentation

+

integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources

+
+
+
+ + Correlation with Physical Monitoring + + + + + + + +

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

+ + AU-6 (6) Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+
+
+ +

The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.

+
+ + +

information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit review, analysis, and reporting

+

procedures addressing physical access monitoring

+

system design documentation

+

system configuration settings and associated documentation

+

documentation providing evidence of correlated information obtained from audit records and physical access monitoring records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with physical access monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access

+
+
+
+ + Permitted Actions + + + +

information system process; role; user

+
+
+ + + + + + + + + +

Specify the permitted actions for each associated with the review, analysis, and reporting of audit record information.

+
+ +

Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.

+
+ + +

the permitted actions for each associated with the review, analysis, and reporting of audit record information are specified.

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information

+
+
+
+
+ + Audit Record Reduction and Report Generation + + + + + + + + + + + + + + + + + + + +

Provide and implement an audit record reduction and report generation capability that:

+ + +

Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and

+
+ + +

Does not alter the original content or time ordering of audit records.

+
+
+ +

Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.

+
+ + + + + + +

an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;

+ +
+ + +

an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;

+ +
+ +
+ + + + +

an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;

+ +
+ + +

an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.

+ +
+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit reduction and report generation

+

system design documentation

+

system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Audit reduction and report generation capability

+
+
+ + Automatic Processing + + + +

fields within audit records that can be processed, sorted, or searched are defined;

+
+ + + + + + + + +

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

+
+ +

Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.

+
+ + + + +

the capability to process, sort, and search audit records for events of interest based on are provided;

+ +
+ + +

the capability to process, sort, and search audit records for events of interest based on are implemented.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit reduction and report generation

+

system design documentation

+

system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

audit record criteria (fields) establishing events of interest

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Audit reduction and report generation capability

+
+
+
+
+ + Time Stamps + + + + +

one second granularity of time measurement

+
+
+ +

granularity of time measurement for audit record timestamps is defined;

+
+ + + + + + + + + + + + +

Use internal system clocks to generate time stamps for audit records; and

+
+ + +

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

+
+
+ +

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

+
+ + + + +

internal system clocks are used to generate timestamps for audit records;

+ +
+ + +

timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing timestamp generation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing timestamp generation

+
+
+
+ + Protection of Audit Information + + + +

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and

+
+ + +

Alert upon detection of unauthorized access, modification, or deletion of audit information.

+
+
+ +

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

+
+ + + + +

audit information and audit logging tools are protected from unauthorized access, modification, and deletion;

+ +
+ + +

+ are alerted upon detection of unauthorized access, modification, or deletion of audit information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

audit tools

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit information protection

+
+
+ + Store on Separate Physical Systems or Components + + + + +

at least weekly

+
+
+ +

the frequency of storing audit records in a repository is defined;

+
+ + + + + + + + + +

Store audit records in a repository that is part of a physically different system or system component than the system or component being audited.

+
+ +

Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.

+
+ + +

audit records are stored in a repository that is part of a physically different system or system component than the system or component being audited.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system or media storing backups of system audit records

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing the backing up of audit records

+
+
+
+ + Cryptographic Protection + + + + + + + + + +

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.

+ + AU-9 (3) Additional FedRAMP Requirements and Guidance + + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+
+
+ +

Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

+
+ + +

cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system hardware settings

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Cryptographic mechanisms protecting the integrity of audit information and tools

+
+
+
+ + Access by Subset of Privileged Users + + + +

a subset of privileged users or roles authorized to access management of audit logging functionality is defined;

+
+ + + + + + + + +

Authorize access to management of audit logging functionality to only .

+
+ +

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.

+
+ + +

access to management of audit logging functionality is authorized only to .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of privileged users with access to management of audit functionality

+

access authorizations

+

access control list

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms managing access to audit functionality

+
+
+
+
+ + Non-repudiation + + + + +

minimum actions including the addition, modification, deletion, approval, sending, or receiving of data

+
+
+ +

actions to be covered by non-repudiation are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed .

+
+ +

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.

+
+ + +

irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing non-repudiation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing non-repudiation capability

+
+
+
+ + Audit Record Retention + + + + +

a time period in compliance with M-21-31

+
+
+ +

a time period to retain audit records that is consistent with the records retention policy is defined;

+
+ + + + + + + + + + + + + + + + +

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ + AU-11 Additional FedRAMP Requirements and Guidance + + +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

+
+ + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

+
+ + +

The service provider is encouraged to align with M-21-31 where possible

+
+
+
+ +

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

+
+ + +

audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

audit record retention policy and procedures

+

security plan

+

organization-defined retention period for audit records

+

audit record archives

+

audit logs

+

audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record retention responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+
+ + Audit Record Generation + + + + +

all information system and network components where audit capability is deployed/available

+
+
+ +

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

+
+ + + + +

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

+
+ + +

Allow to select the event types that are to be logged by specific components of the system; and

+
+ + +

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

+
+
+ +

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

+
+ + + + +

audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by ;

+ +
+ + +

+ is/are allowed to select the event types that are to be logged by specific components of the system;

+ +
+ + +

audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit record generation

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of auditable events

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit record generation capability

+
+
+ + System-wide and Time-correlated Audit Trail + + + + +

all network, data storage, and computing devices

+
+
+ +

system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;

+
+ + + + +

level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;

+
+ + + + + + + + + +

Compile audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

+
+ +

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

+
+ + +

audit records from are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit record generation

+

system design documentation

+

system configuration settings and associated documentation

+

system-wide audit trail (logical or physical)

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit record generation capability

+
+
+
+ + Changes by Authorized Individuals + + + + +

service provider-defined individuals or roles with audit configuration responsibilities

+
+
+ +

individuals or roles authorized to change the logging on system components are defined;

+
+ + + + + +

all network, data storage, and computing devices

+
+
+ +

system components on which logging is to be performed are defined;

+
+ + + + +

selectable event criteria with which change logging is to be performed are defined;

+
+ + + + +

time thresholds in which logging actions are to change is defined;

+
+ + + + + + + + +

Provide and implement the capability for to change the logging to be performed on based on within .

+
+ +

Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).

+
+ + + + +

the capability for to change the logging to be performed on based on within is provided;

+ +
+ + +

the capability for to change the logging to be performed on based on within is implemented.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit record generation

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of individuals or roles authorized to change auditing to be performed

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit record generation capability

+
+
+
+
+
+ + Assessment, Authorization, and Monitoring + + Policy and Procedures + + + + + + +

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ assessment, authorization, and monitoring policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

+
+ + +

Review and update the current assessment, authorization, and monitoring:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an assessment, authorization, and monitoring policy is developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring policy is disseminated to ;

+ +
+ + +

assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring procedures are disseminated to ;

+ +
+ + + + + + +

the assessment, authorization, and monitoring policy addresses purpose;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses scope;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses roles;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses responsibilities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses management commitment;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses coordination among organizational entities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses compliance;

+ +
+ +
+ + +

the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

+ +
+ + + + + + +

the current assessment, authorization, and monitoring policy is reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current assessment, authorization, and monitoring procedures are reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment, authorization, and monitoring policy responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Control Assessments + + + + +

at least annually

+
+
+ +

the frequency at which to assess controls in the system and its environment of operation is defined;

+
+ + + + + +

individuals or roles to include FedRAMP PMO

+
+
+ +

individuals or roles to whom control assessment results are to be provided are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Select the appropriate assessor or assessment team for the type of assessment to be conducted;

+
+ + +

Develop a control assessment plan that describes the scope of the assessment including:

+ + +

Controls and control enhancements under assessment;

+
+ + +

Assessment procedures to be used to determine control effectiveness; and

+
+ + +

Assessment environment, assessment team, and assessment roles and responsibilities;

+
+
+ + +

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+
+ + +

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

+
+ + +

Produce a control assessment report that document the results of the assessment; and

+
+ + +

Provide the results of the control assessment to .

+
+ + CA-2 Additional FedRAMP Requirements and Guidance + + +

Reference FedRAMP Annual Assessment Guidance.

+
+
+
+ +

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

+

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

+

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

+

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

+

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

+
+ + + + +

an appropriate assessor or assessment team is selected for the type of assessment to be conducted;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment team;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;

+ +
+ +
+ +
+ + +

the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+ +
+ + + + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+ +
+ + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

+ +
+ +
+ + +

a control assessment report is produced that documents the results of the assessment;

+ +
+ + +

the results of the control assessment are provided to .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing assessment planning

+

procedures addressing control assessments

+

control assessment plan

+

control assessment report

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting

+
+
+ + Independent Assessors + + + + + + + +

Employ independent assessors or assessment teams to conduct control assessments.

+ + CA-2 (1) Additional FedRAMP Requirements and Guidance + + +

For JAB Authorization, must use an accredited 3PAO.

+
+
+
+ +

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

+

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

+

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

+
+ + +

independent assessors or assessment teams are employed to conduct control assessments.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

previous control assessment plan

+

previous control assessment report

+

plan of action and milestones

+

existing authorization statement

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Specialized Assessments + + + + +

at least annually

+
+
+ +

frequency at which to include specialized assessments as part of the control assessment is defined;

+
+ + + + + + + + + + +

other forms of assessment are defined (if selected);

+
+ + + + + + + + + + +

Include as part of control assessments, , , .

+ + CA-2 (2) Additional FedRAMP Requirements and Guidance + + +

To include 'announced', 'vulnerability scanning'

+
+
+
+ +

Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).

+
+ + +

+ + + are included as part of control assessments.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting control assessment

+
+
+
+ + Leveraging Results from External Organizations + + + + +

any FedRAMP Accredited 3PAO

+
+
+ +

external organization(s) from which the results of control assessments are leveraged are defined;

+
+ + + + +

system on which a control assessment was performed by an external organization is defined;

+
+ + + + + +

the conditions of the JAB/AO in the FedRAMP Repository

+
+
+ +

requirements to be met by the control assessment performed by an external organization on the system are defined;

+
+ + + + + + + + + +

Leverage the results of control assessments performed by on when the assessment meets .

+
+ +

Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program ISO 15408-1 , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.

+
+ + +

the results of control assessments performed by on are leveraged when the assessment meets .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

control assessment requirements

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

plan of action and milestones

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel performing control assessments for the specified external organization

+
+
+
+
+ + Information Exchange + + + + + + +

the type of agreement used to approve and manage the exchange of information is defined (if selected);

+
+ + + + + +

at least annually and on input from JAB/AO

+
+
+ +

the frequency at which to review and update agreements is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Approve and manage the exchange of information between the system and other systems using ;

+
+ + +

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

+
+ + +

Review and update the agreements .

+
+
+ +

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

+

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

+
+ + + + +

the exchange of information between the system and other systems is approved and managed using ;

+ +
+ + + + +

the interface characteristics are documented as part of each exchange agreement;

+ +
+ + +

security requirements are documented as part of each exchange agreement;

+ +
+ + +

privacy requirements are documented as part of each exchange agreement;

+ +
+ + +

controls are documented as part of each exchange agreement;

+ +
+ + +

responsibilities for each system are documented as part of each exchange agreement;

+ +
+ + +

the impact level of the information communicated is documented as part of each exchange agreement;

+ +
+ +
+ + +

agreements are reviewed and updated .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system interconnection security agreements

+

information exchange security agreements

+

memoranda of understanding or agreements

+

service level agreements

+

non-disclosure agreements

+

system design documentation

+

enterprise architecture

+

system architecture

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements

+

organizational personnel with information security and privacy responsibilities

+

personnel managing the system(s) to which the interconnection security agreement applies

+
+
+ + Transfer Authorizations + + + + + + + + + + + +

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

+
+ +

To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays).

+
+ + +

individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

+ +
+ + + + +

Access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system interconnection agreements

+

information exchange security agreements

+

memoranda of understanding or agreements

+

service level agreements

+

non-disclosure agreements

+

system design documentation

+

system configuration settings and associated documentation

+

control assessment report

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing connections to external systems

+

network administrators

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms implementing restrictions on external system connections

+
+
+
+
+ + Plan of Action and Milestones + + + + +

at least monthly

+
+
+ +

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

+
+ + +

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+
+ + CA-5 Additional FedRAMP Requirements and Guidance + + +

POA&Ms must be provided at least monthly.

+
+ + +

Reference FedRAMP-POAM-Template

+
+
+
+ +

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

+
+ + + + +

a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;

+ +
+ + +

existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing plan of action and milestones

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

plan of action and milestones

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with plan of action and milestones development and implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms for developing, implementing, and maintaining plan of action and milestones

+
+
+
+ + Authorization + + + + +

in accordance with OMB A-130 requirements or when a significant change occurs

+
+
+ +

frequency at which to update the authorizations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a senior official as the authorizing official for the system;

+
+ + +

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

+
+ + +

Ensure that the authorizing official for the system, before commencing operations:

+ + +

Accepts the use of common controls inherited by the system; and

+
+ + +

Authorizes the system to operate;

+
+
+ + +

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+
+ + +

Update the authorizations .

+
+ + CA-6 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

+
+
+
+ +

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

+

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

+
+ + + + +

a senior official is assigned as the authorizing official for the system;

+ +
+ + +

a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;

+ +
+ + + + +

before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;

+ +
+ + +

before commencing operations, the authorizing official for the system authorizes the system to operate;

+ +
+ +
+ + +

the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+ +
+ + +

the authorizations are updated .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing authorization

+

system security plan, privacy plan, assessment report, plan of action and milestones

+

authorization statement

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authorization responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms that facilitate authorizations and updates

+
+
+
+ + Continuous Monitoring + + + + +

to include JAB/AO

+
+
+ + + + + + + +

system-level metrics to be monitored are defined;

+
+ + + + +

frequencies at which to monitor control effectiveness are defined;

+
+ + + + +

frequencies at which to assess control effectiveness are defined;

+
+ + + + +

personnel or roles to whom the security status of the system is reported are defined;

+
+ + + + +

frequency at which the security status of the system is reported is defined;

+
+ + + + +

personnel or roles to whom the privacy status of the system is reported are defined;

+
+ + + + +

frequency at which the privacy status of the system is reported is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

+ + +

Establishing the following system-level metrics to be monitored: ;

+
+ + +

Establishing for monitoring and for assessment of control effectiveness;

+
+ + +

Ongoing control assessments in accordance with the continuous monitoring strategy;

+
+ + +

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+
+ + +

Correlation and analysis of information generated by control assessments and monitoring;

+
+ + +

Response actions to address results of the analysis of control assessment and monitoring information; and

+
+ + +

Reporting the security and privacy status of the system to + .

+
+ + CA-7 Additional FedRAMP Requirements and Guidance + + +

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+ + +

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

+
+ + +

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

+
+
+
+ +

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

+

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

+
+ + + + +

a system-level continuous monitoring strategy is developed;

+ +
+ + +

system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

+ +
+ + + + +

system-level continuous monitoring includes established for monitoring;

+ +
+ + +

system-level continuous monitoring includes established for assessment of control effectiveness;

+ +
+ +
+ + +

system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;

+ +
+ + +

system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;

+ +
+ + + + +

system-level continuous monitoring includes reporting the security status of the system to + ;

+ +
+ + +

system-level continuous monitoring includes reporting the privacy status of the system to + .

+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

procedures addressing configuration management

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

configuration management records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing continuous monitoring

+

mechanisms supporting response actions to address assessment and monitoring results

+

mechanisms supporting security and privacy status reporting

+
+
+ + Independent Assessment + + + + + + + +

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

+
+ +

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.

+
+ + +

independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Risk Monitoring + + + + + + + + +

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

+ + +

Effectiveness monitoring;

+
+ + +

Compliance monitoring; and

+
+ + +

Change monitoring.

+
+
+ +

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

+
+ + +

risk monitoring is an integral part of the continuous monitoring strategy;

+ + +

effectiveness monitoring is included in risk monitoring;

+ +
+ + +

compliance monitoring is included in risk monitoring;

+ +
+ + +

change monitoring is included in risk monitoring.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting risk monitoring

+
+
+
+
+ + Penetration Testing + + + + +

at least annually

+
+
+ +

frequency at which to conduct penetration testing on systems or system components is defined;

+
+ + + + +

systems or system components on which penetration testing is to be conducted are defined;

+
+ + + + + + + + + + + + +

Conduct penetration testing on .

+ + CA-8 Additional FedRAMP Requirements and Guidance + + +

Reference the FedRAMP Penetration Test Guidance.

+
+
+
+ +

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

+
+ + +

penetration testing is conducted on .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting penetration testing

+
+
+ + Independent Penetration Testing Agent or Team + + + + + + + + +

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

+
+ +

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.

+
+ + +

an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

security assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Red Team Exercises + + + +

red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;

+
+ + + + + + + + +

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: .

+ + CM-2 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Penetration Test Guidance

+

https://www.FedRAMP.gov/documents/

+
+
+
+ +

Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness.

+
+ + +

+ are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

procedures addressing red team exercises

+

assessment plan

+

results of red team exercises

+

penetration test report

+

assessment report

+

rules of engagement

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting the employment of red team exercises

+
+
+
+
+ + Internal System Connections + + + +

system components or classes of components requiring internal connections to the system are defined;

+
+ + + + +

conditions requiring termination of internal connections are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review the continued need for each internal connection is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Authorize internal connections of to the system;

+
+ + +

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

+
+ + +

Terminate internal system connections after ; and

+
+ + +

Review the continued need for each internal connection.

+
+
+ +

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

+
+ + + + +

internal connections of to the system are authorized;

+ +
+ + + + +

for each internal connection, the interface characteristics are documented;

+ +
+ + +

for each internal connection, the security requirements are documented;

+ +
+ + +

for each internal connection, the privacy requirements are documented;

+ +
+ + +

for each internal connection, the nature of the information communicated is documented;

+ +
+ +
+ + +

internal system connections are terminated after ;

+ +
+ + +

the continued need for each internal connection is reviewed .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system design documentation

+

system configuration settings and associated documentation

+

list of components or classes of components authorized as internal system connections

+

assessment report

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting internal system connections

+
+
+
+
+ + Configuration Management + + Policy and Procedures + + + + + + +

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the configuration management policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current configuration management policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current configuration management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current configuration management procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require configuration management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ configuration management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

+
+ + +

Review and update the current configuration management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a configuration management policy is developed and documented;

+ +
+ + +

the configuration management policy is disseminated to ;

+ +
+ + +

configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;

+ +
+ + +

the configuration management procedures are disseminated to ;

+ +
+ + + + + + +

the of the configuration management policy addresses purpose;

+ +
+ + +

the of the configuration management policy addresses scope;

+ +
+ + +

the of the configuration management policy addresses roles;

+ +
+ + +

the of the configuration management policy addresses responsibilities;

+ +
+ + +

the of the configuration management policy addresses management commitment;

+ +
+ + +

the of the configuration management policy addresses coordination among organizational entities;

+ +
+ + +

the of the configuration management policy addresses compliance;

+ +
+ +
+ + +

the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;

+ +
+ + + + + + +

the current configuration management policy is reviewed and updated ;

+ +
+ + +

the current configuration management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current configuration management procedures are reviewed and updated ;

+ +
+ + +

the current configuration management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Configuration management policy and procedures

+

security and privacy program policies and procedures

+

assessment or audit findings

+

documentation of security incidents or breaches

+

system security plan

+

privacy plan

+

risk management strategy

+

other relevant artifacts, documents, or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Baseline Configuration + + + + +

at least annually and when a significant change occurs

+
+
+ +

the frequency of baseline configuration review and update is defined;

+
+ + + + + +

to include when directed by the JAB

+
+
+ +

the circumstances requiring baseline configuration review and update are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

+
+ + +

Review and update the baseline configuration of the system:

+ + +

+ ;

+
+ + +

When required due to ; and

+
+ + +

When system components are installed or upgraded.

+
+
+ + CM-2 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

+
+ + + + + + +

a current baseline configuration of the system is developed and documented;

+ +
+ + +

a current baseline configuration of the system is maintained under configuration control;

+ +
+ +
+ + + + +

the baseline configuration of the system is reviewed and updated ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when required due to ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

enterprise architecture documentation

+

system design documentation

+

system security plan

+

privacy plan

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

change control records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+

mechanisms supporting configuration control of the baseline configuration

+
+
+ + Automation Support for Accuracy and Currency + + + +

automated mechanisms for maintaining baseline configuration of the system are defined;

+
+ + + + + + + + + + + +

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

+
+ +

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

+
+ + + + +

the currency of the baseline configuration of the system is maintained using ;

+ +
+ + +

the completeness of the baseline configuration of the system is maintained using ;

+ +
+ + +

the accuracy of the baseline configuration of the system is maintained using ;

+ +
+ + +

the availability of the baseline configuration of the system is maintained using .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

configuration change control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+

automated mechanisms implementing baseline configuration maintenance

+
+
+
+ + Retention of Previous Configurations + + + + +

organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components

+
+
+ +

the number of previous baseline configuration versions to be retained is defined;

+
+ + + + + + + + +

Retain of previous versions of baseline configurations of the system to support rollback.

+
+ +

Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation.

+
+ + +

+ of previous baseline configuration version(s) of the system is/are retained to support rollback.

+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

copies of previous baseline configuration versions

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+
+
+
+ + Configure Systems and Components for High-risk Areas + + + +

the systems or system components to be issued when individuals travel to high-risk areas are defined;

+
+ + + + +

configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;

+
+ + + + +

the controls to be applied when the individuals return from travel are defined;

+
+ + + + + + + + + + + + +

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

+
+ + +

Apply the following controls to the systems or components when the individuals return from travel: .

+
+
+ +

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

+
+ + + + +

+ with are issued to individuals traveling to locations that the organization deems to be of significant risk;

+ +
+ + +

+ are applied to the systems or system components when the individuals return from travel.

+ +
+ +
+ + + + +

Configuration management policy

+

configuration management plan

+

procedures addressing the baseline configuration of the system

+

procedures addressing system component installations and upgrades

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

records of system baseline configuration reviews and updates

+

system component installations/upgrades and associated records

+

change control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+
+
+
+
+ + Configuration Change Control + + + +

the time period to retain records of configuration-controlled changes is defined;

+
+ + + + +

the configuration change control element responsible for coordinating and overseeing change control activities is defined;

+
+ + + + + + + +

the frequency at which the configuration control element convenes is defined (if selected);

+
+ + + + +

configuration change conditions that prompt the configuration control element to convene are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine and document the types of changes to the system that are configuration-controlled;

+
+ + +

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

+
+ + +

Document configuration change decisions associated with the system;

+
+ + +

Implement approved configuration-controlled changes to the system;

+
+ + +

Retain records of configuration-controlled changes to the system for ;

+
+ + +

Monitor and review activities associated with configuration-controlled changes to the system; and

+
+ + +

Coordinate and provide oversight for configuration change control activities through that convenes .

+
+ + CM-3 Additional FedRAMP Requirements and Guidance + + +

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

+
+ + +

In accordance with record retention policies and procedures.

+
+
+
+ +

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

+
+ + + + +

the types of changes to the system that are configuration-controlled are determined and documented;

+ +
+ + + + +

proposed configuration-controlled changes to the system are reviewed;

+ +
+ + +

proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;

+ +
+ +
+ + +

configuration change decisions associated with the system are documented;

+ +
+ + +

approved configuration-controlled changes to the system are implemented;

+ +
+ + +

records of configuration-controlled changes to the system are retained for ;

+ +
+ + + + +

activities associated with configuration-controlled changes to the system are monitored;

+ +
+ + +

activities associated with configuration-controlled changes to the system are reviewed;

+ +
+ +
+ + + + +

configuration change control activities are coordinated and overseen by ;

+ +
+ + +

the configuration control element convenes .

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system architecture and configuration documentation

+

change control records

+

system audit records

+

change control audit and review reports

+

agenda/minutes/documentation from configuration change control oversight meetings

+

system security plan

+

privacy plan

+

privacy impact assessments

+

system of records notices

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

mechanisms that implement configuration change control

+
+
+ + Automated Documentation, Notification, and Prohibition of Changes + + + +

mechanisms used to automate configuration change control are defined;

+
+ + + + +

approval authorities to be notified of and request approval for proposed changes to the system are defined;

+
+ + + + + +

organization agreed upon time period

+
+
+ +

the time period after which to highlight changes that have not been approved or disapproved is defined;

+
+ + + + + +

organization defined configuration management approval authorities

+
+
+ +

personnel to be notified when approved changes are complete is/are defined;

+
+ + + + + + + + +

Use to:

+ + +

Document proposed changes to the system;

+
+ + +

Notify of proposed changes to the system and request change approval;

+
+ + +

Highlight proposed changes to the system that have not been approved or disapproved within ;

+
+ + +

Prohibit changes to the system until designated approvals are received;

+
+ + +

Document all changes to the system; and

+
+ + +

Notify when approved changes to the system are completed.

+
+
+ +

None.

+
+ + + + +

+ are used to document proposed changes to the system;

+ +
+ + +

+ are used to notify of proposed changes to the system and request change approval;

+ +
+ + +

+ are used to highlight proposed changes to the system that have not been approved or disapproved within ;

+ +
+ + +

+ are used to prohibit changes to the system until designated approvals are received;

+ +
+ + +

+ are used to document all changes to the system;

+ +
+ + +

+ are used to notify when approved changes to the system are completed.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

automated configuration control mechanisms

+

system configuration settings and associated documentation

+

change control records

+

system audit records

+

change approval requests

+

change approvals

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

automated mechanisms implementing configuration change control activities

+
+
+
+ + Testing, Validation, and Documentation of Changes + + + + + + + +

Test, validate, and document changes to the system before finalizing the implementation of the changes.

+
+ +

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6 . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

+
+ + + + +

changes to the system are tested before finalizing the implementation of the changes;

+ +
+ + +

changes to the system are validated before finalizing the implementation of the changes;

+ +
+ + +

changes to the system are documented before finalizing the implementation of the changes.

+ +
+ +
+ + + + +

Configuration management policy

+

configuration management plan

+

procedures addressing system configuration change control

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

test records

+

validation records

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

mechanisms supporting and/or implementing, testing, validating, and documenting system changes

+
+
+
+ + Security and Privacy Representatives + + + + + + +

security representatives required to be members of the change control element are defined;

+
+ + + + +

privacy representatives required to be members of the change control element are defined;

+
+ + + + + +

Configuration control board (CCB) or similar (as defined in CM-3)

+
+
+ +

the configuration change control element of which the security and privacy representatives are to be members is defined;

+
+ + + + + + + +

Require to be members of the .

+
+ +

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in CM-3g.

+
+ + + + +

+ are required to be members of the ;

+ +
+ + +

+ are required to be members of the .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security and privacy responsibilities

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+
+
+
+ + Cryptography Management + + + + +

All security safeguards that rely on cryptography

+
+
+ +

controls provided by cryptographic mechanisms that are to be under configuration management are defined;

+
+ + + + + + + + +

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: .

+
+ +

The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.

+
+ + +

cryptographic mechanisms used to provide are under configuration management.

+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

cryptographic mechanisms implementing organizational security safeguards (controls)

+
+
+
+
+ + Impact Analyses + + + + + + + + + + + + + + + + + + + +

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

+
+ +

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

+
+ + + + +

changes to the system are analyzed to determine potential security impacts prior to change implementation;

+ +
+ + +

changes to the system are analyzed to determine potential privacy impacts prior to change implementation.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

configuration management plan

+

security impact analysis documentation

+

privacy impact analysis documentation

+

privacy impact assessment

+

privacy risk assessment documentation, system design documentation

+

analysis tools and associated outputs

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security impact analyses

+

organizational personnel with responsibility for conducting privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system developer

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for security impact analyses

+

organizational processes for privacy impact analyses

+
+
+ + Separate Test Environments + + + + + + + + + +

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.

+
+ +

A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation.

+
+ + + + +

changes to the system are analyzed in a separate test environment before implementation in an operational environment;

+ +
+ + +

changes to the system are analyzed for security impacts due to flaws;

+ +
+ + +

changes to the system are analyzed for privacy impacts due to flaws;

+ +
+ + +

changes to the system are analyzed for security impacts due to weaknesses;

+ +
+ + +

changes to the system are analyzed for privacy impacts due to weaknesses;

+ +
+ + +

changes to the system are analyzed for security impacts due to incompatibility;

+ +
+ + +

changes to the system are analyzed for privacy impacts due to incompatibility;

+ +
+ + +

changes to the system are analyzed for security impacts due to intentional malice;

+ +
+ + +

changes to the system are analyzed for privacy impacts due to intentional malice.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

configuration management plan

+

security impact analysis documentation

+

privacy impact analysis documentation

+

privacy impact assessment

+

privacy risk assessment documentation

+

analysis tools and associated outputs system design documentation

+

system architecture and configuration documentation

+

change control records

+

procedures addressing the authority to test with PII

+

system audit records

+

documentation of separate test and operational environments

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security and privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for security and privacy impact analyses

+

mechanisms supporting and/or implementing security and privacy impact analyses of changes

+
+
+
+ + Verification of Controls + + + + + + + + + + +

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

+
+ +

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

+
+ + + + +

the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;

+ +
+ + +

the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;

+ +
+ + +

the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

privacy risk assessment documentation

+

configuration management plan

+

security and privacy impact analysis documentation

+

privacy impact assessment

+

analysis tools and associated outputs

+

change control records

+

control assessment results

+

system audit records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security and privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

security and privacy assessors

+
+
+ + + + +

Organizational processes for security and privacy impact analyses

+

mechanisms supporting and/or implementing security and privacy impact analyses of changes

+
+
+
+
+ + Access Restrictions for Change + + + + + + + + + + + + + + + + + +

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

+
+ +

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

+
+ + + + +

physical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

physical access restrictions associated with changes to the system are approved;

+ +
+ + +

physical access restrictions associated with changes to the system are enforced;

+ +
+ + +

logical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

logical access restrictions associated with changes to the system are approved;

+ +
+ + +

logical access restrictions associated with changes to the system are enforced.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

logical access approvals

+

physical access approvals

+

access credentials

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system

+
+
+ + Automated Access Enforcement and Audit Records + + + +

mechanisms used to automate the enforcement of access restrictions are defined;

+
+ + + + + + + + + + + + + + + + +

Enforce access restrictions using ; and

+
+ + +

Automatically generate audit records of the enforcement actions.

+
+
+ +

Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

+
+ + + + +

access restrictions for change are enforced using ;

+ +
+ + +

audit records of enforcement actions are automatically generated.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

automated mechanisms implementing the enforcement of access restrictions for changes to the system

+

automated mechanisms supporting auditing of enforcement actions

+
+
+
+ + Privilege Limitation for Production and Operation + + + + +

at least quarterly

+
+
+ + + + +

frequency at which to review privileges is defined;

+
+ + + + +

frequency at which to reevaluate privileges is defined;

+
+ + + + + + + + + + +

Limit privileges to change system components and system-related information within a production or operational environment; and

+
+ + +

Review and reevaluate privileges .

+
+
+ +

In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures.

+
+ + + + + + +

privileges to change system components within a production or operational environment are limited;

+ +
+ + +

privileges to change system-related information within a production or operational environment are limited;

+ +
+ +
+ + + + +

privileges are reviewed ;

+ +
+ + +

privileges are reevaluated .

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

user privilege reviews

+

user privilege recertifications

+

system component inventory

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting and/or implementing access restrictions for change

+
+
+
+
+ + Configuration Settings + + + +

common secure configurations to establish and document configuration settings for components employed within the system are defined;

+
+ + + + +

system components for which approval of deviations is needed are defined;

+
+ + + + +

operational requirements necessitating approval of deviations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

+
+ + +

Implement the configuration settings;

+
+ + +

Identify, document, and approve any deviations from established configuration settings for based on ; and

+
+ + +

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

+
+ + CM-6 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

+
+ + +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

+
+ + +

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

+

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

+
+
+
+ +

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

+

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

+

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

+
+ + + + +

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

+ +
+ + +

the configuration settings documented in CM-06a are implemented;

+ +
+ + + + +

any deviations from established configuration settings for are identified and documented based on ;

+ +
+ + +

any deviations from established configuration settings for are approved;

+ +
+ +
+ + + + +

changes to the configuration settings are monitored in accordance with organizational policies and procedures;

+ +
+ + +

changes to the configuration settings are controlled in accordance with organizational policies and procedures.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

system component inventory

+

evidence supporting approved deviations from established configuration settings

+

change control records

+

system data processing and retention permissions

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with privacy configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing configuration settings

+

mechanisms that implement, monitor, and/or control system configuration settings

+

mechanisms that identify and/or document deviations from established configuration settings

+
+
+ + Automated Management, Application, and Verification + + + + + + +

system components for which to manage, apply, and verify configuration settings are defined;

+
+ + + + +

automated mechanisms to manage configuration settings are defined;

+
+ + + + +

automated mechanisms to apply configuration settings are defined;

+
+ + + + +

automated mechanisms to verify configuration settings are defined;

+
+ + + + + + + + +

Manage, apply, and verify configuration settings for using .

+
+ +

Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization.

+
+ + + + +

configuration settings for are managed using ;

+ +
+ + +

configuration settings for are applied using ;

+ +
+ + +

configuration settings for are verified using .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for managing configuration settings

+

automated mechanisms implemented to manage, apply, and verify system configuration settings

+
+
+
+ + Respond to Unauthorized Changes + + + +

actions to be taken upon an unauthorized change are defined;

+
+ + + + +

configuration settings requiring action upon an unauthorized change are defined;

+
+ + + + + + + + + + +

Take the following actions in response to unauthorized changes to : .

+
+ +

Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing.

+
+ + +

+ are taken in response to unauthorized changes to .

+ +
+ + + + +

System security plan

+

privacy plan

+

configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

alerts/notifications of unauthorized changes to system configuration settings

+

system component inventory

+

documented responses to unauthorized changes to system configuration settings

+

change control records

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational process for responding to unauthorized changes to system configuration settings

+

mechanisms supporting and/or implementing actions in response to unauthorized changes

+
+
+
+
+ + Least Functionality + + + + + + +

mission-essential capabilities for the system are defined;

+
+ + + + +

functions to be prohibited or restricted are defined;

+
+ + + + +

ports to be prohibited or restricted are defined;

+
+ + + + +

protocols to be prohibited or restricted are defined;

+
+ + + + +

software to be prohibited or restricted is defined;

+
+ + + + +

services to be prohibited or restricted are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Configure the system to provide only ; and

+
+ + +

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

+
+ + CM-7 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

+
+
+
+ +

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

+
+ + + + +

the system is configured to provide only ;

+ +
+ + + + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services

+

mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services

+
+
+ + Periodic Review + + + + + + + +

at least annually

+
+
+ +

the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;

+
+ + + + +

functions to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

ports to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

protocols to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

software to be disabled or removed when deemed unnecessary or non-secure is defined;

+
+ + + + +

services to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + + + + + + + + +

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

+
+ + +

Disable or remove .

+
+
+ +

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

+
+ + + + +

the system is reviewed to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:

+ +
+ + + + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure is disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

documented reviews of functions, ports, protocols, and/or services

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system

+

mechanisms implementing review and disabling of functions, ports, protocols, and/or services

+
+
+
+ + Prevent Program Execution + + + + + + +

policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);

+
+ + + + + + + + + + + + +

Prevent program execution in accordance with .

+ + CM-7 (2) Additional FedRAMP Requirements and Guidance + + +

This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

+
+
+
+ +

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time.

+
+ + +

program execution is prevented in accordance with .

+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

specifications for preventing software program execution

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes preventing program execution on the system

+

organizational processes for software program usage and restrictions

+

mechanisms preventing program execution on the system

+

mechanisms supporting and/or implementing software program usage and restrictions

+
+
+
+ + Authorized Software — Allow-by-exception + + + +

software programs authorized to execute on the system are defined;

+
+ + + + + +

at least quarterly or when there is a change

+
+
+ +

frequency at which to review and update the list of authorized software programs is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Identify ;

+
+ + +

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and

+
+ + +

Review and update the list of authorized software programs .

+
+
+ +

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

+
+ + + + +

+ are identified;

+ +
+ + +

a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;

+ +
+ + +

the list of authorized software programs is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of software programs authorized to execute on the system

+

system component inventory

+

common secure configuration checklists

+

review and update records associated with list of authorized software programs

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for identifying software authorized to execute on the system

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational process for identifying, reviewing, and updating programs authorized to execute on the system

+

organizational process for implementing authorized software policy

+

mechanisms supporting and/or implementing authorized software policy

+
+
+
+
+ + System Component Inventory + + + +

information deemed necessary to achieve effective system component accountability is defined;

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to review and update the system component inventory is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop and document an inventory of system components that:

+ + +

Accurately reflects the system;

+
+ + +

Includes all components within the system;

+
+ + +

Does not include duplicate accounting of components or components assigned to any other system;

+
+ + +

Is at the level of granularity deemed necessary for tracking and reporting; and

+
+ + +

Includes the following information to achieve system component accountability: ; and

+
+
+ + +

Review and update the system component inventory .

+
+ + CM-8 Additional FedRAMP Requirements and Guidance + + +

must be provided at least monthly or when there is a change.

+
+
+
+ +

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

+

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

+
+ + + + + + +

an inventory of system components that accurately reflects the system is developed and documented;

+ +
+ + +

an inventory of system components that includes all components within the system is developed and documented;

+ +
+ + +

an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;

+ +
+ + +

an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;

+ +
+ + +

an inventory of system components that includes is developed and documented;

+ +
+ +
+ + +

the system component inventory is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system design documentation

+

system component inventory

+

inventory reviews and update records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing the system component inventory

+

mechanisms supporting and/or implementing system component inventory

+
+
+ + Updates During Installation and Removal + + + + + + + + +

Update the inventory of system components as part of component installations, removals, and system updates.

+
+ +

Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.

+
+ + + + +

the inventory of system components is updated as part of component installations;

+ +
+ + +

the inventory of system components is updated as part of component removals;

+ +
+ + +

the inventory of system components is updated as part of system updates.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system component inventory

+

inventory reviews and update records

+

change control records

+

component installation records

+

component removal records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory updating responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for updating the system component inventory

+

mechanisms supporting and/or implementing system component inventory updates

+
+
+
+ + Automated Maintenance + + + + + + +

automated mechanisms used to maintain the currency of the system component inventory are defined;

+
+ + + + +

automated mechanisms used to maintain the completeness of the system component inventory are defined;

+
+ + + + +

automated mechanisms used to maintain the accuracy of the system component inventory are defined;

+
+ + + + +

automated mechanisms used to maintain the availability of the system component inventory are defined;

+
+ + + + + + + + +

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using .

+
+ +

Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

+
+ + + + +

+ are used to maintain the currency of the system component inventory;

+ +
+ + +

+ are used to maintain the completeness of the system component inventory;

+ +
+ + +

+ are used to maintain the accuracy of the system component inventory;

+ +
+ + +

+ are used to maintain the availability of the system component inventory.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system design documentation

+

system security plan

+

system component inventory

+

change control records

+

system maintenance records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for maintaining the system component inventory

+

automated mechanisms supporting and/or implementing the system component inventory

+
+
+
+ + Automated Unauthorized Component Detection + + + + +

automated mechanisms with a maximum five-minute delay in detection

+
+
+ + + + +

automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;

+
+ + + + +

automated mechanisms used to detect the presence of unauthorized software within the system are defined;

+
+ + + + +

automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;

+
+ + + + + + + +

personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + +

Detect the presence of unauthorized hardware, software, and firmware components within the system using + ; and

+
+ + +

Take the following actions when unauthorized components are detected: .

+
+
+ +

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing. +

+
+ + + + + + +

the presence of unauthorized hardware within the system is detected using + ;

+ +
+ + +

the presence of unauthorized software within the system is detected using + ;

+ +
+ + +

the presence of unauthorized firmware within the system is detected using + ;

+ +
+ +
+ + + + +

+ are taken when unauthorized hardware is detected;

+ +
+ + +

+ are taken when unauthorized software is detected;

+ +
+ + +

+ are taken when unauthorized firmware is detected.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system design documentation

+

system security plan

+

system component inventory

+

change control records

+

alerts/notifications of unauthorized components within the system

+

system monitoring records

+

system maintenance records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for detection of unauthorized system components

+

organizational processes for taking action when unauthorized system components are detected

+

automated mechanisms supporting and/or implementing the detection of unauthorized system components

+

automated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected

+
+
+
+ + Accountability Information + + + +

position and role

+
+
+ + + + + + + + + + +

Include in the system component inventory information, a means for identifying by , individuals responsible and accountable for administering those components.

+
+ +

Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated).

+
+ + +

individuals responsible and accountable for administering system components are identified by in the system component inventory.

+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system component inventory

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing the system component inventory

+

mechanisms supporting and/or implementing the system component inventory

+
+
+
+
+ + Configuration Management Plan + + + +

personnel or roles to review and approve the configuration management plan is/are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and implement a configuration management plan for the system that:

+ + +

Addresses roles, responsibilities, and configuration management processes and procedures;

+
+ + +

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

+
+ + +

Defines the configuration items for the system and places the configuration items under configuration management;

+
+ + +

Is reviewed and approved by ; and

+
+ + +

Protects the configuration management plan from unauthorized disclosure and modification.

+
+ + +

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

+
+
+ +

Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.

+

Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.

+

Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.

+
+ + + + +

a configuration management plan for the system is developed and documented;

+ +
+ + +

a configuration management plan for the system is implemented;

+ +
+ + + + +

the configuration management plan addresses roles;

+ +
+ + +

the configuration management plan addresses responsibilities;

+ +
+ + +

the configuration management plan addresses configuration management processes and procedures;

+ +
+ +
+ + + + +

the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;

+ +
+ + +

the configuration management plan establishes a process for managing the configuration of the configuration items;

+ +
+ +
+ + + + +

the configuration management plan defines the configuration items for the system;

+ +
+ + +

the configuration management plan places the configuration items under configuration management;

+ +
+ +
+ + +

the configuration management plan is reviewed and approved by ;

+ +
+ + + + +

the configuration management plan is protected from unauthorized disclosure;

+ +
+ + +

the configuration management plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration management planning

+

configuration management plan

+

system design documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing the configuration management plan

+

organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

+

organizational personnel with responsibilities for protecting the configuration management plan

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for developing and documenting the configuration management plan

+

organizational processes for identifying and managing configuration items

+

organizational processes for protecting the configuration management plan

+

mechanisms implementing the configuration management plan

+

mechanisms for managing configuration items

+

mechanisms for protecting the configuration management plan

+
+
+
+ + Software Usage Restrictions + + + + + + + + + + + + + +

Use software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + +

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + +

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ +

Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.

+
+ + + + +

software and associated documentation are used in accordance with contract agreements and copyright laws;

+ +
+ + +

the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;

+ +
+ + +

the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+ +
+ +
+ + + + +

Configuration management policy

+

software usage restrictions

+

software contract agreements and copyright laws

+

site license documentation

+

list of software usage restrictions

+

software license tracking reports

+

configuration management plan

+

system security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel operating, using, and/or maintaining the system

+

organizational personnel with software license management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for tracking the use of software protected by quantity licenses

+

organizational processes for controlling/documenting the use of peer-to-peer file sharing technology

+

mechanisms implementing software license tracking

+

mechanisms implementing and controlling the use of peer-to-peer files sharing technology

+
+
+
+ + User-installed Software + + + +

policies governing the installation of software by users are defined;

+
+ + + + +

methods used to enforce software installation policies are defined;

+
+ + + + + +

Continuously (via CM-7 (5))

+
+
+ +

frequency with which to monitor compliance is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Establish governing the installation of software by users;

+
+ + +

Enforce software installation policies through the following methods: ; and

+
+ + +

Monitor policy compliance .

+
+
+ +

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

+
+ + + + +

+ governing the installation of software by users are established;

+ +
+ + +

software installation policies are enforced through ;

+ +
+ + +

compliance with is monitored .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing user-installed software

+

configuration management plan

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of rules governing user installed software

+

system monitoring records

+

system audit records

+

continuous monitoring strategy

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for governing user-installed software

+

organizational personnel operating, using, and/or maintaining the system

+

organizational personnel monitoring compliance with user-installed software policy

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes governing user-installed software on the system

+

mechanisms enforcing policies and methods for governing the installation of software by users

+

mechanisms monitoring policy compliance

+
+
+
+ + Information Location + + + +

information for which the location is to be identified and documented is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify and document the location of and the specific system components on which the information is processed and stored;

+
+ + +

Identify and document the users who have access to the system and system components where the information is processed and stored; and

+
+ + +

Document changes to the location (i.e., system or system components) where the information is processed and stored.

+
+ + CM-12 Additional FedRAMP Requirements and Guidance + + +

According to FedRAMP Authorization Boundary Guidance

+
+
+
+ +

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199 ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

+
+ + + + + + +

the location of is identified and documented;

+ +
+ + +

the specific system components on which is processed are identified and documented;

+ +
+ + +

the specific system components on which is stored are identified and documented;

+ +
+ +
+ + + + +

the users who have access to the system and system components where is processed are identified and documented;

+ +
+ + +

the users who have access to the system and system components where is stored are identified and documented;

+ +
+ +
+ + + + +

changes to the location (i.e., system or system components) where is processed are documented;

+ +
+ + +

changes to the location (i.e., system or system components) where is stored are documented.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing identification and documentation of information location

+

configuration management plan

+

system design documentation

+

system architecture documentation

+

PII inventory documentation

+

data mapping documentation

+

audit records

+

list of users with system and system component access

+

change control records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing information location and user access to information

+

organizational personnel with responsibilities for operating, using, and/or maintaining the system

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes governing information location

+

mechanisms enforcing policies and methods for governing information location

+
+
+ + Automated Tools to Support Information Location + + + + +

Federal data and system data that must be protected at the High or Moderate impact levels

+
+
+ +

information to be protected is defined by information type;

+
+ + + + +

system components where the information is located are defined;

+
+ + + + + + + + +

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

+ + CM-12 (1) Additional FedRAMP Requirements and Guidance + + +

According to FedRAMP Authorization Boundary Guidance.

+
+
+
+ +

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

+
+ + +

automated tools are used to identify on to ensure that controls are in place to protect organizational information and individual privacy.

+ +
+ + + + +

Configuration management policy

+

procedures addressing identification and documentation of information location

+

configuration management plan

+

system design documentation

+

PII inventory documentation

+

data mapping documentation

+

change control records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing information location

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes governing information location

+

automated mechanisms enforcing policies and methods for governing information location

+

automated tools used to identify information on system components

+
+
+
+
+ + Signed Components + + + + + + +

software components requiring verification of a digitally signed certificate before installation are defined;

+
+ + + + +

firmware components requiring verification of a digitally signed certificate before installation are defined;

+
+ + + + + + + + + + + + + +

Prevent the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

+ + +

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

+
+
+ +

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

+
+ + + + +

the installation of is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;

+ +
+ + +

the installation of is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing digitally signed certificates for software and firmware components

+

configuration management plan

+

system security plan

+

system design documentation

+

change control records

+

system component inventory

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes governing information location

+

mechanisms enforcing policies and methods for governing information location

+

automated tools supporting or implementing digitally signatures for software and firmware components

+

automated tools supporting or implementing verification of digital signatures for software and firmware component installation

+
+
+
+
+ + Contingency Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the contingency planning policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current contingency planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current contingency planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ contingency planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

+
+ + +

Review and update the current contingency planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a contingency planning policy is developed and documented;

+ +
+ + +

the contingency planning policy is disseminated to ;

+ +
+ + +

contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;

+ +
+ + +

the contingency planning procedures are disseminated to ;

+ +
+ + + + + + +

the contingency planning policy addresses purpose;

+ +
+ + +

the contingency planning policy addresses scope;

+ +
+ + +

the contingency planning policy addresses roles;

+ +
+ + +

the contingency planning policy addresses responsibilities;

+ +
+ + +

the contingency planning policy addresses management commitment;

+ +
+ + +

the contingency planning policy addresses coordination among organizational entities;

+ +
+ + +

the contingency planning policy addresses compliance;

+ +
+ +
+ + +

the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

+ +
+ + + + + + +

the current contingency planning policy is reviewed and updated ;

+ +
+ + +

the current contingency planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current contingency planning procedures are reviewed and updated ;

+ +
+ + +

the current contingency planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Contingency planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Contingency Plan + + + + + + + + + + + + +

personnel or roles to review a contingency plan is/are defined;

+
+ + + + +

personnel or roles to approve a contingency plan is/are defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

+
+ + + + +

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency of contingency plan review is defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

+
+ + + + +

key contingency organizational elements to communicate changes to are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a contingency plan for the system that:

+ + +

Identifies essential mission and business functions and associated contingency requirements;

+
+ + +

Provides recovery objectives, restoration priorities, and metrics;

+
+ + +

Addresses contingency roles, responsibilities, assigned individuals with contact information;

+
+ + +

Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+
+ + +

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

+
+ + +

Addresses the sharing of contingency information; and

+
+ + +

Is reviewed and approved by ;

+
+
+ + +

Distribute copies of the contingency plan to ;

+
+ + +

Coordinate contingency planning activities with incident handling activities;

+
+ + +

Review the contingency plan for the system ;

+
+ + +

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

+
+ + +

Communicate contingency plan changes to ;

+
+ + +

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

+
+ + +

Protect the contingency plan from unauthorized disclosure and modification.

+
+ + CP-2 Additional FedRAMP Requirements and Guidance + + +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

+
+ + +

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

+
+
+
+ +

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

+

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

+
+ + + + + + +

a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;

+ +
+ + + + +

a contingency plan for the system is developed that provides recovery objectives;

+ +
+ + +

a contingency plan for the system is developed that provides restoration priorities;

+ +
+ + +

a contingency plan for the system is developed that provides metrics;

+ +
+ +
+ + + + +

a contingency plan for the system is developed that addresses contingency roles;

+ +
+ + +

a contingency plan for the system is developed that addresses contingency responsibilities;

+ +
+ + +

a contingency plan for the system is developed that addresses assigned individuals with contact information;

+ +
+ +
+ + +

a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+ +
+ + +

a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;

+ +
+ + +

a contingency plan for the system is developed that addresses the sharing of contingency information;

+ +
+ + + + +

a contingency plan for the system is developed that is reviewed by ;

+ +
+ + +

a contingency plan for the system is developed that is approved by ;

+ +
+ +
+ +
+ + + + +

copies of the contingency plan are distributed to ;

+ +
+ + +

copies of the contingency plan are distributed to ;

+ +
+ +
+ + +

contingency planning activities are coordinated with incident handling activities;

+ +
+ + +

the contingency plan for the system is reviewed ;

+ +
+ + + + +

the contingency plan is updated to address changes to the organization, system, or environment of operation;

+ +
+ + +

the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;

+ +
+ +
+ + + + +

contingency plan changes are communicated to ;

+ +
+ + +

contingency plan changes are communicated to ;

+ +
+ +
+ + + + +

lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;

+ +
+ + +

lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;

+ +
+ +
+ + + + +

the contingency plan is protected from unauthorized disclosure;

+ +
+ + +

the contingency plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

evidence of contingency plan reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with incident handling responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan development, review, update, and protection

+

mechanisms for developing, reviewing, updating, and/or protecting the contingency plan

+
+
+ + Coordinate with Related Plans + + + + + + +

Coordinate contingency plan development with organizational elements responsible for related plans.

+
+ +

Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans.

+
+ + +

contingency plan development is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plan

+

insider threat implementation plans

+

occupant emergency plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+

personnel with responsibility for related plans

+
+
+
+ + Capacity Planning + + + + + + + + + + + + +

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

+
+ +

Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.

+
+ + + + +

capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;

+ +
+ + +

capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;

+ +
+ + +

capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

capacity planning documents

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel responsible for capacity planning

+

organizational personnel with information security responsibilities

+
+
+
+ + Resume Mission and Business Functions + + + +

all

+
+
+ + + + + + +

time period defined in service provider and organization SLA

+
+
+ +

the contingency plan activation time period within which to resume mission and business functions is defined;

+
+ + + + + + + +

Plan for the resumption of mission and business functions within of contingency plan activation.

+
+ +

Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.

+
+ + +

the resumption of mission and business functions are planned for within of contingency plan activation.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business impact assessment

+

system security plan

+

privacy plan

+

other related plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+
+
+ + + + +

Organizational processes for resumption of missions and business functions

+
+
+
+ + Continue Mission and Business Functions + + + +

essential

+
+
+ + + + + + + + +

Plan for the continuance of mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

+
+ +

Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.

+
+ + + + +

the continuance of mission and business functions with minimal or no loss of operational continuity is planned for;

+ +
+ + +

continuity is sustained until full system restoration at primary processing and/or storage sites.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business impact assessment

+

primary processing site agreements

+

primary storage site agreements

+

alternate processing site agreements

+

alternate storage site agreements

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for continuing missions and business functions

+
+
+
+ + Identify Critical Assets + + + + + + + + + + + +

Identify critical system assets supporting mission and business functions.

+
+ +

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

+
+ + +

critical system assets supporting mission and business functions are identified.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business impact assessment

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+
+
+ + Contingency Training + + + + +

*See Additional Requirements

+
+
+ +

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide training to system users with a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update contingency training content is defined;

+
+ + + + +

events necessitating review and update of contingency training are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide contingency training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming a contingency role or responsibility;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update contingency training content and following .

+
+ + CP-3 Additional FedRAMP Requirements and Guidance + + +

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

+
+
+
+ +

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

+
+ + + + + + +

contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

the contingency plan training content is reviewed and updated ;

+ +
+ + +

the contingency plan training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency training

+

contingency plan

+

contingency training curriculum

+

contingency training material

+

contingency training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, plan implementation, and training responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency training

+
+
+ + Simulated Events + + + + + + + +

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

+
+ +

The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.

+
+ + +

simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency training

+

contingency plan

+

contingency training curriculum

+

contingency training material

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, plan implementation, and training responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency training

+

mechanisms for simulating contingency events

+
+
+
+
+ + Contingency Plan Testing + + + + +

functional exercises

+
+
+ + + + + +

at least annually

+
+
+ +

frequency of testing the contingency plan for the system is defined;

+
+ + + + +

tests for determining the effectiveness of the contingency plan are defined;

+
+ + + + +

tests for determining readiness to execute the contingency plan are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

+
+ + +

Review the contingency plan test results; and

+
+ + +

Initiate corrective actions, if needed.

+
+ + CP-4 Additional FedRAMP Requirements and Guidance + + +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

+
+ + +

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

+
+
+
+ +

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

+
+ + + + + + +

the contingency plan for the system is tested ;

+ +
+ + +

+ are used to determine the effectiveness of the plan;

+ +
+ + +

+ are used to determine the readiness to execute the plan;

+ +
+ +
+ + +

the contingency plan test results are reviewed;

+ +
+ + +

corrective actions are initiated, if needed.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency plan testing

+

contingency plan

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan testing

+

mechanisms supporting the contingency plan and/or contingency plan testing

+
+
+ + Coordinate with Related Plans + + + + + + + + + +

Coordinate contingency plan testing with organizational elements responsible for related plans.

+
+ +

Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.

+
+ + +

contingency plan testing is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Contingency planning policy

+

incident response policy

+

procedures addressing contingency plan testing

+

contingency plan testing documentation

+

contingency plan

+

business continuity plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plans

+

occupant emergency plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan testing responsibilities

+

personnel with responsibilities for related plans

+

organizational personnel with information security responsibilities

+
+
+
+ + Alternate Processing Site + + + + + + + + +

Test the contingency plan at the alternate processing site:

+ + +

To familiarize contingency personnel with the facility and available resources; and

+
+ + +

To evaluate the capabilities of the alternate processing site to support contingency operations.

+
+
+ +

Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.

+
+ + + + +

the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;

+ +
+ + +

the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency plan testing

+

contingency plan

+

contingency plan test documentation

+

contingency plan test results

+

alternate processing site agreements

+

service-level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan testing

+

mechanisms supporting the contingency plan and/or contingency plan testing

+
+
+
+
+ + Alternate Storage Site + + + + + + + + + + + + + + + + + + +

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and

+
+ + +

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

+
+
+ +

Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.

+
+ + + + + + +

an alternate storage site is established;

+ +
+ + +

establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;

+ +
+ +
+ + +

the alternate storage site provides controls equivalent to that of the primary site.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site agreements

+

primary storage site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for storing and retrieving system backup information at the alternate storage site

+

mechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site

+
+
+ + Separation from Primary Site + + + + + + + +

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

+
+ +

Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

+
+ + +

an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

alternate storage site agreements

+

primary storage site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Recovery Time and Recovery Point Objectives + + + + + + +

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

+
+ +

Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution.

+
+ + + + +

the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;

+ +
+ + +

the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

alternate storage site agreements

+

alternate storage site configurations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan testing responsibilities

+

organizational personnel with responsibilities for testing related plans

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan testing

+

mechanisms supporting recovery time and point objectives

+
+
+
+ + Accessibility + + + + + + + +

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

+
+ + + + +

potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;

+ +
+ + +

explicit mitigation actions to address identified accessibility problems are outlined.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

list of potential accessibility problems to alternate storage site

+

mitigation actions for accessibility problems to alternate storage site

+

organizational risk assessments

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+
+ + Alternate Processing Site + + + +

system operations for essential mission and business functions are defined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions within when the primary processing capabilities are unavailable;

+
+ + +

Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and

+
+ + +

Provide controls at the alternate processing site that are equivalent to those at the primary site.

+
+ + CP-7 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+ +

Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.

+
+ + + + +

an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions, is established within when the primary processing capabilities are unavailable;

+ +
+ + + + +

the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for transfer;

+ +
+ + +

the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for resumption;

+ +
+ +
+ + +

controls provided at the alternate processing site are equivalent to those at the primary site.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

primary processing site agreements

+

spare equipment and supplies inventory at alternate processing site

+

equipment and supply contracts

+

service-level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for recovery at the alternate site

+

mechanisms supporting and/or implementing recovery at the alternate processing site

+
+
+ + Separation from Primary Site + + + + + + + +

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

+ + CP-7 (1) Additional FedRAMP Requirements and Guidance + + +

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

+
+
+
+ +

Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

+
+ + +

an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Accessibility + + + + + + + +

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.

+
+ + + + +

potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;

+ +
+ + +

explicit mitigation actions to address identified accessibility problems are outlined.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Priority of Service + + + + + + +

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

+
+ +

Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.

+
+ + +

alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

service-level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+
+ + Preparation for Use + + + + + + + + + +

Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.

+
+ +

Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place.

+
+ + +

the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

alternate processing site configurations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing recovery at the alternate processing site

+
+
+
+
+ + Telecommunications Services + + + +

system operations to be resumed for essential mission and business functions are defined;

+
+ + + + +

time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;

+
+ + + + + + + + + + + + +

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+ + CP-8 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+ +

Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8 . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

+
+ + +

alternate telecommunications services, including necessary agreements to permit the resumption of , are established for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+ + + + +

Mechanisms supporting telecommunications

+
+
+ + Priority of Service Provisions + + + + + + + + +

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and

+
+ + +

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

+
+
+ +

Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.

+
+ + + + + + +

primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;

+ +
+ + +

alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;

+ +
+ +
+ + +

Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

Telecommunications Service Priority documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+ + + + +

Mechanisms supporting telecommunications

+
+
+
+ + Single Points of Failure + + + + + + +

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

+
+ +

In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.

+
+ + +

alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

primary and alternate telecommunications service providers

+

organizational personnel with information security responsibilities

+
+
+
+ + Separation of Primary and Alternate Providers + + + + + + +

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

+
+ +

Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment.

+
+ + +

alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

alternate telecommunications service provider site

+

primary telecommunications service provider site

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

primary and alternate telecommunications service providers

+

organizational personnel with information security responsibilities

+
+
+
+ + Provider Contingency Plan + + + + +

annually

+
+
+ + + + +

frequency at which to obtain evidence of contingency testing by providers is defined;

+
+ + + + +

frequency at which to obtain evidence of contingency training by providers is defined;

+
+ + + + + + + + + + + +

Require primary and alternate telecommunications service providers to have contingency plans;

+
+ + +

Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and

+
+ + +

Obtain evidence of contingency testing and training by providers .

+
+
+ +

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

+
+ + + + + + +

primary telecommunications service providers are required to have contingency plans;

+ +
+ + +

alternate telecommunications service providers are required to have contingency plans;

+ +
+ +
+ + +

provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;

+ +
+ + + + +

evidence of contingency testing by providers is obtained .

+ +
+ + +

evidence of contingency training by providers is obtained .

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

provider contingency plans

+

evidence of contingency testing/training by providers

+

primary and alternate telecommunications service agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, plan implementation, and testing responsibilities

+

primary and alternate telecommunications service providers

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+
+
+ + System Backup + + + +

system components for which to conduct backups of user-level information is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Conduct backups of user-level information contained in + ;

+
+ + +

Conduct backups of system-level information contained in the system ;

+
+ + +

Conduct backups of system documentation, including security- and privacy-related documentation ; and

+
+ + +

Protect the confidentiality, integrity, and availability of backup information.

+
+ + CP-9 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

+
+
+
+ +

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

backups of user-level information contained in are conducted ;

+ +
+ + +

backups of system-level information contained in the system are conducted ;

+ +
+ + +

backups of system documentation, including security- and privacy-related documentation are conducted ;

+ +
+ + + + +

the confidentiality of backup information is protected;

+ +
+ + +

the integrity of backup information is protected;

+ +
+ + +

the availability of backup information is protected.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

backup storage location(s)

+

system backup logs or records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+ + Testing for Reliability and Integrity + + + + +

at least monthly

+
+
+ + + + +

frequency at which to test backup information for media reliability is defined;

+
+ + + + +

frequency at which to test backup information for information integrity is defined;

+
+ + + + + + + + +

Test backup information to verify media reliability and information integrity.

+
+ +

Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.

+
+ + + + +

backup information is tested to verify media reliability;

+ +
+ + +

backup information is tested to verify information integrity.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+
+ + Test Restoration Using Sampling + + + + + + + +

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

+
+ +

Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed.

+
+ + +

a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with contingency planning/contingency plan testing responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+
+ + Separate Storage for Critical Information + + + +

critical system software and other security-related information backups to be stored in a separate facility are defined;

+
+ + + + + + + + + + +

Store backup copies of in a separate facility or in a fire rated container that is not collocated with the operational system.

+
+ +

Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.

+
+ + +

backup copies of are stored in a separate facility or in a fire rated container that is not collocated with the operational system.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

backup storage location(s)

+

system backup configurations and associated documentation

+

system backup logs or records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Transfer to Alternate Storage Site + + + + +

time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.

+
+
+ + + + +

time period consistent with recovery time and recovery point objectives is defined;

+
+ + + + +

transfer rate consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + +

Transfer system backup information to the alternate storage site .

+
+ +

System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media.

+
+ + + + +

system backup information is transferred to the alternate storage site for ;

+ +
+ + +

system backup information is transferred to the alternate storage site .

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup logs or records

+

evidence of system backup information transferred to alternate storage site

+

alternate storage site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for transferring system backups to the alternate storage site

+

mechanisms supporting and/or implementing system backups

+

mechanisms supporting and/or implementing information transfer to the alternate storage site

+
+
+
+ + Cryptographic Protection + + + + +

all backup files

+
+
+ +

backup information to protect against unauthorized disclosure and modification is defined;

+
+ + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

+ + CP-9 (8) Additional FedRAMP Requirements and Guidance + + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+
+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

+
+ + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of .

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection of backup information

+
+
+
+
+ + System Recovery and Reconstitution + + + + + + +

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

+
+ + + + + + + + + + + + + + + + +

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

+
+ +

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

+
+ + + + +

the recovery of the system to a known state is provided within after a disruption, compromise, or failure;

+ +
+ + +

a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test results

+

contingency plan test documentation

+

redundant secondary system for system backups

+

location(s) of redundant secondary backup system(s)

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes implementing system recovery and reconstitution operations

+

mechanisms supporting and/or implementing system recovery and reconstitution operations

+
+
+ + Transaction Recovery + + + + + + +

Implement transaction recovery for systems that are transaction-based.

+
+ +

Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.

+
+ + +

transaction recovery is implemented for systems that are transaction-based.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system recovery and reconstitution

+

contingency plan

+

system design documentation

+

system configuration settings and associated documentation

+

contingency plan test documentation

+

contingency plan test results

+

system transaction recovery records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for transaction recovery

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing transaction recovery capability

+
+
+
+ + Restore Within Time Period + + + + +

time period consistent with the restoration time-periods defined in the service provider and organization SLA

+
+
+ +

restoration time period within which to restore system components to a known, operational state is defined;

+
+ + + + + + + + + +

Provide the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

+
+ +

Restoration of system components includes reimaging, which restores the components to known, operational states.

+
+ + +

the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system recovery and reconstitution

+

contingency plan

+

system design documentation

+

system configuration settings and associated documentation

+

contingency plan test documentation

+

contingency plan test results

+

evidence of system recovery and reconstitution operations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system recovery and reconstitution responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the recovery/reconstitution of system information

+
+
+
+
+
+ + Identification and Authentication + + Policy and Procedures + + + + + + +

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

+
+ + + + +

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the identification and authentication policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current identification and authentication policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require identification and authentication procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ identification and authentication policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

+
+ + +

Review and update the current identification and authentication:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an identification and authentication policy is developed and documented;

+ +
+ + +

the identification and authentication policy is disseminated to ;

+ +
+ + +

identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;

+ +
+ + +

the identification and authentication procedures are disseminated to ;

+ +
+ + + + + + +

the identification and authentication policy addresses purpose;

+ +
+ + +

the identification and authentication policy addresses scope;

+ +
+ + +

the identification and authentication policy addresses roles;

+ +
+ + +

the identification and authentication policy addresses responsibilities;

+ +
+ + +

the identification and authentication policy addresses management commitment;

+ +
+ + +

the identification and authentication policy addresses coordination among organizational entities;

+ +
+ + +

the identification and authentication policy addresses compliance;

+ +
+ +
+ + +

the identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;

+ +
+ + + + + + +

the current identification and authentication policy is reviewed and updated ;

+ +
+ + +

the current identification and authentication policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current identification and authentication procedures are reviewed and updated ;

+ +
+ + +

the current identification and authentication procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Identification and authentication policy and procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

list of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identification and authentication responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Identification and Authentication (Organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

+ + IA-2 Additional FedRAMP Requirements and Guidance + + +

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

+
+ + +

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

+
+
+
+ +

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

+

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

+

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

+
+ + + + +

organizational users are uniquely identified and authenticated;

+ +
+ + +

the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan, system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for uniquely identifying and authenticating users

+

mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Multi-factor Authentication to Privileged Accounts + + + + + + + + +

Implement multi-factor authentication for access to privileged accounts.

+ + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication is implemented for access to privileged accounts.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Multi-factor Authentication to Non-privileged Accounts + + + + + + + +

Implement multi-factor authentication for access to non-privileged accounts.

+ + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication for access to non-privileged accounts is implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Individual Authentication with Group Authentication + + + + + + + +

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

+
+ +

Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.

+
+ + +

users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing an authentication capability for group accounts

+
+
+
+ + Access to Accounts —separate Device + + + +

local, network and remote

+
+
+ + + + + +

privileged accounts; non-privileged accounts

+
+
+ + + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;

+
+ + + + + + + + +

Implement multi-factor authentication for access to such that:

+ + +

One of the factors is provided by a device separate from the system gaining access; and

+
+ + +

The device meets .

+
+ + IA-2 (6) Additional FedRAMP Requirements and Guidance + + +

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

+
+ + +

See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

+
+
+
+ +

The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.

+
+ + + + +

multi-factor authentication is implemented for access to such that one of the factors is provided by a device separate from the system gaining access;

+ +
+ + +

multi-factor authentication is implemented for access to such that the device meets .

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing multi-factor authentication capability

+
+
+
+ + Access to Accounts — Replay Resistant + + + +

privileged accounts; non-privileged accounts

+
+
+ + + + + + + + +

Implement replay-resistant authentication mechanisms for access to .

+
+ +

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

+
+ + +

replay-resistant authentication mechanisms for access to are implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of privileged system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

Mechanisms supporting and/or implementing replay-resistant authentication mechanisms

+
+
+
+ + Acceptance of PIV Credentials + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials.

+ + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+ +

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

+
+ + +

Personal Identity Verification-compliant credentials are accepted and electronically verified.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing acceptance and verification of PIV credentials

+
+
+
+
+ + Device Identification and Authentication + + + +

devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate before establishing a connection.

+
+ +

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.

+
+ + +

+ are uniquely identified and authenticated before establishing a connection.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing device identification and authentication

+

system design documentation

+

list of devices requiring unique identification and authentication

+

device connection reports

+

system configuration settings and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with operational responsibilities for device identification and authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing device identification and authentication capabilities

+
+
+
+ + Identifier Management + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles from whom authorization must be received to assign an identifier are defined;

+
+ + + + + +

at least two (2) years

+
+
+ +

a time period for preventing reuse of identifiers is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system identifiers by:

+ + +

Receiving authorization from to assign an individual, group, role, service, or device identifier;

+
+ + +

Selecting an identifier that identifies an individual, group, role, service, or device;

+
+ + +

Assigning the identifier to the intended individual, group, role, service, or device; and

+
+ + +

Preventing reuse of identifiers for .

+
+
+ +

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

+
+ + + + +

system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;

+ +
+ + +

system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by preventing reuse of identifiers for .

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identifier management

+

procedures addressing account management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of system accounts

+

list of identifiers generated from physical access control devices

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identifier management

+
+
+ + Identify User Status + + + + +

contractors; foreign nationals

+
+
+ +

characteristics used to identify individual status is defined;

+
+ + + + + + + +

Manage individual identifiers by uniquely identifying each individual as .

+
+ +

Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

+
+ + +

individual identifiers are managed by uniquely identifying each individual as .

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing identifier management

+

procedures addressing account management

+

list of characteristics identifying individual status

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing identifier management

+
+
+
+
+ + Authenticator Management + + + +

a time period for changing or refreshing authenticators by authenticator type is defined;

+
+ + + + +

events that trigger the change or refreshment of authenticators are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system authenticators by:

+ + +

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

+
+ + +

Establishing initial authenticator content for any authenticators issued by the organization;

+
+ + +

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + +

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

+
+ + +

Changing default authenticators prior to first use;

+
+ + +

Changing or refreshing authenticators or when occur;

+
+ + +

Protecting authenticator content from unauthorized disclosure and modification;

+
+ + +

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

+
+ + +

Changing authenticators for group or role accounts when membership to those accounts changes.

+
+ + IA-5 Additional FedRAMP Requirements and Guidance + + +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

+
+ + +

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

+
+
+
+ +

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

+

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

+
+ + + + +

system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;

+ +
+ + +

system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;

+ +
+ + +

system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;

+ +
+ + +

system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;

+ +
+ + +

system authenticators are managed through the change of default authenticators prior to first use;

+ +
+ + +

system authenticators are managed through the change or refreshment of authenticators or when occur;

+ +
+ + +

system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;

+ +
+ + + + +

system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;

+ +
+ + +

system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;

+ +
+ +
+ + +

system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

addressing authenticator management

+

system design documentation

+

system configuration settings and associated documentation

+

list of system authenticator types

+

change control records associated with managing system authenticators

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+
+
+ + Password-based Authentication + + + +

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

+
+ + + + +

authenticator composition and complexity rules are defined;

+
+ + + + + + + + + +

For password-based authentication:

+ + +

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

+
+ + +

Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

+
+ + +

Transmit passwords only over cryptographically-protected channels;

+
+ + +

Store passwords using an approved salted key derivation function, preferably using a keyed hash;

+
+ + +

Require immediate selection of a new password upon account recovery;

+
+ + +

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

+
+ + +

Employ automated tools to assist the user in selecting strong password authenticators; and

+
+ + +

Enforce the following composition and complexity rules: .

+
+ + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

+
+ + +

For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

+

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

+
+ + +

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

+
+
+
+ +

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

+
+ + + + +

for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly;

+ +
+ + +

for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);

+ +
+ + +

for password-based authentication, passwords are only transmitted over cryptographically protected channels;

+ +
+ + +

for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;

+ +
+ + +

for password-based authentication, immediate selection of a new password is required upon account recovery;

+ +
+ + +

for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;

+ +
+ + +

for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;

+ +
+ + +

for password-based authentication, are enforced.

+ +
+ +
+ + + + +

Identification and authentication policy

+

password policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

password configurations and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing password-based authenticator management capability

+
+
+
+ + Public Key-based Authentication + + + + + + + + + + +

For public key-based authentication:

+ + +

Enforce authorized access to the corresponding private key; and

+
+ + +

Map the authenticated identity to the account of the individual or group; and

+
+
+ + +

When public key infrastructure (PKI) is used:

+ + +

Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and

+
+ + +

Implement a local cache of revocation data to support path discovery and validation.

+
+
+
+ +

Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.

+
+ + + + + + +

authorized access to the corresponding private key is enforced for public key-based authentication;

+ +
+ + +

the authenticated identity is mapped to the account of the individual or group for public key-based authentication;

+ +
+ +
+ + + + +

when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;

+ +
+ + +

when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

PKI certification validation records

+

PKI certification revocation lists

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with PKI-based, authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing PKI-based, authenticator management capability

+
+
+
+ + Protection of Authenticators + + + + + + + +

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

+
+ +

For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.

+
+ + +

authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

security categorization documentation for the system

+

security assessments of authenticator protections

+

risk assessment results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel implementing and/or maintaining authenticator protections

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+

mechanisms protecting authenticators

+
+
+
+ + No Embedded Unencrypted Static Authenticators + + + + + + +

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

+ + IA-5 (7) Additional FedRAMP Requirements and Guidance + + +

In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

+
+
+
+ +

In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.

+
+ + +

unencrypted static authenticators are not embedded in applications or other forms of static storage.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator management

+

system design documentation

+

system configuration settings and associated documentation

+

logical access scripts

+

application code reviews for detecting unencrypted static authenticators

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+

mechanisms implementing authentication in applications

+
+
+
+ + Multiple System Accounts + + + + +

different authenticators in different user authentication domains

+
+
+ +

security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;

+
+ + + + + + + + +

Implement to manage the risk of compromise due to individuals having accounts on multiple systems.

+ + IA-5 (8) Additional FedRAMP Requirements and Guidance + + +

If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required.

+
+
+
+ +

When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4 ) and access agreements (see PS-6 ) to mitigate the risk of multiple system accounts.

+
+ + +

+ are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

system security plan

+

list of individuals having accounts on multiple systems

+

list of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing safeguards for authenticator management

+
+
+
+ + Expiration of Cached Authenticators + + + +

the time period after which the use of cached authenticators is prohibited is defined;

+
+ + + + + + + +

Prohibit the use of cached authenticators after .

+ + IA-5 (13) Additional FedRAMP Requirements and Guidance + + +

For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard.

+
+
+
+ +

Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable.

+
+ + +

the use of cached authenticators is prohibited after .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+
+
+
+
+ + Authentication Feedback + + + + + + +

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+
+ +

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

+
+ + +

the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator feedback

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

+
+
+
+ + Cryptographic Module Authentication + + + + + + + + + + + +

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+
+ +

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

+
+ + +

mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing cryptographic module authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for cryptographic module authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic module authentication

+
+
+
+ + Identification and Authentication (Non-organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

+
+ +

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

+
+ + +

non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

privacy plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Acceptance of PIV Credentials from Other Agencies + + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

+
+ +

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

+
+ + + + +

Personal Identity Verification-compliant credentials from other federal agencies are accepted;

+ +
+ + +

Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept and verify PIV credentials

+
+
+
+ + Acceptance of External Authenticators + + + + + + + + +

Accept only external authenticators that are NIST-compliant; and

+
+ + +

Document and maintain a list of accepted external authenticators.

+
+
+ +

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

+
+ + + + +

only external authenticators that are NIST-compliant are accepted;

+ +
+ + + + +

a list of accepted external authenticators is documented;

+ +
+ + +

a list of accepted external authenticators is maintained.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of third-party credentialing products, components, or services procured and implemented by organization

+

third-party credential verification records

+

evidence of third-party credentials

+

third-party credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept external credentials

+
+
+
+ + Use of Defined Profiles + + + +

identity management profiles are defined;

+
+ + + + + + + +

Conform to the following profiles for identity management .

+
+ +

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+ + +

there is conformance with for identity management.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms supporting and/or implementing conformance with profiles

+
+
+
+
+ + Re-authentication + + + +

circumstances or situations requiring re-authentication are defined;

+
+ + + + + + + + + + + + + +

Require users to re-authenticate when .

+ + IA-11 Additional FedRAMP Requirements and Guidance + + +

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

+
    +
  • AAL3 (high baseline)
      +
    • 12 hours or
    • +
    • 15 minutes of inactivity
    • +
    +
  • +
+
+
+
+ +

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

+
+ + +

users are required to re-authenticate when .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user and device re-authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of circumstances or situations requiring re-authentication

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Identity Proofing + + + + + + + + + + + + + + + + + + + + +

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;

+
+ + +

Resolve user identities to a unique individual; and

+
+ + +

Collect, validate, and verify identity evidence.

+
+ + IA-12 Additional FedRAMP Requirements and Guidance + + +

In accordance with NIST SP 800-63A Enrollment and Identity Proofing

+
+
+
+ +

Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;

+ +
+ + +

user identities are resolved to a unique individual;

+ +
+ + + + +

identity evidence is collected;

+ +
+ + +

identity evidence is validated;

+ +
+ + +

identity evidence is verified.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security and privacy responsibilities

+

legal counsel

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Identity Evidence + + + + + + +

Require evidence of individual identification be presented to the registration authority.

+
+ +

Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account.

+
+ + +

evidence of individual identification is presented to the registration authority.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Identity Evidence Validation and Verification + + + +

methods of validation and verification of identity evidence are defined;

+
+ + + + + + + +

Require that the presented identity evidence be validated and verified through .

+
+ +

Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account.

+
+ + +

the presented identity evidence is validated and verified through .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + In-person Validation and Verification + + + + + + +

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

+
+ +

In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities.

+
+ + +

the validation and verification of identity evidence is conducted in person before a designated registration authority.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Address Confirmation + + + + + + + + + + +

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

+ + IA-12 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with NIST SP 800-63A Enrollment and Identity Proofing

+
+
+
+ +

To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.

+
+ + +

a is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+
+
+ + Incident Response + + Policy and Procedures + + + + + + +

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the incident response policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current incident response policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current incident response policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current incident response procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the incident response procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ incident response policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

+
+ + +

Review and update the current incident response:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an incident response policy is developed and documented;

+ +
+ + +

the incident response policy is disseminated to ;

+ +
+ + +

incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;

+ +
+ + +

the incident response procedures are disseminated to ;

+ +
+ + + + + + +

the incident response policy addresses purpose;

+ +
+ + +

the incident response policy addresses scope;

+ +
+ + +

the incident response policy addresses roles;

+ +
+ + +

the incident response policy addresses responsibilities;

+ +
+ + +

the incident response policy addresses management commitment;

+ +
+ + +

the incident response policy addresses coordination among organizational entities;

+ +
+ + +

the incident response policy addresses compliance;

+ +
+ +
+ + +

the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

+ +
+ + + + + + +

the current incident response policy is reviewed and updated ;

+ +
+ + +

the current incident response policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current incident response procedures are reviewed and updated ;

+ +
+ + +

the current incident response procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Incident response policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Incident Response Training + + + + +

ten (10) days for privileged users, thirty (30) days for Incident Response roles

+
+
+ +

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide incident response training to users is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update incident response training content is defined;

+
+ + + + +

events that initiate a review of the incident response training content are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide incident response training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming an incident response role or responsibility or acquiring system access;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update incident response training content and following .

+
+
+ +

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

incident response training content is reviewed and updated ;

+ +
+ + +

incident response training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

privacy plan

+

incident response plan

+

incident response training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + Simulated Events + + + + + + + +

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

+
+ +

Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.

+
+ + +

simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms that support and/or implement simulated events for incident response training

+
+
+
+ + Automated Training Environments + + + +

automated mechanisms used in an incident response training environment are defined;

+
+ + + + + + + + +

Provide an incident response training environment using .

+
+ +

Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.

+
+ + +

an incident response training environment is provided using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

automated mechanisms supporting incident response training

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Automated mechanisms that provide a thorough and realistic incident response training environment

+
+
+
+
+ + Incident Response Testing + + + + +

at least every six (6) months, including functional at least annually

+
+
+ +

frequency at which to test the effectiveness of the incident response capability for the system is defined;

+
+ + + + +

tests used to test the effectiveness of the incident response capability for the system are defined;

+
+ + + + + + + + + + + + + + + + +

Test the effectiveness of the incident response capability for the system using the following tests: .

+ + IR-3-2 Additional FedRAMP Requirements and Guidance + + +

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

+
+
+
+ +

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

+
+ + +

the effectiveness of the incident response capability for the system is tested using .

+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

procedures addressing contingency plan testing

+

incident response testing material

+

incident response test results

+

incident response test plan

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + Coordination with Related Plans + + + + + + + +

Coordinate incident response testing with organizational elements responsible for related plans.

+
+ +

Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.

+
+ + +

incident response testing is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

incident response testing documentation

+

incident response plan

+

business continuity plans

+

contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

occupant emergency plans

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with responsibilities for testing organizational plans related to incident response testing

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Incident Handling + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

+
+ + +

Coordinate incident handling activities with contingency planning activities;

+
+ + +

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

+
+ + +

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

+
+ + IR-4 Additional FedRAMP Requirements and Guidance + + +

The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

+
+ + +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+ +

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

+
+ + + + + + +

an incident handling capability for incidents is implemented that is consistent with the incident response plan;

+ +
+ + +

the incident handling capability for incidents includes preparation;

+ +
+ + +

the incident handling capability for incidents includes detection and analysis;

+ +
+ + +

the incident handling capability for incidents includes containment;

+ +
+ + +

the incident handling capability for incidents includes eradication;

+ +
+ + +

the incident handling capability for incidents includes recovery;

+ +
+ +
+ + +

incident handling activities are coordinated with contingency planning activities;

+ +
+ + + + +

lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;

+ +
+ + +

the changes resulting from the incorporated lessons learned are implemented accordingly;

+ +
+ +
+ + + + +

the rigor of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the intensity of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the scope of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the results of incident handling activities are comparable and predictable across the organization.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident handling

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident handling capability for the organization

+
+
+ + Automated Incident Handling Processes + + + +

automated mechanisms used to support the incident handling process are defined;

+
+ + + + + + + +

Support the incident handling process using .

+
+ +

Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.

+
+ + +

the incident handling process is supported using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

automated mechanisms supporting incident handling

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms that support and/or implement the incident handling process

+
+
+
+ + Dynamic Reconfiguration + + + +

types of dynamic reconfiguration for system components are defined;

+
+ + + + + +

all network, data storage, and computing devices

+
+
+ +

system components that require dynamic reconfiguration are defined;

+
+ + + + + + + + + + +

Include the following types of dynamic reconfiguration for as part of the incident response capability: .

+
+ +

Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.

+
+ + +

+ for are included as part of the incident response capability.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

mechanisms supporting incident handling

+

list of system components to be dynamically reconfigured as part of incident response capability

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms that support and/or implement the dynamic reconfiguration of components as part of incident response

+
+
+
+ + Information Correlation + + + + + + +

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

+
+ +

Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.

+
+ + +

incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

incident response plan

+

privacy plan

+

mechanisms supporting incident and event correlation

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

incident management correlation logs

+

event management correlation logs

+

security information and event management logs

+

incident management correlation reports

+

event management correlation reports

+

security information and event management reports

+

audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with whom incident information and individual incident responses are to be correlated

+
+
+ + + + +

Organizational processes for correlating incident information and individual incident responses

+

mechanisms that support and or implement the correlation of incident response information with individual incident responses

+
+
+
+ + Insider Threats + + + + + + +

Implement an incident handling capability for incidents involving insider threats.

+
+ +

Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses.

+
+ + +

an incident handling capability is implemented for incidents involving insider threats.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

mechanisms supporting incident handling

+

system design documentation

+

system configuration settings and associated documentation

+

incident response plan

+

system security plan

+

audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Incident handling capability for the organization

+
+
+
+ + Integrated Incident Response Team + + + +

the time period within which an integrated incident response team can be deployed is defined;

+
+ + + + + + + + +

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in .

+
+ +

An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.

+

An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient.

+
+ + + + +

an integrated incident response team is established and maintained;

+ +
+ + +

the integrated incident response team can be deployed to any location identified by the organization in .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

procedures addressing incident response planning

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security and privacy responsibilities

+

members of the integrated incident response team

+
+
+
+
+ + Incident Monitoring + + + + + + + + + + + + + + + + + + + +

Track and document incidents.

+
+ +

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

+
+ + + + +

incidents are tracked;

+ +
+ + +

incidents are documented.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident monitoring

+

incident response records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident monitoring capability for the organization

+

mechanisms supporting and/or implementing the tracking and documenting of system security incidents

+
+
+ + Automated Tracking, Data Collection, and Analysis + + + + + + +

automated mechanisms used to track incidents are defined;

+
+ + + + +

automated mechanisms used to collect incident information are defined;

+
+ + + + +

automated mechanisms used to analyze incident information are defined;

+
+ + + + + + + + +

Track incidents and collect and analyze incident information using .

+
+ +

Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.

+
+ + + + +

incidents are tracked using ;

+ +
+ + +

incident information is collected using ;

+ +
+ + +

incident information is analyzed using .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident monitoring

+

incident response records and documentation

+

system security plan

+

incident response plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident monitoring responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Incident monitoring capability for the organization

+

automated mechanisms supporting and/or implementing the tracking and documenting of system security incidents

+
+
+
+
+ + Incident Reporting + + + + +

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

+
+
+ +

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

+
+ + + + +

authorities to whom incident information is to be reported are defined;

+
+ + + + + + + + + + + + + + + + + + +

Require personnel to report suspected incidents to the organizational incident response capability within ; and

+
+ + +

Report incident information to .

+
+ + IR-6 Additional FedRAMP Requirements and Guidance + + +

Reports security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+ +

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

+
+ + + + +

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

+ +
+ + +

incident information is reported to .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

incident reporting records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel who have/should have reported incidents

+

personnel (authorities) to whom incident information is to be reported

+

system users

+
+
+ + + + +

Organizational processes for incident reporting

+

mechanisms supporting and/or implementing incident reporting

+
+
+ + Automated Reporting + + + +

automated mechanisms used for reporting incidents are defined;

+
+ + + + + + + + +

Report incidents using .

+
+ +

The recipients of incident reports are specified in IR-6b . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

+
+ + +

incidents are reported using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

automated mechanisms supporting incident reporting

+

system design documentation

+

system configuration settings and associated documentation

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for incident reporting

+

automated mechanisms supporting and/or implementing the reporting of security incidents

+
+
+
+ + Supply Chain Coordination + + + + + + + +

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

+
+ +

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

+
+ + +

incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

+ +
+ + + + +

Incident response policy

+

procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council

+

acquisition policy

+

acquisition contracts

+

service-level agreements

+

incident response plan

+

supply chain risk management plan

+

system security plan

+

plans of other organizations involved in supply chain activities

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organization personnel with acquisition responsibilities

+
+
+ + + + +

Organizational processes for incident reporting

+

organizational processes for supply chain risk information sharing

+

mechanisms supporting and/or implementing the reporting of incident information involved in the supply chain

+
+
+
+
+ + Incident Response Assistance + + + + + + + + + + + + + + + + +

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

+
+ +

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

+
+ + + + +

an incident response support resource, integral to the organizational incident response capability, is provided;

+ +
+ + +

the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response assistance

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response assistance and support responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for incident response assistance

+

mechanisms supporting and/or implementing incident response assistance

+
+
+ + Automation Support for Availability of Information and Support + + + +

automated mechanisms used to increase the availability of incident response information and support are defined;

+
+ + + + + + + +

Increase the availability of incident response information and support using .

+
+ +

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

+
+ + +

the availability of incident response information and support is increased using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response assistance

+

automated mechanisms supporting incident response support and assistance

+

system design documentation

+

system configuration settings and associated documentation

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response support and assistance responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for incident response assistance

+

automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

+
+
+
+
+ + Incident Response Plan + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ + + + +

personnel or roles that review and approve the incident response plan is/are identified;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and approve the incident response plan is defined;

+
+ + + + +

entities, personnel, or roles with designated responsibility for incident response are defined;

+
+ + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ +

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

+
+ + + + +

organizational elements to which copies of the incident response plan are to be distributed are defined;

+
+ + + + +

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

+
+ + + + +

organizational elements to which changes to the incident response plan are communicated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop an incident response plan that:

+ + +

Provides the organization with a roadmap for implementing its incident response capability;

+
+ + +

Describes the structure and organization of the incident response capability;

+
+ + +

Provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + +

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

+
+ + +

Defines reportable incidents;

+
+ + +

Provides metrics for measuring the incident response capability within the organization;

+
+ + +

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

+
+ + +

Addresses the sharing of incident information;

+
+ + +

Is reviewed and approved by + ; and

+
+ + +

Explicitly designates responsibility for incident response to .

+
+
+ + +

Distribute copies of the incident response plan to ;

+
+ + +

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+
+ + +

Communicate incident response plan changes to ; and

+
+ + +

Protect the incident response plan from unauthorized disclosure and modification.

+
+ + IR-8 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+ + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+
+
+ +

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

+
+ + + + + + +

an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;

+ +
+ + +

an incident response plan is developed that describes the structure and organization of the incident response capability;

+ +
+ + +

an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;

+ +
+ + +

an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;

+ +
+ + +

an incident response plan is developed that defines reportable incidents;

+ +
+ + +

an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;

+ +
+ + +

an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;

+ +
+ + +

an incident response plan is developed that addresses the sharing of incident information;

+ +
+ + +

an incident response plan is developed that is reviewed and approved by + ;

+ +
+ + +

an incident response plan is developed that explicitly designates responsibility for incident response to .

+ +
+ +
+ + + + +

copies of the incident response plan are distributed to ;

+ +
+ + +

copies of the incident response plan are distributed to ;

+ +
+ +
+ + +

the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+ +
+ + + + +

incident response plan changes are communicated to ;

+ +
+ + +

incident response plan changes are communicated to ;

+ +
+ +
+ + + + +

the incident response plan is protected from unauthorized disclosure;

+ +
+ + +

the incident response plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response planning

+

incident response plan

+

system security plan

+

privacy plan

+

records of incident response plan reviews and approvals

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational incident response plan and related organizational processes

+
+
+
+ + Information Spillage Response + + + +

personnel or roles assigned the responsibility for responding to information spills is/are defined;

+
+ + + + +

personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;

+
+ + + + +

actions to be performed are defined;

+
+ + + + + + + + + + + + + + +

Respond to information spills by:

+ + +

Assigning with responsibility for responding to information spills;

+
+ + +

Identifying the specific information involved in the system contamination;

+
+ + +

Alerting of the information spill using a method of communication not associated with the spill;

+
+ + +

Isolating the contaminated system or system component;

+
+ + +

Eradicating the information from the contaminated system or component;

+
+ + +

Identifying other systems or system components that may have been subsequently contaminated; and

+
+ + +

Performing the following additional actions: .

+
+
+ +

Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

+
+ + + + +

+ is/are assigned the responsibility to respond to information spills;

+ +
+ + +

the specific information involved in the system contamination is identified in response to information spills;

+ +
+ + +

+ is/are alerted of the information spill using a method of communication not associated with the spill;

+ +
+ + +

the contaminated system or system component is isolated in response to information spills;

+ +
+ + +

the information is eradicated from the contaminated system or component in response to information spills;

+ +
+ + +

other systems or system components that may have been subsequently contaminated are identified in response to information spills;

+ +
+ + +

+ are performed in response to information spills.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

records of information spillage alerts/notifications

+

list of personnel who should receive alerts of information spillage

+

list of actions to be performed regarding information spillage

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for information spillage response

+

mechanisms supporting and/or implementing information spillage response actions and related communications

+
+
+ + Training + + + + +

at least annually

+
+
+ +

frequency at which to provide information spillage response training is defined;

+
+ + + + + + + + + + + +

Provide information spillage response training .

+
+ +

Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur.

+
+ + +

information spillage response training is provided .

+ +
+ + + + +

Incident response policy

+

procedures addressing information spillage response training

+

information spillage response training curriculum

+

information spillage response training materials

+

incident response plan

+

system security plan

+

information spillage response training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Post-spill Operations + + + +

procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;

+
+ + + + + + + +

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: .

+
+ +

Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.

+
+ + +

+ are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for post-spill operations

+
+
+
+ + Exposure to Unauthorized Personnel + + + +

controls employed for personnel exposed to information not within assigned access authorizations are defined;

+
+ + + + + + + +

Employ the following controls for personnel exposed to information not within assigned access authorizations: .

+
+ +

Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.

+
+ + +

+ are employed for personnel exposed to information not within assigned access authorizations.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

security safeguards regarding information spillage/exposure to unauthorized personnel

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for dealing with information exposed to unauthorized personnel

+

mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

+
+
+
+
+
+ + Maintenance + + Policy and Procedures + + + + + + +

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the maintenance policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current maintenance policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current maintenance policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current maintenance procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the maintenance procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ maintenance policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

+
+ + +

Review and update the current maintenance:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a maintenance policy is developed and documented;

+ +
+ + +

the maintenance policy is disseminated to ;

+ +
+ + +

maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;

+ +
+ + +

the maintenance procedures are disseminated to ;

+ +
+ + + + + + +

the maintenance policy addresses purpose;

+ +
+ + +

the maintenance policy addresses scope;

+ +
+ + +

the maintenance policy addresses roles;

+ +
+ + +

the maintenance policy addresses responsibilities;

+ +
+ + +

the maintenance policy addresses management commitment;

+ +
+ + +

the maintenance policy addresses coordination among organizational entities;

+ +
+ + +

the maintenance policy addresses compliance;

+ +
+ +
+ + +

the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

+ +
+ + + + + + +

the current maintenance policy is reviewed and updated ;

+ +
+ + +

the current maintenance policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current maintenance procedures are reviewed and updated ;

+ +
+ + +

the current maintenance procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Maintenance policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with maintenance responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Controlled Maintenance + + + +

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

+
+ + + + +

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

+
+ + + + +

information to be included in organizational maintenance records is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

+
+ + +

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

+
+ + +

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+
+ + +

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

+
+ + +

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

+
+ + +

Include the following information in organizational maintenance records: .

+
+
+ +

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

+
+ + + + + + +

maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ +
+ + + + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;

+ +
+ + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;

+ +
+ +
+ + +

+ is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;

+ +
+ + +

+ is included in organizational maintenance records.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing controlled system maintenance

+

maintenance records

+

manufacturer/vendor maintenance specifications

+

equipment sanitization records

+

media sanitization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system

+

organizational processes for sanitizing system components

+

mechanisms supporting and/or implementing controlled maintenance

+

mechanisms implementing the sanitization of system components

+
+
+ + Automated Maintenance Activities + + + + + + +

automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;

+
+ + + + +

automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;

+
+ + + + +

automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;

+
+ + + + + + + + + + +

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ; and

+
+ + +

Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.

+
+
+ +

The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records.

+
+ + + + + + +

+ are used to schedule maintenance, repair, and replacement actions for the system;

+ +
+ + +

+ are used to conduct maintenance, repair, and replacement actions for the system;

+ +
+ + +

+ are used to document maintenance, repair, and replacement actions for the system;

+ +
+ +
+ + + + +

up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.

+ +
+ + +

up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.

+ +
+ + +

up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.

+ +
+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing controlled system maintenance

+

automated mechanisms supporting system maintenance activities

+

system configuration settings and associated documentation

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Automated mechanisms supporting and/or implementing controlled maintenance

+

automated mechanisms supporting and/or implementing the production of records of maintenance and repair actions

+
+
+
+
+ + Maintenance Tools + + + + +

at least annually

+
+
+ +

frequency at which to review previously approved system maintenance tools is defined;

+
+ + + + + + + + + + + +

Approve, control, and monitor the use of system maintenance tools; and

+
+ + +

Review previously approved system maintenance tools .

+
+
+ +

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, + ls, + ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

+
+ + + + + + +

the use of system maintenance tools is approved;

+ +
+ + +

the use of system maintenance tools is controlled;

+ +
+ + +

the use of system maintenance tools is monitored;

+ +
+ +
+ + +

previously approved system maintenance tools are reviewed .

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for approving, controlling, and monitoring maintenance tools

+

mechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools

+
+
+ + Inspect Tools + + + + + + + +

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

+
+ +

Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

+
+ + +

maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance tool inspection records

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for inspecting maintenance tools

+

mechanisms supporting and/or implementing the inspection of maintenance tools

+
+
+
+ + Inspect Media + + + + + + + +

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

+
+ +

If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

+
+ + +

media containing diagnostic and test programs are checked for malicious code before the media are used in the system.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for inspecting media for malicious code

+

mechanisms supporting and/or implementing the inspection of media used for maintenance

+
+
+
+ + Prevent Unauthorized Removal + + + + +

the information owner

+
+
+ +

personnel or roles who can authorize removal of equipment from the facility is/are defined;

+
+ + + + + + + + +

Prevent the removal of maintenance equipment containing organizational information by:

+ + +

Verifying that there is no organizational information contained on the equipment;

+
+ + +

Sanitizing or destroying the equipment;

+
+ + +

Retaining the equipment within the facility; or

+
+ + +

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+
+
+ +

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

+
+ + + + +

the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

equipment sanitization records

+

media sanitization records

+

exemptions for equipment removal

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+
+
+ + + + +

Organizational process for preventing unauthorized removal of information

+

mechanisms supporting media sanitization or destruction of equipment

+

mechanisms supporting verification of media sanitization

+
+
+
+
+ + Nonlocal Maintenance + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Approve and monitor nonlocal maintenance and diagnostic activities;

+
+ + +

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

+
+ + +

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + +

Maintain records for nonlocal maintenance and diagnostic activities; and

+
+ + +

Terminate session and network connections when nonlocal maintenance is completed.

+
+
+ +

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

+
+ + + + + + +

nonlocal maintenance and diagnostic activities are approved;

+ +
+ + +

nonlocal maintenance and diagnostic activities are monitored;

+ +
+ +
+ + + + +

the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;

+ +
+ + +

the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;

+ +
+ +
+ + +

strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;

+ +
+ + +

records for nonlocal maintenance and diagnostic activities are maintained;

+ +
+ + + + +

session connections are terminated when nonlocal maintenance is completed;

+ +
+ + +

network connections are terminated when nonlocal maintenance is completed.

+ +
+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing nonlocal system maintenance

+

remote access policy

+

remote access procedures

+

system design documentation

+

system configuration settings and associated documentation

+

maintenance records

+

records of remote access

+

diagnostic records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing nonlocal maintenance

+

mechanisms implementing, supporting, and/or managing nonlocal maintenance

+

mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

+

mechanisms for terminating nonlocal maintenance sessions and network connections

+
+
+ + Comparable Security and Sanitization + + + + + + + + + + + +

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or

+
+ + +

Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

+
+
+ +

Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.

+
+ + + + + + +

nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;

+ +
+ + +

nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or

+ +
+ +
+ + + + +

the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;

+ +
+ + +

the component to be serviced is sanitized (for organizational information);

+ +
+ + +

the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.

+ +
+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing nonlocal system maintenance

+

service provider contracts and/or service-level agreements

+

maintenance records

+

inspection records

+

audit records

+

equipment sanitization records

+

media sanitization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

system maintenance provider

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for comparable security and sanitization for nonlocal maintenance

+

organizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance

+

mechanisms supporting and/or implementing component sanitization and inspection

+
+
+
+
+ + Maintenance Personnel + + + + + + + + + + + + + + + + + + + +

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

+
+ + +

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

+
+ + +

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ +

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+
+ + + + + + +

a process for maintenance personnel authorization is established;

+ +
+ + +

a list of authorized maintenance organizations or personnel is maintained;

+ +
+ +
+ + +

non-escorted personnel performing maintenance on the system possess the required access authorizations;

+ +
+ + +

organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

service provider contracts

+

service-level agreements

+

list of authorized personnel

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for authorizing and managing maintenance personnel

+

mechanisms supporting and/or implementing authorization of maintenance personnel

+
+
+ + Individuals Without Appropriate Access + + + +

alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;

+
+ + + + + + + + + + + +

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

+ + +

Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and

+
+ + +

Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

+
+
+ + +

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

+
+
+ +

Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.

+
+ + + + + + +

procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;

+ +
+ + +

procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;

+ +
+ +
+ + +

+ are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

system media protection policy

+

physical and environmental protection policy

+

list of maintenance personnel requiring escort/supervision

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with personnel security responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing maintenance personnel without appropriate access

+

mechanisms supporting and/or implementing alternative security safeguards

+

mechanisms supporting and/or implementing information storage component sanitization

+
+
+
+
+ + Timely Maintenance + + + +

system components for which maintenance support and/or spare parts are obtained are defined;

+
+ + + + + +

a timeframe to support advertised uptime and availability

+
+
+ +

time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;

+
+ + + + + + + + + + + + + + + +

Obtain maintenance support and/or spare parts for within of failure.

+
+ +

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

+
+ + +

maintenance support and/or spare parts are obtained for within of failure.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance

+

service provider contracts

+

service-level agreements

+

inventory and availability of spare parts

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for ensuring timely maintenance

+
+
+
+
+ + Media Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the media protection policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current media protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current media protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current media protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require media protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ media protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

+
+ + +

Review and update the current media protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a media protection policy is developed and documented;

+ +
+ + +

the media protection policy is disseminated to ;

+ +
+ + +

media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;

+ +
+ + +

the media protection procedures are disseminated to ;

+ +
+ + + + + + +

the media protection policy addresses purpose;

+ +
+ + +

the media protection policy addresses scope;

+ +
+ + +

the media protection policy addresses roles;

+ +
+ + +

the media protection policy addresses responsibilities;

+ +
+ + +

the media protection policy addresses management commitment;

+ +
+ + +

the media protection policy addresses coordination among organizational entities;

+ +
+ + +

the media protection policy compliance;

+ +
+ +
+ + +

the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.

+ +
+ + + + + + +

the current media protection policy is reviewed and updated ;

+ +
+ + +

the current media protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current media protection procedures are reviewed and updated ;

+ +
+ + +

the current media protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Media protection policy and procedures

+

organizational risk management strategy

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Media Access + + + + +

all types of digital and/or non-digital media containing sensitive information

+
+
+ + + + + + + +

types of digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access digital media is/are defined;

+
+ + + + +

types of non-digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access non-digital media is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Restrict access to to .

+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

+
+ + + + +

access to is restricted to ;

+ +
+ + +

access to is restricted to .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media access restrictions

+

access control policy and procedures

+

physical and environmental protection policy and procedures

+

media storage facilities

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for restricting information media

+

mechanisms supporting and/or implementing media access restrictions

+
+
+
+ + Media Marking + + + + +

no removable media types

+
+
+ +

types of system media exempt from marking when remaining in controlled areas are defined;

+
+ + + + + +

organization-defined security safeguards not applicable

+
+
+ +

controlled areas where media is exempt from marking are defined;

+
+ + + + + + + + + + + + + + + + +

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

+
+ + +

Exempt from marking if the media remain within .

+
+ + MP-3 Additional FedRAMP Requirements and Guidance + + +

Second parameter not-applicable

+
+
+
+ +

Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+ + + + +

system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;

+ +
+ + +

+ remain within .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media marking

+

physical and environmental protection policy and procedures

+

list of system media marking security attributes

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and marking responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for marking information media

+

mechanisms supporting and/or implementing media marking

+
+
+
+ + Media Storage + + + + +

all types of digital and non-digital media with sensitive information

+
+
+ + + + + +

see additional FedRAMP requirements and guidance

+
+
+ + + + +

types of digital media to be physically controlled are defined (if selected);

+
+ + + + +

types of non-digital media to be physically controlled are defined (if selected);

+
+ + + + +

types of digital media to be securely stored are defined (if selected);

+
+ + + + +

types of non-digital media to be securely stored are defined (if selected);

+
+ + + + +

controlled areas within which to securely store digital media are defined;

+
+ + + + +

controlled areas within which to securely store non-digital media are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Physically control and securely store within ; and

+
+ + +

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+
+ + MP-4 Additional FedRAMP Requirements and Guidance + + +

The service provider defines controlled areas within facilities where the information and information system reside.

+
+
+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.

+
+ + + + + + +

+ are physically controlled;

+ +
+ + +

+ are physically controlled;

+ +
+ + +

+ are securely stored within ;

+ +
+ + +

+ are securely stored within ;

+ +
+ +
+ + +

system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

system media

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for storing information media

+

mechanisms supporting and/or implementing secure media storage/media protection

+
+
+
+ + Media Transport + + + + +

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

+
+
+ + + + + +

all media with sensitive information

+
+
+ +

types of system media to protect and control during transport outside of controlled areas are defined;

+
+ + + + +

controls used to protect system media outside of controlled areas are defined;

+
+ + + + +

controls used to control system media outside of controlled areas are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Protect and control during transport outside of controlled areas using ;

+
+ + +

Maintain accountability for system media during transport outside of controlled areas;

+
+ + +

Document activities associated with the transport of system media; and

+
+ + +

Restrict the activities associated with the transport of system media to authorized personnel.

+
+ + MP-5 Additional FedRAMP Requirements and Guidance + + +

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

+
+
+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

+
+ + + + + + +

+ are protected during transport outside of controlled areas using ;

+ +
+ + +

+ are controlled during transport outside of controlled areas using ;

+ +
+ +
+ + +

accountability for system media is maintained during transport outside of controlled areas;

+ +
+ + +

activities associated with the transport of system media are documented;

+ +
+ + + + +

personnel authorized to conduct media transport activities is/are identified;

+ +
+ + +

activities associated with the transport of system media are restricted to identified authorized personnel.

+ +
+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

authorized personnel list

+

system media

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for storing information media

+

mechanisms supporting and/or implementing media storage/media protection

+
+
+
+ + Media Sanitization + + + + +

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

+
+
+ + + + + + + +

system media to be sanitized prior to disposal is defined;

+
+ + + + +

system media to be sanitized prior to release from organizational control is defined;

+
+ + + + +

system media to be sanitized prior to release for reuse is defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

+
+ + +

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

+
+
+ +

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

+
+ + + + + + +

+ is sanitized using prior to disposal;

+ +
+ + +

+ is sanitized using prior to release from organizational control;

+ +
+ + +

+ is sanitized using prior to release for reuse;

+ +
+ +
+ + +

sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

applicable federal standards and policies addressing media sanitization policy

+

media sanitization records

+

system audit records

+

system design documentation

+

records retention and disposition policy

+

records retention and disposition procedures

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media sanitization responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media sanitization

+

mechanisms supporting and/or implementing media sanitization

+
+
+ + Review, Approve, Track, Document, and Verify + + + + + + +

Review, approve, track, document, and verify media sanitization and disposal actions.

+ + MP-6 (1) Additional FedRAMP Requirements and Guidance + + +

Must comply with NIST SP 800-88

+
+
+
+ +

Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.

+
+ + + + +

media sanitization and disposal actions are reviewed;

+ +
+ + +

media sanitization and disposal actions are approved;

+ +
+ + +

media sanitization and disposal actions are tracked;

+ +
+ + +

media sanitization and disposal actions are documented;

+ +
+ + +

media sanitization and disposal actions are verified.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

records retention and disposition policy

+

records retention and disposition procedures

+

media sanitization and disposal records

+

review records for media sanitization and disposal actions

+

approvals for media sanitization and disposal actions

+

tracking records

+

verification records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media sanitization and disposal responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media sanitization

+

mechanisms supporting and/or implementing media sanitization

+

mechanisms supporting and/or implementing verification of media sanitization

+
+
+
+ + Equipment Testing + + + + +

at least every six (6) months

+
+
+ + + + +

frequency with which to test sanitization equipment is defined;

+
+ + + + +

frequency with which to test sanitization procedures is defined;

+
+ + + + + + + +

Test sanitization equipment and procedures to ensure that the intended sanitization is being achieved.

+ + MP-6 (2) Additional FedRAMP Requirements and Guidance + + +

Equipment and procedures may be tested or validated for effectiveness

+
+
+
+ +

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.

+
+ + + + +

sanitization equipment is tested to ensure that the intended sanitization is being achieved;

+ +
+ + +

sanitization procedures are tested to ensure that the intended sanitization is being achieved.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

procedures addressing testing of media sanitization equipment

+

results of media sanitization equipment and procedures testing

+

system audit records

+

records retention and disposition policy

+

records retention and disposition procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media sanitization responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for media sanitization

+

automated mechanisms supporting and/or implementing media sanitization

+

automated mechanisms supporting and/or implementing media sanitization procedures

+

sanitization equipment

+
+
+
+ + Nondestructive Techniques + + + +

circumstances requiring sanitization of portable storage devices are defined;

+
+ + + + + + + +

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: .

+ + MP-6 (3) Additional FedRAMP Requirements and Guidance + + +

Must comply with NIST SP 800-88

+
+
+
+ +

Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.

+
+ + +

non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under .

+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

information on portable storage devices for the system

+

list of circumstances requiring sanitization of portable storage devices

+

media sanitization records

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media sanitization responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for media sanitization of portable storage devices

+

mechanisms supporting and/or implementing media sanitization

+
+
+
+
+ + Media Use + + + +

types of system media to be restricted or prohibited from use on systems or system components are defined;

+
+ + + + + + + +

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

+
+ + + + +

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

+
+ + + + + + + + + + + + + + + + +

+ the use of on using ; and

+
+ + +

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

+
+
+ +

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

+
+ + + + +

the use of is on using ;

+ +
+ + +

the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

+ +
+ +
+ + + + +

System media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

rules of behavior

+

system design documentation

+

system configuration settings and associated documentation

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media use

+

mechanisms restricting or prohibiting the use of system media on systems or system components

+
+
+
+
+ + Physical and Environmental Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the physical and environmental protection policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ physical and environmental protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

+
+ + +

Review and update the current physical and environmental protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a physical and environmental protection policy is developed and documented;

+ +
+ + +

the physical and environmental protection policy is disseminated to ;

+ +
+ + +

physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;

+ +
+ + +

the physical and environmental protection procedures are disseminated to ;

+ +
+ + + + + + +

the physical and environmental protection policy addresses purpose;

+ +
+ + +

the physical and environmental protection policy addresses scope;

+ +
+ + +

the physical and environmental protection policy addresses roles;

+ +
+ + +

the physical and environmental protection policy addresses responsibilities;

+ +
+ + +

the physical and environmental protection policy addresses management commitment;

+ +
+ + +

the physical and environmental protection policy addresses coordination among organizational entities;

+ +
+ + +

the physical and environmental protection policy addresses compliance;

+ +
+ +
+ + +

the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;

+ +
+ + + + + + +

the current physical and environmental protection policy is reviewed and updated ;

+ +
+ + +

the current physical and environmental protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current physical and environmental protection procedures are reviewed and updated ;

+ +
+ + +

the current physical and environmental protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical and environmental protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Physical Access Authorizations + + + + +

at least every ninety (90) days

+
+
+ +

frequency at which to review the access list detailing authorized facility access by individuals is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

+
+ + +

Issue authorization credentials for facility access;

+
+ + +

Review the access list detailing authorized facility access by individuals ; and

+
+ + +

Remove individuals from the facility access list when access is no longer required.

+
+
+ +

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

+
+ + + + + + +

a list of individuals with authorized access to the facility where the system resides has been developed;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been approved;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been maintained;

+ +
+ +
+ + +

authorization credentials are issued for facility access;

+ +
+ + +

the access list detailing authorized facility access by individuals is reviewed ;

+ +
+ + +

individuals are removed from the facility access list when access is no longer required.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access authorizations

+

authorized personnel access list

+

authorization credentials

+

physical access list reviews

+

physical access termination records and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with physical access to system facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access authorizations

+

mechanisms supporting and/or implementing physical access authorizations

+
+
+
+ + Physical Access Control + + + + +

at least annually or earlier as required by a security relevant event.

+
+
+ + + + +

entry and exit points to the facility in which the system resides are defined;

+
+ + + + +

CSP defined physical access control systems/devices AND guards

+
+
+ + + + + +

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

+
+ + + + +

entry or exit points for which physical access logs are maintained are defined;

+
+ + + + +

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

+
+ + + + + +

in all circumstances within restricted access area where the information system resides

+
+
+ +

circumstances requiring visitor escorts and control of visitor activity are defined;

+
+ + + + +

physical access devices to be inventoried are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to inventory physical access devices is defined;

+
+ + + + +

frequency at which to change combinations is defined;

+
+ + + + +

frequency at which to change keys is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce physical access authorizations at by:

+ + +

Verifying individual access authorizations before granting access to the facility; and

+
+ + +

Controlling ingress and egress to the facility using ;

+
+
+ + +

Maintain physical access audit logs for ;

+
+ + +

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

+
+ + +

Escort visitors and control visitor activity ;

+
+ + +

Secure keys, combinations, and other physical access devices;

+
+ + +

Inventory every ; and

+
+ + +

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

+
+
+ +

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

+
+ + + + + + +

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

+ +
+ + +

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

+ +
+ +
+ + +

physical access audit logs are maintained for ;

+ +
+ + +

access to areas within the facility designated as publicly accessible are maintained by implementing ;

+ +
+ + + + +

visitors are escorted;

+ +
+ + +

visitor activity is controlled ;

+ +
+ +
+ + + + +

keys are secured;

+ +
+ + +

combinations are secured;

+ +
+ + +

other physical access devices are secured;

+ +
+ +
+ + +

+ are inventoried ;

+ +
+ + + + +

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

+ +
+ + +

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access control

+

physical access control logs or records

+

inventory records of physical access control devices

+

system entry and exit points

+

records of key and lock combination changes

+

storage locations for physical access control devices

+

physical access control devices

+

list of security safeguards controlling access to designated publicly accessible areas within facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access control

+

mechanisms supporting and/or implementing physical access control

+

physical access control devices

+
+
+ + System Access + + + +

physical spaces containing one or more components of the system are defined;

+
+ + + + + + + +

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .

+
+ +

Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.

+
+ + + + +

physical access authorizations to the system are enforced;

+ +
+ + +

physical access controls are enforced for the facility at .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access control

+

physical access control logs or records

+

physical access control devices

+

access authorizations

+

access credentials

+

system entry and exit points

+

list of areas within the facility containing concentrations of system components or system components requiring additional physical protection

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access control to the information system/components

+

mechanisms supporting and/or implementing physical access control for facility areas containing system components

+
+
+
+
+ + Access Control for Transmission + + + +

system distribution and transmission lines requiring physical access controls are defined;

+
+ + + + +

security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;

+
+ + + + + + + + + + + + + + + + +

Control physical access to within organizational facilities using .

+
+ +

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

+
+ + +

physical access to within organizational facilities is controlled using .

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing access control for transmission mediums

+

system design documentation

+

facility communications and wiring diagrams

+

list of physical security safeguards applied to system distribution and transmission lines

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for access control to distribution and transmission lines

+

mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

+
+
+
+ + Access Control for Output Devices + + + +

output devices that require physical access control to output are defined;

+
+ + + + + + + + + + + +

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

+
+ +

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

+
+ + +

physical access to output from is controlled to prevent unauthorized individuals from obtaining the output.

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing access control for display medium

+

facility layout of system components

+

actual displays from system components

+

list of output devices and associated outputs requiring physical access controls

+

physical access control logs or records for areas containing output devices and related outputs

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for access control to output devices

+

mechanisms supporting and/or implementing access control to output devices

+
+
+
+ + Monitoring Physical Access + + + + +

at least monthly

+
+
+ +

the frequency at which to review physical access logs is defined;

+
+ + + + +

events or potential indication of events requiring physical access logs to be reviewed are defined;

+
+ + + + + + + + + + + + + + + + + +

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

+
+ + +

Review physical access logs and upon occurrence of ; and

+
+ + +

Coordinate results of reviews and investigations with the organizational incident response capability.

+
+
+ +

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

+
+ + + + +

physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;

+ +
+ + + + +

physical access logs are reviewed ;

+ +
+ + +

physical access logs are reviewed upon occurrence of ;

+ +
+ +
+ + + + +

results of reviews are coordinated with organizational incident response capabilities;

+ +
+ + +

results of investigations are coordinated with organizational incident response capabilities.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical access

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing the review of physical access logs

+
+
+ + Intrusion Alarms and Surveillance Equipment + + + + + + + +

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

+
+ +

Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.

+
+ + + + +

physical access to the facility where the system resides is monitored using physical intrusion alarms;

+ +
+ + +

physical access to the facility where the system resides is monitored using physical surveillance equipment.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical intrusion alarms and surveillance equipment

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

+
+
+
+ + Monitoring Physical Access to Systems + + + +

physical spaces containing one or more components of the system are defined;

+
+ + + + + + + + +

Monitor physical access to the system in addition to the physical access monitoring of the facility at .

+
+ +

Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.

+
+ + +

physical access to the system is monitored in addition to the physical access monitoring of the facility at .

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access control logs or records

+

physical access control devices

+

access authorizations

+

access credentials

+

list of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical access to the system

+

mechanisms supporting and/or implementing physical access monitoring for facility areas containing system components

+
+
+
+
+ + Visitor Access Records + + + + +

for a minimum of one (1) year

+
+
+ +

time period for which to maintain visitor access records for the facility where the system resides is defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to review visitor access records is defined;

+
+ + + + +

personnel to whom visitor access records anomalies are reported to is/are defined;

+
+ + + + + + + + + + + + +

Maintain visitor access records to the facility where the system resides for ;

+
+ + +

Review visitor access records ; and

+
+ + +

Report anomalies in visitor access records to .

+
+
+ +

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

+
+ + + + +

visitor access records for the facility where the system resides are maintained for ;

+ +
+ + +

visitor access records are reviewed ;

+ +
+ + +

visitor access records anomalies are reported to .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

visitor access control logs or records

+

visitor access record or log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with visitor access record responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for maintaining and reviewing visitor access records

+

mechanisms supporting and/or implementing the maintenance and review of visitor access records

+
+
+ + Automated Records Maintenance and Review + + + + + + +

automated mechanisms used to maintain visitor access records are defined;

+
+ + + + +

automated mechanisms used to review visitor access records are defined;

+
+ + + + + + + +

Maintain and review visitor access records using .

+
+ +

Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions.

+
+ + + + +

visitor access records are maintained using ;

+ +
+ + +

visitor access records are reviewed using .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

automated mechanisms supporting management of visitor access records

+

visitor access control logs or records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with visitor access record responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for maintaining and reviewing visitor access records

+

automated mechanisms supporting and/or implementing the maintenance and review of visitor access records

+
+
+
+
+ + Power Equipment and Cabling + + + + + + +

Protect power equipment and power cabling for the system from damage and destruction.

+
+ +

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

+
+ + + + +

power equipment for the system is protected from damage and destruction;

+ +
+ + +

power cabling for the system is protected from damage and destruction.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing power equipment/cabling protection

+

facilities housing power equipment/cabling

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility to protect power equipment/cabling

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the protection of power equipment/cabling

+
+
+
+ + Emergency Shutoff + + + +

system or individual system components that require the capability to shut off power in emergency situations is/are defined;

+
+ + + + + +

near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

+
+
+ +

location of emergency shutoff switches or devices by system or system component is defined;

+
+ + + + + + + + + +

Provide the capability of shutting off power to in emergency situations;

+
+ + +

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

+
+ + +

Protect emergency power shutoff capability from unauthorized activation.

+
+
+ +

Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

+
+ + + + +

the capability to shut off power to in emergency situations is provided;

+ +
+ + +

emergency shutoff switches or devices are placed in to facilitate access for authorized personnel;

+ +
+ + +

the emergency power shutoff capability is protected from unauthorized activation.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing power source emergency shutoff

+

emergency shutoff controls or switches

+

locations housing emergency shutoff switches and devices

+

security safeguards protecting the emergency power shutoff capability from unauthorized activation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing emergency power shutoff

+
+
+
+ + Emergency Power + + + + + + + + + + + +

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

+
+ +

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.

+
+ + +

an uninterruptible power supply is provided to facilitate in the event of a primary power source loss.

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency power

+

uninterruptible power supply

+

uninterruptible power supply documentation

+

uninterruptible power supply test records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency power and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an uninterruptible power supply

+

the uninterruptable power supply

+
+
+ + Alternate Power Supply — Minimal Operational Capability + + + +

automatically

+
+
+ + + + + + + + +

Provide an alternate power supply for the system that is activated and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

+
+ +

Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply.

+
+ + + + +

an alternate power supply provided for the system is activated ;

+ +
+ + +

the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency power

+

alternate power supply

+

alternate power supply documentation

+

alternate power supply test records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency power and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an alternate power supply

+

the alternate power supply

+
+
+
+
+ + Emergency Lighting + + + + + + + +

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

+
+ +

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

+
+ + + + +

automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;

+ +
+ + +

automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;

+ +
+ + +

automatic emergency lighting for the system covers emergency exits within the facility;

+ +
+ + +

automatic emergency lighting for the system covers evacuation routes within the facility.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency lighting

+

emergency lighting documentation

+

emergency lighting test records

+

emergency exits and evacuation routes

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency lighting and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an emergency lighting capability

+
+
+
+ + Fire Protection + + + + + + +

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

+
+ +

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

+
+ + + + +

fire detection systems are employed;

+ +
+ + +

employed fire detection systems are supported by an independent energy source;

+ +
+ + +

employed fire detection systems are maintained;

+ +
+ + +

fire suppression systems are employed;

+ +
+ + +

employed fire suppression systems are supported by an independent energy source;

+ +
+ + +

employed fire suppression systems are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire suppression/detection devices/systems

+
+
+ + Detection Systems — Automatic Activation and Notification + + + + +

service provider building maintenance/physical security personnel

+
+
+ +

personnel or roles to be notified in the event of a fire is/are defined;

+
+ + + + + +

service provider emergency responders with incident response responsibilities

+
+
+ +

emergency responders to be notified in the event of a fire are defined;

+
+ + + + + + + +

Employ fire detection systems that activate automatically and notify and in the event of a fire.

+
+ +

Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.

+
+ + + + +

fire detection systems that activate automatically are employed in the event of a fire;

+ +
+ + +

fire detection systems that notify automatically are employed in the event of a fire;

+ +
+ + +

fire detection systems that notify automatically are employed in the event of a fire.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

facility housing the information system

+

alarm service-level agreements

+

test records of fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

alerts/notifications of fire events

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire detection devices/systems

+

activation of fire detection devices/systems (simulated)

+

automated notifications

+
+
+
+ + Suppression Systems — Automatic Activation and Notification + + + +

personnel or roles to be notified in the event of a fire is/are defined;

+
+ + + + +

emergency responders to be notified in the event of a fire are defined;

+
+ + + + + + + + + +

Employ fire suppression systems that activate automatically and notify and ; and

+
+ + +

Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.

+
+
+ +

Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.

+
+ + + + + + +

fire suppression systems that activate automatically are employed;

+ +
+ + +

fire suppression systems that notify automatically are employed;

+ +
+ + +

fire suppression systems that notify automatically are employed;

+ +
+ +
+ + +

an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems documentation

+

facility housing the system

+

alarm service-level agreements

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms supporting and/or implementing fire suppression devices/systems

+

activation of fire suppression devices/systems (simulated)

+

automated notifications

+
+
+
+
+ + Environmental Controls + + + +

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

+
+
+ + + + + +

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

+
+ + + + +

acceptable levels for environmental controls are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which to monitor environmental control levels is defined;

+
+ + + + + + + + + + +

Maintain levels within the facility where the system resides at ; and

+
+ + +

Monitor environmental control levels .

+
+ + PE-14 Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+ +

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

+
+ + + + +

+ levels are maintained at within the facility where the system resides;

+ +
+ + +

environmental control levels are monitored .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing temperature and humidity control

+

temperature and humidity controls

+

facility housing the system

+

temperature and humidity controls documentation

+

temperature and humidity records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels

+
+
+ + Monitoring with Alarms and Notifications + + + +

personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;

+
+ + + + + + + +

Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to .

+
+ +

The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response.

+
+ + + + +

environmental control monitoring is employed;

+ +
+ + +

the environmental control monitoring capability provides an alarm or notification to when changes are potentially harmful to personnel or equipment.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing temperature and humidity monitoring

+

facility housing the system

+

logs or records of temperature and humidity monitoring

+

records of changes to temperature and humidity levels that generate alarms or notifications

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing temperature and humidity monitoring

+
+
+
+
+ + Water Damage Protection + + + + + + + +

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

+
+ +

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

+
+ + + + +

the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;

+ +
+ + +

the master shutoff or isolation valves are accessible;

+ +
+ + +

the master shutoff or isolation valves are working properly;

+ +
+ + +

the master shutoff or isolation valves are known to key personnel.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the system

+

master shutoff valves

+

list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

+

master shutoff valve documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Master water-shutoff valves

+

organizational process for activating master water shutoff

+
+
+ + Automation Support + + + + +

service provider building maintenance/physical security personnel

+
+
+ +

personnel or roles to be alerted when the presence of water is detected near the system is/are defined;

+
+ + + + +

automated mechanisms used to detect the presence of water near the system are defined;

+
+ + + + + + + +

Detect the presence of water near the system and alert using .

+
+ +

Automated mechanisms include notification systems, water detection sensors, and alarms.

+
+ + + + +

the presence of water near the system can be detected automatically;

+ +
+ + +

+ is/are alerted using .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the system

+

automated mechanisms for water shutoff valves

+

automated mechanisms for detecting the presence of water in the vicinity of the system

+

alerts/notifications of water detection in system facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system

+
+
+
+
+ + Delivery and Removal + + + + +

all information system components

+
+
+ + + + +

types of system components to be authorized and controlled when entering the facility are defined;

+
+ + + + +

types of system components to be authorized and controlled when exiting the facility are defined;

+
+ + + + + + + + + + + + + + + + + + +

Authorize and control entering and exiting the facility; and

+
+ + +

Maintain records of the system components.

+
+
+ +

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

+
+ + + + + + +

+ are authorized when entering the facility;

+ +
+ + +

+ are controlled when entering the facility;

+ +
+ + +

+ are authorized when exiting the facility;

+ +
+ + +

+ are controlled when exiting the facility;

+ +
+ +
+ + +

records of the system components are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing the delivery and removal of system components from the facility

+

facility housing the system

+

records of items entering and exiting the facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for controlling system components entering and exiting the facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility

+

mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility

+
+
+
+ + Alternate Work Site + + + +

alternate work sites allowed for use by employees are defined;

+
+ + + + +

controls to be employed at alternate work sites are defined;

+
+ + + + + + + + + + + + +

Determine and document the allowed for use by employees;

+
+ + +

Employ the following controls at alternate work sites: ;

+
+ + +

Assess the effectiveness of controls at alternate work sites; and

+
+ + +

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

+
+
+ +

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

+
+ + + + +

+ are determined and documented;

+ +
+ + +

+ are employed at alternate work sites;

+ +
+ + +

the effectiveness of controls at alternate work sites is assessed;

+ +
+ + +

a means for employees to communicate with information security and privacy personnel in case of incidents is provided.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing alternate work sites for organizational personnel

+

list of security controls required for alternate work sites

+

assessments of security controls at alternate work sites

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel approving the use of alternate work sites

+

organizational personnel using alternate work sites

+

organizational personnel assessing controls at alternate work sites

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for security and privacy at alternate work sites

+

mechanisms supporting alternate work sites

+

security and privacy controls employed at alternate work sites

+

means of communication between personnel at alternate work sites and security and privacy personnel

+
+
+
+ + Location of System Components + + + + +

physical and environmental hazards identified during threat assessment

+
+
+ +

physical and environmental hazards that could result in potential damage to system components within the facility are defined;

+
+ + + + + + + + + + + +

Position system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

+
+ +

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.

+
+ + +

system components are positioned within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing the positioning of system components

+

documentation providing the location and position of system components within the facility

+

locations housing system components within the facility

+

list of physical and environmental hazards with the potential to damage system components within the facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for positioning system components

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for positioning system components

+
+
+
+
+ + Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the planning policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

+
+ + +

Review and update the current planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a planning policy is developed and documented.

+ +
+ + +

the planning policy is disseminated to ;

+ +
+ + +

planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;

+ +
+ + +

the planning procedures are disseminated to ;

+ +
+ + + + + + +

the planning policy addresses purpose;

+ +
+ + +

the planning policy addresses scope;

+ +
+ + +

the planning policy addresses roles;

+ +
+ + +

the planning policy addresses responsibilities;

+ +
+ + +

the planning policy addresses management commitment;

+ +
+ + +

the planning policy addresses coordination among organizational entities;

+ +
+ + +

the planning policy addresses compliance;

+ +
+ +
+ + +

the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the planning policy and procedures;

+ +
+ + + + + + +

the current planning policy is reviewed and updated ;

+ +
+ + +

the current planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current planning procedures are reviewed and updated ;

+ +
+ + +

the current planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + System Security and Privacy Plans + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ +

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

+
+ + + + + +

to include chief privacy and ISSO and/or similar role

+
+
+ +

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

+
+ + + + + +

at least annually

+
+
+ +

frequency to review system security and privacy plans is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy plans for the system that:

+ + +

Are consistent with the organization’s enterprise architecture;

+
+ + +

Explicitly define the constituent system components;

+
+ + +

Describe the operational context of the system in terms of mission and business processes;

+
+ + +

Identify the individuals that fulfill system roles and responsibilities;

+
+ + +

Identify the information types processed, stored, and transmitted by the system;

+
+ + +

Provide the security categorization of the system, including supporting rationale;

+
+ + +

Describe any specific threats to the system that are of concern to the organization;

+
+ + +

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

+
+ + +

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

+
+ + +

Provide an overview of the security and privacy requirements for the system;

+
+ + +

Identify any relevant control baselines or overlays, if applicable;

+
+ + +

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

+
+ + +

Include risk determinations for security and privacy architecture and design decisions;

+
+ + +

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

+
+ + +

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+
+
+ + +

Distribute copies of the plans and communicate subsequent changes to the plans to ;

+
+ + +

Review the plans ;

+
+ + +

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

+
+ + +

Protect the plans from unauthorized disclosure and modification.

+
+
+ +

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

+

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

+

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

+

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

+
+ + + + + + + + +

a security plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ + +

a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ +
+ + + + +

a security plan for the system is developed that explicitly defines the constituent system components;

+ +
+ + +

a privacy plan for the system is developed that explicitly defines the constituent system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ + +

a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ + +

a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ + +

a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ + +

a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ + +

a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ + +

a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ + +

a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides an overview of the security requirements for the system;

+ +
+ + +

a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ + +

a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;

+ +
+ + +

a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes risk determinations for security architecture and design decisions;

+ +
+ + +

a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

+ +
+ + +

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

+ +
+ +
+ + + + +

a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+ +
+ + +

a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+ +
+ +
+ +
+ + + + +

copies of the plans are distributed to ;

+ +
+ + +

subsequent changes to the plans are communicated to ;

+ +
+ +
+ + +

plans are reviewed ;

+ +
+ + + + +

plans are updated to address changes to the system and environment of operations;

+ +
+ + +

plans are updated to address problems identified during the plan implementation;

+ +
+ + +

plans are updated to address problems identified during control assessments;

+ +
+ +
+ + + + +

plans are protected from unauthorized disclosure;

+ +
+ + +

plans are protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing security and privacy plan reviews and updates

+

enterprise architecture documentation

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

security and privacy architecture and design documentation

+

risk assessments

+

risk assessment results

+

control assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system security and privacy planning and plan implementation responsibilities

+

system developers

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for system security and privacy plan development, review, update, and approval

+

mechanisms supporting the system security and privacy plan

+
+
+
+ + Rules of Behavior + + + + +

at least annually

+
+
+ +

frequency for reviewing and updating the rules of behavior is defined;

+
+ + + + +

at least annually and when the rules are revised or changed

+
+
+ + + + + +

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

+
+ + +

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

+
+ + +

Review and update the rules of behavior ; and

+
+ + +

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

+
+
+ +

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

+
+ + + + + + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;

+ +
+ + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;

+ +
+ +
+ + +

before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;

+ +
+ + +

rules of behavior are reviewed and updated ;

+ +
+ + +

individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge .

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

signed acknowledgements

+

records for rules of behavior reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed and resigned rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

+

mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

+
+
+ + Social Media and External Site/Application Usage Restrictions + + + + + + + + + +

Include in the rules of behavior, restrictions on:

+ + +

Use of social media, social networking sites, and external sites/applications;

+
+ + +

Posting organizational information on public websites; and

+
+ + +

Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+
+
+ +

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.

+
+ + + + +

the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;

+ +
+ + +

the rules of behavior include restrictions on posting organizational information on public websites;

+ +
+ + +

the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

training policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing rules of behavior

+

mechanisms supporting and/or implementing the establishment of rules of behavior

+
+
+
+
+ + Security and Privacy Architectures + + + + +

at least annually and when a significant change occurs

+
+
+ +

frequency for review and update to reflect changes in the enterprise architecture;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy architectures for the system that:

+ + +

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+
+ + +

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+
+ + +

Describe how the architectures are integrated into and support the enterprise architecture; and

+
+ + +

Describe any assumptions about, and dependencies on, external systems and services;

+
+
+ + +

Review and update the architectures to reflect changes in the enterprise architecture; and

+
+ + +

Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

+
+ + PL-8 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

+

+ SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

+

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

+

+ PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

+
+ + + + + + +

a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+ +
+ + +

a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+ +
+ + + + +

a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ + +

a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ +
+ + + + +

a security architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ + +

a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ +
+ +
+ + +

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

+ +
+ + + + +

planned architecture changes are reflected in the security plan;

+ +
+ + +

planned architecture changes are reflected in the privacy plan;

+ +
+ + +

planned architecture changes are reflected in the Concept of Operations (CONOPS);

+ +
+ + +

planned architecture changes are reflected in criticality analysis;

+ +
+ + +

planned architecture changes are reflected in organizational procedures;

+ +
+ + +

planned architecture changes are reflected in procurements and acquisitions.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing information security and privacy architecture development

+

procedures addressing information security and privacy architecture reviews and updates

+

enterprise architecture documentation

+

information security and privacy architecture documentation

+

system security plan

+

privacy plan

+

security and privacy CONOPS for the system

+

records of information security and privacy architecture reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for developing, reviewing, and updating the information security and privacy architecture

+

mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture

+
+
+
+ + Baseline Selection + + + + + + + + + + + + + + + + + + + + +

Select a control baseline for the system.

+ + PL-10 Additional FedRAMP Requirements and Guidance + + +

Select the appropriate FedRAMP Baseline

+
+
+
+ +

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

+
+ + +

a control baseline for the system is selected.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing system security and privacy plan reviews and updates

+

system design documentation

+

system architecture and configuration documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with responsibility for organizational risk management activities

+
+
+
+ + Baseline Tailoring + + + + + + + + + + + + + + + + + + + + +

Tailor the selected control baseline by applying specified tailoring actions.

+
+ +

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

+
+ + +

the selected control baseline is tailored by applying specified tailoring actions.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

system design documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

baseline tailoring rationale

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Personnel Security + + Policy and Procedures + + + + + + +

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the personnel security policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current personnel security policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current personnel security policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current personnel security procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the personnel security procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ personnel security policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

+
+ + +

Review and update the current personnel security:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a personnel security policy is developed and documented;

+ +
+ + +

the personnel security policy is disseminated to ;

+ +
+ + +

personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;

+ +
+ + +

the personnel security procedures are disseminated to ;

+ +
+ + + + + + +

the personnel security policy addresses purpose;

+ +
+ + +

the personnel security policy addresses scope;

+ +
+ + +

the personnel security policy addresses roles;

+ +
+ + +

the personnel security policy addresses responsibilities;

+ +
+ + +

the personnel security policy addresses management commitment;

+ +
+ + +

the personnel security policy addresses coordination among organizational entities;

+ +
+ + +

the personnel security policy addresses compliance;

+ +
+ +
+ + +

the personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

+ +
+ + + + + + +

the current personnel security policy is reviewed and updated ;

+ +
+ + +

the current personnel security policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current personnel security procedures are reviewed and updated ;

+ +
+ + +

the current personnel security procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Position Risk Designation + + + + +

at least annually

+
+
+ +

the frequency at which to review and update position risk designations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a risk designation to all organizational positions;

+
+ + +

Establish screening criteria for individuals filling those positions; and

+
+ + +

Review and update position risk designations .

+
+
+ +

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

+
+ + + + +

a risk designation is assigned to all organizational positions;

+ +
+ + +

screening criteria are established for individuals filling organizational positions;

+ +
+ + +

position risk designations are reviewed and updated .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing position categorization

+

appropriate codes of federal regulations

+

list of risk designations for organizational positions

+

records of position risk designation reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for assigning, reviewing, and updating position risk designations

+

organizational processes for establishing screening criteria

+
+
+
+ + Personnel Screening + + + + +

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

+

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

+
+
+ + + + +

conditions requiring rescreening of individuals are defined;

+
+ + + + +

the frequency of rescreening individuals where it is so indicated is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Screen individuals prior to authorizing access to the system; and

+
+ + +

Rescreen individuals in accordance with .

+
+
+ +

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

+
+ + + + +

individuals are screened prior to authorizing access to the system;

+ +
+ + + + +

individuals are rescreened in accordance with ;

+ +
+ + +

where rescreening is so indicated, individuals are rescreened .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel screening

+

records of screened personnel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel screening

+
+
+ + Information Requiring Special Protective Measures + + + + +

personnel screening criteria – as required by specific information

+
+
+ +

additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;

+
+ + + + + + + +

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:

+ + +

Have valid access authorizations that are demonstrated by assigned official government duties; and

+
+ + +

Satisfy .

+
+
+ +

Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements.

+
+ + + + +

individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;

+ +
+ + +

individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy .

+ +
+ +
+ + + + +

Personnel security policy

+

access control policy, procedures addressing personnel screening

+

records of screened personnel

+

screening criteria

+

records of access authorizations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for ensuring valid access authorizations for information requiring special protection

+

organizational process for additional personnel screening for information requiring special protection

+
+
+
+
+ + Personnel Termination + + + + +

one (1) hour

+
+
+ +

a time period within which to disable system access is defined;

+
+ + + + +

information security topics to be discussed when conducting exit interviews are defined;

+
+ + + + + + + + + + + + +

Upon termination of individual employment:

+ + +

Disable system access within ;

+
+ + +

Terminate or revoke any authenticators and credentials associated with the individual;

+
+ + +

Conduct exit interviews that include a discussion of ;

+
+ + +

Retrieve all security-related organizational system-related property; and

+
+ + +

Retain access to organizational information and systems formerly controlled by terminated individual.

+
+
+ +

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

+
+ + + + +

upon termination of individual employment, system access is disabled within ;

+ +
+ + +

upon termination of individual employment, any authenticators and credentials are terminated or revoked;

+ +
+ + +

upon termination of individual employment, exit interviews that include a discussion of are conducted;

+ +
+ + +

upon termination of individual employment, all security-related organizational system-related property is retrieved;

+ +
+ + +

upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel termination

+

records of personnel termination actions

+

list of system accounts

+

records of terminated or revoked authenticators/credentials

+

records of exit interviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel termination

+

mechanisms supporting and/or implementing personnel termination notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+ + Automated Actions + + + +

automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined;

+
+ + + + +

access control personnel responsible for disabling access to the system

+
+
+ + + + + +

personnel or roles to be notified upon termination of an individual is/are defined (if selected);

+
+ + + + + + + +

Use to .

+
+ +

In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated.

+
+ + +

+ are used to .

+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel termination

+

system design documentation

+

system configuration settings and associated documentation

+

records of personnel termination actions

+

automated notifications of employee terminations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel termination

+

automated mechanisms supporting and/or implementing personnel termination notifications

+
+
+
+
+ + Personnel Transfer + + + +

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

+
+ + + + + +

including access control personnel responsible for the system

+
+
+ +

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

+
+ + + + + + + + + + + + + + +

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

+
+ + +

Initiate within ;

+
+ + +

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

+
+ + +

Notify within .

+
+
+ +

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

+
+ + + + +

the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;

+ +
+ + +

+ are initiated within ;

+ +
+ + +

access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;

+ +
+ + +

+ are notified within .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel transfer

+

records of personnel transfer actions

+

list of system and facility access authorizations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel transfer

+

mechanisms supporting and/or implementing personnel transfer notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+
+ + Access Agreements + + + + +

at least annually

+
+
+ +

the frequency at which to review and update access agreements is defined;

+
+ + + + + +

at least annually and any time there is a change to the user's level of access

+
+
+ +

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop and document access agreements for organizational systems;

+
+ + +

Review and update the access agreements ; and

+
+ + +

Verify that individuals requiring access to organizational information and systems:

+ + +

Sign appropriate access agreements prior to being granted access; and

+
+ + +

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+
+
+
+ +

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

+
+ + + + +

access agreements are developed and documented for organizational systems;

+ +
+ + +

the access agreements are reviewed and updated ;

+ +
+ + + + +

individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;

+ +
+ + +

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing access agreements for organizational information and systems

+

access control policy

+

access control procedures

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

documentation of access agreement reviews, updates, and re-signing

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel who have signed/resigned access agreements

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for reviewing, updating, and re-signing access agreements

+

mechanisms supporting the reviewing, updating, and re-signing of access agreements

+
+
+
+ + External Personnel Security + + + + +

including access control personnel responsible for the system and/or facilities, as appropriate

+
+
+ +

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

+
+ + + + + +

terminations: immediately; transfers: within twenty-four (24) hours

+
+
+ +

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Establish personnel security requirements, including security roles and responsibilities for external providers;

+
+ + +

Require external providers to comply with personnel security policies and procedures established by the organization;

+
+ + +

Document personnel security requirements;

+
+ + +

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

+
+ + +

Monitor provider compliance with personnel security requirements.

+
+
+ +

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

+
+ + + + +

personnel security requirements are established, including security roles and responsibilities for external providers;

+ +
+ + +

external providers are required to comply with personnel security policies and procedures established by the organization;

+ +
+ + +

personnel security requirements are documented;

+ +
+ + +

external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ;

+ +
+ + +

provider compliance with personnel security requirements is monitored.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing external personnel security

+

list of personnel security requirements

+

acquisition documents

+

service-level agreements

+

compliance monitoring process

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

external providers

+

system/network administrators

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for managing and monitoring external personnel security

+

mechanisms supporting and/or implementing the monitoring of provider compliance

+
+
+
+ + Personnel Sanctions + + + + +

to include the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

+
+ + + + + +

24 hours

+
+
+ +

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

+
+ + + + + + + + + + + + +

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

+
+ + +

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+ +

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

+
+ + + + +

a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;

+ +
+ + +

+ is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing personnel sanctions

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

list of personnel or roles to be notified of formal employee sanctions

+

records or notifications of formal employee sanctions

+

system security plan

+

privacy plan

+

personally identifiable information processing policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

legal counsel

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for managing formal employee sanctions

+

mechanisms supporting and/or implementing formal employee sanctions notifications

+
+
+
+ + Position Descriptions + + + + + + +

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

+
+ +

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

+
+ + + + +

security roles and responsibilities are incorporated into organizational position descriptions;

+ +
+ + +

privacy roles and responsibilities are incorporated into organizational position descriptions.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing position descriptions

+

security and privacy position descriptions

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with human capital management responsibilities

+
+
+ + + + +

Organizational processes for managing position descriptions

+
+
+
+
+ + Risk Assessment + + Policy and Procedures + + + + + + +

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the risk assessment policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current risk assessment policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current risk assessment policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require risk assessment procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ risk assessment policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

+
+ + +

Review and update the current risk assessment:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a risk assessment policy is developed and documented;

+ +
+ + +

the risk assessment policy is disseminated to ;

+ +
+ + +

risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;

+ +
+ + +

the risk assessment procedures are disseminated to ;

+ +
+ + + + + + +

the risk assessment policy addresses purpose;

+ +
+ + +

the risk assessment policy addresses scope;

+ +
+ + +

the risk assessment policy addresses roles;

+ +
+ + +

the risk assessment policy addresses responsibilities;

+ +
+ + +

the risk assessment policy addresses management commitment;

+ +
+ + +

the risk assessment policy addresses coordination among organizational entities;

+ +
+ + +

the risk assessment policy addresses compliance;

+ +
+ +
+ + +

the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;

+ +
+ + + + + + +

the current risk assessment policy is reviewed and updated ;

+ +
+ + +

the current risk assessment policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current risk assessment procedures are reviewed and updated ;

+ +
+ + +

the current risk assessment procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Risk assessment policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+
+ + Security Categorization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Categorize the system and information it processes, stores, and transmits;

+
+ + +

Document the security categorization results, including supporting rationale, in the security plan for the system; and

+
+ + +

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ +

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

+

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

+

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

+
+ + + + +

the system and the information it processes, stores, and transmits are categorized;

+ +
+ + +

the security categorization results, including supporting rationale, are documented in the security plan for the system;

+ +
+ + +

the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+ +
+ +
+ + + + +

Risk assessment policy

+

security planning policy and procedures

+

procedures addressing security categorization of organizational information and systems

+

security categorization documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security categorization and risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for security categorization

+
+
+
+ + Risk Assessment + + + +

security assessment report

+
+
+ + + + + +

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

+
+ + + + + +

at least annually and whenever a significant change occurs

+
+
+ +

the frequency to review risk assessment results is defined;

+
+ + + + +

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

+
+ + + + + +

annually

+
+
+ +

the frequency to update the risk assessment is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Conduct a risk assessment, including:

+ + +

Identifying threats to and vulnerabilities in the system;

+
+ + +

Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

+
+ + +

Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+
+
+ + +

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

+
+ + +

Document risk assessment results in ;

+
+ + +

Review risk assessment results ;

+
+ + +

Disseminate risk assessment results to ; and

+
+ + +

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+
+ + RA-3 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+ + +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+ +

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

+

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

+

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

+
+ + + + + + +

a risk assessment is conducted to identify threats to and vulnerabilities in the system;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+ +
+ +
+ + +

risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;

+ +
+ + +

risk assessment results are documented in ;

+ +
+ + +

risk assessment results are reviewed ;

+ +
+ + +

risk assessment results are disseminated to ;

+ +
+ + +

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+ +
+ +
+ + + + +

Risk assessment policy

+

risk assessment procedures

+

security and privacy planning policy and procedures

+

procedures addressing organizational assessments of risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment

+
+
+ + Supply Chain Risk Assessment + + + +

systems, system components, and system services to assess supply chain risks are defined;

+
+ + + + +

the frequency at which to update the supply chain risk assessment is defined;

+
+ + + + + + + + + + + + + + + +

Assess supply chain risks associated with ; and

+
+ + +

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+
+
+ +

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

+
+ + + + +

supply chain risks associated with are assessed;

+ +
+ + +

the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

inventory of critical systems, system components, and system services

+

risk assessment policy

+

security planning policy and procedures

+

procedures addressing organizational assessments of supply chain risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

acquisition policy

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment

+
+
+
+
+ + Vulnerability Monitoring and Scanning + + + + +

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

+
+
+ + + + +

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

+
+ + + + +

frequency for scanning systems and hosted applications for vulnerabilities is defined;

+
+ + + + + +

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

+
+
+ +

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

+
+ + + + +

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

+
+ + +

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + +

Enumerating platforms, software flaws, and improper configurations;

+
+ + +

Formatting checklists and test procedures; and

+
+ + +

Measuring vulnerability impact;

+
+
+ + +

Analyze vulnerability scan reports and results from vulnerability monitoring;

+
+ + +

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+
+ + +

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

+
+ + +

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

+
+ + +

an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + +

If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

+
+ + +

to include all Authorizing Officials; for JAB authorizations to include FedRAMP

+
+ + +

Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

+

Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

+

Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

+
+
+
+ +

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

+

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

+

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

+

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

+
+ + + + + + +

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ + +

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;

+ + +

vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;

+ +
+ +
+ + +

vulnerability scan reports and results from vulnerability monitoring are analyzed;

+ +
+ + +

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

+ +
+ + +

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

+ +
+ + +

vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.

+ +
+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with vulnerability remediation responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

+

mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

+
+
+ + Update Vulnerabilities to Be Scanned + + + +

within 24 hours prior to running scans

+
+
+ + + + + +

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

+
+ + + + + + + + + +

Update the system vulnerabilities to be scanned .

+
+ +

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

+
+ + +

the system vulnerabilities to be scanned are updated .

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Breadth and Depth of Coverage + + + + + + + +

Define the breadth and depth of vulnerability scanning coverage.

+
+ +

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.

+
+ + +

the breadth and depth of vulnerability scanning coverage are defined.

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Discoverable Information + + + + +

notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions

+
+
+ +

corrective actions to be taken if information about the system is discoverable are defined;

+
+ + + + + + + + + + +

Determine information about the system that is discoverable and take .

+
+ +

Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.

+
+ + + + +

information about the system is discoverable;

+ +
+ + +

+ are taken when information about the system is confirmed as discoverable.

+ +
+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

penetration test results

+

vulnerability scanning results

+

risk assessment report

+

records of corrective actions taken

+

incident response records

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning and/or penetration testing responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel responsible for risk response

+

organizational personnel responsible for incident management and response

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

organizational processes for risk response

+

organizational processes for incident management and response

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms supporting and/or implementing risk response

+

mechanisms supporting and/or implementing incident management and response

+
+
+
+ + Privileged Access + + + + +

all components that support authentication

+
+
+ +

system components to which privileged access is authorized for selected vulnerability scanning activities are defined;

+
+ + + + + +

all scans

+
+
+ +

vulnerability scanning activities selected for privileged access authorization to system components are defined;

+
+ + + + + + + + +

Implement privileged access authorization to for .

+
+ +

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

+
+ + +

privileged access authorization is implemented to for .

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

system design documentation

+

system configuration settings and associated documentation

+

list of system components for vulnerability scanning

+

personnel access authorization list

+

authorization credentials

+

access authorization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

system/network administrators

+

organizational personnel responsible for access control to the system

+

organizational personnel responsible for configuration management of the system

+

system developers

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

organizational processes for access control

+

mechanisms supporting and/or implementing access control

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Review Historic Audit Logs + + + +

a system whose historic audit logs are to be reviewed is defined;

+
+ + + + +

a time period for a potential previous exploit of a system is defined;

+
+ + + + + + + + + + +

Review historic audit logs to determine if a vulnerability identified in a has been previously exploited within an .

+ + RA-5(8) Additional FedRAMP Requirement + + +

This enhancement is required for all high (or critical) vulnerability scan findings.

+
+
+
+ +

Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.

+
+ + +

historic audit logs are reviewed to determine if a vulnerability identified in a has been previously exploited within .

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

audit logs

+

records of audit log reviews

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with audit record review responsibilities

+

system/network administrators

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

organizational process for audit record review and response

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms supporting and/or implementing audit record review

+
+
+
+ + Public Disclosure Program + + + + + + + +

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

+
+ +

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

+
+ + +

a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

vulnerability scanning tools and techniques documentation

+

vulnerability scanning results

+

vulnerability management records

+

audit records

+

public reporting channel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms implementing the public reporting of vulnerabilities

+
+
+
+
+ + Risk Response + + + + + + + + + + + + + + + + + + + +

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

+
+ +

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

+
+ + + + +

findings from security assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from privacy assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from monitoring are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from audits are responded to in accordance with organizational risk tolerance.

+ +
+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

audit records/event logs

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

system/network administrators

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+ + Criticality Analysis + + + +

systems, system components, or system services to be analyzed for criticality are defined;

+
+ + + + +

decision points in the system development life cycle when a criticality analysis is to be performed are defined;

+
+ + + + + + + + + + + + + + + + + + +

Identify critical system components and functions by performing a criticality analysis for at .

+
+ +

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

+

The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.

+

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

+
+ + +

critical system components and functions are identified by performing a criticality analysis for at .

+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

criticality analysis/finalized criticality for each component/subcomponent

+

audit records/event logs

+

analysis reports

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

organizational personnel with criticality analysis responsibilities

+

system/network administrators

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+
+ + System and Services Acquisition + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and services acquisition policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and services acquisition policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

+
+ + +

Review and update the current system and services acquisition:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and services acquisition policy is developed and documented;

+ +
+ + +

the system and services acquisition policy is disseminated to ;

+ +
+ + +

system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;

+ +
+ + +

the system and services acquisition procedures are disseminated to ;

+ +
+ + + + + + +

the system and services acquisition policy addresses purpose;

+ +
+ + +

the system and services acquisition policy addresses scope;

+ +
+ + +

the system and services acquisition policy addresses roles;

+ +
+ + +

the system and services acquisition policy addresses responsibilities;

+ +
+ + +

the system and services acquisition policy addresses management commitment;

+ +
+ + +

the system and services acquisition policy addresses coordination among organizational entities;

+ +
+ + +

the system and services acquisition policy addresses compliance;

+ +
+ +
+ + +

the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;

+ +
+ + + + + + +

the system and services acquisition policy is reviewed and updated ;

+ +
+ + +

the current system and services acquisition policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and services acquisition procedures are reviewed and updated ;

+ +
+ + +

the current system and services acquisition procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+
+ + Allocation of Resources + + + + + + + + + + + + + + + + + +

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

+
+ + +

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

+
+ + +

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

+
+
+ +

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

+
+ + + + + + +

the high-level information security requirements for the system or system service are determined in mission and business process planning;

+ +
+ + +

the high-level privacy requirements for the system or system service are determined in mission and business process planning;

+ +
+ +
+ + + + +

the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;

+ +
+ + +

the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;

+ +
+ +
+ + + + +

a discrete line item for information security is established in organizational programming and budgeting documentation;

+ +
+ + +

a discrete line item for privacy is established in organizational programming and budgeting documentation.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

system and services acquisition strategy and plans

+

procedures addressing the allocation of resources to information security and privacy requirements

+

procedures addressing capital planning and investment control

+

organizational programming and budgeting documentation

+

system security plan

+

privacy plan

+

supply chain risk management policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining information security and privacy requirements

+

organizational processes for capital planning, programming, and budgeting

+

mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

+
+
+
+ + System Development Life Cycle + + + +

system development life cycle is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

+
+ + +

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

+
+ + +

Identify individuals having information security and privacy roles and responsibilities; and

+
+ + +

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

+
+
+ +

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

+

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

+
+ + + + + + +

the system is acquired, developed, and managed using that incorporates information security considerations;

+ +
+ + +

the system is acquired, developed, and managed using that incorporates privacy considerations;

+ +
+ +
+ + + + +

information security roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ + +

privacy roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ +
+ + + + +

individuals with information security roles and responsibilities are identified;

+ +
+ + +

individuals with privacy roles and responsibilities are identified;

+ +
+ +
+ + + + +

organizational information security risk management processes are integrated into system development life cycle activities;

+ +
+ + +

organizational privacy risk management processes are integrated into system development life cycle activities.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process

+

system development life cycle documentation

+

organizational risk management strategy

+

information security and privacy risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy program plan

+

enterprise architecture documentation

+

role-based security and privacy training program documentation

+

data mapping documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

organizational personnel with system life cycle development responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle

+

organizational processes for identifying system development life cycle roles and responsibilities

+

organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle

+

mechanisms supporting and/or implementing the system development life cycle

+
+
+
+ + Acquisition Process + + + + + + +

contract language is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

+ + +

Security and privacy functional requirements;

+
+ + +

Strength of mechanism requirements;

+
+ + +

Security and privacy assurance requirements;

+
+ + +

Controls needed to satisfy the security and privacy requirements.

+
+ + +

Security and privacy documentation requirements;

+
+ + +

Requirements for protecting security and privacy documentation;

+
+ + +

Description of the system development environment and environment in which the system is intended to operate;

+
+ + +

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

+
+ + +

Acceptance criteria.

+
+ + SA-4 Additional FedRAMP Requirements and Guidance + + +

The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

+
+ + +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

+

See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

+
+
+
+ +

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

+

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

+

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

+
+ + + + + + +

security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ +
+ + +

acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process

+

configuration management plan

+

acquisition contracts for the system, system component, or system service

+

system design documentation

+

system security plan

+

supply chain risk management plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining system security and privacy functional, strength, and assurance requirements

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts

+
+
+ + Functional Properties of Controls + + + + + + + +

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

+
+ +

Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

+
+ + +

the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.

+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the system, system component, or system services

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for determining system security functional requirements

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts

+
+
+
+ + Design and Implementation Information for Controls + + + +

at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

+

organization-defined design/implementation information

+
+
+ + + + + +

design and implementation information is defined (if selected);

+
+ + + + +

level of detail is defined;

+
+ + + + + + + + +

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

+
+ +

Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.

+
+ + +

the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using at .

+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the system, system components, or system services

+

design and implementation information for controls employed in the system, system component, or system service

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility to determine system security requirements

+

system developers or service provider

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for determining the level of detail for system design and controls

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing the development of system design details

+
+
+
+ + System, Component, and Service Configurations + + + + +

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

+
+
+ +

security configurations for the system, component, or service are defined;

+
+ + + + + + + + +

Require the developer of the system, system component, or system service to:

+ + +

Deliver the system, component, or service with implemented; and

+
+ + +

Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

+
+
+ +

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.

+
+ + + + +

the developer of the system, system component, or system service is required to deliver the system, component, or service with implemented;

+ +
+ + +

the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

security configurations to be implemented by the developer of the system, system component, or system service

+

service level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility to determine system security requirements

+

system developers or service provider

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified

+
+
+
+ + Functions, Ports, Protocols, and Services in Use + + + + + + + + + +

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

+
+ +

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

+
+ + + + +

the developer of the system, system component, or system service is required to identify the functions intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the ports intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the services intended for organizational use.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

system design documentation

+

system documentation, including functions, ports, protocols, and services intended for organizational use

+

acquisition contracts for systems or services

+

acquisition documentation

+

solicitation documentation

+

service level agreements

+

organizational security requirements, descriptions, and criteria for developers of systems, system components, and system services

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility for determining system security requirements

+

system/network administrators

+

organizational personnel operating, using, and/or maintaining the system

+

system developers

+

organizational personnel with information security responsibilities

+
+
+
+ + Use of Approved PIV Products + + + + + + + + + + +

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

+
+ +

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.

+
+ + +

only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.

+ +
+ + + + +

Supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documentation

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

service level agreements

+

FIPS 201 approved products list

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility for determining system security requirements

+

organizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for selecting and employing FIPS 201-approved products

+
+
+
+
+ + System Documentation + + + +

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

+
+ + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles to distribute system documentation to is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Obtain or develop administrator documentation for the system, system component, or system service that describes:

+ + +

Secure configuration, installation, and operation of the system, component, or service;

+
+ + +

Effective use and maintenance of security and privacy functions and mechanisms; and

+
+ + +

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

+
+
+ + +

Obtain or develop user documentation for the system, system component, or system service that describes:

+ + +

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

+
+ + +

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

+
+ + +

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

+
+
+ + +

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

+
+ + +

Distribute documentation to .

+
+
+ +

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

+
+ + + + + + + + +

administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;

+ +
+ +
+ +
+ + + + + + +

user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;

+ +
+ +
+ +
+ + + + +

attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;

+ +
+ + +

after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;

+ +
+ +
+ + +

documentation is distributed to .

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system documentation

+

system documentation, including administrator and user guides

+

system design documentation

+

records documenting attempts to obtain unavailable or nonexistent system documentation

+

list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation

+

risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system administrators

+

organizational personnel responsible for operating, using, and/or maintaining the system

+

system developers

+
+
+ + + + +

Organizational processes for obtaining, protecting, and distributing system administrator and user documentation

+
+
+
+ + Security and Privacy Engineering Principles + + + + + + +

systems security engineering principles are defined;

+
+ + + + +

privacy engineering principles are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

+
+ +

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

+

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

+

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

+
+ + + + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components;

+ +
+ + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

assessment and authorization procedures

+

procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system

+

system design documentation

+

security and privacy requirements and specifications for the system

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with system specification, design, development, implementation, and modification responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification

+

mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification

+
+
+
+ + External System Services + + + + +

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

+
+
+ +

controls to be employed by external system service providers are defined;

+
+ + + + + +

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

+
+
+ +

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

+
+ + +

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

+
+ + +

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

+
+
+ +

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

+
+ + + + + + +

providers of external system services comply with organizational security requirements;

+ +
+ + +

providers of external system services comply with organizational privacy requirements;

+ +
+ + +

providers of external system services employ ;

+ +
+ +
+ + + + +

organizational oversight with regard to external system services are defined and documented;

+ +
+ + +

user roles and responsibilities with regard to external system services are defined and documented;

+ +
+ +
+ + +

+ are employed to monitor control compliance by external service providers on an ongoing basis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing methods and techniques for monitoring control compliance by external service providers of system services

+

acquisition documentation

+

contracts

+

service level agreements

+

interagency agreements

+

licensing agreements

+

list of organizational security and privacy requirements for external provider services

+

control assessment results or reports from external providers of system services

+

system security plan

+

privacy plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

external providers of system services

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis

+

mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis

+
+
+ + Risk Assessments and Organizational Approvals + + + +

personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;

+
+ + + + + + + + + + + + + +

Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and

+
+ + +

Verify that the acquisition or outsourcing of dedicated information security services is approved by .

+
+
+ +

Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.

+
+ + + + +

an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;

+ +
+ + +

+ approve the acquisition or outsourcing of dedicated information security services.

+ +
+ +
+ + + + +

System and services acquisition policy

+

supply chain risk management policy and procedures

+

procedures addressing external system services

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

risk assessment reports

+

approval records for the acquisition or outsourcing of dedicated security services

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with system security responsibilities

+

external providers of system services

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services

+

organizational processes for approving the outsourcing of dedicated security services

+

mechanisms supporting and/or implementing risk assessment

+

mechanisms supporting and/or implementing approval processes

+
+
+
+ + Identification of Functions, Ports, Protocols, and Services + + + + +

all external systems where Federal information is processed or stored

+
+
+ +

external system services that require the identification of functions, ports, protocols, and other services are defined;

+
+ + + + + + + + + + +

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

+
+ +

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

+
+ + +

providers of are required to identify the functions, ports, protocols, and other services required for the use of such services.

+ +
+ + + + +

System and services acquisition policy

+

supply chain risk management policy and procedures

+

procedures addressing external system services

+

acquisition contracts for the system, system component, or system service

+

acquisition documentation

+

solicitation documentation

+

service level agreements

+

organizational security requirements and security specifications for external service providers

+

list of required functions, ports, protocols, and other services

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

external providers of system services

+
+
+
+ + Processing, Storage, and Service Location + + + +

information processing, information or data, AND system services

+
+
+ + + + + + +

U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction

+
+
+ +

locations where is/are to be restricted are defined;

+
+ + + + + +

all High impact data, systems, or services

+
+
+ +

requirements or conditions for restricting the location of are defined;

+
+ + + + + + + + + + +

Restrict the location of to based on .

+
+ +

The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.

+
+ + +

based on , is/are restricted to .

+ +
+ + + + +

System and services acquisition policy

+

procedures addressing external system services

+

acquisition contracts for the system, system component, or system service

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

restricted locations for information processing

+

information/data and/or system services

+

information processing, information/data, and/or system services to be maintained in restricted locations

+

organizational security requirements or conditions for external providers

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

external providers of system services

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services

+

organizational processes for ensuring the location is restricted in accordance with requirements or conditions

+
+
+
+
+ + Developer Configuration Management + + + +

development, implementation, AND operation

+
+
+ + + + + +

configuration items under configuration management are defined;

+
+ + + + +

personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service to:

+ + +

Perform configuration management during system, component, or service ;

+
+ + +

Document, manage, and control the integrity of changes to ;

+
+ + +

Implement only organization-approved changes to the system, component, or service;

+
+ + +

Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

+
+ + +

Track security flaws and flaw resolution within the system, component, or service and report findings to .

+
+ + SA-10 Additional FedRAMP Requirements and Guidance + + +

track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

+
+
+
+ +

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

+

The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

+
+ + + + +

the developer of the system, system component, or system service is required to perform configuration management during system, component, or service ;

+ +
+ + + + +

the developer of the system, system component, or system service is required to document the integrity of changes to ;

+ +
+ + +

the developer of the system, system component, or system service is required to manage the integrity of changes to ;

+ +
+ + +

the developer of the system, system component, or system service is required to control the integrity of changes to ;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;

+ +
+ + + + +

the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;

+ +
+ + +

the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to report findings to .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing system developer configuration management

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer configuration management plan

+

security flaw and flaw resolution tracking records

+

system change authorization records

+

change control records

+

configuration management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with configuration management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer configuration management

+

mechanisms supporting and/or implementing the monitoring of developer configuration management

+
+
+
+ + Developer Testing and Evaluation + + + + + + +

frequency at which to conduct testing/evaluation is defined;

+
+ + + + +

depth and coverage of testing/evaluation is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

+ + +

Develop and implement a plan for ongoing security and privacy control assessments;

+
+ + +

Perform testing/evaluation at ;

+
+ + +

Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

+
+ + +

Implement a verifiable flaw remediation process; and

+
+ + +

Correct flaws identified during testing and evaluation.

+
+
+ +

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.

+

Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

+
+ + + + + + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at ;

+ +
+ + + + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system developer security and privacy testing

+

procedures addressing flaw remediation

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

security and privacy architecture

+

system design documentation

+

system developer security and privacy assessment plans

+

results of developer security and privacy assessments for the system, system component, or system service

+

security and privacy flaw and remediation tracking records

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with developer security and privacy testing responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation

+
+
+ + Static Code Analysis + + + + + + + +

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

+ + SA-11(1) Additional FedRAMP Requirements + + +

The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

+

If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

+
+
+
+ +

Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.

+
+ + + + +

the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;

+ +
+ + +

the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system developer security testing

+

procedures addressing flaw remediation

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

security and privacy architecture

+

system design documentation

+

system developer security and privacy assessment plans

+

results of system developer security and privacy assessments

+

security flaw and remediation tracking records

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with developer security and privacy testing responsibilities

+

organizational personnel with configuration management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

+

static code analysis tools

+
+
+
+ + Threat Modeling and Vulnerability Analyses + + + + + + + + + +

information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;

+
+ + + + +

the tools and methods to be employed for threat modeling and vulnerability analyses are defined;

+
+ + + + +

the breadth and depth of threat modeling to be conducted is defined;

+
+ + + + +

the breadth and depth of vulnerability analyses to be conducted is defined;

+
+ + + + +

acceptance criteria to be met by produced evidence for threat modeling are defined;

+
+ + + + +

acceptance criteria to be met by produced evidence for vulnerability analyses are defined;

+
+ + + + + + + + + + + +

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:

+ + +

Uses the following contextual information: ;

+
+ + +

Employs the following tools and methods: ;

+
+ + +

Conducts the modeling and analyses at the following level of rigor: ; and

+
+ + +

Produces evidence that meets the following acceptance criteria: .

+
+
+ +

Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated.

+
+ + + + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling at during development of the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing system developer security testing

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer security test plans

+

records of developer security testing results for the system, system component, or system service

+

vulnerability scanning results

+

system risk assessment reports

+

threat and vulnerability analysis reports

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with developer security testing responsibilities

+

system developers

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

+
+
+
+
+ + Development Process, Standards, and Tools + + + + + + + +

frequency as before first use and annually thereafter

+
+
+ +

frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;

+
+ + + + + +

FedRAMP Security Authorization requirements

+
+
+ +

security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
+ + + + +

privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service to follow a documented development process that:

+ + +

Explicitly addresses security and privacy requirements;

+
+ + +

Identifies the standards and tools used in the development process;

+
+ + +

Documents the specific tool options and tool configurations used in the development process; and

+
+ + +

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

+
+
+ + +

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

+
+
+ +

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

+
+ + + + + + + + +

the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy ;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing development process, standards, and tools

+

procedures addressing the integration of security and privacy requirements during the development process

+

solicitation documentation

+

acquisition documentation

+

critical component inventory documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer documentation listing tool options/configuration guides

+

configuration management policy

+

configuration management records

+

documentation of development process reviews using maturity models

+

change control records

+

configuration control records

+

documented reviews of the development process, standards, tools, and tool options/configurations

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developer

+
+
+ + Criticality Analysis + + + + + + +

decision points in the system development life cycle are defined;

+
+ + + + +

the breadth of criticality analysis is defined;

+
+ + + + +

the depth of criticality analysis is defined;

+
+ + + + + + + + + +

Require the developer of the system, system component, or system service to perform a criticality analysis:

+ + +

At the following decision points in the system development life cycle: ; and

+
+ + +

At the following level of rigor: .

+
+
+ +

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

+
+ + + + +

the developer of the system, system component, or system service is required to perform a criticality analysis at in the system development life cycle;

+ +
+ + + + +

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: .

+ +
+ +
+ +
+ + + + +

Supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing development process, standards, and tools

+

procedures addressing criticality analysis requirements for the system, system component, or system service

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

criticality analysis documentation

+

business impact analysis documentation

+

software development life cycle documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for performing criticality analysis

+

system developer

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for performing criticality analysis

+

mechanisms supporting and/or implementing criticality analysis

+
+
+
+
+ + Developer-provided Training + + + +

training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined;

+
+ + + + + + + + + + + + +

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: .

+
+ +

Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

+
+ + +

the developer of the system, system component, or system service is required to provide on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.

+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing developer-provided training

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

organizational security and privacy training policy

+

developer-provided training materials

+

training records

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developer

+

external or internal (in-house) developers with training responsibilities for the system, system component, or information system service

+
+
+
+ + Developer Security and Privacy Architecture and Design + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:

+ + +

Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;

+
+ + +

Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and

+
+ + +

Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.

+
+
+ +

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3 , and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

+
+ + + + + + +

the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;

+ +
+ + +

the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;

+ +
+ + +

the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;

+ +
+ + +

the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

enterprise architecture policy

+

enterprise architecture documentation

+

procedures addressing developer security and privacy architecture and design specifications for the system

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system design documentation

+

information system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developer

+
+
+
+ + Developer Screening + + + +

the system, systems component, or system service that the developer has access to is/are defined;

+
+ + + + +

official government duties assigned to the developer are defined;

+
+ + + + +

additional personnel screening criteria for the developer are defined;

+
+ + + + + + + + + + + + + +

Require that the developer of :

+ + +

Has appropriate access authorizations as determined by assigned ; and

+
+ + +

Satisfies the following additional personnel screening criteria: .

+
+
+ +

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3 . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

+
+ + + + +

the developer of is required to have appropriate access authorizations as determined by assigned ;

+ +
+ + +

the developer of is required to satisfy .

+ +
+ +
+ + + + +

System and services acquisition policy

+

personnel security policy and procedures

+

procedures addressing personnel screening

+

system design documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for developer services

+

system configuration settings and associated documentation

+

list of appropriate access authorizations required by the developers of the system

+

personnel screening criteria and associated documentation

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for developer screening

+
+
+ + + + +

Organizational processes for developer screening

+

mechanisms supporting developer screening

+
+
+
+ + Unsupported System Components + + + + + + +

support from external providers is defined (if selected);

+
+ + + + + + + + + + + +

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

+
+ + +

Provide the following options for alternative sources for continued support for unsupported components .

+
+
+ +

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

+

Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.

+
+ + + + +

system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;

+ +
+ + +

+ provide options for alternative sources for continued support for unsupported components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the replacement or continued use of unsupported system components

+

documented evidence of replacing unsupported system components

+

documented approvals (including justification) for the continued use of unsupported system components

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with the responsibility for the system development life cycle

+

organizational personnel responsible for component replacement

+
+
+ + + + +

Organizational processes for replacing unsupported system components

+

mechanisms supporting and/or implementing the replacement of unsupported system components

+
+
+
+
+ + System and Communications Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and communications protection policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and communications protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and communications protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and communications protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

+
+ + +

Review and update the current system and communications protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and communications protection policy is developed and documented;

+ +
+ + +

the system and communications protection policy is disseminated to ;

+ +
+ + +

system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;

+ +
+ + +

the system and communications protection procedures are disseminated to ;

+ +
+ + + + + + +

the system and communications protection policy addresses purpose;

+ +
+ + +

the system and communications protection policy addresses scope;

+ +
+ + +

the system and communications protection policy addresses roles;

+ +
+ + +

the system and communications protection policy addresses responsibilities;

+ +
+ + +

the system and communications protection policy addresses management commitment;

+ +
+ + +

the system and communications protection policy addresses coordination among organizational entities;

+ +
+ + +

the system and communications protection policy addresses compliance;

+ +
+ +
+ + +

the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;

+ +
+ + + + + + +

the current system and communications protection policy is reviewed and updated ;

+ +
+ + +

the current system and communications protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and communications protection procedures are reviewed and updated ;

+ +
+ + +

the current system and communications protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

system and communications protection procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and communications protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Separation of System and User Functionality + + + + + + + + + + + + + + +

Separate user functionality, including user interface services, from system management functionality.

+
+ +

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

+
+ + +

user functionality, including user interface services, is separated from system management functionality.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing application partitioning

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Separation of user functionality from system management functionality

+
+
+
+ + Security Function Isolation + + + + + + + + + + + + + + + + + + + + + +

Isolate security functions from nonsecurity functions.

+
+ +

Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

+
+ + +

security functions are isolated from non-security functions.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing security function isolation

+

list of security functions to be isolated from non-security functions

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Separation of security functions from non-security functions within the system

+
+
+
+ + Information in Shared System Resources + + + + + + + + +

Prevent unauthorized and unintended information transfer via shared system resources.

+
+ +

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

+
+ + + + +

unauthorized information transfer via shared system resources is prevented;

+ +
+ + +

unintended information transfer via shared system resources is prevented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing information protection in shared system resources

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources

+
+
+
+ + Denial-of-service Protection + + + + +

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

+
+
+ +

types of denial-of-service events to be protected against or limited are defined;

+
+ + + + +

Protect against

+
+
+ + + + + +

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

+
+ + + + + + + + + + + + + + +

+ the effects of the following types of denial-of-service events: ; and

+
+ + +

Employ the following controls to achieve the denial-of-service objective: .

+
+
+ +

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

+
+ + + + +

the effects of are ;

+ +
+ + +

+ are employed to achieve the denial-of-service protection objective.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing denial-of-service protection

+

system design documentation

+

list of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks

+

list of security safeguards protecting against or limiting the effects of denial-of-service attacks

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+

system developer

+
+
+ + + + +

Mechanisms protecting against or limiting the effects of denial-of-service attacks

+
+
+
+ + Boundary Protection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

+
+ + +

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

+
+ + +

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+
+ + SC-7 Additional FedRAMP Requirements and Guidance + + +

SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

+
+
+
+ +

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

+
+ + + + + + +

communications at external managed interfaces to the system are monitored;

+ +
+ + +

communications at external managed interfaces to the system are controlled;

+ +
+ + +

communications at key internal managed interfaces within the system are monitored;

+ +
+ + +

communications at key internal managed interfaces within the system are controlled;

+ +
+ +
+ + +

subnetworks for publicly accessible system components are separated from internal organizational networks;

+ +
+ + +

external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

list of key internal boundaries of the system

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

enterprise security architecture documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+
+
+ + Access Points + + + + + + +

Limit the number of external network connections to the system.

+
+ +

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

+
+ + +

the number of external network connections to the system is limited.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

boundary protection hardware and software

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

communications and network traffic monitoring logs

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+

mechanisms limiting the number of external network connections to the system

+
+
+
+ + External Telecommunications Services + + + + +

at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions

+
+
+ +

the frequency at which to review exceptions to traffic flow policy is defined;

+
+ + + + + + + + + + + + + + +

Implement a managed interface for each external telecommunication service;

+
+ + +

Establish a traffic flow policy for each managed interface;

+
+ + +

Protect the confidentiality and integrity of the information being transmitted across each interface;

+
+ + +

Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

+
+ + +

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

+
+ + +

Prevent unauthorized exchange of control plane traffic with external networks;

+
+ + +

Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

+
+ + +

Filter unauthorized control plane traffic from external networks.

+
+
+ +

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

+
+ + + + +

a managed interface is implemented for each external telecommunication service;

+ +
+ + +

a traffic flow policy is established for each managed interface;

+ +
+ + + + +

the confidentiality of the information being transmitted across each interface is protected;

+ +
+ + +

the integrity of the information being transmitted across each interface is protected;

+ +
+ +
+ + +

each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;

+ +
+ + + + +

exceptions to the traffic flow policy are reviewed ;

+ +
+ + +

exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;

+ +
+ +
+ + +

unauthorized exchanges of control plan traffic with external networks are prevented;

+ +
+ + +

information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;

+ +
+ + +

unauthorized control plane traffic is filtered from external networks.

+ +
+ +
+ + + + +

System and communications protection policy

+

traffic flow policy

+

information flow control policy

+

procedures addressing boundary protection

+

system security architecture

+

system design documentation

+

boundary protection hardware and software

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

records of traffic flow policy exceptions

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Organizational processes for documenting and reviewing exceptions to the traffic flow policy

+

organizational processes for removing exceptions to the traffic flow policy

+

mechanisms implementing boundary protection capabilities

+

managed interfaces implementing traffic flow policy

+
+
+
+ + Deny by Default — Allow by Exception + + + +

any systems

+
+
+ + + + + +

systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected).

+
+ + + + + + + +

Deny network communications traffic by default and allow network communications traffic by exception .

+ + SC-7 (5) Additional FedRAMP Requirements and Guidance + + +

For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

+
+
+
+ +

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

+
+ + + + +

network communications traffic is denied by default ;

+ +
+ + +

network communications traffic is allowed by exception .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing traffic management at managed interfaces

+
+
+
+ + Split Tunneling for Remote Devices + + + +

safeguards to securely provision split tunneling are defined;

+
+ + + + + + + +

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+
+ +

Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control.

+
+ + +

split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+

mechanisms supporting/restricting non-remote connections

+
+
+
+ + Route Traffic to Authenticated Proxy Servers + + + +

internal communications traffic to be routed to external networks is defined;

+
+ + + + + +

any network outside of organizational control and any network outside the authorization boundary

+
+
+ +

external networks to which internal communications traffic is to be routed are defined;

+
+ + + + + + + + +

Route to through authenticated proxy servers at managed interfaces.

+
+ +

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

+
+ + +

+ is routed to through authenticated proxy servers at managed interfaces.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces

+
+
+
+ + Prevent Exfiltration + + + +

the frequency for conducting exfiltration tests is defined;

+
+ + + + + + + + + + + + +

Prevent the exfiltration of information; and

+
+ + +

Conduct exfiltration tests .

+
+
+ +

Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements.

+
+ + + + +

the exfiltration of information is prevented;

+ +
+ + +

exfiltration tests are conducted .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities that prevent the unauthorized exfiltration of information across managed interfaces

+
+
+
+ + Host-based Protection + + + + +

Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

+
+
+ +

host-based boundary protection mechanisms to be implemented are defined;

+
+ + + + +

system components where host-based boundary protection mechanisms are to be implemented are defined;

+
+ + + + + + + +

Implement at .

+
+ +

Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.

+
+ + +

+ are implemented at .

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+

system users

+
+
+ + + + +

Mechanisms implementing host-based boundary protection capabilities

+
+
+
+ + Fail Secure + + + + + + + + + + +

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

+
+ +

Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases.

+
+ + +

systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing secure failure

+
+
+
+ + Dynamic Isolation and Segregation + + + +

system components to be dynamically isolated from other system components are defined;

+
+ + + + + + + +

Provide the capability to dynamically isolate from other system components.

+
+ +

The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur.

+
+ + +

the capability to dynamically isolate from other system components is provided.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

system architecture

+

system configuration settings and associated documentation

+

list of system components to be dynamically isolated/segregated from other components of the system

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the capability to dynamically isolate/segregate system components

+
+
+
+ + Isolation of System Components + + + +

system components to be isolated by boundary protection mechanisms are defined;

+
+ + + + +

missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;

+
+ + + + + + + + + + +

Employ boundary protection mechanisms to isolate supporting .

+
+ +

Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys.

+
+ + +

boundary protection mechanisms are employed to isolate supporting .

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

enterprise architecture documentation

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the capability to separate system components supporting organizational missions and/or business functions

+
+
+
+
+ + Transmission Confidentiality and Integrity + + + +

confidentiality AND integrity

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of transmitted information.

+ + SC-8 Additional FedRAMP Requirements and Guidance + + +

For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

+

+

For clarity, this control applies to all data in transit. Examples include the following data flows:

+
    +
  • Crossing the system boundary
  • +
  • Between compute instances - including containers
  • +
  • From a compute instance to storage
  • +
  • Replication between availability zones
  • +
  • Transmission of backups to storage
  • +
  • From a load balancer to a compute instance
  • +
  • Flows from management tools required for their work – e.g. log collection, scanning, etc.
  • +
+

+

The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

+

FedRAMP-Defined Assignment / Selection Parameters

+

SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

+

SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

+
+ + +

SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

+

+

Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

+

+

Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

+

+

Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

+

+

CNSSI No.7003 can be accessed here:

+

https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

+

+

DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

+

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

+
+
+
+ +

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

+

Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

+
+ + +

the of transmitted information is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+
+
+ + Cryptographic Protection + + + +

prevent unauthorized disclosure of information AND detect changes to information

+
+
+ + + + + + + + + + +

Implement cryptographic mechanisms to during transmission.

+ + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

+
+ + +

See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

+

SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

+
+ + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+ + +

When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+
+
+ +

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

+
+ + +

cryptographic mechanisms are implemented to during transmission.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+

mechanisms supporting and/or implementing alternative physical safeguards

+

organizational processes for defining and implementing alternative physical safeguards

+
+
+
+
+ + Network Disconnect + + + + +

no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

+
+
+ +

a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;

+
+ + + + + + + + +

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

+
+ +

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

+
+ + +

the network connection associated with a communication session is terminated at the end of the session or after of inactivity.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing network disconnect

+

system design documentation

+

security plan

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing a network disconnect capability

+
+
+
+ + Cryptographic Key Establishment and Management + + + + +

In accordance with Federal requirements

+
+
+ +

requirements for key generation, distribution, storage, access, and destruction are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

+ + SC-12 Additional FedRAMP Requirements and Guidance + + +

See references in NIST 800-53 documentation.

+
+ + +

Must meet applicable Federal Cryptographic Requirements. See References Section of control.

+
+ + +

Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

+
+
+
+ +

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

+
+ + + + +

cryptographic keys are established when cryptography is employed within the system in accordance with ;

+ +
+ + +

cryptographic keys are managed when cryptography is employed within the system in accordance with .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic key establishment and management

+

system design documentation

+

cryptographic mechanisms

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment and/or management

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic key establishment and management

+
+
+ + Availability + + + + + + + +

Maintain availability of information in the event of the loss of cryptographic keys by users.

+
+ +

Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key.

+
+ + +

information availability is maintained in the event of the loss of cryptographic keys by users.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic key establishment, management, and recovery

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment or management

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic key establishment and management

+
+
+
+
+ + Cryptographic Protection + + + +

cryptographic uses are defined;

+
+ + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

types of cryptography for each specified cryptographic use are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine the ; and

+
+ + +

Implement the following types of cryptography required for each specified cryptographic use: .

+
+ + SC-13 Additional FedRAMP Requirements and Guidance + + +

This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

+
    +
  • Encryption of data
  • +
  • Decryption of data
  • +
  • Generation of one time passwords (OTPs) for MFA
  • +
  • Protocols such as TLS, SSH, and HTTPS
  • +
+

+

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

+

https://csrc.nist.gov/projects/cryptographic-module-validation-program

+
+ + +

For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

+

https://www.niap-ccevs.org/Product/index.cfm

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Moving to non-FIPS CM or product is acceptable when:

+
    +
  • FIPS validated version has a known vulnerability
  • +
  • Feature with vulnerability is in use
  • +
  • Non-FIPS version fixes the vulnerability
  • +
  • Non-FIPS version is submitted to NIST for FIPS validation
  • +
  • POA&M is added to track approval, and deployment when ready
  • +
+
+ + +

At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

+
+
+
+ +

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + +

+ are identified;

+ +
+ + +

+ for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic protection

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic module validation certificates

+

list of FIPS-validated cryptographic modules

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for cryptographic protection

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection

+
+
+
+ + Collaborative Computing Devices and Applications + + + + +

no exceptions for computing devices

+
+
+ +

exceptions where remote activation is to be allowed are defined;

+
+ + + + + + + + + + +

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

+
+ + +

Provide an explicit indication of use to users physically present at the devices.

+
+ + SC-15 Additional FedRAMP Requirements and Guidance + + +

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

+
+
+
+ +

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

+
+ + + + +

remote activation of collaborative computing devices and applications is prohibited except ;

+ +
+ + +

an explicit indication of use is provided to users physically present at the devices.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing collaborative computing

+

access control policy and procedures

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for managing collaborative computing devices

+
+
+ + + + +

Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices

+

mechanisms providing an indication of use of collaborative computing devices

+
+
+
+ + Public Key Infrastructure Certificates + + + +

a certificate policy for issuing public key certificates is defined;

+
+ + + + + + + + + + + + + + + + + +

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

+
+ + +

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

+
+
+ +

Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

+
+ + + + +

public key certificates are issued under , or public key certificates are obtained from an approved service provider;

+ +
+ + +

only approved trust anchors are included in trust stores or certificate stores managed by the organization.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing public key infrastructure certificates

+

public key certificate policy or policies

+

public key issuing process

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for issuing public key certificates

+

service providers

+
+
+ + + + +

Mechanisms supporting and/or implementing the management of public key infrastructure certificates

+
+
+
+ + Mobile Code + + + + + + + + + + + + + +

Define acceptable and unacceptable mobile code and mobile code technologies; and

+
+ + +

Authorize, monitor, and control the use of mobile code within the system.

+
+
+ +

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

+
+ + + + + + +

acceptable mobile code is defined;

+ +
+ + +

unacceptable mobile code is defined;

+ +
+ + +

acceptable mobile code technologies are defined;

+ +
+ + +

unacceptable mobile code technologies are defined;

+ +
+ +
+ + + + +

the use of mobile code is authorized within the system;

+ +
+ + +

the use of mobile code is monitored within the system;

+ +
+ + +

the use of mobile code is controlled within the system.

+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing mobile code

+

mobile code implementation policy and procedures

+

list of acceptable mobile code and mobile code technologies

+

list of unacceptable mobile code and mobile technologies

+

authorization records

+

system monitoring records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing mobile code

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling mobile code

+

mechanisms supporting and/or implementing the management of mobile code

+

mechanisms supporting and/or implementing the monitoring of mobile code

+
+
+
+ + Secure Name/Address Resolution Service (Authoritative Source) + + + + + + + + + + + + + + + + +

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

+
+ + +

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

+
+ + SC-20 Additional FedRAMP Requirements and Guidance + + +

Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

+
+ + +

Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

+
+ + +

SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

+
+ + +

External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

+
+ + +

CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

+
+
+
+ +

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

+
+ + + + + + +

additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ + +

integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ +
+ + + + +

the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;

+ +
+ + +

the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.

+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (authoritative source)

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing secure name/address resolution services

+
+
+
+ + Secure Name/Address Resolution Service (Recursive or Caching Resolver) + + + + + + + + +

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+ + SC-21 Additional FedRAMP Requirements and Guidance + + +

Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

+
    +
  • If the reply is signed, and fails DNSSEC, do not use the reply
  • +
  • If the reply is unsigned:
      +
    • CSP chooses the policy to apply
    • +
    +
  • +
+
+ + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+
+ + +

Accepting an unsigned reply is acceptable

+
+ + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+

- DNSSEC resolution to access a component inside the boundary is excluded.

+
+
+
+ +

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

+
+ + + + +

data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (recursive or caching resolver)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

+
+
+
+ + Architecture and Provisioning for Name/Address Resolution Service + + + + + + + + + + +

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

+
+ +

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

+
+ + + + +

the systems that collectively provide name/address resolution services for an organization are fault-tolerant;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement internal role separation;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement external role separation.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing architecture and provisioning for name/address resolution services

+

access control policy and procedures

+

system design documentation

+

assessment results from independent testing organizations

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation

+
+
+
+ + Session Authenticity + + + + + + + + + + + + + +

Protect the authenticity of communications sessions.

+
+ +

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

+
+ + +

the authenticity of communication sessions is protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing session authenticity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing session authenticity

+
+
+
+ + Fail in Known State + + + +

types of system failures for which the system components fail to a known state are defined;

+
+ + + + +

known system state to which system components fail in the event of a system failure is defined;

+
+ + + + +

system state information to be preserved in the event of a system failure is defined;

+
+ + + + + + + + + + + + + + + +

Fail to a for the following failures on the indicated components while preserving in failure: .

+
+ +

Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.

+
+ + +

+ fail to a while preserving in failure.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing system failure to known state

+

system design documentation

+

system configuration settings and associated documentation

+

list of failures requiring system to fail in a known state

+

state information to be preserved in system failure

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing the fail in known state capability

+

mechanisms preserving system state information in the event of a system failure

+
+
+
+ + Protection of Information at Rest + + + +

confidentiality AND integrity

+
+
+ + + + + +

information at rest requiring protection is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of the following information at rest: .

+ + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+
+
+
+ +

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

+
+ + +

the of is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

list of information at rest requiring confidentiality and integrity protections

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

+
+
+ + Cryptographic Protection + + + +

information requiring cryptographic protection is defined;

+
+ + + + + +

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

+
+
+ +

system components or media requiring cryptographic protection is/are defined;

+
+ + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

+ + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+
+
+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

+
+ + + + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

+ +
+ + +

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest

+
+
+
+
+ + Process Isolation + + + + + + + + + + + + + + + +

Maintain a separate execution domain for each executing system process.

+
+ +

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

+
+ + +

a separate execution domain is maintained for each executing system process.

+ +
+ + + + +

System design documentation

+

system architecture

+

independent verification and validation documentation

+

testing and evaluation documentation

+

other relevant documents or records

+
+
+ + + + +

System developers/integrators

+

system security architect

+
+
+ + + + +

Mechanisms supporting and/or implementing separate execution domains for each executing process

+
+
+
+ + System Time Synchronization + + + + + + + + + + +

Synchronize system clocks within and between systems and system components.

+
+ +

Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities.

+
+ + +

system clocks are synchronized within and between systems and system components.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing time synchronization

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+
+
+ + + + +

Mechanisms supporting and/or implementing system time synchronization

+
+
+ + Synchronization with Authoritative Time Source + + + + +

At least hourly

+
+
+ +

the frequency at which to compare the internal system clocks with the authoritative time source is defined;

+
+ + + + + +

http://tf.nist.gov/tf-cgi/servers.cgi

+
+
+ +

the authoritative time source to which internal system clocks are to be compared is defined;

+
+ + + + + +

any difference

+
+
+ +

the time period to compare the internal system clocks with the authoritative time source is defined;

+
+ + + + + + + + + +

Compare the internal system clocks with ; and

+
+ + +

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

+
+ + SC-45(1) Additional FedRAMP Requirements and Guidance + + +

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

+
+ + +

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

+
+ + +

Synchronization of system clocks improves the accuracy of log analysis.

+
+
+
+ +

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

+
+ + + + +

the internal system clocks are compared with ;

+ +
+ + +

the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing time synchronization

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+
+
+ + + + +

Mechanisms supporting and/or implementing system time synchronization

+
+
+
+
+
+ + System and Information Integrity + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and information integrity policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and information integrity policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and information integrity procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and information integrity policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

+
+ + +

Review and update the current system and information integrity:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and information integrity policy is developed and documented;

+ +
+ + +

the system and information integrity policy is disseminated to ;

+ +
+ + +

system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;

+ +
+ + +

the system and information integrity procedures are disseminated to ;

+ +
+ + + + + + +

the system and information integrity policy addresses purpose;

+ +
+ + +

the system and information integrity policy addresses scope;

+ +
+ + +

the system and information integrity policy addresses roles;

+ +
+ + +

the system and information integrity policy addresses responsibilities;

+ +
+ + +

the system and information integrity policy addresses management commitment;

+ +
+ + +

the system and information integrity policy addresses coordination among organizational entities;

+ +
+ + +

the system and information integrity policy addresses compliance;

+ +
+ +
+ + +

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

+ +
+ + + + + + +

the current system and information integrity policy is reviewed and updated ;

+ +
+ + +

the current system and information integrity policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and information integrity procedures are reviewed and updated ;

+ +
+ + +

the current system and information integrity procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and information integrity responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Flaw Remediation + + + + +

within thirty (30) days of release of updates

+
+
+ +

time period within which to install security-relevant software updates after the release of the updates is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify, report, and correct system flaws;

+
+ + +

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + +

Install security-relevant software and firmware updates within of the release of the updates; and

+
+ + +

Incorporate flaw remediation into the organizational configuration management process.

+
+
+ +

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

+

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

+
+ + + + + + +

system flaws are identified;

+ +
+ + +

system flaws are reported;

+ +
+ + +

system flaws are corrected;

+ +
+ +
+ + + + +

software updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

software updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ +
+ + + + +

security-relevant software updates are installed within of the release of the updates;

+ +
+ + +

security-relevant firmware updates are installed within of the release of the updates;

+ +
+ +
+ + +

flaw remediation is incorporated into the organizational configuration management process.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

procedures addressing configuration management

+

list of flaws and vulnerabilities potentially affecting the system

+

list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)

+

test results from the installation of software and firmware updates to correct system flaws

+

installation/change control records for security-relevant software and firmware updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel responsible for installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

organizational process for installing software and firmware updates

+

mechanisms supporting and/or implementing the reporting and correcting of system flaws

+

mechanisms supporting and/or implementing testing software and firmware updates

+
+
+ + Automated Flaw Remediation Status + + + +

automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;

+
+ + + + + + + + + +

Determine if system components have applicable security-relevant software and firmware updates installed using + .

+
+ +

Automated mechanisms can track and determine the status of known flaws for system components.

+
+ + +

system components have applicable security-relevant software and firmware updates installed using .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

automated mechanisms supporting centralized management of flaw remediation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+
+
+ + + + +

Automated mechanisms used to determine the state of system components with regard to flaw remediation

+
+
+
+ + Time to Remediate Flaws and Benchmarks for Corrective Actions + + + +

the benchmarks for taking corrective actions are defined;

+
+ + + + + + + + + +

Measure the time between flaw identification and flaw remediation; and

+
+ + +

Establish the following benchmarks for taking corrective actions: .

+
+
+ +

Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

+
+ + + + +

the time between flaw identification and flaw remediation is measured;

+ +
+ + +

+ for taking corrective actions have been established.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

system design documentation

+

system configuration settings and associated documentation

+

list of benchmarks for taking corrective action on identified flaws

+

records that provide timestamps of flaw identification and subsequent flaw remediation activities

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

mechanisms used to measure the time between flaw identification and flaw remediation

+
+
+
+
+ + Malicious Code Protection + + + +

signature based and non-signature based

+
+
+ + + + + + +

at least weekly

+
+
+ +

the frequency at which malicious code protection mechanisms perform scans is defined;

+
+ + + + +

to include endpoints and network entry and exit points

+
+
+ + + + + +

to include blocking and quarantining malicious code

+
+
+ + + + + + +

administrator or defined security personnel near-realtime

+
+
+ +

action to be taken in response to malicious code detection are defined (if selected);

+
+ + + + +

personnel or roles to be alerted when malicious code is detected is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

+
+ + +

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

+
+ + +

Configure malicious code protection mechanisms to:

+ + +

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

+
+ + +

+ ; and send alert to in response to malicious code detection; and

+
+
+ + +

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

+
+
+ +

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

+

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

+

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

+
+ + + + + + +

+ malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

+ +
+ + +

+ malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

+ +
+ +
+ + +

malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;

+ +
+ + + + + + +

malicious code protection mechanisms are configured to perform periodic scans of the system ;

+ +
+ + +

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

+ +
+ +
+ + + + +

malicious code protection mechanisms are configured to in response to malicious code detection;

+ +
+ + +

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

+ +
+ +
+ +
+ + +

the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policy and procedures

+

procedures addressing malicious code protection

+

malicious code protection mechanisms

+

records of malicious code protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

scan results from malicious code protection mechanisms

+

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for malicious code protection

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

+

organizational processes for addressing false positives and resulting potential impacts

+

mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms

+

mechanisms supporting and/or implementing malicious code scanning and subsequent actions

+
+
+
+ + System Monitoring + + + +

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

+
+ + + + +

techniques and methods used to identify unauthorized use of the system are defined;

+
+ + + + +

system monitoring information to be provided to personnel or roles is defined;

+
+ + + + +

personnel or roles to whom system monitoring information is to be provided is/are defined;

+
+ + + + + + + +

a frequency for providing system monitoring to personnel or roles is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor the system to detect:

+ + +

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

+
+ + +

Unauthorized local, network, and remote connections;

+
+
+ + +

Identify unauthorized use of the system through the following techniques and methods: ;

+
+ + +

Invoke internal monitoring capabilities or deploy monitoring devices:

+ + +

Strategically within the system to collect organization-determined essential information; and

+
+ + +

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + +

Analyze detected events and anomalies;

+
+ + +

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+
+ + +

Obtain legal opinion regarding system monitoring activities; and

+
+ + +

Provide to + .

+
+ + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+
+
+
+ +

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

+

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

+ +
+ + + + +

the system is monitored to detect unauthorized local connections;

+ +
+ + +

the system is monitored to detect unauthorized network connections;

+ +
+ + +

the system is monitored to detect unauthorized remote connections;

+ +
+ +
+ +
+ + +

unauthorized use of the system is identified through ;

+ +
+ + + + +

internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;

+ +
+ + +

internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;

+ +
+ +
+ + + + +

detected events are analyzed;

+ +
+ + +

detected anomalies are analyzed;

+ +
+ +
+ + +

the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+ +
+ + +

a legal opinion regarding system monitoring activities is obtained;

+ +
+ + +

+ is provided to + .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

continuous monitoring strategy

+

facility diagram/layout

+

system design documentation

+

system monitoring tools and techniques documentation

+

locations within the system where monitoring devices are deployed

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring capabilities

+
+
+ + System-wide Intrusion Detection System + + + + + + + + +

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

+
+ +

Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful.

+
+ + + + +

individual intrusion detection tools are connected to a system-wide intrusion detection system;

+ +
+ + +

individual intrusion detection tools are configured into a system-wide intrusion detection system.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection capabilities

+
+
+
+ + Automated Tools and Mechanisms for Real-time Analysis + + + + + + + + + +

Employ automated tools and mechanisms to support near real-time analysis of events.

+
+ +

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

+
+ + +

automated tools and mechanisms are employed to support a near real-time analysis of events.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

privacy plan

+

privacy program plan

+

privacy impact assessment

+

privacy risk management documentation

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for incident response/management

+
+
+ + + + +

Organizational processes for the near real-time analysis of events

+

organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring

+

mechanisms/tools supporting and/or implementing an analysis of events

+
+
+
+ + Inbound and Outbound Communications Traffic + + + + +

continuously

+
+
+ + + + + + + +

the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
+ + + + +

unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;

+
+ + + + +

the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
+ + + + +

unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;

+
+ + + + + + + + + + +

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;

+
+ + +

Monitor inbound and outbound communications traffic for .

+
+
+ +

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.

+
+ + + + + + +

criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;

+ +
+ + +

criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;

+ +
+ +
+ + + + +

inbound communications traffic is monitored for ;

+ +
+ + +

outbound communications traffic is monitored for .

+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system protocols

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic

+
+
+
+ + System-generated Alerts + + + +

personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;

+
+ + + + +

compromise indicators are defined;

+
+ + + + + + + + + + + +

Alert when the following system-generated indications of compromise or potential compromise occur: .

+ + SI-4 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with the incident response plan.

+
+
+
+ +

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

+
+ + +

+ are alerted when system-generated occur.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

list of personnel selected to receive alerts

+

documentation of alerts generated based on compromise indicators

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel on the system alert notification list

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing alerts for compromise indicators

+
+
+
+ + Visibility of Encrypted Communications + + + +

encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;

+
+ + + + +

system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;

+
+ + + + + + + + +

Make provisions so that is visible to .

+ + SI-4 (10) Additional FedRAMP Requirements and Guidance + + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

+
+
+
+ +

Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

+
+ + +

provisions are made so that is visible to .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system protocols

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools

+
+
+
+ + Analyze Communications Traffic Anomalies + + + +

interior points within the system where communications traffic is to be analyzed are defined;

+
+ + + + + + + + + +

Analyze outbound communications traffic at the external interfaces to the system and selected to discover anomalies.

+
+ +

Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.

+
+ + + + +

outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;

+ +
+ + +

outbound communications traffic at is analyzed to discover anomalies.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

network diagram

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the analysis of communications traffic

+
+
+
+ + Automated Organization-generated Alerts + + + +

personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;

+
+ + + + +

automated mechanisms used to alert personnel or roles are defined;

+
+ + + + +

activities that trigger alerts to personnel or are defined;

+
+ + + + + + + + + +

Alert using when the following indications of inappropriate or unusual activities with security or privacy implications occur: .

+
+ +

Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in SI-4(5) focus on information sources that are internal to the systems, such as audit records.

+
+ + +

+ is/are alerted using when indicate inappropriate or unusual activities with security or privacy implications.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

list of inappropriate or unusual activities with security and privacy implications that trigger alerts

+

suspicious activity reports

+

alerts provided to security and privacy personnel

+

system monitoring logs or records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

automated mechanisms supporting and/or implementing automated alerts to security personnel

+
+
+
+ + Wireless Intrusion Detection + + + + + + + + + +

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

+
+ +

Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems.

+
+ + + + +

a wireless intrusion detection system is employed to identify rogue wireless devices;

+ +
+ + +

a wireless intrusion detection system is employed to detect attack attempts on the system;

+ +
+ + +

a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system protocols

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection

+

mechanisms supporting and/or implementing a wireless intrusion detection capability

+
+
+
+ + Correlate Monitoring Information + + + + + + + + + +

Correlate information from monitoring tools and mechanisms employed throughout the system.

+
+ +

Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+
+ + +

information from monitoring tools and mechanisms employed throughout the system is correlated.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

event correlation logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the correlation of information from monitoring tools

+
+
+
+ + Analyze Traffic and Covert Exfiltration + + + +

interior points within the system where communications traffic is to be analyzed are defined;

+
+ + + + + + + + + +

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: .

+
+ +

Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.

+
+ + + + +

outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;

+ +
+ + +

outbound communications traffic is analyzed at to detect covert exfiltration of information.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

network diagram

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing an analysis of outbound communications traffic

+
+
+
+ + Risk for Individuals + + + +

additional monitoring of individuals who have been identified as posing an increased level of risk is defined;

+
+ + + + +

sources that identify individuals who pose an increased level of risk are defined;

+
+ + + + + + + + +

Implement of individuals who have been identified by as posing an increased level of risk.

+
+ +

Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + +

+ is implemented on individuals who have been identified by as posing an increased level of risk.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

legal counsel

+

human resource officials

+

organizational personnel with personnel security responsibilities

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing a system monitoring capability

+
+
+
+ + Privileged Users + + + +

additional monitoring of privileged users is defined;

+
+ + + + + + + + + +

Implement the following additional monitoring of privileged users: .

+
+ +

Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.

+
+ + +

+ of privileged users is implemented.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing a system monitoring capability

+
+
+
+ + Unauthorized Network Services + + + +

authorization or approval processes for network services are defined;

+
+ + + + + + + +

personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);

+
+ + + + + + + + + + + +

Detect network services that have not been authorized or approved by ; and

+
+ + +

+ when detected.

+
+
+ +

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.

+
+ + + + +

network services that have not been authorized or approved by are detected;

+ +
+ + +

+ is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

documented authorization/approval of network services

+

notifications or alerts of unauthorized network services

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing a system monitoring capability

+

mechanisms for auditing network services

+

mechanisms for providing alerts

+
+
+
+ + Host-based Devices + + + +

host-based monitoring mechanisms to be implemented on system components are defined;

+
+ + + + +

system components where host-based monitoring is to be implemented are defined;

+
+ + + + + + + + + + +

Implement the following host-based monitoring mechanisms at : .

+
+ +

Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.

+
+ + +

+ are implemented on .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

host-based monitoring mechanisms

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

list of system components requiring host-based monitoring

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring system hosts

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing a host-based monitoring capability

+
+
+
+
+ + Security Alerts, Advisories, and Directives + + + + +

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

+
+
+ +

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

+
+ + + + +

to include system security personnel and administrators with configuration/patch-management responsibilities

+
+
+ + + + + +

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

+
+ + + + +

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + +

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + + + + + + + + + + +

Receive system security alerts, advisories, and directives from on an ongoing basis;

+
+ + +

Generate internal security alerts, advisories, and directives as deemed necessary;

+
+ + +

Disseminate security alerts, advisories, and directives to: ; and

+
+ + +

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

+
+ + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+
+
+ +

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

+
+ + + + +

system security alerts, advisories, and directives are received from on an ongoing basis;

+ +
+ + +

internal security alerts, advisories, and directives are generated as deemed necessary;

+ +
+ + +

security alerts, advisories, and directives are disseminated to ;

+ +
+ + +

security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security alerts, advisories, and directives

+

records of security alerts and advisories

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security alert and advisory responsibilities

+

organizational personnel implementing, operating, maintaining, and using the system

+

organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

+

mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives

+

mechanisms supporting and/or implementing security directives

+
+
+ + Automated Alerts and Advisories + + + +

automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;

+
+ + + + + + + + +

Broadcast security alert and advisory information throughout the organization using .

+
+ +

The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level.

+
+ + +

+ are used to broadcast security alert and advisory information throughout the organization.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security alerts, advisories, and directives

+

system design documentation

+

system configuration settings and associated documentation

+

automated mechanisms supporting the distribution of security alert and advisory information

+

records of security alerts and advisories

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security alert and advisory responsibilities

+

organizational personnel implementing, operating, maintaining, and using the system

+

organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories

+

automated mechanisms supporting and/or implementing the dissemination of security alerts and advisories

+
+
+
+
+ + Security and Privacy Function Verification + + + + + + +

security functions to be verified for correct operation are defined;

+
+ + + + +

privacy functions to be verified for correct operation are defined;

+
+ + + + + + + + +

to include upon system startup and/or restart

+
+
+ +

system transitional states requiring the verification of security and privacy functions are defined; (if selected)

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)

+
+ + + + + +

to include system administrators and security personnel

+
+
+ +

personnel or roles to be alerted of failed security and privacy verification tests is/are defined;

+
+ + + + + + + +

alternative action(s) to be performed when anomalies are discovered are defined (if selected);

+
+ + + + + + + + + + + + + + +

Verify the correct operation of ;

+
+ + +

Perform the verification of the functions specified in SI-6a ;

+
+ + +

Alert to failed security and privacy verification tests; and

+
+ + +

+ when anomalies are discovered.

+
+
+ +

Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.

+
+ + + + + + +

+ are verified to be operating correctly;

+ +
+ + +

+ are verified to be operating correctly;

+ +
+ +
+ + + + +

+ are verified ;

+ +
+ + +

+ are verified ;

+ +
+ +
+ + + + +

+ is/are alerted to failed security verification tests;

+ +
+ + +

+ is/are alerted to failed privacy verification tests;

+ +
+ +
+ + +

+ is/are initiated when anomalies are discovered.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security and privacy function verification

+

system design documentation

+

system configuration settings and associated documentation

+

alerts/notifications of failed security verification tests

+

list of system transition states requiring security functionality verification

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy function verification responsibilities

+

organizational personnel implementing, operating, and maintaining the system

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developer

+
+
+ + + + +

Organizational processes for security and privacy function verification

+

mechanisms supporting and/or implementing the security and privacy function verification capability

+
+
+
+ + Software, Firmware, and Information Integrity + + + + + + + + + +

software requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

information requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

actions to be taken when unauthorized changes to software are detected are defined;

+
+ + + + +

actions to be taken when unauthorized changes to firmware are detected are defined;

+
+ + + + +

actions to be taken when unauthorized changes to information are detected are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

+
+ + +

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

+
+
+ +

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

+
+ + + + + + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ +
+ + + + +

+ are taken when unauthorized changes to the software, are detected;

+ +
+ + +

+ are taken when unauthorized changes to the firmware are detected;

+ +
+ + +

+ are taken when unauthorized changes to the information are detected.

+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

personally identifiable information processing policy

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+
+
+ + Integrity Checks + + + + + + + + + + +

selection to include security relevant event

+
+
+ + + + + +

at least monthly

+
+
+ + + + +

software on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (on software) is defined (if selected);

+
+ + + + +

firmware on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (on firmware) is defined (if selected);

+
+ + + + +

information on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (of information) is defined (if selected);

+
+ + + + + + + + +

Perform an integrity check of + .

+
+ +

Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

+
+ + + + +

an integrity check of is performed ;

+ +
+ + +

an integrity check of is performed ;

+ +
+ + +

an integrity check of is performed .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity testing

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records of integrity scans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+
+
+
+ + Automated Notifications of Integrity Violations + + + + +

to include the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;

+
+ + + + + + + + +

Employ automated tools that provide notification to upon discovering discrepancies during integrity verification.

+
+ +

The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers.

+
+ + +

automated tools that provide notification to upon discovering discrepancies during integrity verification are employed.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

personally identifiable information processing policy

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records of integrity scans

+

automated tools supporting alerts and notifications for integrity discrepancies

+

notifications provided upon discovering discrepancies during integrity verifications

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security and privacy responsibilities

+

system administrators

+

software developers

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+

mechanisms providing integrity discrepancy notifications

+
+
+
+ + Automated Response to Integrity Violations + + + + + + +

controls to be implemented automatically when integrity violations are discovered are defined (if selected);

+
+ + + + + + + + +

Automatically when integrity violations are discovered.

+
+ +

Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.

+
+ + +

+ are automatically performed when integrity violations are discovered.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records of integrity scans

+

records of integrity checks and responses to integrity violations

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+

mechanisms providing an automated response to integrity violations

+

mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered

+
+
+
+ + Integration of Detection and Response + + + +

security-relevant changes to the system are defined;

+
+ + + + + + + + + + + + + +

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

+
+ +

Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.

+
+ + +

the detection of are incorporated into the organizational incident response capability.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

procedures addressing incident response

+

system design documentation

+

system configuration settings and associated documentation

+

incident response records

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+
+
+ + + + +

Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability

+

software, firmware, and information integrity verification tools

+

mechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability

+
+
+
+ + Code Authentication + + + + +

to include all software and firmware inside the boundary

+
+
+ +

software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;

+
+ + + + + + + + + + + +

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: .

+
+ +

Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.

+
+ + +

cryptographic mechanisms are implemented to authenticate prior to installation.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Cryptographic mechanisms authenticating software and firmware prior to installation

+
+
+
+
+ + Spam Protection + + + + + + + + + + + + + + + +

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

+
+ + +

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

+
+ + SI-8 Additional FedRAMP Requirements and Guidance + + +

When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

+

https://cyber.dhs.gov/bod/18-01/

+
+ + +

CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

+
+
+
+ +

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

+
+ + + + + + +

spam protection mechanisms are employed at system entry points to detect unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system exit points to detect unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system entry points to act on unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system exit points to act on unsolicited messages;

+ +
+ +
+ + +

spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policies and procedures (CM-01)

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for implementing spam protection

+

mechanisms supporting and/or implementing spam protection

+
+
+ + Automatic Updates + + + +

the frequency at which to automatically update spam protection mechanisms is defined;

+
+ + + + + + + +

Automatically update spam protection mechanisms .

+
+ +

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.

+
+ + +

spam protection mechanisms are automatically updated .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for spam protection

+

mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

+
+
+
+
+ + Information Input Validation + + + +

information inputs to the system requiring validity checks are defined;

+
+ + + + + + + + +

Check the validity of the following information inputs: .

+ + SI-10 Additional FedRAMP Requirements and Guidance + + +

Validate all information inputs and document any exceptions

+
+
+
+ +

Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, + abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

+
+ + +

the validity of the is checked.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

access control policy and procedures

+

separation of duties policy and procedures

+

procedures addressing information input validation

+

documentation for automated tools and applications to verify the validity of information

+

list of information inputs requiring validity checks

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing validity checks on information inputs

+
+
+
+ + Error Handling + + + + +

to include the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to whom error messages are to be revealed is/are defined;

+
+ + + + + + + + + + + + + +

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

+
+ + +

Reveal error messages only to .

+
+
+ +

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

+
+ + + + +

error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;

+ +
+ + +

error messages are revealed only to .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system error handling

+

system design documentation

+

system configuration settings and associated documentation

+

documentation providing the structure and content of error messages

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for error handling

+

automated mechanisms supporting and/or implementing error handling

+

automated mechanisms supporting and/or implementing the management of error messages

+
+
+
+ + Information Management and Retention + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

+
+ +

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

+
+ + + + +

information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

personally identifiable information processing policy

+

records retention and disposition policy

+

records retention and disposition procedures

+

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention

+

media protection policy

+

media protection procedures

+

audit findings

+

system security plan

+

privacy plan

+

privacy program plan

+

personally identifiable information inventory

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information and records management, retention, and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

network administrators

+
+
+ + + + +

Organizational processes for information management, retention, and disposition

+

automated mechanisms supporting and/or implementing information management, retention, and disposition

+
+
+
+ + Memory Protection + + + +

controls to be implemented to protect the system memory from unauthorized code execution are defined;

+
+ + + + + + + + + + +

Implement the following controls to protect the system memory from unauthorized code execution: .

+
+ +

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

+
+ + +

+ are implemented to protect the system memory from unauthorized code execution.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing memory protection for the system

+

system design documentation

+

system configuration settings and associated documentation

+

list of security safeguards protecting system memory from unauthorized code execution

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for memory protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution

+
+
+
+
+ + Supply Chain Risk Management + + Policy and Procedures + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ + + + +

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

+
+ + + + +

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

+
+ + + + + + + +

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

+
+ + + + +

events that require the current supply chain risk management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that require the supply chain risk management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ supply chain risk management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

+
+ + +

Review and update the current supply chain risk management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a supply chain risk management policy is developed and documented;

+ +
+ + +

the supply chain risk management policy is disseminated to ;

+ +
+ + +

supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;

+ +
+ + +

the supply chain risk management procedures are disseminated to .

+ +
+ + + + + + +

the supply chain risk management policy addresses purpose;

+ +
+ + +

the supply chain risk management policy addresses scope;

+ +
+ + +

+ supply chain risk management policy addresses roles;

+ +
+ + +

the supply chain risk management policy addresses responsibilities;

+ +
+ + +

the supply chain risk management policy addresses management commitment;

+ +
+ + +

the supply chain risk management policy addresses coordination among organizational entities;

+ +
+ + +

the supply chain risk management policy addresses compliance.

+ +
+ +
+ + +

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

+ +
+ + + + + + +

the current supply chain risk management policy is reviewed and updated ;

+ +
+ + +

the current supply chain risk management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current supply chain risk management procedures are reviewed and updated ;

+ +
+ + +

the current supply chain risk management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with supply chain risk management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with enterprise risk management responsibilities

+
+
+
+ + Supply Chain Risk Management Plan + + + +

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and update the supply chain risk management plan is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

+
+ + +

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

+
+ + +

Protect the supply chain risk management plan from unauthorized disclosure and modification.

+
+
+ +

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

+

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

+
+ + + + + + +

a plan for managing supply chain risks is developed;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the research and development of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the design of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the manufacturing of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the acquisition of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the delivery of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the integration of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the disposal of ;

+ +
+ +
+ + +

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

+ +
+ + + + +

the supply chain risk management plan is protected from unauthorized disclosure;

+ +
+ + +

the supply chain risk management plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification

+

system development life cycle procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

list of supply chain threats

+

list of safeguards to be taken against supply chain threats

+

system life cycle documentation

+

inter-organizational agreements and procedures

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle (SDLC)

+

organizational processes for identifying SDLC roles and responsibilities

+

organizational processes for integrating supply chain risk management into the SDLC

+

mechanisms supporting and/or implementing the SDLC

+
+
+ + Establish SCRM Team + + + +

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

+
+ + + + +

supply chain risk management activities are defined;

+
+ + + + + + + + +

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

+
+ +

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

+
+ + +

a supply chain risk management team consisting of is established to lead and support .

+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management team charter documentation

+

supply chain risk management strategy

+

supply chain risk management implementation plan

+

procedures addressing supply chain protection

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with enterprise risk management responsibilities

+

legal counsel

+

organizational personnel with business continuity responsibilities

+
+
+
+
+ + Supply Chain Controls and Processes + + + +

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

+
+ + + + +

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

+
+ + + + +

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

+
+ + + + + + + +

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

+
+ + +

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

+
+ + +

Document the selected and implemented supply chain processes and controls in .

+
+ + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+
+
+
+ +

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

+
+ + + + + + +

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

+ +
+ + +

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

+ +
+ +
+ + +

+ are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

+ +
+ + +

the selected and implemented supply chain processes and controls are documented in .

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management strategy

+

supply chain risk management plan

+

systems and critical system components inventory documentation

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems or services

+

risk register documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for identifying and addressing supply chain element and process deficiencies

+
+
+
+ + Acquisition Strategies, Tools, and Methods + + + +

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

+
+ +

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

+
+ + + + +

+ are employed to protect against supply chain risks;

+ +
+ + +

+ are employed to identify supply chain risks;

+ +
+ + +

+ are employed to mitigate supply chain risks.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems, system components, or services

+

documentation of training, education, and awareness programs for personnel regarding supply chain risk

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods

+

mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods

+
+
+
+ + Supplier Assessments and Reviews + + + + +

at least annually

+
+
+ +

the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

+ + SR-6 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

+
+
+
+ +

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

+
+ + +

the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management strategy

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

procedures addressing the integration of information security requirements into the acquisition process

+

records of supplier due diligence reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain protection responsibilities

+
+
+ + + + +

Organizational processes for conducting supplier reviews

+

mechanisms supporting and/or implementing supplier reviews

+
+
+
+ + Notification Agreements + + + +

notification of supply chain compromises and results of assessment or audits

+
+
+ + + + + +

information for which agreements and procedures are to be established are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

+ + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+
+
+
+ +

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

+
+ + +

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+
+
+
+ + Tamper Resistance and Detection + + + + + + + + + + + + + + + + + +

Implement a tamper protection program for the system, system component, or system service.

+ + SR-9 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place.

+
+
+
+ +

Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.

+
+ + +

a tamper protection program is implemented for the system, system component, or system service.

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

procedures addressing tamper resistance and detection

+

tamper protection program documentation

+

tamper protection tools and techniques documentation

+

tamper resistance and detection tools and techniques documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with tamper protection program responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for the implementation of the tamper protection program

+

mechanisms supporting and/or implementing the tamper protection program

+
+
+ + Multiple Stages of System Development Life Cycle + + + + + + + + +

Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.

+
+ +

The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.

+
+ + +

anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing tamper resistance and detection

+

tamper protection program documentation

+

tamper protection tools and techniques documentation

+

tamper resistance and detection tools (technologies) and techniques documentation

+

system development life cycle documentation

+

procedures addressing supply chain protection

+

system development life cycle procedures

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with SDLC responsibilities

+
+
+ + + + +

Organizational processes for employing anti-tamper technologies

+

mechanisms supporting and/or implementing anti-tamper technologies

+
+
+
+
+ + Inspection of Systems or Components + + + +

systems or system components that require inspection are defined;

+
+ + + + + + + +

frequency at which to inspect systems or system components is defined (if selected);

+
+ + + + +

indications of the need for an inspection of systems or system components are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Inspect the following systems or system components to detect tampering: .

+
+ +

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

+
+ + +

+ are inspected to detect tampering.

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

records of random inspections

+

inspection reports/results

+

assessment reports/results

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational processes to inspect for tampering

+
+
+
+ + Component Authenticity + + + + + + +

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + +

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + + + + + + + + + + + + +

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

+
+ + +

Report counterfeit system components to .

+
+ + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+
+
+
+ +

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

+
+ + + + + + +

an anti-counterfeit policy is developed and implemented;

+ +
+ + +

anti-counterfeit procedures are developed and implemented;

+ +
+ + +

the anti-counterfeit procedures include the means to detect counterfeit components entering the system;

+ +
+ + +

the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;

+ +
+ +
+ + +

counterfeit system components are reported to .

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

records of reported counterfeit system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting

+
+
+ + + + +

Organizational processes for counterfeit prevention, detection, and reporting

+

mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting

+
+
+ + Anti-counterfeit Training + + + +

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

+
+ + + + + + + + + +

Train to detect counterfeit system components (including hardware, software, and firmware).

+
+ +

None.

+
+ + +

+ are trained to detect counterfeit system components (including hardware, software, and firmware).

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

training materials addressing counterfeit system components

+

training records on the detection and prevention of counterfeit components entering the system

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training

+
+
+ + + + +

Organizational processes for anti-counterfeit training

+
+
+
+ + Configuration Control for Component Service and Repair + + + + +

all

+
+
+ +

system components requiring configuration control are defined;

+
+ + + + + + + + + + + + +

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

+
+ +

None.

+
+ + + + +

configuration control over awaiting service or repair is maintained;

+ +
+ + +

configuration control over serviced or repaired awaiting return to service is maintained.

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

configuration control procedures

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system component

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational configuration control processes

+
+
+
+
+ + Component Disposal + + + +

data, documentation, tools, or system components to be disposed of are defined;

+
+ + + + +

techniques and methods for disposing of data, documentation, tools, or system components are defined;

+
+ + + + + + + + +

Dispose of using the following techniques and methods: .

+
+ +

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

+
+ + +

+ are disposed of using .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

disposal procedures addressing supply chain protection

+

media disposal policy

+

media protection policy

+

disposal records for system components

+

documentation of the system components identified for disposal

+

documentation of the disposal techniques and methods employed for system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system component disposal responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain protection responsibilities

+
+
+ + + + +

Organizational techniques and methods for system component disposal

+

mechanisms supporting and/or implementing system component disposal

+
+
+
+
+ + 32 CFR 2002 + + Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + + + 5 CFR 731 + + Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). + + + + + CNSSD 505 + + Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. + + + + + CNSSI 1253 + + Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. + + + + + DHS TIC + + Department of Homeland Security, Trusted Internet Connections (TIC). + + + + + DOD STIG + + Defense Information Systems Agency, Security Technical Implementation Guides (STIG). + + + + + EO 13526 + + Executive Order 13526, Classified National Security Information , December 2009. + + + + + EO 13556 + + Executive Order 13556, Controlled Unclassified Information , November 2010. + + + + + EO 13587 + + Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. + + + + + EO 13873 + + Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. + + + + + FASC18 + + Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018. + + + + + FED PKI + + General Services Administration, Federal Public Key Infrastructure. + + + + + FIPS 140-3 + + National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. + + + + + FIPS 180-4 + + National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. + + + + + FIPS 186-4 + + National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. + + + + + FIPS 197 + + National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. + + + + + FIPS 199 + + National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. + + + + + FIPS 200 + + National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. + + + + + FIPS 201-2 + + National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. + + + + + FIPS 202 + + National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. + + + + + FISMA + + Federal Information Security Modernization Act (P.L. 113-283), December 2014. + + + + + HSPD 12 + + Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004. + + + + + IETF 5905 + + Internet Engineering Task Force (IETF), Request for Comments: 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification , June 2010. + + + + + IR 7539 + + Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. + + + + + IR 7559 + + Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. + + + + + IR 7622 + + Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. + + + + + IR 7676 + + Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + + + + + IR 7788 + + Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. + + + + + IR 7817 + + Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + + + + + IR 7849 + + Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. + + + + + IR 7870 + + Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. + + + + + IR 7874 + + Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. + + + + + IR 7956 + + Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. + + + + + IR 7966 + + Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. + + + + + IR 8011-1 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1. + + + + + IR 8011-2 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. + + + + + IR 8011-3 + + Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. + + + + + IR 8011-4 + + Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4. + + + + + IR 8023 + + Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. + + + + + IR 8040 + + Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. + + + + + IR 8062 + + Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. + + + + + IR 8112 + + Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112. + + + + + IR 8179 + + Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. + + + + + IR 8272 + + Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272. + + + + + ISO 15408-1 + + International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. + + + + + ISO 15408-2 + + International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. + + + + + ISO 15408-3 + + International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. + + + + + ISO 20243 + + International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. + + + + + ISO 27036 + + International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. + + + + + ISO 29147 + + International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. + + + + + ISO 29148 + + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. + + + + + NARA CUI + + National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. + + + + + NCPR + + National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at + + + + + NIAP CCEVS + + National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. + + + + + NIST CAVP + + National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at + + + + + NIST CMVP + + National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at + + + + + NSA CSFC + + National Security Agency, Commercial Solutions for Classified Program (CSfC). + + + + + NSA MEDIA + + National Security Agency, Media Destruction Guidance. + + + + + ODNI CTF + + Office of the Director of National Intelligence (ODNI) Cyber Threat Framework. + + + + + OMB A-130 + + Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. + + + + + OMB M-17-12 + + Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. + + + + + OMB M-19-03 + + Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. + + + + + PRIVACT + + Privacy Act (P.L. 93-579), December 1974. + + + + + SP 800-100 + + Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. + + + + + SP 800-101 + + Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. + + + + + SP 800-111 + + Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + + + + + SP 800-113 + + Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. + + + + + SP 800-114 + + Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. + + + + + SP 800-115 + + Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. + + + + + SP 800-116 + + Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. + + + + + SP 800-121 + + Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. + + + + + SP 800-124 + + Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. + + + + + SP 800-125B + + Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + + + + + SP 800-126 + + Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. + + + + + SP 800-128 + + Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. + + + + + SP 800-12 + + Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. + + + + + SP 800-130 + + Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. + + + + + SP 800-137A + + Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. + + + + + SP 800-137 + + Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. + + + + + SP 800-147 + + Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. + + + + + SP 800-150 + + Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + + + + + SP 800-152 + + Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + + + + + SP 800-154 + + Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. + + + + + SP 800-156 + + Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. + + + + + SP 800-160-1 + + Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. + + + + + SP 800-160-2 + + Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. + + + + + SP 800-161 + + Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. + + + + + SP 800-162 + + Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. + + + + + SP 800-166 + + Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. + + + + + SP 800-167 + + Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. + + + + + SP 800-171 + + Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. + + + + + SP 800-172 + + Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172. + + + + + SP 800-177 + + Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. + + + + + SP 800-178 + + Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. + + + + + SP 800-181 + + Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. + + + + + SP 800-184 + + Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. + + + + + SP 800-189 + + Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. + + + + + SP 800-18 + + Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. + + + + + SP 800-192 + + Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. + + + + + SP 800-28 + + Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. + + + + + SP 800-30 + + Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. + + + + + SP 800-32 + + Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. + + + + + SP 800-34 + + Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + + + + + SP 800-35 + + Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. + + + + + SP 800-37 + + Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. + + + + + SP 800-39 + + Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. + + + + + SP 800-40 + + Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. + + + + + SP 800-41 + + Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. + + + + + SP 800-45 + + Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. + + + + + SP 800-46 + + Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. + + + + + SP 800-47 + + Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. + + + + + SP 800-50 + + Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. + + + + + SP 800-52 + + McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. + + + + + SP 800-53A + + Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. + + + + + SP 800-53B + + Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B. + + + + + SP 800-56A + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. + + + + + SP 800-56B + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. + + + + + SP 800-56C + + Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. + + + + + SP 800-57-1 + + Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. + + + + + SP 800-57-2 + + Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. + + + + + SP 800-57-3 + + Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. + + + + + SP 800-60-1 + + Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. + + + + + SP 800-60-2 + + Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. + + + + + SP 800-61 + + Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + + + + + SP 800-63-3 + + Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + + + + + SP 800-63A + + Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. + + + + + SP 800-63B + + Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020. + + + + + SP 800-70 + + Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. + + + + + SP 800-73-4 + + Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + + + + + SP 800-76-2 + + Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + + + + + SP 800-77 + + Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. + + + + + SP 800-78-4 + + Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. + + + + + SP 800-79-2 + + Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. + + + + + SP 800-81-2 + + Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. + + + + + SP 800-83 + + Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. + + + + + SP 800-84 + + Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. + + + + + SP 800-86 + + Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + + + + + SP 800-88 + + Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. + + + + + SP 800-92 + + Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. + + + + + SP 800-94 + + Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. + + + + + SP 800-95 + + Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. + + + + + SP 800-97 + + Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. + + + + + USA PATRIOT + + USA Patriot Act (P.L. 107-56), October 2001. + + + + + USC 2901 + + United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. + + + + + USCERT IR + + Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. + + + + + USGCB + + National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at + + + + + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) + + FedRAMP Applicable Laws and Regulations diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 69c566e7d..6752f9b75 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -3805,7 +3805,7 @@ NIST Special Publication (SP) 800-53 - +
diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml index e2da19cb3..79c4cd665 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.xml @@ -1,10 +1,10 @@ + uuid="f64f62d2-ae80-4908-9674-da5201f1b2d7"> FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline 2023-08-31T00:00:00Z - 2023-12-18T20:27:42.148396-05:00 + 2024-01-11T18:07:19.115856-05:00 5.1.1+fedramp-20231218-0 1.1.1 ca9ba80e-1342-4bfd-b32a-abac468c24b4 + + Access Control + + Policy and Procedures + + + + + + +

personnel or roles to whom the access control policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the access control policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current access control policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current access control policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current access control procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ access control policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the access control policy and the associated access controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

+
+ + +

Review and update the current access control:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Account Management + + + +

prerequisites and criteria for group and role membership are defined;

+
+ + + + +

attributes (as required) for each account are defined;

+
+ + + + +

personnel or roles required to approve requests to create accounts is/are defined;

+
+ + + + +

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

+
+ + + + +

personnel or roles to be notified is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify account managers when accounts are no longer required is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when users are terminated or transferred is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

+
+ + + + +

attributes needed to authorize system access (as required) are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency of account review is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Define and document the types of accounts allowed and specifically prohibited for use within the system;

+
+ + +

Create, enable, modify, disable, and remove accounts in accordance with ;

+
+ + +

Monitor the use of accounts;

+
+ + +

Notify account managers and within:

+ + +

+ when accounts are no longer required;

+
+ + +

+ when users are terminated or transferred; and

+
+ + +

+ when system usage or need-to-know changes for an individual;

+
+
+
+ +

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

+

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

+

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

+
+ + + + + +

Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.

+
+ + + +

Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.

+
+
+ + + +

Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.

+
+
+ + + +

Organizational processes for account management on the information system; automated mechanisms for implementing account management.

+
+
+
+ + Access Enforcement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ +

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( PE ) family.

+
+ + +

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

+ +
+ + + + +

Access control policy

+

procedures addressing access enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of approved authorizations (user privileges)

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy

+
+
+
+ + Unsuccessful Logon Attempts + + + +

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

+
+ + + + +

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

+
+ + + + + + + +

time period for an account or node to be locked is defined (if selected);

+
+ + + + +

delay algorithm for the next logon prompt is defined (if selected);

+
+ + + + +

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + +

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

+
+ + +

Automatically when the maximum number of unsuccessful attempts is exceeded.

+
+
+ +

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

+
+ + + + +

a limit of consecutive invalid logon attempts by a user during is enforced;

+ +
+ + +

automatically when the maximum number of unsuccessful attempts is exceeded.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing unsuccessful logon attempts

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system developers

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing access control policy for unsuccessful logon attempts

+
+
+ +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

+
+
+ + System Use Notification + + + + +

see additional Requirements and Guidance

+
+
+ +

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

+
+ + + + + +

see additional Requirements and Guidance

+
+
+ +

conditions for system use to be displayed by the system before granting further access are defined;

+
+ + + + + + + + + + + + + +

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

+ + +

Users are accessing a U.S. Government system;

+
+ + +

System usage may be monitored, recorded, and subject to audit;

+
+ + +

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+
+ + +

Use of the system indicates consent to monitoring and recording;

+
+
+ + +

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

+
+ + +

For publicly accessible systems:

+ + +

Display system use information , before granting further access to the publicly accessible system;

+
+ + +

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + +

Include a description of the authorized uses of the system.

+
+
+
+ +

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

+
+ +

FED - This is related to agency data and agency policy solution.

+
+
+ + Permitted Actions Without Identification or Authentication + + + +

user actions that can be performed on the system without identification or authentication are defined;

+
+ + + + + + + + + + + + +

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

+
+ + +

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

+
+
+ +

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none. +

+
+ +

FED - This is related to agency data and agency policy solution.

+
+
+ + Remote Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

+
+ + +

Authorize each type of remote access to the system prior to allowing such connections.

+
+
+ +

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

+
+ + + + + + +

usage restrictions are established and documented for each type of remote access allowed;

+ +
+ + +

configuration/connection requirements are established and documented for each type of remote access allowed;

+ +
+ + +

implementation guidance is established and documented for each type of remote access allowed;

+ +
+ +
+ + +

each type of remote access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access implementation and usage (including restrictions)

+

configuration management plan

+

system configuration settings and associated documentation

+

remote access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing remote access connections

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Remote access management capability for the system

+
+
+
+ + Wireless Access + + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

+
+ + +

Authorize each type of wireless access to the system prior to allowing such connections.

+
+
+ +

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

+
+ +

NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

+
+
+ + Access Control for Mobile Devices + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

+
+ + +

Authorize the connection of mobile devices to organizational systems.

+
+
+ +

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

+

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

+

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

+
+ +

NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

+
+
+ + Use of External Systems + + + + + + +

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

types of external systems prohibited from use are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

+ , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

+ + +

Access the system from external systems; and

+
+ + +

Process, store, or transmit organization-controlled information using external systems; or

+
+
+ + +

Prohibit the use of .

+
+
+ +

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).

+

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

+

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+
+
+ + Publicly Accessible Content + + + + +

at least quarterly

+
+
+ +

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

+
+ + + + + + + + + + + + + + + +

Designate individuals authorized to make information publicly accessible;

+
+ + +

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + +

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

+
+ + +

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

+
+
+ +

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

+
+ + + + +

designated individuals are authorized to make information publicly accessible;

+ +
+ + +

authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;

+ +
+ + +

the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;

+ +
+ + + + +

the content on the publicly accessible system is reviewed for non-public information ;

+ +
+ + +

non-public information is removed from the publicly accessible system, if discovered.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing publicly accessible content

+

list of users authorized to post publicly accessible content on organizational systems

+

training materials and/or records

+

records of publicly accessible information reviews

+

records of response to non-public information on public websites

+

system audit logs

+

security awareness training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of publicly accessible content

+
+
+
+
+ + Awareness and Training + + Policy and Procedures + + + + + + +

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the awareness and training policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current awareness and training policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current awareness and training policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ awareness and training policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

+
+ + +

Review and update the current awareness and training:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Literacy Training and Awareness + + + + +

at least annually

+
+
+ + + + + + + +

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

events that require security literacy training for system users are defined;

+
+ + + + +

events that require privacy literacy training for system users are defined;

+
+ + + + +

techniques to be employed to increase the security and privacy awareness of system users are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update literacy training and awareness content is defined;

+
+ + + + +

events that would require literacy training and awareness content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

+ + +

As part of initial training for new users and thereafter; and

+
+ + +

When required by system changes or following ;

+
+
+ + +

Employ the following techniques to increase the security and privacy awareness of system users ;

+
+ + +

Update literacy training and awareness content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

+
+
+ +

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

+

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + Insider Threat + + + + + + + + + +

Provide literacy training on recognizing and reporting potential indicators of insider threat.

+
+ +

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.

+
+
+
+ + Role-based Training + + + + + + +

roles and responsibilities for role-based security training are defined;

+
+ + + + +

roles and responsibilities for role-based privacy training are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update role-based training content is defined;

+
+ + + + +

events that require role-based training content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

+ + +

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

+
+ + +

When required by system changes;

+
+
+ + +

Update role-based training content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

+
+
+ +

Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.

+

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+
+ + Training Records + + + + +

at least one (1) year or 1 year after completion of a specific training program

+
+
+ +

time period for retaining individual training records is defined;

+
+ + + + + + + + + + + + + + + + + +

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

+
+ + +

Retain individual training records for .

+
+
+ +

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

+
+
+
+ + Audit and Accountability + + Policy and Procedures + + + + + + +

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the audit and accountability policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current audit and accountability policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require audit and accountability procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ audit and accountability policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

+
+ + +

Review and update the current audit and accountability:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Event Logging + + + + +

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

+
+
+ + + + + +

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

+
+
+ +

the event types that the system is capable of logging in support of the audit function are defined;

+
+ + + + +

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

+
+ + + + +

the frequency or situation requiring logging for each specified event type is defined;

+
+ + + + + +

annually and whenever there is a change in the threat environment

+
+
+ +

the frequency of event types selected for logging are reviewed and updated;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify the types of events that the system is capable of logging in support of the audit function: ;

+
+ + +

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+
+ + +

Specify the following event types for logging within the system: ;

+
+ + +

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

+
+ + +

Review and update the event types selected for logging .

+
+
+ +

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.

+

To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.

+

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

+
+
+ + Content of Audit Records + + + + + + + + + + + + + + + + + + +

Ensure that audit records contain information that establishes the following:

+ + +

What type of event occurred;

+
+ + +

When the event occurred;

+
+ + +

Where the event occurred;

+
+ + +

Source of the event;

+
+ + +

Outcome of the event; and

+
+ + +

Identity of any individuals, subjects, or objects/entities associated with the event.

+
+
+ +

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

+
+ + + + +

audit records contain information that establishes what type of event occurred;

+ +
+ + +

audit records contain information that establishes when the event occurred;

+ +
+ + +

audit records contain information that establishes where the event occurred;

+ +
+ + +

audit records contain information that establishes the source of the event;

+ +
+ + +

audit records contain information that establishes the outcome of the event;

+ +
+ + +

audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing content of audit records

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

system incident reports

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing of auditable events

+
+
+
+ + Audit Log Storage Capacity + + + +

audit log retention requirements are defined;

+
+ + + + + + + + + + + + + + + + + +

Allocate audit log storage capacity to accommodate .

+
+ +

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

+
+ +

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

+
+
+ + Response to Audit Logging Process Failures + + + +

personnel or roles receiving audit logging process failure alerts are defined;

+
+ + + + +

time period for personnel or roles receiving audit logging process failure alerts is defined;

+
+ + + + + +

overwrite oldest record

+
+
+ +

additional actions to be taken in the event of an audit logging process failure are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Alert within in the event of an audit logging process failure; and

+
+ + +

Take the following additional actions: .

+
+
+ +

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

+
+ + + + +

+ are alerted in the event of an audit logging process failure within ;

+ +
+ + +

+ are taken in the event of an audit logging process failure.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy plan

+

system configuration settings and associated documentation

+

list of personnel to be notified in case of an audit processing failure

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing system response to audit processing failures

+
+
+
+ + Audit Record Review, Analysis, and Reporting + + + + +

at least weekly

+
+
+ +

frequency at which system audit records are reviewed and analyzed is defined;

+
+ + + + +

inappropriate or unusual activity is defined;

+
+ + + + +

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

+
+ + +

Report findings to ; and

+
+ + +

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+
+
+ +

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

+
+ + + + +

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

+ +
+ + +

findings are reported to ;

+ +
+ + +

the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

reports of audit findings

+

records of actions taken in response to reviews/analyses of audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Time Stamps + + + + +

one second granularity of time measurement

+
+
+ +

granularity of time measurement for audit record timestamps is defined;

+
+ + + + + + + + + + + + + +

Use internal system clocks to generate time stamps for audit records; and

+
+ + +

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

+
+
+ +

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

+
+
+ + Protection of Audit Information + + + +

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and

+
+ + +

Alert upon detection of unauthorized access, modification, or deletion of audit information.

+
+
+ +

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

+
+
+ + Audit Record Retention + + + + +

a time period in compliance with M-21-31

+
+
+ +

a time period to retain audit records that is consistent with the records retention policy is defined;

+
+ + + + + + + + + + + + + + + + + +

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+
+ +

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

+
+ +

NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

+
+
+ + Audit Record Generation + + + + +

all information system and network components where audit capability is deployed/available

+
+
+ +

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

+
+ + + + +

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

+
+ + +

Allow to select the event types that are to be logged by specific components of the system; and

+
+ + +

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

+
+
+ +

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

+
+
+
+ + Assessment, Authorization, and Monitoring + + Policy and Procedures + + + + + + +

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ assessment, authorization, and monitoring policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

+
+ + +

Review and update the current assessment, authorization, and monitoring:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Control Assessments + + + + +

at least annually

+
+
+ +

the frequency at which to assess controls in the system and its environment of operation is defined;

+
+ + + + + +

individuals or roles to include FedRAMP PMO

+
+
+ +

individuals or roles to whom control assessment results are to be provided are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Select the appropriate assessor or assessment team for the type of assessment to be conducted;

+
+ + +

Develop a control assessment plan that describes the scope of the assessment including:

+ + +

Controls and control enhancements under assessment;

+
+ + +

Assessment procedures to be used to determine control effectiveness; and

+
+ + +

Assessment environment, assessment team, and assessment roles and responsibilities;

+
+
+ + +

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+
+ + +

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

+
+ + +

Produce a control assessment report that document the results of the assessment; and

+
+ + +

Provide the results of the control assessment to .

+
+
+ +

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

+

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

+

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

+

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

+

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

+
+ + + + +

an appropriate assessor or assessment team is selected for the type of assessment to be conducted;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment team;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;

+ +
+ +
+ +
+ + +

the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+ +
+ + + + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+ +
+ + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

+ +
+ +
+ + +

a control assessment report is produced that documents the results of the assessment;

+ +
+ + +

the results of the control assessment are provided to .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing assessment planning

+

procedures addressing control assessments

+

control assessment plan

+

control assessment report

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting

+
+
+ + Independent Assessors + + + + + + + + +

Employ independent assessors or assessment teams to conduct control assessments.

+
+ +

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

+

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

+

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

+
+
+
+ + Information Exchange + + + + + + +

the type of agreement used to approve and manage the exchange of information is defined (if selected);

+
+ + + + + +

at least annually and on input from JAB/AO

+
+
+ +

the frequency at which to review and update agreements is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Approve and manage the exchange of information between the system and other systems using ;

+
+ + +

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

+
+ + +

Review and update the agreements .

+
+
+ +

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

+

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

+
+ + + + +

the exchange of information between the system and other systems is approved and managed using ;

+ +
+ + + + +

the interface characteristics are documented as part of each exchange agreement;

+ +
+ + +

security requirements are documented as part of each exchange agreement;

+ +
+ + +

privacy requirements are documented as part of each exchange agreement;

+ +
+ + +

controls are documented as part of each exchange agreement;

+ +
+ + +

responsibilities for each system are documented as part of each exchange agreement;

+ +
+ + +

the impact level of the information communicated is documented as part of each exchange agreement;

+ +
+ +
+ + +

agreements are reviewed and updated .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system interconnection security agreements

+

information exchange security agreements

+

memoranda of understanding or agreements

+

service level agreements

+

non-disclosure agreements

+

system design documentation

+

enterprise architecture

+

system architecture

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements

+

organizational personnel with information security and privacy responsibilities

+

personnel managing the system(s) to which the interconnection security agreement applies

+
+
+ +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

+
+
+ + Plan of Action and Milestones + + + + +

at least monthly

+
+
+ +

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

+
+ + +

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+
+
+ +

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

+
+ +

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

+
+
+ + Authorization + + + + +

in accordance with OMB A-130 requirements or when a significant change occurs

+
+
+ +

frequency at which to update the authorizations is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Assign a senior official as the authorizing official for the system;

+
+ + +

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

+
+ + +

Ensure that the authorizing official for the system, before commencing operations:

+ + +

Accepts the use of common controls inherited by the system; and

+
+ + +

Authorizes the system to operate;

+
+
+ + +

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+
+ + +

Update the authorizations .

+
+
+ +

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

+

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

+
+ + + + +

a senior official is assigned as the authorizing official for the system;

+ +
+ + +

a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;

+ +
+ + + + +

before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;

+ +
+ + +

before commencing operations, the authorizing official for the system authorizes the system to operate;

+ +
+ +
+ + +

the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+ +
+ + +

the authorizations are updated .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing authorization

+

system security plan, privacy plan, assessment report, plan of action and milestones

+

authorization statement

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authorization responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms that facilitate authorizations and updates

+
+
+
+ + Continuous Monitoring + + + + +

to include JAB/AO

+
+
+ + + + + + + +

system-level metrics to be monitored are defined;

+
+ + + + +

frequencies at which to monitor control effectiveness are defined;

+
+ + + + +

frequencies at which to assess control effectiveness are defined;

+
+ + + + +

personnel or roles to whom the security status of the system is reported are defined;

+
+ + + + +

frequency at which the security status of the system is reported is defined;

+
+ + + + +

personnel or roles to whom the privacy status of the system is reported are defined;

+
+ + + + +

frequency at which the privacy status of the system is reported is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

+ + +

Establishing the following system-level metrics to be monitored: ;

+
+ + +

Establishing for monitoring and for assessment of control effectiveness;

+
+ + +

Ongoing control assessments in accordance with the continuous monitoring strategy;

+
+ + +

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+
+ + +

Correlation and analysis of information generated by control assessments and monitoring;

+
+ + +

Response actions to address results of the analysis of control assessment and monitoring information; and

+
+ + +

Reporting the security and privacy status of the system to + .

+
+
+ +

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

+

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

+
+ + + + +

a system-level continuous monitoring strategy is developed;

+ +
+ + +

system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

+ +
+ + + + +

system-level continuous monitoring includes established for monitoring;

+ +
+ + +

system-level continuous monitoring includes established for assessment of control effectiveness;

+ +
+ +
+ + +

system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;

+ +
+ + +

system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;

+ +
+ + + + +

system-level continuous monitoring includes reporting the security status of the system to + ;

+ +
+ + +

system-level continuous monitoring includes reporting the privacy status of the system to + .

+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

procedures addressing configuration management

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

configuration management records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing continuous monitoring

+

mechanisms supporting response actions to address assessment and monitoring results

+

mechanisms supporting security and privacy status reporting

+
+
+ + Risk Monitoring + + + + + + + + + + +

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

+ + +

Effectiveness monitoring;

+
+ + +

Compliance monitoring; and

+
+ + +

Change monitoring.

+
+
+ +

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

+
+ + +

risk monitoring is an integral part of the continuous monitoring strategy;

+ + +

effectiveness monitoring is included in risk monitoring;

+ +
+ + +

compliance monitoring is included in risk monitoring;

+ +
+ + +

change monitoring is included in risk monitoring.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting risk monitoring

+
+
+
+
+ + Penetration Testing + + + + +

at least annually

+
+
+ +

frequency at which to conduct penetration testing on systems or system components is defined;

+
+ + + + +

systems or system components on which penetration testing is to be conducted are defined;

+
+ + + + + + + + + + + + + + +

Conduct penetration testing on .

+
+ +

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

+
+ + +

penetration testing is conducted on .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting penetration testing

+
+
+
+ + Internal System Connections + + + +

system components or classes of components requiring internal connections to the system are defined;

+
+ + + + +

conditions requiring termination of internal connections are defined;

+
+ + + + +

frequency at which to review the continued need for each internal connection is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Authorize internal connections of to the system;

+
+ + +

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

+
+ + +

Terminate internal system connections after ; and

+
+ + +

Review the continued need for each internal connection.

+
+
+ +

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

+
+ + + + +

internal connections of to the system are authorized;

+ +
+ + + + +

for each internal connection, the interface characteristics are documented;

+ +
+ + +

for each internal connection, the security requirements are documented;

+ +
+ + +

for each internal connection, the privacy requirements are documented;

+ +
+ + +

for each internal connection, the nature of the information communicated is documented;

+ +
+ +
+ + +

internal system connections are terminated after ;

+ +
+ + +

the continued need for each internal connection is reviewed .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system design documentation

+

system configuration settings and associated documentation

+

list of components or classes of components authorized as internal system connections

+

assessment report

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting internal system connections

+
+
+ +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

+
+
+
+ + Configuration Management + + Policy and Procedures + + + + + + +

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the configuration management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current configuration management policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current configuration management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current configuration management procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require configuration management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ configuration management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

+
+ + +

Review and update the current configuration management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Baseline Configuration + + + + +

at least annually and when a significant change occurs

+
+
+ +

the frequency of baseline configuration review and update is defined;

+
+ + + + + +

to include when directed by the JAB

+
+
+ +

the circumstances requiring baseline configuration review and update are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

+
+ + +

Review and update the baseline configuration of the system:

+ + +

+ ;

+
+ + +

When required due to ; and

+
+ + +

When system components are installed or upgraded.

+
+
+
+ +

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

+
+
+ + Impact Analyses + + + + + + + + + + + + + + + + + + + + + +

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

+
+ +

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

+
+ + + + +

changes to the system are analyzed to determine potential security impacts prior to change implementation;

+ +
+ + +

changes to the system are analyzed to determine potential privacy impacts prior to change implementation.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

configuration management plan

+

security impact analysis documentation

+

privacy impact analysis documentation

+

privacy impact assessment

+

privacy risk assessment documentation, system design documentation

+

analysis tools and associated outputs

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security impact analyses

+

organizational personnel with responsibility for conducting privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system developer

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for security impact analyses

+

organizational processes for privacy impact analyses

+
+
+
+ + Access Restrictions for Change + + + + + + + + + + + + + + + + + + + +

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

+
+ +

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

+
+ + + + +

physical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

physical access restrictions associated with changes to the system are approved;

+ +
+ + +

physical access restrictions associated with changes to the system are enforced;

+ +
+ + +

logical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

logical access restrictions associated with changes to the system are approved;

+ +
+ + +

logical access restrictions associated with changes to the system are enforced.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

logical access approvals

+

physical access approvals

+

access credentials

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system

+
+
+
+ + Configuration Settings + + + +

common secure configurations to establish and document configuration settings for components employed within the system are defined;

+
+ + + + +

system components for which approval of deviations is needed are defined;

+
+ + + + +

operational requirements necessitating approval of deviations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

+
+ + +

Implement the configuration settings;

+
+ + +

Identify, document, and approve any deviations from established configuration settings for based on ; and

+
+ + +

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

+
+
+ +

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

+

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

+

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

+
+ + + + +

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

+ +
+ + +

the configuration settings documented in CM-06a are implemented;

+ +
+ + + + +

any deviations from established configuration settings for are identified and documented based on ;

+ +
+ + +

any deviations from established configuration settings for are approved;

+ +
+ +
+ + + + +

changes to the configuration settings are monitored in accordance with organizational policies and procedures;

+ +
+ + +

changes to the configuration settings are controlled in accordance with organizational policies and procedures.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

system component inventory

+

evidence supporting approved deviations from established configuration settings

+

change control records

+

system data processing and retention permissions

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with privacy configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing configuration settings

+

mechanisms that implement, monitor, and/or control system configuration settings

+

mechanisms that identify and/or document deviations from established configuration settings

+
+
+ +

Required - Specifically include details of least functionality.

+
+ + CM-6(a) Additional FedRAMP Requirements and Guidance + + +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

+
+ + +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

+
+ + +

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

+
+
+
+ + Least Functionality + + + + + + +

mission-essential capabilities for the system are defined;

+
+ + + + +

functions to be prohibited or restricted are defined;

+
+ + + + +

ports to be prohibited or restricted are defined;

+
+ + + + +

protocols to be prohibited or restricted are defined;

+
+ + + + +

software to be prohibited or restricted is defined;

+
+ + + + +

services to be prohibited or restricted are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Configure the system to provide only ; and

+
+ + +

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

+
+
+ +

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

+
+
+ + System Component Inventory + + + +

information deemed necessary to achieve effective system component accountability is defined;

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to review and update the system component inventory is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop and document an inventory of system components that:

+ + +

Accurately reflects the system;

+
+ + +

Includes all components within the system;

+
+ + +

Does not include duplicate accounting of components or components assigned to any other system;

+
+ + +

Is at the level of granularity deemed necessary for tracking and reporting; and

+
+ + +

Includes the following information to achieve system component accountability: ; and

+
+
+ + +

Review and update the system component inventory .

+
+
+ +

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

+

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

+
+ + + + + + +

an inventory of system components that accurately reflects the system is developed and documented;

+ +
+ + +

an inventory of system components that includes all components within the system is developed and documented;

+ +
+ + +

an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;

+ +
+ + +

an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;

+ +
+ + +

an inventory of system components that includes is developed and documented;

+ +
+ +
+ + +

the system component inventory is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system design documentation

+

system component inventory

+

inventory reviews and update records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing the system component inventory

+

mechanisms supporting and/or implementing system component inventory

+
+
+
+ + Software Usage Restrictions + + + + + + + + + + + + + + +

Use software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + +

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + +

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ +

Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.

+
+ +

NSO- Not directly related to protection of the data.

+
+
+ + User-installed Software + + + +

policies governing the installation of software by users are defined;

+
+ + + + +

methods used to enforce software installation policies are defined;

+
+ + + + + +

Continuously (via CM-7 (5))

+
+
+ +

frequency with which to monitor compliance is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Establish governing the installation of software by users;

+
+ + +

Enforce software installation policies through the following methods: ; and

+
+ + +

Monitor policy compliance .

+
+
+ +

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

+
+ +

NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

+
+
+
+ + Contingency Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the contingency planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current contingency planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current contingency planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ contingency planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

+
+ + +

Review and update the current contingency planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Contingency Plan + + + + + + + + + + + + +

personnel or roles to review a contingency plan is/are defined;

+
+ + + + +

personnel or roles to approve a contingency plan is/are defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

+
+ + + + +

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency of contingency plan review is defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

+
+ + + + +

key contingency organizational elements to communicate changes to are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a contingency plan for the system that:

+ + +

Identifies essential mission and business functions and associated contingency requirements;

+
+ + +

Provides recovery objectives, restoration priorities, and metrics;

+
+ + +

Addresses contingency roles, responsibilities, assigned individuals with contact information;

+
+ + +

Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+
+ + +

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

+
+ + +

Addresses the sharing of contingency information; and

+
+ + +

Is reviewed and approved by ;

+
+
+ + +

Distribute copies of the contingency plan to ;

+
+ + +

Coordinate contingency planning activities with incident handling activities;

+
+ + +

Review the contingency plan for the system ;

+
+ + +

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

+
+ + +

Communicate contingency plan changes to ;

+
+ + +

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

+
+ + +

Protect the contingency plan from unauthorized disclosure and modification.

+
+
+ +

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

+

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

+
+ +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + Contingency Training + + + + +

*See Additional Requirements

+
+
+ +

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide training to system users with a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update contingency training content is defined;

+
+ + + + +

events necessitating review and update of contingency training are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Provide contingency training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming a contingency role or responsibility;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update contingency training content and following .

+
+
+ +

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

+
+ +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + Contingency Plan Testing + + + + +

classroom exercise/table top written tests

+
+
+ + + + + +

at least every 3 years

+
+
+ +

frequency of testing the contingency plan for the system is defined;

+
+ + + + +

tests for determining the effectiveness of the contingency plan are defined;

+
+ + + + +

tests for determining readiness to execute the contingency plan are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

+
+ + +

Review the contingency plan test results; and

+
+ + +

Initiate corrective actions, if needed.

+
+
+ +

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

+
+ +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + System Backup + + + +

system components for which to conduct backups of user-level information is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Conduct backups of user-level information contained in + ;

+
+ + +

Conduct backups of system-level information contained in the system ;

+
+ + +

Conduct backups of system documentation, including security- and privacy-related documentation ; and

+
+ + +

Protect the confidentiality, integrity, and availability of backup information.

+
+
+ +

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

backups of user-level information contained in are conducted ;

+ +
+ + +

backups of system-level information contained in the system are conducted ;

+ +
+ + +

backups of system documentation, including security- and privacy-related documentation are conducted ;

+ +
+ + + + +

the confidentiality of backup information is protected;

+ +
+ + +

the integrity of backup information is protected;

+ +
+ + +

the availability of backup information is protected.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

backup storage location(s)

+

system backup logs or records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+
+ + System Recovery and Reconstitution + + + + + + +

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

+
+ + + + + + + + + + + + + + + + + +

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

+
+ +

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

+
+ +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+
+ + Identification and Authentication + + Policy and Procedures + + + + + + +

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

+
+ + + + +

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the identification and authentication policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current identification and authentication policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require identification and authentication procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ identification and authentication policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

+
+ + +

Review and update the current identification and authentication:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Identification and Authentication (Organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

+
+ +

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

+

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

+

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

+
+ +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

+
+ + Multi-factor Authentication to Privileged Accounts + + + + + + + + + + +

Implement multi-factor authentication for access to privileged accounts.

+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication is implemented for access to privileged accounts.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+ + IA-2(1) Additional FedRAMP Requirements and Guidance + +

FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+
+
+
+ + Multi-factor Authentication to Non-privileged Accounts + + + + + + + + +

Implement multi-factor authentication for access to non-privileged accounts.

+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+
+ + Access to Accounts — Replay Resistant + + + + + + + + + + + +

Implement replay-resistant authentication mechanisms for access to .

+
+ +

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

+
+ + +

replay-resistant authentication mechanisms for access to are implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of privileged system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

Mechanisms supporting and/or implementing replay-resistant authentication mechanisms

+
+
+
+ + Acceptance of PIV Credentials + + + + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials.

+
+ +

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

+
+ + +

Personal Identity Verification-compliant credentials are accepted and electronically verified.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing acceptance and verification of PIV credentials

+
+
+ + + + + +

Determine if the information system:

+
    +
  • Accepts PIV credentials.
  • +
  • Electronically verifies PIV credentials.
  • +
+
+
+
+ + Identifier Management + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles from whom authorization must be received to assign an identifier are defined;

+
+ + + + + +

at least two (2) years

+
+
+ +

a time period for preventing reuse of identifiers is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system identifiers by:

+ + +

Receiving authorization from to assign an individual, group, role, service, or device identifier;

+
+ + +

Selecting an identifier that identifies an individual, group, role, service, or device;

+
+ + +

Assigning the identifier to the intended individual, group, role, service, or device; and

+
+ + +

Preventing reuse of identifiers for .

+
+
+ +

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

+
+
+ + Authenticator Management + + + +

a time period for changing or refreshing authenticators by authenticator type is defined;

+
+ + + + +

events that trigger the change or refreshment of authenticators are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system authenticators by:

+ + +

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

+
+ + +

Establishing initial authenticator content for any authenticators issued by the organization;

+
+ + +

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + +

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

+
+ + +

Changing default authenticators prior to first use;

+
+ + +

Changing or refreshing authenticators or when occur;

+
+ + +

Protecting authenticator content from unauthorized disclosure and modification;

+
+ + +

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

+
+ + +

Changing authenticators for group or role accounts when membership to those accounts changes.

+
+
+ +

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

+

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

+
+ + Password-based Authentication + + + +

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

+
+ + + + +

authenticator composition and complexity rules are defined;

+
+ + + + + + + + + + +

For password-based authentication:

+ + +

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

+
+ + +

Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

+
+ + +

Transmit passwords only over cryptographically-protected channels;

+
+ + +

Store passwords using an approved salted key derivation function, preferably using a keyed hash;

+
+ + +

Require immediate selection of a new password upon account recovery;

+
+ + +

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

+
+ + +

Employ automated tools to assist the user in selecting strong password authenticators; and

+
+ + +

Enforce the following composition and complexity rules: .

+
+
+ +

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

+
+
+
+ + Authentication Feedback + + + + + + + + +

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+
+ +

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

+
+ + +

the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator feedback

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

+
+
+
+ + Cryptographic Module Authentication + + + + + + + + + + + + +

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+
+ +

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

+
+
+ + Identification and Authentication (Non-organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

+
+ +

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

+
+ + Acceptance of PIV Credentials from Other Agencies + + + + + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

+
+ +

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

+
+ + + + +

Personal Identity Verification-compliant credentials from other federal agencies are accepted;

+ +
+ + +

Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept and verify PIV credentials

+
+
+ +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+
+
+ + Acceptance of External Authenticators + + + + + + + + + + + +

Accept only external authenticators that are NIST-compliant; and

+
+ + +

Document and maintain a list of accepted external authenticators.

+
+
+ +

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

+
+ + + + +

only external authenticators that are NIST-compliant are accepted;

+ +
+ + + + +

a list of accepted external authenticators is documented;

+ +
+ + +

a list of accepted external authenticators is maintained.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of third-party credentialing products, components, or services procured and implemented by organization

+

third-party credential verification records

+

evidence of third-party credentials

+

third-party credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept external credentials

+
+
+ +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+
+
+ + Use of Defined Profiles + + + +

identity management profiles are defined;

+
+ + + + + + + + +

Conform to the following profiles for identity management .

+
+ +

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+
+
+ + Re-authentication + + + +

circumstances or situations requiring re-authentication are defined;

+
+ + + + + + + + + + + + + + +

Require users to re-authenticate when .

+
+ +

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

+
+
+
+ + Incident Response + + Policy and Procedures + + + + + + +

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the incident response policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current incident response policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current incident response policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current incident response procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the incident response procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ incident response policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

+
+ + +

Review and update the current incident response:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Incident Response Training + + + + +

ten (10) days for privileged users, thirty (30) days for Incident Response roles

+
+
+ +

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide incident response training to users is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update incident response training content is defined;

+
+ + + + +

events that initiate a review of the incident response training content are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Provide incident response training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming an incident response role or responsibility or acquiring system access;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update incident response training content and following .

+
+
+ +

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+
+ + Incident Handling + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

+
+ + +

Coordinate incident handling activities with contingency planning activities;

+
+ + +

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

+
+ + +

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

+
+
+ +

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

+
+ + + + + + +

an incident handling capability for incidents is implemented that is consistent with the incident response plan;

+ +
+ + +

the incident handling capability for incidents includes preparation;

+ +
+ + +

the incident handling capability for incidents includes detection and analysis;

+ +
+ + +

the incident handling capability for incidents includes containment;

+ +
+ + +

the incident handling capability for incidents includes eradication;

+ +
+ + +

the incident handling capability for incidents includes recovery;

+ +
+ +
+ + +

incident handling activities are coordinated with contingency planning activities;

+ +
+ + + + +

lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;

+ +
+ + +

the changes resulting from the incorporated lessons learned are implemented accordingly;

+ +
+ +
+ + + + +

the rigor of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the intensity of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the scope of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the results of incident handling activities are comparable and predictable across the organization.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident handling

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident handling capability for the organization

+
+
+
+ + Incident Monitoring + + + + + + + + + + + + + + + + + + + + +

Track and document incidents.

+
+ +

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

+
+
+ + Incident Reporting + + + + +

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

+
+
+ +

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

+
+ + + + +

authorities to whom incident information is to be reported are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Require personnel to report suspected incidents to the organizational incident response capability within ; and

+
+ + +

Report incident information to .

+
+
+ +

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

+
+ + + + +

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

+ +
+ + +

incident information is reported to .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

incident reporting records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel who have/should have reported incidents

+

personnel (authorities) to whom incident information is to be reported

+

system users

+
+
+ + + + +

Organizational processes for incident reporting

+

mechanisms supporting and/or implementing incident reporting

+
+
+
+ + Incident Response Assistance + + + + + + + + + + + + + + + + + +

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

+
+ +

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

+
+
+ + Incident Response Plan + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ + + + +

personnel or roles that review and approve the incident response plan is/are identified;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and approve the incident response plan is defined;

+
+ + + + +

entities, personnel, or roles with designated responsibility for incident response are defined;

+
+ + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ +

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

+
+ + + + +

organizational elements to which copies of the incident response plan are to be distributed are defined;

+
+ + + + +

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

+
+ + + + +

organizational elements to which changes to the incident response plan are communicated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Develop an incident response plan that:

+ + +

Provides the organization with a roadmap for implementing its incident response capability;

+
+ + +

Describes the structure and organization of the incident response capability;

+
+ + +

Provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + +

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

+
+ + +

Defines reportable incidents;

+
+ + +

Provides metrics for measuring the incident response capability within the organization;

+
+ + +

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

+
+ + +

Addresses the sharing of incident information;

+
+ + +

Is reviewed and approved by + ; and

+
+ + +

Explicitly designates responsibility for incident response to .

+
+
+ + +

Distribute copies of the incident response plan to ;

+
+ + +

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+
+ + +

Communicate incident response plan changes to ; and

+
+ + +

Protect the incident response plan from unauthorized disclosure and modification.

+
+
+ +

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

+
+ +

Attestation - Specifically attest to US-CERT compliance.

+
+
+
+ + Maintenance + + Policy and Procedures + + + + + + +

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the maintenance policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current maintenance policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current maintenance policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current maintenance procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the maintenance procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ maintenance policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

+
+ + +

Review and update the current maintenance:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Controlled Maintenance + + + +

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

+
+ + + + +

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

+
+ + + + +

information to be included in organizational maintenance records is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

+
+ + +

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

+
+ + +

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+
+ + +

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

+
+ + +

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

+
+ + +

Include the following information in organizational maintenance records: .

+
+
+ +

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

+
+ + + + + + +

maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ +
+ + + + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;

+ +
+ + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;

+ +
+ +
+ + +

+ is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;

+ +
+ + +

+ is included in organizational maintenance records.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing controlled system maintenance

+

maintenance records

+

manufacturer/vendor maintenance specifications

+

equipment sanitization records

+

media sanitization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system

+

organizational processes for sanitizing system components

+

mechanisms supporting and/or implementing controlled maintenance

+

mechanisms implementing the sanitization of system components

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Nonlocal Maintenance + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Approve and monitor nonlocal maintenance and diagnostic activities;

+
+ + +

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

+
+ + +

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + +

Maintain records for nonlocal maintenance and diagnostic activities; and

+
+ + +

Terminate session and network connections when nonlocal maintenance is completed.

+
+
+ +

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

+
+
+ + Maintenance Personnel + + + + + + + + + + + + + + + + + + + + + + +

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

+
+ + +

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

+
+ + +

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ +

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+
+ + + + + + +

a process for maintenance personnel authorization is established;

+ +
+ + +

a list of authorized maintenance organizations or personnel is maintained;

+ +
+ +
+ + +

non-escorted personnel performing maintenance on the system possess the required access authorizations;

+ +
+ + +

organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

service provider contracts

+

service-level agreements

+

list of authorized personnel

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for authorizing and managing maintenance personnel

+

mechanisms supporting and/or implementing authorization of maintenance personnel

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+
+ + Media Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the media protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current media protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current media protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current media protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require media protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ media protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

+
+ + +

Review and update the current media protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Media Access + + + + + + + + + +

types of digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access digital media is/are defined;

+
+ + + + +

types of non-digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access non-digital media is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Restrict access to to .

+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

+
+ + + + +

access to is restricted to ;

+ +
+ + +

access to is restricted to .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media access restrictions

+

access control policy and procedures

+

physical and environmental protection policy and procedures

+

media storage facilities

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for restricting information media

+

mechanisms supporting and/or implementing media access restrictions

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Media Sanitization + + + + +

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

+
+
+ + + + + + + +

system media to be sanitized prior to disposal is defined;

+
+ + + + +

system media to be sanitized prior to release from organizational control is defined;

+
+ + + + +

system media to be sanitized prior to release for reuse is defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

+
+ + +

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

+
+
+ +

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

+
+ + + + + + +

+ is sanitized using prior to disposal;

+ +
+ + +

+ is sanitized using prior to release from organizational control;

+ +
+ + +

+ is sanitized using prior to release for reuse;

+ +
+ +
+ + +

sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

applicable federal standards and policies addressing media sanitization policy

+

media sanitization records

+

system audit records

+

system design documentation

+

records retention and disposition policy

+

records retention and disposition procedures

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media sanitization responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media sanitization

+

mechanisms supporting and/or implementing media sanitization

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Media Use + + + +

types of system media to be restricted or prohibited from use on systems or system components are defined;

+
+ + + + + + + +

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

+
+ + + + +

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

+
+ + + + + + + + + + + + + + + + + + + +

+ the use of on using ; and

+
+ + +

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

+
+
+ +

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

+
+ + + + +

the use of is on using ;

+ +
+ + +

the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

+ +
+ +
+ + + + +

System media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

rules of behavior

+

system design documentation

+

system configuration settings and associated documentation

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media use

+

mechanisms restricting or prohibiting the use of system media on systems or system components

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+
+ + Physical and Environmental Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the physical and environmental protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ physical and environmental protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

+
+ + +

Review and update the current physical and environmental protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Physical Access Authorizations + + + + +

at least annually

+
+
+ +

frequency at which to review the access list detailing authorized facility access by individuals is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

+
+ + +

Issue authorization credentials for facility access;

+
+ + +

Review the access list detailing authorized facility access by individuals ; and

+
+ + +

Remove individuals from the facility access list when access is no longer required.

+
+
+ +

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

+
+ + + + + + +

a list of individuals with authorized access to the facility where the system resides has been developed;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been approved;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been maintained;

+ +
+ +
+ + +

authorization credentials are issued for facility access;

+ +
+ + +

the access list detailing authorized facility access by individuals is reviewed ;

+ +
+ + +

individuals are removed from the facility access list when access is no longer required.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access authorizations

+

authorized personnel access list

+

authorization credentials

+

physical access list reviews

+

physical access termination records and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with physical access to system facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access authorizations

+

mechanisms supporting and/or implementing physical access authorizations

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Physical Access Control + + + + +

at least annually

+
+
+ + + + +

entry and exit points to the facility in which the system resides are defined;

+
+ + + + +

CSP defined physical access control systems/devices AND guards

+
+
+ + + + + +

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

+
+ + + + +

entry or exit points for which physical access logs are maintained are defined;

+
+ + + + +

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

+
+ + + + + +

in all circumstances within restricted access area where the information system resides

+
+
+ +

circumstances requiring visitor escorts and control of visitor activity are defined;

+
+ + + + + +

at least annually

+
+
+ +

physical access devices to be inventoried are defined;

+
+ + + + +

frequency at which to inventory physical access devices is defined;

+
+ + + + +

frequency at which to change combinations is defined;

+
+ + + + +

frequency at which to change keys is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce physical access authorizations at by:

+ + +

Verifying individual access authorizations before granting access to the facility; and

+
+ + +

Controlling ingress and egress to the facility using ;

+
+
+ + +

Maintain physical access audit logs for ;

+
+ + +

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

+
+ + +

Escort visitors and control visitor activity ;

+
+ + +

Secure keys, combinations, and other physical access devices;

+
+ + +

Inventory every ; and

+
+ + +

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

+
+
+ +

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

+
+ + + + + + +

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

+ +
+ + +

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

+ +
+ +
+ + +

physical access audit logs are maintained for ;

+ +
+ + +

access to areas within the facility designated as publicly accessible are maintained by implementing ;

+ +
+ + + + +

visitors are escorted;

+ +
+ + +

visitor activity is controlled ;

+ +
+ +
+ + + + +

keys are secured;

+ +
+ + +

combinations are secured;

+ +
+ + +

other physical access devices are secured;

+ +
+ +
+ + +

+ are inventoried ;

+ +
+ + + + +

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

+ +
+ + +

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access control

+

physical access control logs or records

+

inventory records of physical access control devices

+

system entry and exit points

+

records of key and lock combination changes

+

storage locations for physical access control devices

+

physical access control devices

+

list of security safeguards controlling access to designated publicly accessible areas within facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access control

+

mechanisms supporting and/or implementing physical access control

+

physical access control devices

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Monitoring Physical Access + + + + +

at least monthly

+
+
+ +

the frequency at which to review physical access logs is defined;

+
+ + + + +

events or potential indication of events requiring physical access logs to be reviewed are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

+
+ + +

Review physical access logs and upon occurrence of ; and

+
+ + +

Coordinate results of reviews and investigations with the organizational incident response capability.

+
+
+ +

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

+
+ + + + +

physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;

+ +
+ + + + +

physical access logs are reviewed ;

+ +
+ + +

physical access logs are reviewed upon occurrence of ;

+ +
+ +
+ + + + +

results of reviews are coordinated with organizational incident response capabilities;

+ +
+ + +

results of investigations are coordinated with organizational incident response capabilities.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical access

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing the review of physical access logs

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Visitor Access Records + + + + +

for a minimum of one (1) year

+
+
+ +

time period for which to maintain visitor access records for the facility where the system resides is defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to review visitor access records is defined;

+
+ + + + +

personnel to whom visitor access records anomalies are reported to is/are defined;

+
+ + + + + + + + + + + + + + + +

Maintain visitor access records to the facility where the system resides for ;

+
+ + +

Review visitor access records ; and

+
+ + +

Report anomalies in visitor access records to .

+
+
+ +

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

+
+ + + + +

visitor access records for the facility where the system resides are maintained for ;

+ +
+ + +

visitor access records are reviewed ;

+ +
+ + +

visitor access records anomalies are reported to .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

visitor access control logs or records

+

visitor access record or log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with visitor access record responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for maintaining and reviewing visitor access records

+

mechanisms supporting and/or implementing the maintenance and review of visitor access records

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Emergency Lighting + + + + + + + + + + +

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

+
+ +

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

+
+ + + + +

automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;

+ +
+ + +

automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;

+ +
+ + +

automatic emergency lighting for the system covers emergency exits within the facility;

+ +
+ + +

automatic emergency lighting for the system covers evacuation routes within the facility.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency lighting

+

emergency lighting documentation

+

emergency lighting test records

+

emergency exits and evacuation routes

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency lighting and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an emergency lighting capability

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Fire Protection + + + + + + + + + +

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

+
+ +

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

+
+ + + + +

fire detection systems are employed;

+ +
+ + +

employed fire detection systems are supported by an independent energy source;

+ +
+ + +

employed fire detection systems are maintained;

+ +
+ + +

fire suppression systems are employed;

+ +
+ + +

employed fire suppression systems are supported by an independent energy source;

+ +
+ + +

employed fire suppression systems are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire suppression/detection devices/systems

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Environmental Controls + + + +

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

+
+
+ + + + + +

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

+
+ + + + +

acceptable levels for environmental controls are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which to monitor environmental control levels is defined;

+
+ + + + + + + + + + + + + +

Maintain levels within the facility where the system resides at ; and

+
+ + +

Monitor environmental control levels .

+
+ + PE-14(a) Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+ +

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

+
+ + + + +

+ levels are maintained at within the facility where the system resides;

+ +
+ + +

environmental control levels are monitored .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing temperature and humidity control

+

temperature and humidity controls

+

facility housing the system

+

temperature and humidity controls documentation

+

temperature and humidity records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Water Damage Protection + + + + + + + + + + +

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

+
+ +

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

+
+ + + + +

the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;

+ +
+ + +

the master shutoff or isolation valves are accessible;

+ +
+ + +

the master shutoff or isolation valves are working properly;

+ +
+ + +

the master shutoff or isolation valves are known to key personnel.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the system

+

master shutoff valves

+

list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

+

master shutoff valve documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Master water-shutoff valves

+

organizational process for activating master water shutoff

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + Delivery and Removal + + + + +

all information system components

+
+
+ + + + +

types of system components to be authorized and controlled when entering the facility are defined;

+
+ + + + +

types of system components to be authorized and controlled when exiting the facility are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Authorize and control entering and exiting the facility; and

+
+ + +

Maintain records of the system components.

+
+
+ +

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

+
+ + + + + + +

+ are authorized when entering the facility;

+ +
+ + +

+ are controlled when entering the facility;

+ +
+ + +

+ are authorized when exiting the facility;

+ +
+ + +

+ are controlled when exiting the facility;

+ +
+ +
+ + +

records of the system components are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing the delivery and removal of system components from the facility

+

facility housing the system

+

records of items entering and exiting the facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for controlling system components entering and exiting the facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility

+

mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility

+
+
+ +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+
+ + Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

+
+ + +

Review and update the current planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + System Security and Privacy Plans + + + +

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

+
+ + + + +

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

+
+ + + + + +

at least annually

+
+
+ +

frequency to review system security and privacy plans is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy plans for the system that:

+ + +

Are consistent with the organization’s enterprise architecture;

+
+ + +

Explicitly define the constituent system components;

+
+ + +

Describe the operational context of the system in terms of mission and business processes;

+
+ + +

Identify the individuals that fulfill system roles and responsibilities;

+
+ + +

Identify the information types processed, stored, and transmitted by the system;

+
+ + +

Provide the security categorization of the system, including supporting rationale;

+
+ + +

Describe any specific threats to the system that are of concern to the organization;

+
+ + +

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

+
+ + +

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

+
+ + +

Provide an overview of the security and privacy requirements for the system;

+
+ + +

Identify any relevant control baselines or overlays, if applicable;

+
+ + +

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

+
+ + +

Include risk determinations for security and privacy architecture and design decisions;

+
+ + +

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

+
+ + +

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+
+
+ + +

Distribute copies of the plans and communicate subsequent changes to the plans to ;

+
+ + +

Review the plans ;

+
+ + +

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

+
+ + +

Protect the plans from unauthorized disclosure and modification.

+
+
+ +

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

+

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

+

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

+

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

+
+ + + + + + + + +

a security plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ + +

a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ +
+ + + + +

a security plan for the system is developed that explicitly defines the constituent system components;

+ +
+ + +

a privacy plan for the system is developed that explicitly defines the constituent system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ + +

a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ + +

a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ + +

a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ + +

a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ + +

a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ + +

a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ + +

a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides an overview of the security requirements for the system;

+ +
+ + +

a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ + +

a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;

+ +
+ + +

a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes risk determinations for security architecture and design decisions;

+ +
+ + +

a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

+ +
+ + +

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

+ +
+ +
+ + + + +

a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+ +
+ + +

a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+ +
+ +
+ +
+ + + + +

copies of the plans are distributed to ;

+ +
+ + +

subsequent changes to the plans are communicated to ;

+ +
+ +
+ + +

plans are reviewed ;

+ +
+ + + + +

plans are updated to address changes to the system and environment of operations;

+ +
+ + +

plans are updated to address problems identified during the plan implementation;

+ +
+ + +

plans are updated to address problems identified during control assessments;

+ +
+ +
+ + + + +

plans are protected from unauthorized disclosure;

+ +
+ + +

plans are protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing security and privacy plan reviews and updates

+

enterprise architecture documentation

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

security and privacy architecture and design documentation

+

risk assessments

+

risk assessment results

+

control assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system security and privacy planning and plan implementation responsibilities

+

system developers

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for system security and privacy plan development, review, update, and approval

+

mechanisms supporting the system security and privacy plan

+
+
+
+ + Rules of Behavior + + + + +

at least every 3 years

+
+
+ +

frequency for reviewing and updating the rules of behavior is defined;

+
+ + + + +

at least annually and when the rules are revised or changed

+
+
+ + + + + +

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

+
+ + +

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

+
+ + +

Review and update the rules of behavior ; and

+
+ + +

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

+
+
+ +

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

+
+ + Social Media and External Site/Application Usage Restrictions + + + + + + + + + + +

Include in the rules of behavior, restrictions on:

+ + +

Use of social media, social networking sites, and external sites/applications;

+
+ + +

Posting organizational information on public websites; and

+
+ + +

Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+
+
+ +

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.

+
+
+
+ + Security and Privacy Architectures + + + + +

at least annually and when a significant change occurs

+
+
+ +

frequency for review and update to reflect changes in the enterprise architecture;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy architectures for the system that:

+ + +

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+
+ + +

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+
+ + +

Describe how the architectures are integrated into and support the enterprise architecture; and

+
+ + +

Describe any assumptions about, and dependencies on, external systems and services;

+
+
+ + +

Review and update the architectures to reflect changes in the enterprise architecture; and

+
+ + +

Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

+
+
+ +

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

+

+ SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

+

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

+

+ PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

+
+ + + + + + +

a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+ +
+ + +

a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+ +
+ + + + +

a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ + +

a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ +
+ + + + +

a security architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ + +

a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ +
+ +
+ + +

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

+ +
+ + + + +

planned architecture changes are reflected in the security plan;

+ +
+ + +

planned architecture changes are reflected in the privacy plan;

+ +
+ + +

planned architecture changes are reflected in the Concept of Operations (CONOPS);

+ +
+ + +

planned architecture changes are reflected in criticality analysis;

+ +
+ + +

planned architecture changes are reflected in organizational procedures;

+ +
+ + +

planned architecture changes are reflected in procurements and acquisitions.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing information security and privacy architecture development

+

procedures addressing information security and privacy architecture reviews and updates

+

enterprise architecture documentation

+

information security and privacy architecture documentation

+

system security plan

+

privacy plan

+

security and privacy CONOPS for the system

+

records of information security and privacy architecture reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for developing, reviewing, and updating the information security and privacy architecture

+

mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture

+
+
+
+ + Baseline Selection + + + + + + + + + + + + + + + + + + + + + +

Select a control baseline for the system.

+
+ +

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

+
+
+ + Baseline Tailoring + + + + + + + + + + + + + + + + + + + + + +

Tailor the selected control baseline by applying specified tailoring actions.

+
+ +

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

+
+
+
+ + Personnel Security + + Policy and Procedures + + + + + + +

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the personnel security policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current personnel security policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current personnel security policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current personnel security procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the personnel security procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ personnel security policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

+
+ + +

Review and update the current personnel security:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Position Risk Designation + + + + +

at least every three years

+
+
+ +

the frequency at which to review and update position risk designations is defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Assign a risk designation to all organizational positions;

+
+ + +

Establish screening criteria for individuals filling those positions; and

+
+ + +

Review and update position risk designations .

+
+
+ +

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

+
+
+ + Personnel Screening + + + + +

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

+

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

+
+
+ + + + +

conditions requiring rescreening of individuals are defined;

+
+ + + + +

the frequency of rescreening individuals where it is so indicated is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Screen individuals prior to authorizing access to the system; and

+
+ + +

Rescreen individuals in accordance with .

+
+
+ +

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

+
+ + + + +

individuals are screened prior to authorizing access to the system;

+ +
+ + + + +

individuals are rescreened in accordance with ;

+ +
+ + +

where rescreening is so indicated, individuals are rescreened .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel screening

+

records of screened personnel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel screening

+
+
+
+ + Personnel Termination + + + + +

four (4) hours

+
+
+ +

a time period within which to disable system access is defined;

+
+ + + + +

information security topics to be discussed when conducting exit interviews are defined;

+
+ + + + + + + + + + + + + +

Upon termination of individual employment:

+ + +

Disable system access within ;

+
+ + +

Terminate or revoke any authenticators and credentials associated with the individual;

+
+ + +

Conduct exit interviews that include a discussion of ;

+
+ + +

Retrieve all security-related organizational system-related property; and

+
+ + +

Retain access to organizational information and systems formerly controlled by terminated individual.

+
+
+ +

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

+
+
+ + Personnel Transfer + + + +

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

+
+ + + + +

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

+
+ + + + + + + + + + + + + + + +

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

+
+ + +

Initiate within ;

+
+ + +

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

+
+ + +

Notify within .

+
+
+ +

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

+
+
+ + Access Agreements + + + + +

at least annually

+
+
+ +

the frequency at which to review and update access agreements is defined;

+
+ + + + + +

at least annually and any time there is a change to the user's level of access

+
+
+ +

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop and document access agreements for organizational systems;

+
+ + +

Review and update the access agreements ; and

+
+ + +

Verify that individuals requiring access to organizational information and systems:

+ + +

Sign appropriate access agreements prior to being granted access; and

+
+ + +

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+
+
+
+ +

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

+
+
+ + External Personnel Security + + + + +

including access control personnel responsible for the system and/or facilities, as appropriate

+
+
+ +

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

+
+ + + + + +

within twenty-four (24) hours

+
+
+ +

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Establish personnel security requirements, including security roles and responsibilities for external providers;

+
+ + +

Require external providers to comply with personnel security policies and procedures established by the organization;

+
+ + +

Document personnel security requirements;

+
+ + +

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

+
+ + +

Monitor provider compliance with personnel security requirements.

+
+
+ +

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

+
+ +

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

+
+
+ + Personnel Sanctions + + + + +

at a minimum, the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

+
+ + + + +

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

+
+ + + + + + + + + + + + + +

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

+
+ + +

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+ +

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

+
+
+ + Position Descriptions + + + + + + + +

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

+
+ +

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

+
+
+
+ + Risk Assessment + + Policy and Procedures + + + + + + +

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the risk assessment policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current risk assessment policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current risk assessment policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require risk assessment procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ risk assessment policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

+
+ + +

Review and update the current risk assessment:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Security Categorization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Categorize the system and information it processes, stores, and transmits;

+
+ + +

Document the security categorization results, including supporting rationale, in the security plan for the system; and

+
+ + +

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ +

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

+

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

+

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

+
+
+ + Risk Assessment + + + +

security assessment report

+
+
+ + + + + +

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

+
+ + + + + +

at least every three (3) years and when a significant change occurs

+
+
+ +

the frequency to review risk assessment results is defined;

+
+ + + + +

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

+
+ + + + + +

at least every three (3) years

+
+
+ +

the frequency to update the risk assessment is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Conduct a risk assessment, including:

+ + +

Identifying threats to and vulnerabilities in the system;

+
+ + +

Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

+
+ + +

Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+
+
+ + +

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

+
+ + +

Document risk assessment results in ;

+
+ + +

Review risk assessment results ;

+
+ + +

Disseminate risk assessment results to ; and

+
+ + +

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+
+
+ +

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

+

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

+

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

+
+ + + + + + +

a risk assessment is conducted to identify threats to and vulnerabilities in the system;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+ +
+ +
+ + +

risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;

+ +
+ + +

risk assessment results are documented in ;

+ +
+ + +

risk assessment results are reviewed ;

+ +
+ + +

risk assessment results are disseminated to ;

+ +
+ + +

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+ +
+ +
+ + + + +

Risk assessment policy

+

risk assessment procedures

+

security and privacy planning policy and procedures

+

procedures addressing organizational assessments of risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment

+
+
+ + Supply Chain Risk Assessment + + + +

systems, system components, and system services to assess supply chain risks are defined;

+
+ + + + +

the frequency at which to update the supply chain risk assessment is defined;

+
+ + + + + + + + + + + + + + + + +

Assess supply chain risks associated with ; and

+
+ + +

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+
+
+ +

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

+
+
+
+ + Vulnerability Monitoring and Scanning + + + + +

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

+
+
+ + + + +

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

+
+ + + + +

frequency for scanning systems and hosted applications for vulnerabilities is defined;

+
+ + + + + +

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

+
+
+ +

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

+
+ + + + +

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

+
+ + +

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + +

Enumerating platforms, software flaws, and improper configurations;

+
+ + +

Formatting checklists and test procedures; and

+
+ + +

Measuring vulnerability impact;

+
+
+ + +

Analyze vulnerability scan reports and results from vulnerability monitoring;

+
+ + +

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+
+ + +

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

+
+ + +

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

+
+
+ +

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

+

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

+

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

+

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

+
+ + + + + + +

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ + +

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;

+ + +

vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;

+ +
+ +
+ + +

vulnerability scan reports and results from vulnerability monitoring are analyzed;

+ +
+ + +

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

+ +
+ + +

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

+ +
+ + +

vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.

+ +
+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with vulnerability remediation responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

+

mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

+
+
+ + Update Vulnerabilities to Be Scanned + + + +

prior to a new scan

+
+
+ + + + + +

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

+
+ + + + + + + + + + + +

Update the system vulnerabilities to be scanned .

+
+ +

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

+
+ + +

the system vulnerabilities to be scanned are updated .

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Public Disclosure Program + + + + + + + + + +

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

+
+ +

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

+
+ + +

a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

vulnerability scanning tools and techniques documentation

+

vulnerability scanning results

+

vulnerability management records

+

audit records

+

public reporting channel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms implementing the public reporting of vulnerabilities

+
+
+
+
+ + Risk Response + + + + + + + + + + + + + + + + + + + + + +

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

+
+ +

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

+
+ + + + +

findings from security assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from privacy assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from monitoring are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from audits are responded to in accordance with organizational risk tolerance.

+ +
+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

audit records/event logs

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

system/network administrators

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+
+ + System and Services Acquisition + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and services acquisition policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and services acquisition policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

+
+ + +

Review and update the current system and services acquisition:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Allocation of Resources + + + + + + + + + + + + + + + + + + +

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

+
+ + +

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

+
+ + +

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

+
+
+ +

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

+
+
+ + System Development Life Cycle + + + +

system development life cycle is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

+
+ + +

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

+
+ + +

Identify individuals having information security and privacy roles and responsibilities; and

+
+ + +

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

+
+
+ +

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

+

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

+
+
+ + Acquisition Process + + + + + + +

contract language is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

+ + +

Security and privacy functional requirements;

+
+ + +

Strength of mechanism requirements;

+
+ + +

Security and privacy assurance requirements;

+
+ + +

Controls needed to satisfy the security and privacy requirements.

+
+ + +

Security and privacy documentation requirements;

+
+ + +

Requirements for protecting security and privacy documentation;

+
+ + +

Description of the system development environment and environment in which the system is intended to operate;

+
+ + +

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

+
+ + +

Acceptance criteria.

+
+
+ +

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

+

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

+

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

+
+ + Use of Approved PIV Products + + + + + + + + + + + +

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

+
+ +

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.

+
+
+
+ + System Documentation + + + +

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

+
+ + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles to distribute system documentation to is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Obtain or develop administrator documentation for the system, system component, or system service that describes:

+ + +

Secure configuration, installation, and operation of the system, component, or service;

+
+ + +

Effective use and maintenance of security and privacy functions and mechanisms; and

+
+ + +

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

+
+
+ + +

Obtain or develop user documentation for the system, system component, or system service that describes:

+ + +

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

+
+ + +

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

+
+ + +

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

+
+
+ + +

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

+
+ + +

Distribute documentation to .

+
+
+ +

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

+
+
+ + Security and Privacy Engineering Principles + + + + + + +

systems security engineering principles are defined;

+
+ + + + +

privacy engineering principles are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

+
+ +

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

+

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

+

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

+
+
+ + External System Services + + + + +

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

+
+
+ +

controls to be employed by external system service providers are defined;

+
+ + + + + +

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

+
+
+ +

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

+
+ + +

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

+
+ + +

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

+
+
+ +

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

+
+ + + + + + +

providers of external system services comply with organizational security requirements;

+ +
+ + +

providers of external system services comply with organizational privacy requirements;

+ +
+ + +

providers of external system services employ ;

+ +
+ +
+ + + + +

organizational oversight with regard to external system services are defined and documented;

+ +
+ + +

user roles and responsibilities with regard to external system services are defined and documented;

+ +
+ +
+ + +

+ are employed to monitor control compliance by external service providers on an ongoing basis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing methods and techniques for monitoring control compliance by external service providers of system services

+

acquisition documentation

+

contracts

+

service level agreements

+

interagency agreements

+

licensing agreements

+

list of organizational security and privacy requirements for external provider services

+

control assessment results or reports from external providers of system services

+

system security plan

+

privacy plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

external providers of system services

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis

+

mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis

+
+
+
+ + Unsupported System Components + + + + + + +

support from external providers is defined (if selected);

+
+ + + + + + + + + + + + + +

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

+
+ + +

Provide the following options for alternative sources for continued support for unsupported components .

+
+
+ +

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

+

Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.

+
+ + + + +

system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;

+ +
+ + +

+ provide options for alternative sources for continued support for unsupported components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the replacement or continued use of unsupported system components

+

documented evidence of replacing unsupported system components

+

documented approvals (including justification) for the continued use of unsupported system components

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with the responsibility for the system development life cycle

+

organizational personnel responsible for component replacement

+
+
+ + + + +

Organizational processes for replacing unsupported system components

+

mechanisms supporting and/or implementing the replacement of unsupported system components

+
+
+
+
+ + System and Communications Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and communications protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and communications protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and communications protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and communications protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

+
+ + +

Review and update the current system and communications protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Denial-of-service Protection + + + + +

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

+
+
+ +

types of denial-of-service events to be protected against or limited are defined;

+
+ + + + +

Protect against

+
+
+ + + + + +

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

+
+ + + + + + + + + + + + + + + + + +

+ the effects of the following types of denial-of-service events: ; and

+
+ + +

Employ the following controls to achieve the denial-of-service objective: .

+
+
+ +

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

+
+ + + + +

the effects of are ;

+ +
+ + +

+ are employed to achieve the denial-of-service protection objective.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing denial-of-service protection

+

system design documentation

+

list of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks

+

list of security safeguards protecting against or limiting the effects of denial-of-service attacks

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+

system developer

+
+
+ + + + +

Mechanisms protecting against or limiting the effects of denial-of-service attacks

+
+
+ +

Condition: If availability is a requirement, define protections in place as per control requirement.

+
+
+ + Boundary Protection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

+
+ + +

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

+
+ + +

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+
+
+ +

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

+
+ + + + + + +

communications at external managed interfaces to the system are monitored;

+ +
+ + +

communications at external managed interfaces to the system are controlled;

+ +
+ + +

communications at key internal managed interfaces within the system are monitored;

+ +
+ + +

communications at key internal managed interfaces within the system are controlled;

+ +
+ +
+ + +

subnetworks for publicly accessible system components are separated from internal organizational networks;

+ +
+ + +

external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

list of key internal boundaries of the system

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

enterprise security architecture documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+
+
+
+ + Transmission Confidentiality and Integrity + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of transmitted information.

+
+ +

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

+

Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

+
+ + +

the of transmitted information is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+
+
+ + Cryptographic Protection + + + + + + + + + + + + + +

Implement cryptographic mechanisms to during transmission.

+
+ +

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

+
+ + +

cryptographic mechanisms are implemented to during transmission.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+

mechanisms supporting and/or implementing alternative physical safeguards

+

organizational processes for defining and implementing alternative physical safeguards

+
+
+
+
+ + Cryptographic Key Establishment and Management + + + + +

In accordance with Federal requirements

+
+
+ +

requirements for key generation, distribution, storage, access, and destruction are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

+
+ +

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

+
+ + + + +

cryptographic keys are established when cryptography is employed within the system in accordance with ;

+ +
+ + +

cryptographic keys are managed when cryptography is employed within the system in accordance with .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic key establishment and management

+

system design documentation

+

cryptographic mechanisms

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment and/or management

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic key establishment and management

+
+
+
+ + Cryptographic Protection + + + +

cryptographic uses are defined;

+
+ + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

types of cryptography for each specified cryptographic use are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine the ; and

+
+ + +

Implement the following types of cryptography required for each specified cryptographic use: .

+
+
+ +

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + +

+ are identified;

+ +
+ + +

+ for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic protection

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic module validation certificates

+

list of FIPS-validated cryptographic modules

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for cryptographic protection

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection

+
+
+ +

Condition: If implementing need to detail how they meet it or don't meet it.

+
+
+ + Collaborative Computing Devices and Applications + + + + +

no exceptions for computing devices

+
+
+ +

exceptions where remote activation is to be allowed are defined;

+
+ + + + + + + + + + + +

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

+
+ + +

Provide an explicit indication of use to users physically present at the devices.

+
+
+ +

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

+
+ +

NSO - Not directly related to the security of the SaaS.

+
+
+ + Secure Name/Address Resolution Service (Authoritative Source) + + + + + + + + + + + + + + + + + +

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

+
+ + +

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

+
+
+ +

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

+
+
+ + Secure Name/Address Resolution Service (Recursive or Caching Resolver) + + + + + + + + + +

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+
+ +

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

+
+
+ + Architecture and Provisioning for Name/Address Resolution Service + + + + + + + + + + + +

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

+
+ +

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

+
+
+ + Protection of Information at Rest + + + + + + +

information at rest requiring protection is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of the following information at rest: .

+
+ +

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

+
+ + +

the of is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

list of information at rest requiring confidentiality and integrity protections

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

+
+
+ + Cryptographic Protection + + + +

information requiring cryptographic protection is defined;

+
+ + + + + +

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

+
+
+ +

system components or media requiring cryptographic protection is/are defined;

+
+ + + + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

+
+ + + + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

+ +
+ + +

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest

+
+
+
+
+ + Process Isolation + + + + + + + + + + + + + + + + +

Maintain a separate execution domain for each executing system process.

+
+ +

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

+
+
+
+ + System and Information Integrity + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and information integrity policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and information integrity policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and information integrity procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and information integrity policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

+
+ + +

Review and update the current system and information integrity:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Flaw Remediation + + + + +

within thirty (30) days of release of updates

+
+
+ +

time period within which to install security-relevant software updates after the release of the updates is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify, report, and correct system flaws;

+
+ + +

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + +

Install security-relevant software and firmware updates within of the release of the updates; and

+
+ + +

Incorporate flaw remediation into the organizational configuration management process.

+
+
+ +

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

+

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

+
+ + + + + + +

system flaws are identified;

+ +
+ + +

system flaws are reported;

+ +
+ + +

system flaws are corrected;

+ +
+ +
+ + + + +

software updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

software updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ +
+ + + + +

security-relevant software updates are installed within of the release of the updates;

+ +
+ + +

security-relevant firmware updates are installed within of the release of the updates;

+ +
+ +
+ + +

flaw remediation is incorporated into the organizational configuration management process.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

procedures addressing configuration management

+

list of flaws and vulnerabilities potentially affecting the system

+

list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)

+

test results from the installation of software and firmware updates to correct system flaws

+

installation/change control records for security-relevant software and firmware updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel responsible for installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

organizational process for installing software and firmware updates

+

mechanisms supporting and/or implementing the reporting and correcting of system flaws

+

mechanisms supporting and/or implementing testing software and firmware updates

+
+
+
+ + Malicious Code Protection + + + +

signature based and non-signature based

+
+
+ + + + + + +

at least weekly

+
+
+ +

the frequency at which malicious code protection mechanisms perform scans is defined;

+
+ + + + +

to include endpoints and network entry and exit points

+
+
+ + + + + +

to include blocking and quarantining malicious code

+
+
+ + + + + + +

administrator or defined security personnel near-realtime

+
+
+ +

action to be taken in response to malicious code detection are defined (if selected);

+
+ + + + +

personnel or roles to be alerted when malicious code is detected is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

+
+ + +

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

+
+ + +

Configure malicious code protection mechanisms to:

+ + +

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

+
+ + +

+ ; and send alert to in response to malicious code detection; and

+
+
+ + +

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

+
+
+ +

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

+

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

+

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

+
+ + + + + + +

+ malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

+ +
+ + +

+ malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

+ +
+ +
+ + +

malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;

+ +
+ + + + + + +

malicious code protection mechanisms are configured to perform periodic scans of the system ;

+ +
+ + +

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

+ +
+ +
+ + + + +

malicious code protection mechanisms are configured to in response to malicious code detection;

+ +
+ + +

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

+ +
+ +
+ +
+ + +

the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policy and procedures

+

procedures addressing malicious code protection

+

malicious code protection mechanisms

+

records of malicious code protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

scan results from malicious code protection mechanisms

+

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for malicious code protection

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

+

organizational processes for addressing false positives and resulting potential impacts

+

mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms

+

mechanisms supporting and/or implementing malicious code scanning and subsequent actions

+
+
+
+ + System Monitoring + + + +

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

+
+ + + + +

techniques and methods used to identify unauthorized use of the system are defined;

+
+ + + + +

system monitoring information to be provided to personnel or roles is defined;

+
+ + + + +

personnel or roles to whom system monitoring information is to be provided is/are defined;

+
+ + + + + + + +

a frequency for providing system monitoring to personnel or roles is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor the system to detect:

+ + +

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

+
+ + +

Unauthorized local, network, and remote connections;

+
+
+ + +

Identify unauthorized use of the system through the following techniques and methods: ;

+
+ + +

Invoke internal monitoring capabilities or deploy monitoring devices:

+ + +

Strategically within the system to collect organization-determined essential information; and

+
+ + +

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + +

Analyze detected events and anomalies;

+
+ + +

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+
+ + +

Obtain legal opinion regarding system monitoring activities; and

+
+ + +

Provide to + .

+
+
+ +

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

+

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

+ +
+ + + + +

the system is monitored to detect unauthorized local connections;

+ +
+ + +

the system is monitored to detect unauthorized network connections;

+ +
+ + +

the system is monitored to detect unauthorized remote connections;

+ +
+ +
+ +
+ + +

unauthorized use of the system is identified through ;

+ +
+ + + + +

internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;

+ +
+ + +

internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;

+ +
+ +
+ + + + +

detected events are analyzed;

+ +
+ + +

detected anomalies are analyzed;

+ +
+ +
+ + +

the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+ +
+ + +

a legal opinion regarding system monitoring activities is obtained;

+ +
+ + +

+ is provided to + .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

continuous monitoring strategy

+

facility diagram/layout

+

system design documentation

+

system monitoring tools and techniques documentation

+

locations within the system where monitoring devices are deployed

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring capabilities

+
+
+
+ + Security Alerts, Advisories, and Directives + + + + +

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

+
+
+ +

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

+
+ + + + +

to include system security personnel and administrators with configuration/patch-management responsibilities

+
+
+ + + + + +

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

+
+ + + + +

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + +

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + + + + + + + + + + + +

Receive system security alerts, advisories, and directives from on an ongoing basis;

+
+ + +

Generate internal security alerts, advisories, and directives as deemed necessary;

+
+ + +

Disseminate security alerts, advisories, and directives to: ; and

+
+ + +

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

+
+
+ +

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

+
+
+ + Information Management and Retention + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

+
+ +

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

+
+ +

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

+
+
+
+ + Supply Chain Risk Management + + Policy and Procedures + + + + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ +

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

+
+ + + + +

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

+
+ + + + + + + +

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

+
+ + + + +

events that require the current supply chain risk management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that require the supply chain risk management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ supply chain risk management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

+
+ + +

Review and update the current supply chain risk management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+
+ + Supply Chain Risk Management Plan + + + +

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and update the supply chain risk management plan is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

+
+ + +

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

+
+ + +

Protect the supply chain risk management plan from unauthorized disclosure and modification.

+
+
+ +

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

+

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

+
+ + Establish SCRM Team + + + +

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

+
+ + + + +

supply chain risk management activities are defined;

+
+ + + + + + + + + +

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

+
+ +

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

+
+
+
+ + Supply Chain Controls and Processes + + + +

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

+
+ + + + +

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

+
+ + + + +

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

+
+ + + + + + + +

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

+
+ + +

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

+
+ + +

Document the selected and implemented supply chain processes and controls in .

+
+
+ +

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

+
+
+ + Acquisition Strategies, Tools, and Methods + + + +

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

+
+ +

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

+
+
+ + Notification Agreements + + + +

notification of supply chain compromises and results of assessment or audits

+
+
+ + + + + +

information for which agreements and procedures are to be established are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + +

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

+
+ +

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

+
+
+ + Inspection of Systems or Components + + + +

systems or system components that require inspection are defined;

+
+ + + + + + + +

frequency at which to inspect systems or system components is defined (if selected);

+
+ + + + +

indications of the need for an inspection of systems or system components are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + +

Inspect the following systems or system components to detect tampering: .

+
+ +

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

+
+
+ + Component Authenticity + + + + + + +

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + +

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + + + + + + + + + + + + + +

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

+
+ + +

Report counterfeit system components to .

+
+
+ +

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

+
+ + Anti-counterfeit Training + + + +

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

+
+ + + + + + + + + + +

Train to detect counterfeit system components (including hardware, software, and firmware).

+
+ +

None.

+
+
+ + Configuration Control for Component Service and Repair + + + + +

all

+
+
+ +

system components requiring configuration control are defined;

+
+ + + + + + + + + + + + + +

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

+
+ +

None.

+
+
+
+ + Component Disposal + + + +

data, documentation, tools, or system components to be disposed of are defined;

+
+ + + + +

techniques and methods for disposing of data, documentation, tools, or system components are defined;

+
+ + + + + + + + + +

Dispose of using the following techniques and methods: .

+
+ +

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

+
+
+
+ + 32 CFR 2002 + + Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + + + 5 CFR 731 + + Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). + + + + + CNSSD 505 + + Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. + + + + + CNSSI 1253 + + Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. + + + + + DOD STIG + + Defense Information Systems Agency, Security Technical Implementation Guides (STIG). + + + + + EO 13526 + + Executive Order 13526, Classified National Security Information , December 2009. + + + + + EO 13587 + + Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. + + + + + EO 13873 + + Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. + + + + + FASC18 + + Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018. + + + + + FED PKI + + General Services Administration, Federal Public Key Infrastructure. + + + + + FIPS 140-3 + + National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. + + + + + FIPS 180-4 + + National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. + + + + + FIPS 186-4 + + National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. + + + + + FIPS 197 + + National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. + + + + + FIPS 199 + + National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. + + + + + FIPS 200 + + National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. + + + + + FIPS 201-2 + + National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. + + + + + FIPS 202 + + National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. + + + + + FISMA + + Federal Information Security Modernization Act (P.L. 113-283), December 2014. + + + + + HSPD 12 + + Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004. + + + + + IR 7539 + + Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. + + + + + IR 7559 + + Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. + + + + + IR 7622 + + Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. + + + + + IR 7676 + + Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + + + + + IR 7788 + + Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. + + + + + IR 7817 + + Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + + + + + IR 7849 + + Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. + + + + + IR 7870 + + Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. + + + + + IR 7874 + + Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. + + + + + IR 7956 + + Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. + + + + + IR 7966 + + Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. + + + + + IR 8011-1 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1. + + + + + IR 8011-2 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. + + + + + IR 8011-3 + + Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. + + + + + IR 8011-4 + + Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4. + + + + + IR 8023 + + Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. + + + + + IR 8040 + + Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. + + + + + IR 8062 + + Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. + + + + + IR 8179 + + Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. + + + + + IR 8272 + + Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272. + + + + + ISO 15408-1 + + International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. + + + + + ISO 15408-2 + + International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. + + + + + ISO 15408-3 + + International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. + + + + + ISO 20243 + + International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. + + + + + ISO 27036 + + International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. + + + + + ISO 29147 + + International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. + + + + + ISO 29148 + + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. + + + + + NARA CUI + + National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. + + + + + NCPR + + National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at + + + + + NIAP CCEVS + + National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. + + + + + NIST CAVP + + National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at + + + + + NIST CMVP + + National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at + + + + + NSA CSFC + + National Security Agency, Commercial Solutions for Classified Program (CSfC). + + + + + NSA MEDIA + + National Security Agency, Media Destruction Guidance. + + + + + ODNI CTF + + Office of the Director of National Intelligence (ODNI) Cyber Threat Framework. + + + + + OMB A-130 + + Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. + + + + + OMB M-17-12 + + Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. + + + + + OMB M-19-03 + + Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. + + + + + PRIVACT + + Privacy Act (P.L. 93-579), December 1974. + + + + + SP 800-100 + + Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. + + + + + SP 800-101 + + Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. + + + + + SP 800-111 + + Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + + + + + SP 800-113 + + Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. + + + + + SP 800-114 + + Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. + + + + + SP 800-115 + + Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. + + + + + SP 800-116 + + Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. + + + + + SP 800-121 + + Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. + + + + + SP 800-124 + + Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. + + + + + SP 800-125B + + Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + + + + + SP 800-126 + + Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. + + + + + SP 800-128 + + Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. + + + + + SP 800-12 + + Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. + + + + + SP 800-130 + + Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. + + + + + SP 800-137A + + Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. + + + + + SP 800-137 + + Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. + + + + + SP 800-150 + + Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + + + + + SP 800-152 + + Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + + + + + SP 800-156 + + Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. + + + + + SP 800-160-1 + + Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. + + + + + SP 800-160-2 + + Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. + + + + + SP 800-161 + + Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. + + + + + SP 800-162 + + Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. + + + + + SP 800-166 + + Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. + + + + + SP 800-167 + + Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. + + + + + SP 800-171 + + Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. + + + + + SP 800-172 + + Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172. + + + + + SP 800-177 + + Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. + + + + + SP 800-178 + + Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. + + + + + SP 800-181 + + Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. + + + + + SP 800-184 + + Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. + + + + + SP 800-189 + + Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. + + + + + SP 800-18 + + Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. + + + + + SP 800-192 + + Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. + + + + + SP 800-30 + + Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. + + + + + SP 800-34 + + Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + + + + + SP 800-35 + + Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. + + + + + SP 800-37 + + Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. + + + + + SP 800-39 + + Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. + + + + + SP 800-40 + + Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. + + + + + SP 800-41 + + Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. + + + + + SP 800-46 + + Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. + + + + + SP 800-47 + + Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. + + + + + SP 800-50 + + Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. + + + + + SP 800-52 + + McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. + + + + + SP 800-53A + + Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. + + + + + SP 800-53B + + Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B. + + + + + SP 800-56A + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. + + + + + SP 800-56B + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. + + + + + SP 800-56C + + Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. + + + + + SP 800-57-1 + + Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. + + + + + SP 800-57-2 + + Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. + + + + + SP 800-57-3 + + Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. + + + + + SP 800-60-1 + + Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. + + + + + SP 800-60-2 + + Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. + + + + + SP 800-61 + + Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + + + + + SP 800-63-3 + + Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + + + + + SP 800-63B + + Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020. + + + + + SP 800-70 + + Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. + + + + + SP 800-73-4 + + Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + + + + + SP 800-76-2 + + Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + + + + + SP 800-77 + + Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. + + + + + SP 800-78-4 + + Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. + + + + + SP 800-79-2 + + Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. + + + + + SP 800-81-2 + + Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. + + + + + SP 800-83 + + Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. + + + + + SP 800-84 + + Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. + + + + + SP 800-86 + + Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + + + + + SP 800-88 + + Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. + + + + + SP 800-92 + + Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. + + + + + SP 800-94 + + Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. + + + + + SP 800-97 + + Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. + + + + + USA PATRIOT + + USA Patriot Act (P.L. 107-56), October 2001. + + + + + USC 2901 + + United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. + + + + + USCERT IR + + Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. + + + + + USGCB + + National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at + + + + + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) + + FedRAMP Applicable Laws and Regulations diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml index de4e87a34..16b30c37b 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml @@ -2952,7 +2952,7 @@ NIST Special Publication (SP) 800-53 - +
diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml index 8f2b19aea..c29214489 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.xml @@ -1,10 +1,10 @@ + uuid="35042880-1779-490e-aca6-409ea1086471"> FedRAMP Rev 5 Low Baseline 2023-08-31T00:00:00Z - 2023-12-18T20:27:49.732066-05:00 + 2024-01-11T18:07:47.981586-05:00 5.1.1+fedramp-20231218-0 1.1.1 @@ -49,7 +49,23454 @@ ca9ba80e-1342-4bfd-b32a-abac468c24b4 + + Access Control + + Policy and Procedures + + + + + + +

personnel or roles to whom the access control policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the access control policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current access control policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current access control policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current access control procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ access control policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the access control policy and the associated access controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

+
+ + +

Review and update the current access control:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an access control policy is developed and documented;

+ +
+ + +

the access control policy is disseminated to ;

+ +
+ + +

access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;

+ +
+ + +

the access control procedures are disseminated to ;

+ +
+ + + + + + +

the access control policy addresses purpose;

+ +
+ + +

the access control policy addresses scope;

+ +
+ + +

the access control policy addresses roles;

+ +
+ + +

the access control policy addresses responsibilities;

+ +
+ + +

the access control policy addresses management commitment;

+ +
+ + +

the access control policy addresses coordination among organizational entities;

+ +
+ + +

the access control policy addresses compliance;

+ +
+ +
+ + +

the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

+ +
+ + + + + + +

the current access control policy is reviewed and updated ;

+ +
+ + +

the current access control policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current access control procedures are reviewed and updated ;

+ +
+ + +

the current access control procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Access control policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access control responsibilities

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+
+ + Account Management + + + +

prerequisites and criteria for group and role membership are defined;

+
+ + + + +

attributes (as required) for each account are defined;

+
+ + + + +

personnel or roles required to approve requests to create accounts is/are defined;

+
+ + + + +

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

+
+ + + + +

personnel or roles to be notified is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify account managers when accounts are no longer required is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when users are terminated or transferred is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

+
+ + + + +

attributes needed to authorize system access (as required) are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency of account review is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Define and document the types of accounts allowed and specifically prohibited for use within the system;

+
+ + +

Assign account managers;

+
+ + +

Require for group and role membership;

+
+ + +

Specify:

+ + +

Authorized users of the system;

+
+ + +

Group and role membership; and

+
+ + +

Access authorizations (i.e., privileges) and for each account;

+
+
+ + +

Require approvals by for requests to create accounts;

+
+ + +

Create, enable, modify, disable, and remove accounts in accordance with ;

+
+ + +

Monitor the use of accounts;

+
+ + +

Notify account managers and within:

+ + +

+ when accounts are no longer required;

+
+ + +

+ when users are terminated or transferred; and

+
+ + +

+ when system usage or need-to-know changes for an individual;

+
+
+ + +

Authorize access to the system based on:

+ + +

A valid access authorization;

+
+ + +

Intended system usage; and

+
+ + +

+ ;

+
+
+ + +

Review accounts for compliance with account management requirements ;

+
+ + +

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

+
+ + +

Align account management processes with personnel termination and transfer processes.

+
+
+ +

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

+

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

+

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

+
+ + + + + + +

account types allowed for use within the system are defined and documented;

+ +
+ + +

account types specifically prohibited for use within the system are defined and documented;

+ +
+ +
+ + +

account managers are assigned;

+ +
+ + +

+ for group and role membership are required;

+ +
+ + + + +

authorized users of the system are specified;

+ +
+ + +

group and role membership are specified;

+ +
+ + + + +

access authorizations (i.e., privileges) are specified for each account;

+ +
+ + +

+ are specified for each account;

+ +
+ +
+ +
+ + +

approvals are required by for requests to create accounts;

+ +
+ + + + +

accounts are created in accordance with ;

+ +
+ + +

accounts are enabled in accordance with ;

+ +
+ + +

accounts are modified in accordance with ;

+ +
+ + +

accounts are disabled in accordance with ;

+ +
+ + +

accounts are removed in accordance with ;

+ +
+ +
+ + +

the use of accounts is monitored;

+ +
+ + + + +

account managers and are notified within when accounts are no longer required;

+ +
+ + +

account managers and are notified within when users are terminated or transferred;

+ +
+ + +

account managers and are notified within when system usage or the need to know changes for an individual;

+ +
+ +
+ + + + +

access to the system is authorized based on a valid access authorization;

+ +
+ + +

access to the system is authorized based on intended system usage;

+ +
+ + +

access to the system is authorized based on ;

+ +
+ +
+ + +

accounts are reviewed for compliance with account management requirements ;

+ +
+ + + + +

a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ + +

a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ +
+ + + + +

account management processes are aligned with personnel termination processes;

+ +
+ + +

account management processes are aligned with personnel transfer processes.

+ +
+ +
+ +
+ + + + +

Access control policy

+

personnel termination policy and procedure

+

personnel transfer policy and procedure

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

list of active system accounts along with the name of the individual associated with each account

+

list of recently disabled system accounts and the name of the individual associated with each account

+

list of conditions for group and role membership

+

notifications of recent transfers, separations, or terminations of employees

+

access authorization records

+

account management compliance reviews

+

system monitoring records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for account management on the system

+

mechanisms for implementing account management

+
+
+
+ + Access Enforcement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ +

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( PE ) family.

+
+ + +

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

+ +
+ + + + +

Access control policy

+

procedures addressing access enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of approved authorizations (user privileges)

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy

+
+
+
+ + Unsuccessful Logon Attempts + + + +

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

+
+ + + + +

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

+
+ + + + + + + +

time period for an account or node to be locked is defined (if selected);

+
+ + + + +

delay algorithm for the next logon prompt is defined (if selected);

+
+ + + + +

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

+
+ + + + + + + + + + + + + + + +

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

+
+ + +

Automatically when the maximum number of unsuccessful attempts is exceeded.

+
+ + AC-7 Additional FedRAMP Requirements and Guidance + + +

In alignment with NIST SP 800-63B

+
+
+
+ +

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

+
+ + + + +

a limit of consecutive invalid logon attempts by a user during is enforced;

+ +
+ + +

automatically when the maximum number of unsuccessful attempts is exceeded.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing unsuccessful logon attempts

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system developers

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing access control policy for unsuccessful logon attempts

+
+
+
+ + System Use Notification + + + + +

see additional Requirements and Guidance

+
+
+ +

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

+
+ + + + + +

see additional Requirements and Guidance

+
+
+ +

conditions for system use to be displayed by the system before granting further access are defined;

+
+ + + + + + + + + + + + +

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

+ + +

Users are accessing a U.S. Government system;

+
+ + +

System usage may be monitored, recorded, and subject to audit;

+
+ + +

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+
+ + +

Use of the system indicates consent to monitoring and recording;

+
+
+ + +

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

+
+ + +

For publicly accessible systems:

+ + +

Display system use information , before granting further access to the publicly accessible system;

+
+ + +

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + +

Include a description of the authorized uses of the system.

+
+
+ + AC-8 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

+
+ + +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

+
+ + +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

+
+ + +

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

+
+
+
+ +

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

+
+ + + + +

+ is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ + +

the system use notification states that users are accessing a U.S. Government system;

+ +
+ + +

the system use notification states that system usage may be monitored, recorded, and subject to audit;

+ +
+ + +

the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+ +
+ + +

the system use notification states that use of the system indicates consent to monitoring and recording;

+ +
+ +
+ + +

the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;

+ +
+ + + + +

for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system;

+ +
+ + +

for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;

+ +
+ + +

for publicly accessible systems, a description of the authorized uses of the system is included.

+ +
+ +
+ +
+ + + + +

Access control policy

+

privacy and security policies, procedures addressing system use notification

+

documented approval of system use notification messages or banners

+

system audit records

+

user acknowledgements of notification message or banner

+

system design documentation

+

system configuration settings and associated documentation

+

system use notification messages

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy assessment report

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

legal counsel

+

system developers

+
+
+ + + + +

Mechanisms implementing system use notification

+
+
+
+ + Permitted Actions Without Identification or Authentication + + + +

user actions that can be performed on the system without identification or authentication are defined;

+
+ + + + + + + + + + + +

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

+
+ + +

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

+
+
+ +

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none. +

+
+ + + + +

+ that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

+ +
+ + + + +

user actions not requiring identification or authentication are documented in the security plan for the system;

+ +
+ + +

a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing permitted actions without identification or authentication

+

system configuration settings and associated documentation

+

security plan

+

list of user actions that can be performed without identification or authentication

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+
+ + Remote Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

+
+ + +

Authorize each type of remote access to the system prior to allowing such connections.

+
+
+ +

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

+
+ + + + + + +

usage restrictions are established and documented for each type of remote access allowed;

+ +
+ + +

configuration/connection requirements are established and documented for each type of remote access allowed;

+ +
+ + +

implementation guidance is established and documented for each type of remote access allowed;

+ +
+ +
+ + +

each type of remote access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access implementation and usage (including restrictions)

+

configuration management plan

+

system configuration settings and associated documentation

+

remote access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing remote access connections

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Remote access management capability for the system

+
+
+
+ + Wireless Access + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

+
+ + +

Authorize each type of wireless access to the system prior to allowing such connections.

+
+
+ +

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

+
+ + + + + + +

configuration requirements are established for each type of wireless access;

+ +
+ + +

connection requirements are established for each type of wireless access;

+ +
+ + +

implementation guidance is established for each type of wireless access;

+ +
+ +
+ + +

each type of wireless access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless access implementation and usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

wireless access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing wireless access connections

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Wireless access management capability for the system

+
+
+
+ + Access Control for Mobile Devices + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

+
+ + +

Authorize the connection of mobile devices to organizational systems.

+
+
+ +

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

+

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

+

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

+
+ + + + + + +

configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ +
+ + +

the connection of mobile devices to organizational systems is authorized.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing access control for mobile device usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

authorizations for mobile device connections to organizational systems

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel using mobile devices to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Access control capability for mobile device connections to organizational systems

+

configurations of mobile devices

+
+
+
+ + Use of External Systems + + + + + + +

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

types of external systems prohibited from use are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

+ , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

+ + +

Access the system from external systems; and

+
+ + +

Process, store, or transmit organization-controlled information using external systems; or

+
+
+ + +

Prohibit the use of .

+
+ + AC-20 Additional FedRAMP Requirements and Guidance + + +

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

+

AC-20 describes system access to and from external systems.

+

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

+

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

+
+
+
+ +

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).

+

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

+

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+
+ + + + + + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

+ +
+ + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

+ +
+ +
+ + +

the use of is prohibited (if applicable).

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

external systems terms and conditions

+

list of types of applications accessible from external systems

+

maximum security categorization for information processed, stored, or transmitted on external systems

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing terms and conditions on the use of external systems

+
+
+
+ + Publicly Accessible Content + + + + +

at least quarterly

+
+
+ +

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

+
+ + + + + + + + + + + + + +

Designate individuals authorized to make information publicly accessible;

+
+ + +

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + +

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

+
+ + +

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

+
+
+ +

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

+
+ + + + +

designated individuals are authorized to make information publicly accessible;

+ +
+ + +

authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;

+ +
+ + +

the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;

+ +
+ + + + +

the content on the publicly accessible system is reviewed for non-public information ;

+ +
+ + +

non-public information is removed from the publicly accessible system, if discovered.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing publicly accessible content

+

list of users authorized to post publicly accessible content on organizational systems

+

training materials and/or records

+

records of publicly accessible information reviews

+

records of response to non-public information on public websites

+

system audit logs

+

security awareness training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of publicly accessible content

+
+
+
+
+ + Awareness and Training + + Policy and Procedures + + + + + + +

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the awareness and training policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current awareness and training policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current awareness and training policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ awareness and training policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

+
+ + +

Review and update the current awareness and training:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an awareness and training policy is developed and documented;

+ +
+ + +

the awareness and training policy is disseminated to ;

+ +
+ + +

awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;

+ +
+ + +

the awareness and training procedures are disseminated to .

+ +
+ + + + + + +

the awareness and training policy addresses purpose;

+ +
+ + +

the awareness and training policy addresses scope;

+ +
+ + +

the awareness and training policy addresses roles;

+ +
+ + +

the awareness and training policy addresses responsibilities;

+ +
+ + +

the awareness and training policy addresses management commitment;

+ +
+ + +

the awareness and training policy addresses coordination among organizational entities;

+ +
+ + +

the awareness and training policy addresses compliance; and

+ +
+ +
+ + +

the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;

+ +
+ + + + + + +

the current awareness and training policy is reviewed and updated ;

+ +
+ + +

the current awareness and training policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current awareness and training procedures are reviewed and updated ;

+ +
+ + +

the current awareness and training procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

awareness and training policy and procedures

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with awareness and training responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Literacy Training and Awareness + + + + +

at least annually

+
+
+ + + + + + + +

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

events that require security literacy training for system users are defined;

+
+ + + + +

events that require privacy literacy training for system users are defined;

+
+ + + + +

techniques to be employed to increase the security and privacy awareness of system users are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update literacy training and awareness content is defined;

+
+ + + + +

events that would require literacy training and awareness content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

+ + +

As part of initial training for new users and thereafter; and

+
+ + +

When required by system changes or following ;

+
+
+ + +

Employ the following techniques to increase the security and privacy awareness of system users ;

+
+ + +

Update literacy training and awareness content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

+
+
+ +

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

+

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ +
+ + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ +
+ +
+ + +

+ are employed to increase the security and privacy awareness of system users;

+ +
+ + + + +

literacy training and awareness content is updated ;

+ +
+ + +

literacy training and awareness content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

appropriate codes of federal regulations

+

security and privacy literacy training curriculum

+

security and privacy literacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel comprising the general system user community

+
+
+ + + + +

Mechanisms managing information security and privacy literacy training

+
+
+ + Insider Threat + + + + + + + + +

Provide literacy training on recognizing and reporting potential indicators of insider threat.

+
+ +

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.

+
+ + + + +

literacy training on recognizing potential indicators of insider threat is provided;

+ +
+ + +

literacy training on reporting potential indicators of insider threat is provided.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

literacy training and awareness curriculum

+

literacy training and awareness materials

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel who receive literacy training and awareness

+

organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Role-based Training + + + + + + +

roles and responsibilities for role-based security training are defined;

+
+ + + + +

roles and responsibilities for role-based privacy training are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update role-based training content is defined;

+
+ + + + +

events that require role-based training content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

+ + +

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

+
+ + +

When required by system changes;

+
+
+ + +

Update role-based training content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

+
+
+ +

Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.

+

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

role-based security training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based security training is provided to + thereafter;

+ +
+ + +

role-based privacy training is provided to + thereafter;

+ +
+ +
+ + + + +

role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ + +

role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ +
+ +
+ + + + +

role-based training content is updated ;

+ +
+ + +

role-based training content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into role-based training.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

security and privacy awareness and training policy

+

procedures addressing security and privacy training implementation

+

codes of federal regulations

+

security and privacy training curriculum

+

security and privacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for role-based security and privacy training

+

organizational personnel with assigned system security and privacy roles and responsibilities

+
+
+ + + + +

Mechanisms managing role-based security and privacy training

+
+
+
+ + Training Records + + + + +

at least one (1) year or 1 year after completion of a specific training program

+
+
+ +

time period for retaining individual training records is defined;

+
+ + + + + + + + + + + + + + + + +

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

+
+ + +

Retain individual training records for .

+
+
+ +

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

+
+ + + + + + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;

+ +
+ + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;

+ +
+ +
+ + +

individual training records are retained for .

+ +
+ +
+ + + + +

Security and privacy awareness and training policy

+

procedures addressing security and privacy training records

+

security and privacy awareness and training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy training record retention responsibilities

+
+
+ + + + +

Mechanisms supporting the management of security and privacy training records

+
+
+
+
+ + Audit and Accountability + + Policy and Procedures + + + + + + +

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the audit and accountability policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current audit and accountability policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require audit and accountability procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ audit and accountability policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

+
+ + +

Review and update the current audit and accountability:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an audit and accountability policy is developed and documented;

+ +
+ + +

the audit and accountability policy is disseminated to ;

+ +
+ + +

audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;

+ +
+ + +

the audit and accountability procedures are disseminated to ;

+ +
+ + + + + + +

the of the audit and accountability policy addresses purpose;

+ +
+ + +

the of the audit and accountability policy addresses scope;

+ +
+ + +

the of the audit and accountability policy addresses roles;

+ +
+ + +

the of the audit and accountability policy addresses responsibilities;

+ +
+ + +

the of the audit and accountability policy addresses management commitment;

+ +
+ + +

the of the audit and accountability policy addresses coordination among organizational entities;

+ +
+ + +

the of the audit and accountability policy addresses compliance;

+ +
+ +
+ + +

the of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;

+ +
+ + + + + + +

the current audit and accountability policy is reviewed and updated ;

+ +
+ + +

the current audit and accountability policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current audit and accountability procedures are reviewed and updated ;

+ +
+ + +

the current audit and accountability procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Audit and accountability policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Event Logging + + + + +

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

+
+
+ + + + + +

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

+
+
+ +

the event types that the system is capable of logging in support of the audit function are defined;

+
+ + + + +

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

+
+ + + + +

the frequency or situation requiring logging for each specified event type is defined;

+
+ + + + + +

annually and whenever there is a change in the threat environment

+
+
+ +

the frequency of event types selected for logging are reviewed and updated;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify the types of events that the system is capable of logging in support of the audit function: ;

+
+ + +

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+
+ + +

Specify the following event types for logging within the system: ;

+
+ + +

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

+
+ + +

Review and update the event types selected for logging .

+
+ + AU-2 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+ + +

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

+
+
+
+ +

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.

+

To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.

+

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

+
+ + + + +

+ that the system is capable of logging are identified in support of the audit logging function;

+ +
+ + +

the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+ +
+ + + + +

+ are specified for logging within the system;

+ +
+ + +

the specified event types are logged within the system ;

+ +
+ +
+ + +

a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;

+ +
+ + +

the event types selected for logging are reviewed and updated .

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing auditable events

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system auditable events

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing

+
+
+
+ + Content of Audit Records + + + + + + + + + + + + + + + + +

Ensure that audit records contain information that establishes the following:

+ + +

What type of event occurred;

+
+ + +

When the event occurred;

+
+ + +

Where the event occurred;

+
+ + +

Source of the event;

+
+ + +

Outcome of the event; and

+
+ + +

Identity of any individuals, subjects, or objects/entities associated with the event.

+
+
+ +

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

+
+ + + + +

audit records contain information that establishes what type of event occurred;

+ +
+ + +

audit records contain information that establishes when the event occurred;

+ +
+ + +

audit records contain information that establishes where the event occurred;

+ +
+ + +

audit records contain information that establishes the source of the event;

+ +
+ + +

audit records contain information that establishes the outcome of the event;

+ +
+ + +

audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing content of audit records

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

system incident reports

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing of auditable events

+
+
+
+ + Audit Log Storage Capacity + + + +

audit log retention requirements are defined;

+
+ + + + + + + + + + + + + + + + +

Allocate audit log storage capacity to accommodate .

+
+ +

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

+
+ + +

audit log storage capacity is allocated to accommodate .

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit storage capacity

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

audit record storage requirements

+

audit record storage capability for system components

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Audit record storage capacity and related configuration settings

+
+
+
+ + Response to Audit Logging Process Failures + + + +

personnel or roles receiving audit logging process failure alerts are defined;

+
+ + + + +

time period for personnel or roles receiving audit logging process failure alerts is defined;

+
+ + + + + +

overwrite oldest record

+
+
+ +

additional actions to be taken in the event of an audit logging process failure are defined;

+
+ + + + + + + + + + + + + + + + + +

Alert within in the event of an audit logging process failure; and

+
+ + +

Take the following additional actions: .

+
+
+ +

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

+
+ + + + +

+ are alerted in the event of an audit logging process failure within ;

+ +
+ + +

+ are taken in the event of an audit logging process failure.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy plan

+

system configuration settings and associated documentation

+

list of personnel to be notified in case of an audit processing failure

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing system response to audit processing failures

+
+
+
+ + Audit Record Review, Analysis, and Reporting + + + + +

at least weekly

+
+
+ +

frequency at which system audit records are reviewed and analyzed is defined;

+
+ + + + +

inappropriate or unusual activity is defined;

+
+ + + + +

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

+
+ + +

Report findings to ; and

+
+ + +

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+
+ + AU-6 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

+
+
+
+ +

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

+
+ + + + +

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

+ +
+ + +

findings are reported to ;

+ +
+ + +

the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

reports of audit findings

+

records of actions taken in response to reviews/analyses of audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Time Stamps + + + + +

one second granularity of time measurement

+
+
+ +

granularity of time measurement for audit record timestamps is defined;

+
+ + + + + + + + + + + + +

Use internal system clocks to generate time stamps for audit records; and

+
+ + +

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

+
+
+ +

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

+
+ + + + +

internal system clocks are used to generate timestamps for audit records;

+ +
+ + +

timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing timestamp generation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing timestamp generation

+
+
+
+ + Protection of Audit Information + + + +

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and

+
+ + +

Alert upon detection of unauthorized access, modification, or deletion of audit information.

+
+
+ +

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

+
+ + + + +

audit information and audit logging tools are protected from unauthorized access, modification, and deletion;

+ +
+ + +

+ are alerted upon detection of unauthorized access, modification, or deletion of audit information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

audit tools

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit information protection

+
+
+
+ + Audit Record Retention + + + + +

a time period in compliance with M-21-31

+
+
+ +

a time period to retain audit records that is consistent with the records retention policy is defined;

+
+ + + + + + + + + + + + + + + + +

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ + AU-11 Additional FedRAMP Requirements and Guidance + + +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

+
+ + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

+
+ + +

The service provider is encouraged to align with M-21-31 where possible

+
+
+
+ +

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

+
+ + +

audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

audit record retention policy and procedures

+

security plan

+

organization-defined retention period for audit records

+

audit record archives

+

audit logs

+

audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record retention responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+
+ + Audit Record Generation + + + + +

all information system and network components where audit capability is deployed/available

+
+
+ +

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

+
+ + + + +

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

+
+ + +

Allow to select the event types that are to be logged by specific components of the system; and

+
+ + +

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

+
+
+ +

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

+
+ + + + +

audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by ;

+ +
+ + +

+ is/are allowed to select the event types that are to be logged by specific components of the system;

+ +
+ + +

audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit record generation

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of auditable events

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit record generation capability

+
+
+
+
+ + Assessment, Authorization, and Monitoring + + Policy and Procedures + + + + + + +

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ assessment, authorization, and monitoring policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

+
+ + +

Review and update the current assessment, authorization, and monitoring:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an assessment, authorization, and monitoring policy is developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring policy is disseminated to ;

+ +
+ + +

assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring procedures are disseminated to ;

+ +
+ + + + + + +

the assessment, authorization, and monitoring policy addresses purpose;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses scope;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses roles;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses responsibilities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses management commitment;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses coordination among organizational entities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses compliance;

+ +
+ +
+ + +

the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

+ +
+ + + + + + +

the current assessment, authorization, and monitoring policy is reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current assessment, authorization, and monitoring procedures are reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment, authorization, and monitoring policy responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Control Assessments + + + + +

at least annually

+
+
+ +

the frequency at which to assess controls in the system and its environment of operation is defined;

+
+ + + + + +

individuals or roles to include FedRAMP PMO

+
+
+ +

individuals or roles to whom control assessment results are to be provided are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Select the appropriate assessor or assessment team for the type of assessment to be conducted;

+
+ + +

Develop a control assessment plan that describes the scope of the assessment including:

+ + +

Controls and control enhancements under assessment;

+
+ + +

Assessment procedures to be used to determine control effectiveness; and

+
+ + +

Assessment environment, assessment team, and assessment roles and responsibilities;

+
+
+ + +

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+
+ + +

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

+
+ + +

Produce a control assessment report that document the results of the assessment; and

+
+ + +

Provide the results of the control assessment to .

+
+ + CA-2 Additional FedRAMP Requirements and Guidance + + +

Reference FedRAMP Annual Assessment Guidance.

+
+
+
+ +

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

+

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

+

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

+

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

+

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

+
+ + + + +

an appropriate assessor or assessment team is selected for the type of assessment to be conducted;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment team;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;

+ +
+ +
+ +
+ + +

the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+ +
+ + + + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+ +
+ + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

+ +
+ +
+ + +

a control assessment report is produced that documents the results of the assessment;

+ +
+ + +

the results of the control assessment are provided to .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing assessment planning

+

procedures addressing control assessments

+

control assessment plan

+

control assessment report

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting

+
+
+ + Independent Assessors + + + + + + + +

Employ independent assessors or assessment teams to conduct control assessments.

+
+ +

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

+

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

+

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

+
+ + +

independent assessors or assessment teams are employed to conduct control assessments.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

previous control assessment plan

+

previous control assessment report

+

plan of action and milestones

+

existing authorization statement

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Information Exchange + + + + + + +

the type of agreement used to approve and manage the exchange of information is defined (if selected);

+
+ + + + + +

at least annually and on input from JAB/AO

+
+
+ +

the frequency at which to review and update agreements is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Approve and manage the exchange of information between the system and other systems using ;

+
+ + +

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

+
+ + +

Review and update the agreements .

+
+
+ +

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

+

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

+
+ + + + +

the exchange of information between the system and other systems is approved and managed using ;

+ +
+ + + + +

the interface characteristics are documented as part of each exchange agreement;

+ +
+ + +

security requirements are documented as part of each exchange agreement;

+ +
+ + +

privacy requirements are documented as part of each exchange agreement;

+ +
+ + +

controls are documented as part of each exchange agreement;

+ +
+ + +

responsibilities for each system are documented as part of each exchange agreement;

+ +
+ + +

the impact level of the information communicated is documented as part of each exchange agreement;

+ +
+ +
+ + +

agreements are reviewed and updated .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system interconnection security agreements

+

information exchange security agreements

+

memoranda of understanding or agreements

+

service level agreements

+

non-disclosure agreements

+

system design documentation

+

enterprise architecture

+

system architecture

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements

+

organizational personnel with information security and privacy responsibilities

+

personnel managing the system(s) to which the interconnection security agreement applies

+
+
+
+ + Plan of Action and Milestones + + + + +

at least monthly

+
+
+ +

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

+
+ + +

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+
+ + CA-5 Additional FedRAMP Requirements and Guidance + + +

POA&Ms must be provided at least monthly.

+
+ + +

Reference FedRAMP-POAM-Template

+
+
+
+ +

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

+
+ + + + +

a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;

+ +
+ + +

existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing plan of action and milestones

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

plan of action and milestones

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with plan of action and milestones development and implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms for developing, implementing, and maintaining plan of action and milestones

+
+
+
+ + Authorization + + + + +

in accordance with OMB A-130 requirements or when a significant change occurs

+
+
+ +

frequency at which to update the authorizations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a senior official as the authorizing official for the system;

+
+ + +

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

+
+ + +

Ensure that the authorizing official for the system, before commencing operations:

+ + +

Accepts the use of common controls inherited by the system; and

+
+ + +

Authorizes the system to operate;

+
+
+ + +

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+
+ + +

Update the authorizations .

+
+ + CA-6 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

+
+
+
+ +

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

+

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

+
+ + + + +

a senior official is assigned as the authorizing official for the system;

+ +
+ + +

a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;

+ +
+ + + + +

before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;

+ +
+ + +

before commencing operations, the authorizing official for the system authorizes the system to operate;

+ +
+ +
+ + +

the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+ +
+ + +

the authorizations are updated .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing authorization

+

system security plan, privacy plan, assessment report, plan of action and milestones

+

authorization statement

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authorization responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms that facilitate authorizations and updates

+
+
+
+ + Continuous Monitoring + + + + +

to include JAB/AO

+
+
+ + + + + + + +

system-level metrics to be monitored are defined;

+
+ + + + +

frequencies at which to monitor control effectiveness are defined;

+
+ + + + +

frequencies at which to assess control effectiveness are defined;

+
+ + + + +

personnel or roles to whom the security status of the system is reported are defined;

+
+ + + + +

frequency at which the security status of the system is reported is defined;

+
+ + + + +

personnel or roles to whom the privacy status of the system is reported are defined;

+
+ + + + +

frequency at which the privacy status of the system is reported is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

+ + +

Establishing the following system-level metrics to be monitored: ;

+
+ + +

Establishing for monitoring and for assessment of control effectiveness;

+
+ + +

Ongoing control assessments in accordance with the continuous monitoring strategy;

+
+ + +

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+
+ + +

Correlation and analysis of information generated by control assessments and monitoring;

+
+ + +

Response actions to address results of the analysis of control assessment and monitoring information; and

+
+ + +

Reporting the security and privacy status of the system to + .

+
+ + CA-7 Additional FedRAMP Requirements and Guidance + + +

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+ + +

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

+
+ + +

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

+
+
+
+ +

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

+

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

+
+ + + + +

a system-level continuous monitoring strategy is developed;

+ +
+ + +

system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

+ +
+ + + + +

system-level continuous monitoring includes established for monitoring;

+ +
+ + +

system-level continuous monitoring includes established for assessment of control effectiveness;

+ +
+ +
+ + +

system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;

+ +
+ + +

system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;

+ +
+ + + + +

system-level continuous monitoring includes reporting the security status of the system to + ;

+ +
+ + +

system-level continuous monitoring includes reporting the privacy status of the system to + .

+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

procedures addressing configuration management

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

configuration management records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing continuous monitoring

+

mechanisms supporting response actions to address assessment and monitoring results

+

mechanisms supporting security and privacy status reporting

+
+
+ + Risk Monitoring + + + + + + + + +

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

+ + +

Effectiveness monitoring;

+
+ + +

Compliance monitoring; and

+
+ + +

Change monitoring.

+
+
+ +

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

+
+ + +

risk monitoring is an integral part of the continuous monitoring strategy;

+ + +

effectiveness monitoring is included in risk monitoring;

+ +
+ + +

compliance monitoring is included in risk monitoring;

+ +
+ + +

change monitoring is included in risk monitoring.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting risk monitoring

+
+
+
+
+ + Penetration Testing + + + + +

at least annually

+
+
+ +

frequency at which to conduct penetration testing on systems or system components is defined;

+
+ + + + +

systems or system components on which penetration testing is to be conducted are defined;

+
+ + + + + + + + + + + + +

Conduct penetration testing on .

+ + CA-8 Additional FedRAMP Requirements and Guidance + + +

Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance.

+
+
+
+ +

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

+
+ + +

penetration testing is conducted on .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting penetration testing

+
+
+
+ + Internal System Connections + + + +

system components or classes of components requiring internal connections to the system are defined;

+
+ + + + +

conditions requiring termination of internal connections are defined;

+
+ + + + +

frequency at which to review the continued need for each internal connection is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Authorize internal connections of to the system;

+
+ + +

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

+
+ + +

Terminate internal system connections after ; and

+
+ + +

Review the continued need for each internal connection.

+
+
+ +

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

+
+ + + + +

internal connections of to the system are authorized;

+ +
+ + + + +

for each internal connection, the interface characteristics are documented;

+ +
+ + +

for each internal connection, the security requirements are documented;

+ +
+ + +

for each internal connection, the privacy requirements are documented;

+ +
+ + +

for each internal connection, the nature of the information communicated is documented;

+ +
+ +
+ + +

internal system connections are terminated after ;

+ +
+ + +

the continued need for each internal connection is reviewed .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system design documentation

+

system configuration settings and associated documentation

+

list of components or classes of components authorized as internal system connections

+

assessment report

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting internal system connections

+
+
+
+
+ + Configuration Management + + Policy and Procedures + + + + + + +

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the configuration management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current configuration management policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current configuration management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current configuration management procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require configuration management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ configuration management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

+
+ + +

Review and update the current configuration management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a configuration management policy is developed and documented;

+ +
+ + +

the configuration management policy is disseminated to ;

+ +
+ + +

configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;

+ +
+ + +

the configuration management procedures are disseminated to ;

+ +
+ + + + + + +

the of the configuration management policy addresses purpose;

+ +
+ + +

the of the configuration management policy addresses scope;

+ +
+ + +

the of the configuration management policy addresses roles;

+ +
+ + +

the of the configuration management policy addresses responsibilities;

+ +
+ + +

the of the configuration management policy addresses management commitment;

+ +
+ + +

the of the configuration management policy addresses coordination among organizational entities;

+ +
+ + +

the of the configuration management policy addresses compliance;

+ +
+ +
+ + +

the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;

+ +
+ + + + + + +

the current configuration management policy is reviewed and updated ;

+ +
+ + +

the current configuration management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current configuration management procedures are reviewed and updated ;

+ +
+ + +

the current configuration management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Configuration management policy and procedures

+

security and privacy program policies and procedures

+

assessment or audit findings

+

documentation of security incidents or breaches

+

system security plan

+

privacy plan

+

risk management strategy

+

other relevant artifacts, documents, or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Baseline Configuration + + + + +

at least annually and when a significant change occurs

+
+
+ +

the frequency of baseline configuration review and update is defined;

+
+ + + + + +

to include when directed by the JAB

+
+
+ +

the circumstances requiring baseline configuration review and update are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

+
+ + +

Review and update the baseline configuration of the system:

+ + +

+ ;

+
+ + +

When required due to ; and

+
+ + +

When system components are installed or upgraded.

+
+
+ + CM-2 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

+
+ + + + + + +

a current baseline configuration of the system is developed and documented;

+ +
+ + +

a current baseline configuration of the system is maintained under configuration control;

+ +
+ +
+ + + + +

the baseline configuration of the system is reviewed and updated ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when required due to ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

enterprise architecture documentation

+

system design documentation

+

system security plan

+

privacy plan

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

change control records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+

mechanisms supporting configuration control of the baseline configuration

+
+
+
+ + Impact Analyses + + + + + + + + + + + + + + + + + + + +

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

+
+ +

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

+
+ + + + +

changes to the system are analyzed to determine potential security impacts prior to change implementation;

+ +
+ + +

changes to the system are analyzed to determine potential privacy impacts prior to change implementation.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

configuration management plan

+

security impact analysis documentation

+

privacy impact analysis documentation

+

privacy impact assessment

+

privacy risk assessment documentation, system design documentation

+

analysis tools and associated outputs

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security impact analyses

+

organizational personnel with responsibility for conducting privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system developer

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for security impact analyses

+

organizational processes for privacy impact analyses

+
+
+
+ + Access Restrictions for Change + + + + + + + + + + + + + + + + + +

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

+
+ +

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

+
+ + + + +

physical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

physical access restrictions associated with changes to the system are approved;

+ +
+ + +

physical access restrictions associated with changes to the system are enforced;

+ +
+ + +

logical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

logical access restrictions associated with changes to the system are approved;

+ +
+ + +

logical access restrictions associated with changes to the system are enforced.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

logical access approvals

+

physical access approvals

+

access credentials

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system

+
+
+
+ + Configuration Settings + + + +

common secure configurations to establish and document configuration settings for components employed within the system are defined;

+
+ + + + +

system components for which approval of deviations is needed are defined;

+
+ + + + +

operational requirements necessitating approval of deviations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

+
+ + +

Implement the configuration settings;

+
+ + +

Identify, document, and approve any deviations from established configuration settings for based on ; and

+
+ + +

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

+
+ + CM-6 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;

+
+ + +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

+
+ + +

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

+

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

+
+
+
+ +

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

+

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

+

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

+
+ + + + +

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

+ +
+ + +

the configuration settings documented in CM-06a are implemented;

+ +
+ + + + +

any deviations from established configuration settings for are identified and documented based on ;

+ +
+ + +

any deviations from established configuration settings for are approved;

+ +
+ +
+ + + + +

changes to the configuration settings are monitored in accordance with organizational policies and procedures;

+ +
+ + +

changes to the configuration settings are controlled in accordance with organizational policies and procedures.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

system component inventory

+

evidence supporting approved deviations from established configuration settings

+

change control records

+

system data processing and retention permissions

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with privacy configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing configuration settings

+

mechanisms that implement, monitor, and/or control system configuration settings

+

mechanisms that identify and/or document deviations from established configuration settings

+
+
+
+ + Least Functionality + + + + + + +

mission-essential capabilities for the system are defined;

+
+ + + + +

functions to be prohibited or restricted are defined;

+
+ + + + +

ports to be prohibited or restricted are defined;

+
+ + + + +

protocols to be prohibited or restricted are defined;

+
+ + + + +

software to be prohibited or restricted is defined;

+
+ + + + +

services to be prohibited or restricted are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Configure the system to provide only ; and

+
+ + +

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

+
+ + CM-7 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

+
+
+
+ +

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

+
+ + + + +

the system is configured to provide only ;

+ +
+ + + + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services

+

mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services

+
+
+
+ + System Component Inventory + + + +

information deemed necessary to achieve effective system component accountability is defined;

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to review and update the system component inventory is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop and document an inventory of system components that:

+ + +

Accurately reflects the system;

+
+ + +

Includes all components within the system;

+
+ + +

Does not include duplicate accounting of components or components assigned to any other system;

+
+ + +

Is at the level of granularity deemed necessary for tracking and reporting; and

+
+ + +

Includes the following information to achieve system component accountability: ; and

+
+
+ + +

Review and update the system component inventory .

+
+ + CM-8 Additional FedRAMP Requirements and Guidance + + +

must be provided at least monthly or when there is a change.

+
+
+
+ +

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

+

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

+
+ + + + + + +

an inventory of system components that accurately reflects the system is developed and documented;

+ +
+ + +

an inventory of system components that includes all components within the system is developed and documented;

+ +
+ + +

an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;

+ +
+ + +

an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;

+ +
+ + +

an inventory of system components that includes is developed and documented;

+ +
+ +
+ + +

the system component inventory is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system design documentation

+

system component inventory

+

inventory reviews and update records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing the system component inventory

+

mechanisms supporting and/or implementing system component inventory

+
+
+
+ + Software Usage Restrictions + + + + + + + + + + + + + +

Use software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + +

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + +

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ +

Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.

+
+ + + + +

software and associated documentation are used in accordance with contract agreements and copyright laws;

+ +
+ + +

the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;

+ +
+ + +

the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+ +
+ +
+ + + + +

Configuration management policy

+

software usage restrictions

+

software contract agreements and copyright laws

+

site license documentation

+

list of software usage restrictions

+

software license tracking reports

+

configuration management plan

+

system security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel operating, using, and/or maintaining the system

+

organizational personnel with software license management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for tracking the use of software protected by quantity licenses

+

organizational processes for controlling/documenting the use of peer-to-peer file sharing technology

+

mechanisms implementing software license tracking

+

mechanisms implementing and controlling the use of peer-to-peer files sharing technology

+
+
+
+ + User-installed Software + + + +

policies governing the installation of software by users are defined;

+
+ + + + +

methods used to enforce software installation policies are defined;

+
+ + + + + +

Continuously (via CM-7 (5))

+
+
+ +

frequency with which to monitor compliance is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Establish governing the installation of software by users;

+
+ + +

Enforce software installation policies through the following methods: ; and

+
+ + +

Monitor policy compliance .

+
+
+ +

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

+
+ + + + +

+ governing the installation of software by users are established;

+ +
+ + +

software installation policies are enforced through ;

+ +
+ + +

compliance with is monitored .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing user-installed software

+

configuration management plan

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of rules governing user installed software

+

system monitoring records

+

system audit records

+

continuous monitoring strategy

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for governing user-installed software

+

organizational personnel operating, using, and/or maintaining the system

+

organizational personnel monitoring compliance with user-installed software policy

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes governing user-installed software on the system

+

mechanisms enforcing policies and methods for governing the installation of software by users

+

mechanisms monitoring policy compliance

+
+
+
+
+ + Contingency Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the contingency planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current contingency planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current contingency planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ contingency planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

+
+ + +

Review and update the current contingency planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a contingency planning policy is developed and documented;

+ +
+ + +

the contingency planning policy is disseminated to ;

+ +
+ + +

contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;

+ +
+ + +

the contingency planning procedures are disseminated to ;

+ +
+ + + + + + +

the contingency planning policy addresses purpose;

+ +
+ + +

the contingency planning policy addresses scope;

+ +
+ + +

the contingency planning policy addresses roles;

+ +
+ + +

the contingency planning policy addresses responsibilities;

+ +
+ + +

the contingency planning policy addresses management commitment;

+ +
+ + +

the contingency planning policy addresses coordination among organizational entities;

+ +
+ + +

the contingency planning policy addresses compliance;

+ +
+ +
+ + +

the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

+ +
+ + + + + + +

the current contingency planning policy is reviewed and updated ;

+ +
+ + +

the current contingency planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current contingency planning procedures are reviewed and updated ;

+ +
+ + +

the current contingency planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Contingency planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Contingency Plan + + + + + + + + + + + + +

personnel or roles to review a contingency plan is/are defined;

+
+ + + + +

personnel or roles to approve a contingency plan is/are defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

+
+ + + + +

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency of contingency plan review is defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

+
+ + + + +

key contingency organizational elements to communicate changes to are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a contingency plan for the system that:

+ + +

Identifies essential mission and business functions and associated contingency requirements;

+
+ + +

Provides recovery objectives, restoration priorities, and metrics;

+
+ + +

Addresses contingency roles, responsibilities, assigned individuals with contact information;

+
+ + +

Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+
+ + +

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

+
+ + +

Addresses the sharing of contingency information; and

+
+ + +

Is reviewed and approved by ;

+
+
+ + +

Distribute copies of the contingency plan to ;

+
+ + +

Coordinate contingency planning activities with incident handling activities;

+
+ + +

Review the contingency plan for the system ;

+
+ + +

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

+
+ + +

Communicate contingency plan changes to ;

+
+ + +

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

+
+ + +

Protect the contingency plan from unauthorized disclosure and modification.

+
+ + CP-2 Additional FedRAMP Requirements and Guidance + + +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

+
+ + +

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

+
+
+
+ +

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

+

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

+
+ + + + + + +

a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;

+ +
+ + + + +

a contingency plan for the system is developed that provides recovery objectives;

+ +
+ + +

a contingency plan for the system is developed that provides restoration priorities;

+ +
+ + +

a contingency plan for the system is developed that provides metrics;

+ +
+ +
+ + + + +

a contingency plan for the system is developed that addresses contingency roles;

+ +
+ + +

a contingency plan for the system is developed that addresses contingency responsibilities;

+ +
+ + +

a contingency plan for the system is developed that addresses assigned individuals with contact information;

+ +
+ +
+ + +

a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+ +
+ + +

a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;

+ +
+ + +

a contingency plan for the system is developed that addresses the sharing of contingency information;

+ +
+ + + + +

a contingency plan for the system is developed that is reviewed by ;

+ +
+ + +

a contingency plan for the system is developed that is approved by ;

+ +
+ +
+ +
+ + + + +

copies of the contingency plan are distributed to ;

+ +
+ + +

copies of the contingency plan are distributed to ;

+ +
+ +
+ + +

contingency planning activities are coordinated with incident handling activities;

+ +
+ + +

the contingency plan for the system is reviewed ;

+ +
+ + + + +

the contingency plan is updated to address changes to the organization, system, or environment of operation;

+ +
+ + +

the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;

+ +
+ +
+ + + + +

contingency plan changes are communicated to ;

+ +
+ + +

contingency plan changes are communicated to ;

+ +
+ +
+ + + + +

lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;

+ +
+ + +

lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;

+ +
+ +
+ + + + +

the contingency plan is protected from unauthorized disclosure;

+ +
+ + +

the contingency plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

evidence of contingency plan reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with incident handling responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan development, review, update, and protection

+

mechanisms for developing, reviewing, updating, and/or protecting the contingency plan

+
+
+
+ + Contingency Training + + + + +

*See Additional Requirements

+
+
+ +

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide training to system users with a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update contingency training content is defined;

+
+ + + + +

events necessitating review and update of contingency training are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide contingency training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming a contingency role or responsibility;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update contingency training content and following .

+
+ + CP-3 Additional FedRAMP Requirements and Guidance + + +

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

+
+
+
+ +

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

+
+ + + + + + +

contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

the contingency plan training content is reviewed and updated ;

+ +
+ + +

the contingency plan training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency training

+

contingency plan

+

contingency training curriculum

+

contingency training material

+

contingency training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, plan implementation, and training responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency training

+
+
+
+ + Contingency Plan Testing + + + + +

classroom exercise/table top written tests

+
+
+ + + + + +

at least every 3 years

+
+
+ +

frequency of testing the contingency plan for the system is defined;

+
+ + + + +

tests for determining the effectiveness of the contingency plan are defined;

+
+ + + + +

tests for determining readiness to execute the contingency plan are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

+
+ + +

Review the contingency plan test results; and

+
+ + +

Initiate corrective actions, if needed.

+
+ + CP-4 Additional FedRAMP Requirements and Guidance + + +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

+
+ + +

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

+
+
+
+ +

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

+
+ + + + + + +

the contingency plan for the system is tested ;

+ +
+ + +

+ are used to determine the effectiveness of the plan;

+ +
+ + +

+ are used to determine the readiness to execute the plan;

+ +
+ +
+ + +

the contingency plan test results are reviewed;

+ +
+ + +

corrective actions are initiated, if needed.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency plan testing

+

contingency plan

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan testing

+

mechanisms supporting the contingency plan and/or contingency plan testing

+
+
+
+ + System Backup + + + +

system components for which to conduct backups of user-level information is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Conduct backups of user-level information contained in + ;

+
+ + +

Conduct backups of system-level information contained in the system ;

+
+ + +

Conduct backups of system documentation, including security- and privacy-related documentation ; and

+
+ + +

Protect the confidentiality, integrity, and availability of backup information.

+
+ + CP-9 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

+
+
+
+ +

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

backups of user-level information contained in are conducted ;

+ +
+ + +

backups of system-level information contained in the system are conducted ;

+ +
+ + +

backups of system documentation, including security- and privacy-related documentation are conducted ;

+ +
+ + + + +

the confidentiality of backup information is protected;

+ +
+ + +

the integrity of backup information is protected;

+ +
+ + +

the availability of backup information is protected.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

backup storage location(s)

+

system backup logs or records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+
+ + System Recovery and Reconstitution + + + + + + +

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

+
+ + + + + + + + + + + + + + + + +

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

+
+ +

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

+
+ + + + +

the recovery of the system to a known state is provided within after a disruption, compromise, or failure;

+ +
+ + +

a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test results

+

contingency plan test documentation

+

redundant secondary system for system backups

+

location(s) of redundant secondary backup system(s)

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes implementing system recovery and reconstitution operations

+

mechanisms supporting and/or implementing system recovery and reconstitution operations

+
+
+
+
+ + Identification and Authentication + + Policy and Procedures + + + + + + +

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

+
+ + + + +

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the identification and authentication policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current identification and authentication policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require identification and authentication procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ identification and authentication policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

+
+ + +

Review and update the current identification and authentication:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an identification and authentication policy is developed and documented;

+ +
+ + +

the identification and authentication policy is disseminated to ;

+ +
+ + +

identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;

+ +
+ + +

the identification and authentication procedures are disseminated to ;

+ +
+ + + + + + +

the identification and authentication policy addresses purpose;

+ +
+ + +

the identification and authentication policy addresses scope;

+ +
+ + +

the identification and authentication policy addresses roles;

+ +
+ + +

the identification and authentication policy addresses responsibilities;

+ +
+ + +

the identification and authentication policy addresses management commitment;

+ +
+ + +

the identification and authentication policy addresses coordination among organizational entities;

+ +
+ + +

the identification and authentication policy addresses compliance;

+ +
+ +
+ + +

the identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;

+ +
+ + + + + + +

the current identification and authentication policy is reviewed and updated ;

+ +
+ + +

the current identification and authentication policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current identification and authentication procedures are reviewed and updated ;

+ +
+ + +

the current identification and authentication procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Identification and authentication policy and procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

list of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identification and authentication responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Identification and Authentication (Organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

+ + IA-2 Additional FedRAMP Requirements and Guidance + + +

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

+
+ + +

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

+
+
+
+ +

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

+

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

+

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

+
+ + + + +

organizational users are uniquely identified and authenticated;

+ +
+ + +

the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan, system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for uniquely identifying and authenticating users

+

mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Multi-factor Authentication to Privileged Accounts + + + + + + + + +

Implement multi-factor authentication for access to privileged accounts.

+ + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication is implemented for access to privileged accounts.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Multi-factor Authentication to Non-privileged Accounts + + + + + + + +

Implement multi-factor authentication for access to non-privileged accounts.

+ + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication for access to non-privileged accounts is implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Access to Accounts — Replay Resistant + + + + + + + + + +

Implement replay-resistant authentication mechanisms for access to .

+
+ +

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

+
+ + +

replay-resistant authentication mechanisms for access to are implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of privileged system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

Mechanisms supporting and/or implementing replay-resistant authentication mechanisms

+
+
+
+ + Acceptance of PIV Credentials + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials.

+ + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+ +

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

+
+ + +

Personal Identity Verification-compliant credentials are accepted and electronically verified.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing acceptance and verification of PIV credentials

+
+
+
+
+ + Identifier Management + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles from whom authorization must be received to assign an identifier are defined;

+
+ + + + + +

at least two (2) years

+
+
+ +

a time period for preventing reuse of identifiers is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system identifiers by:

+ + +

Receiving authorization from to assign an individual, group, role, service, or device identifier;

+
+ + +

Selecting an identifier that identifies an individual, group, role, service, or device;

+
+ + +

Assigning the identifier to the intended individual, group, role, service, or device; and

+
+ + +

Preventing reuse of identifiers for .

+
+
+ +

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

+
+ + + + +

system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;

+ +
+ + +

system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by preventing reuse of identifiers for .

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identifier management

+

procedures addressing account management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of system accounts

+

list of identifiers generated from physical access control devices

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identifier management

+
+
+
+ + Authenticator Management + + + +

a time period for changing or refreshing authenticators by authenticator type is defined;

+
+ + + + +

events that trigger the change or refreshment of authenticators are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system authenticators by:

+ + +

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

+
+ + +

Establishing initial authenticator content for any authenticators issued by the organization;

+
+ + +

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + +

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

+
+ + +

Changing default authenticators prior to first use;

+
+ + +

Changing or refreshing authenticators or when occur;

+
+ + +

Protecting authenticator content from unauthorized disclosure and modification;

+
+ + +

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

+
+ + +

Changing authenticators for group or role accounts when membership to those accounts changes.

+
+ + IA-5 Additional FedRAMP Requirements and Guidance + + +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3

+
+ + +

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

+
+
+
+ +

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

+

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

+
+ + + + +

system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;

+ +
+ + +

system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;

+ +
+ + +

system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;

+ +
+ + +

system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;

+ +
+ + +

system authenticators are managed through the change of default authenticators prior to first use;

+ +
+ + +

system authenticators are managed through the change or refreshment of authenticators or when occur;

+ +
+ + +

system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;

+ +
+ + + + +

system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;

+ +
+ + +

system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;

+ +
+ +
+ + +

system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

addressing authenticator management

+

system design documentation

+

system configuration settings and associated documentation

+

list of system authenticator types

+

change control records associated with managing system authenticators

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+
+
+ + Password-based Authentication + + + +

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

+
+ + + + +

authenticator composition and complexity rules are defined;

+
+ + + + + + + + + +

For password-based authentication:

+ + +

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

+
+ + +

Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

+
+ + +

Transmit passwords only over cryptographically-protected channels;

+
+ + +

Store passwords using an approved salted key derivation function, preferably using a keyed hash;

+
+ + +

Require immediate selection of a new password upon account recovery;

+
+ + +

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

+
+ + +

Employ automated tools to assist the user in selecting strong password authenticators; and

+
+ + +

Enforce the following composition and complexity rules: .

+
+ + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

+
+ + +

For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

+

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

+
+ + +

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

+
+
+
+ +

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

+
+ + + + +

for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly;

+ +
+ + +

for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);

+ +
+ + +

for password-based authentication, passwords are only transmitted over cryptographically protected channels;

+ +
+ + +

for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;

+ +
+ + +

for password-based authentication, immediate selection of a new password is required upon account recovery;

+ +
+ + +

for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;

+ +
+ + +

for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;

+ +
+ + +

for password-based authentication, are enforced.

+ +
+ +
+ + + + +

Identification and authentication policy

+

password policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

password configurations and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing password-based authenticator management capability

+
+
+
+
+ + Authentication Feedback + + + + + + +

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+
+ +

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

+
+ + +

the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator feedback

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

+
+
+
+ + Cryptographic Module Authentication + + + + + + + + + + + +

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+
+ +

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

+
+ + +

mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing cryptographic module authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for cryptographic module authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic module authentication

+
+
+
+ + Identification and Authentication (Non-organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

+
+ +

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

+
+ + +

non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

privacy plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Acceptance of PIV Credentials from Other Agencies + + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

+
+ +

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

+
+ + + + +

Personal Identity Verification-compliant credentials from other federal agencies are accepted;

+ +
+ + +

Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept and verify PIV credentials

+
+
+
+ + Acceptance of External Authenticators + + + + + + + + +

Accept only external authenticators that are NIST-compliant; and

+
+ + +

Document and maintain a list of accepted external authenticators.

+
+
+ +

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

+
+ + + + +

only external authenticators that are NIST-compliant are accepted;

+ +
+ + + + +

a list of accepted external authenticators is documented;

+ +
+ + +

a list of accepted external authenticators is maintained.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of third-party credentialing products, components, or services procured and implemented by organization

+

third-party credential verification records

+

evidence of third-party credentials

+

third-party credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept external credentials

+
+
+
+ + Use of Defined Profiles + + + +

identity management profiles are defined;

+
+ + + + + + + +

Conform to the following profiles for identity management .

+
+ +

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+ + +

there is conformance with for identity management.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms supporting and/or implementing conformance with profiles

+
+
+
+
+ + Re-authentication + + + +

circumstances or situations requiring re-authentication are defined;

+
+ + + + + + + + + + + + + +

Require users to re-authenticate when .

+ + IA-11 Additional FedRAMP Requirements and Guidance + + +

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

+
    +
  • AAL1 (low baseline)
      +
    • 30 days of extended session
    • +
    • No limit on inactivity
    • +
    +
  • +
+
+
+
+ +

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

+
+ + +

users are required to re-authenticate when .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user and device re-authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of circumstances or situations requiring re-authentication

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+
+ + Incident Response + + Policy and Procedures + + + + + + +

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the incident response policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current incident response policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current incident response policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current incident response procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the incident response procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ incident response policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

+
+ + +

Review and update the current incident response:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an incident response policy is developed and documented;

+ +
+ + +

the incident response policy is disseminated to ;

+ +
+ + +

incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;

+ +
+ + +

the incident response procedures are disseminated to ;

+ +
+ + + + + + +

the incident response policy addresses purpose;

+ +
+ + +

the incident response policy addresses scope;

+ +
+ + +

the incident response policy addresses roles;

+ +
+ + +

the incident response policy addresses responsibilities;

+ +
+ + +

the incident response policy addresses management commitment;

+ +
+ + +

the incident response policy addresses coordination among organizational entities;

+ +
+ + +

the incident response policy addresses compliance;

+ +
+ +
+ + +

the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

+ +
+ + + + + + +

the current incident response policy is reviewed and updated ;

+ +
+ + +

the current incident response policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current incident response procedures are reviewed and updated ;

+ +
+ + +

the current incident response procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Incident response policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Incident Response Training + + + + +

ten (10) days for privileged users, thirty (30) days for Incident Response roles

+
+
+ +

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide incident response training to users is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update incident response training content is defined;

+
+ + + + +

events that initiate a review of the incident response training content are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide incident response training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming an incident response role or responsibility or acquiring system access;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update incident response training content and following .

+
+
+ +

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

incident response training content is reviewed and updated ;

+ +
+ + +

incident response training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

privacy plan

+

incident response plan

+

incident response training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Incident Handling + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

+
+ + +

Coordinate incident handling activities with contingency planning activities;

+
+ + +

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

+
+ + +

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

+
+ + IR-4 Additional FedRAMP Requirements and Guidance + + +

The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

+
+ + +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+ +

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

+
+ + + + + + +

an incident handling capability for incidents is implemented that is consistent with the incident response plan;

+ +
+ + +

the incident handling capability for incidents includes preparation;

+ +
+ + +

the incident handling capability for incidents includes detection and analysis;

+ +
+ + +

the incident handling capability for incidents includes containment;

+ +
+ + +

the incident handling capability for incidents includes eradication;

+ +
+ + +

the incident handling capability for incidents includes recovery;

+ +
+ +
+ + +

incident handling activities are coordinated with contingency planning activities;

+ +
+ + + + +

lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;

+ +
+ + +

the changes resulting from the incorporated lessons learned are implemented accordingly;

+ +
+ +
+ + + + +

the rigor of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the intensity of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the scope of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the results of incident handling activities are comparable and predictable across the organization.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident handling

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident handling capability for the organization

+
+
+
+ + Incident Monitoring + + + + + + + + + + + + + + + + + + + +

Track and document incidents.

+
+ +

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

+
+ + + + +

incidents are tracked;

+ +
+ + +

incidents are documented.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident monitoring

+

incident response records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident monitoring capability for the organization

+

mechanisms supporting and/or implementing the tracking and documenting of system security incidents

+
+
+
+ + Incident Reporting + + + + +

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

+
+
+ +

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

+
+ + + + +

authorities to whom incident information is to be reported are defined;

+
+ + + + + + + + + + + + + + + + + + +

Require personnel to report suspected incidents to the organizational incident response capability within ; and

+
+ + +

Report incident information to .

+
+ + IR-6 Additional FedRAMP Requirements and Guidance + + +

Reports security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+ +

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

+
+ + + + +

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

+ +
+ + +

incident information is reported to .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

incident reporting records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel who have/should have reported incidents

+

personnel (authorities) to whom incident information is to be reported

+

system users

+
+
+ + + + +

Organizational processes for incident reporting

+

mechanisms supporting and/or implementing incident reporting

+
+
+
+ + Incident Response Assistance + + + + + + + + + + + + + + + + +

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

+
+ +

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

+
+ + + + +

an incident response support resource, integral to the organizational incident response capability, is provided;

+ +
+ + +

the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response assistance

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response assistance and support responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for incident response assistance

+

mechanisms supporting and/or implementing incident response assistance

+
+
+
+ + Incident Response Plan + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ + + + +

personnel or roles that review and approve the incident response plan is/are identified;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and approve the incident response plan is defined;

+
+ + + + +

entities, personnel, or roles with designated responsibility for incident response are defined;

+
+ + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ +

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

+
+ + + + +

organizational elements to which copies of the incident response plan are to be distributed are defined;

+
+ + + + +

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

+
+ + + + +

organizational elements to which changes to the incident response plan are communicated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop an incident response plan that:

+ + +

Provides the organization with a roadmap for implementing its incident response capability;

+
+ + +

Describes the structure and organization of the incident response capability;

+
+ + +

Provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + +

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

+
+ + +

Defines reportable incidents;

+
+ + +

Provides metrics for measuring the incident response capability within the organization;

+
+ + +

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

+
+ + +

Addresses the sharing of incident information;

+
+ + +

Is reviewed and approved by + ; and

+
+ + +

Explicitly designates responsibility for incident response to .

+
+
+ + +

Distribute copies of the incident response plan to ;

+
+ + +

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+
+ + +

Communicate incident response plan changes to ; and

+
+ + +

Protect the incident response plan from unauthorized disclosure and modification.

+
+ + IR-8 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+ + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+
+
+ +

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

+
+ + + + + + +

an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;

+ +
+ + +

an incident response plan is developed that describes the structure and organization of the incident response capability;

+ +
+ + +

an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;

+ +
+ + +

an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;

+ +
+ + +

an incident response plan is developed that defines reportable incidents;

+ +
+ + +

an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;

+ +
+ + +

an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;

+ +
+ + +

an incident response plan is developed that addresses the sharing of incident information;

+ +
+ + +

an incident response plan is developed that is reviewed and approved by + ;

+ +
+ + +

an incident response plan is developed that explicitly designates responsibility for incident response to .

+ +
+ +
+ + + + +

copies of the incident response plan are distributed to ;

+ +
+ + +

copies of the incident response plan are distributed to ;

+ +
+ +
+ + +

the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+ +
+ + + + +

incident response plan changes are communicated to ;

+ +
+ + +

incident response plan changes are communicated to ;

+ +
+ +
+ + + + +

the incident response plan is protected from unauthorized disclosure;

+ +
+ + +

the incident response plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response planning

+

incident response plan

+

system security plan

+

privacy plan

+

records of incident response plan reviews and approvals

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational incident response plan and related organizational processes

+
+
+
+
+ + Maintenance + + Policy and Procedures + + + + + + +

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the maintenance policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current maintenance policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current maintenance policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current maintenance procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the maintenance procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ maintenance policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

+
+ + +

Review and update the current maintenance:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a maintenance policy is developed and documented;

+ +
+ + +

the maintenance policy is disseminated to ;

+ +
+ + +

maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;

+ +
+ + +

the maintenance procedures are disseminated to ;

+ +
+ + + + + + +

the maintenance policy addresses purpose;

+ +
+ + +

the maintenance policy addresses scope;

+ +
+ + +

the maintenance policy addresses roles;

+ +
+ + +

the maintenance policy addresses responsibilities;

+ +
+ + +

the maintenance policy addresses management commitment;

+ +
+ + +

the maintenance policy addresses coordination among organizational entities;

+ +
+ + +

the maintenance policy addresses compliance;

+ +
+ +
+ + +

the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

+ +
+ + + + + + +

the current maintenance policy is reviewed and updated ;

+ +
+ + +

the current maintenance policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current maintenance procedures are reviewed and updated ;

+ +
+ + +

the current maintenance procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Maintenance policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with maintenance responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Controlled Maintenance + + + +

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

+
+ + + + +

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

+
+ + + + +

information to be included in organizational maintenance records is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

+
+ + +

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

+
+ + +

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+
+ + +

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

+
+ + +

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

+
+ + +

Include the following information in organizational maintenance records: .

+
+
+ +

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

+
+ + + + + + +

maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ +
+ + + + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;

+ +
+ + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;

+ +
+ +
+ + +

+ is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;

+ +
+ + +

+ is included in organizational maintenance records.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing controlled system maintenance

+

maintenance records

+

manufacturer/vendor maintenance specifications

+

equipment sanitization records

+

media sanitization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system

+

organizational processes for sanitizing system components

+

mechanisms supporting and/or implementing controlled maintenance

+

mechanisms implementing the sanitization of system components

+
+
+
+ + Nonlocal Maintenance + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Approve and monitor nonlocal maintenance and diagnostic activities;

+
+ + +

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

+
+ + +

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + +

Maintain records for nonlocal maintenance and diagnostic activities; and

+
+ + +

Terminate session and network connections when nonlocal maintenance is completed.

+
+
+ +

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

+
+ + + + + + +

nonlocal maintenance and diagnostic activities are approved;

+ +
+ + +

nonlocal maintenance and diagnostic activities are monitored;

+ +
+ +
+ + + + +

the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;

+ +
+ + +

the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;

+ +
+ +
+ + +

strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;

+ +
+ + +

records for nonlocal maintenance and diagnostic activities are maintained;

+ +
+ + + + +

session connections are terminated when nonlocal maintenance is completed;

+ +
+ + +

network connections are terminated when nonlocal maintenance is completed.

+ +
+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing nonlocal system maintenance

+

remote access policy

+

remote access procedures

+

system design documentation

+

system configuration settings and associated documentation

+

maintenance records

+

records of remote access

+

diagnostic records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing nonlocal maintenance

+

mechanisms implementing, supporting, and/or managing nonlocal maintenance

+

mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

+

mechanisms for terminating nonlocal maintenance sessions and network connections

+
+
+
+ + Maintenance Personnel + + + + + + + + + + + + + + + + + + + +

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

+
+ + +

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

+
+ + +

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ +

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+
+ + + + + + +

a process for maintenance personnel authorization is established;

+ +
+ + +

a list of authorized maintenance organizations or personnel is maintained;

+ +
+ +
+ + +

non-escorted personnel performing maintenance on the system possess the required access authorizations;

+ +
+ + +

organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

service provider contracts

+

service-level agreements

+

list of authorized personnel

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for authorizing and managing maintenance personnel

+

mechanisms supporting and/or implementing authorization of maintenance personnel

+
+
+
+
+ + Media Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the media protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current media protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current media protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current media protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require media protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ media protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

+
+ + +

Review and update the current media protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a media protection policy is developed and documented;

+ +
+ + +

the media protection policy is disseminated to ;

+ +
+ + +

media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;

+ +
+ + +

the media protection procedures are disseminated to ;

+ +
+ + + + + + +

the media protection policy addresses purpose;

+ +
+ + +

the media protection policy addresses scope;

+ +
+ + +

the media protection policy addresses roles;

+ +
+ + +

the media protection policy addresses responsibilities;

+ +
+ + +

the media protection policy addresses management commitment;

+ +
+ + +

the media protection policy addresses coordination among organizational entities;

+ +
+ + +

the media protection policy compliance;

+ +
+ +
+ + +

the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.

+ +
+ + + + + + +

the current media protection policy is reviewed and updated ;

+ +
+ + +

the current media protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current media protection procedures are reviewed and updated ;

+ +
+ + +

the current media protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Media protection policy and procedures

+

organizational risk management strategy

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Media Access + + + + + + + + + +

types of digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access digital media is/are defined;

+
+ + + + +

types of non-digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access non-digital media is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Restrict access to to .

+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

+
+ + + + +

access to is restricted to ;

+ +
+ + +

access to is restricted to .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media access restrictions

+

access control policy and procedures

+

physical and environmental protection policy and procedures

+

media storage facilities

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for restricting information media

+

mechanisms supporting and/or implementing media access restrictions

+
+
+
+ + Media Sanitization + + + + +

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

+
+
+ + + + + + + +

system media to be sanitized prior to disposal is defined;

+
+ + + + +

system media to be sanitized prior to release from organizational control is defined;

+
+ + + + +

system media to be sanitized prior to release for reuse is defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

+
+ + +

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

+
+
+ +

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

+
+ + + + + + +

+ is sanitized using prior to disposal;

+ +
+ + +

+ is sanitized using prior to release from organizational control;

+ +
+ + +

+ is sanitized using prior to release for reuse;

+ +
+ +
+ + +

sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

applicable federal standards and policies addressing media sanitization policy

+

media sanitization records

+

system audit records

+

system design documentation

+

records retention and disposition policy

+

records retention and disposition procedures

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media sanitization responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media sanitization

+

mechanisms supporting and/or implementing media sanitization

+
+
+
+ + Media Use + + + +

types of system media to be restricted or prohibited from use on systems or system components are defined;

+
+ + + + + + + +

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

+
+ + + + +

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

+
+ + + + + + + + + + + + + + + + +

+ the use of on using ; and

+
+ + +

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

+
+
+ +

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

+
+ + + + +

the use of is on using ;

+ +
+ + +

the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

+ +
+ +
+ + + + +

System media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

rules of behavior

+

system design documentation

+

system configuration settings and associated documentation

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media use

+

mechanisms restricting or prohibiting the use of system media on systems or system components

+
+
+
+
+ + Physical and Environmental Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the physical and environmental protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ physical and environmental protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

+
+ + +

Review and update the current physical and environmental protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a physical and environmental protection policy is developed and documented;

+ +
+ + +

the physical and environmental protection policy is disseminated to ;

+ +
+ + +

physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;

+ +
+ + +

the physical and environmental protection procedures are disseminated to ;

+ +
+ + + + + + +

the physical and environmental protection policy addresses purpose;

+ +
+ + +

the physical and environmental protection policy addresses scope;

+ +
+ + +

the physical and environmental protection policy addresses roles;

+ +
+ + +

the physical and environmental protection policy addresses responsibilities;

+ +
+ + +

the physical and environmental protection policy addresses management commitment;

+ +
+ + +

the physical and environmental protection policy addresses coordination among organizational entities;

+ +
+ + +

the physical and environmental protection policy addresses compliance;

+ +
+ +
+ + +

the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;

+ +
+ + + + + + +

the current physical and environmental protection policy is reviewed and updated ;

+ +
+ + +

the current physical and environmental protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current physical and environmental protection procedures are reviewed and updated ;

+ +
+ + +

the current physical and environmental protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical and environmental protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Physical Access Authorizations + + + + +

at least annually

+
+
+ +

frequency at which to review the access list detailing authorized facility access by individuals is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

+
+ + +

Issue authorization credentials for facility access;

+
+ + +

Review the access list detailing authorized facility access by individuals ; and

+
+ + +

Remove individuals from the facility access list when access is no longer required.

+
+
+ +

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

+
+ + + + + + +

a list of individuals with authorized access to the facility where the system resides has been developed;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been approved;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been maintained;

+ +
+ +
+ + +

authorization credentials are issued for facility access;

+ +
+ + +

the access list detailing authorized facility access by individuals is reviewed ;

+ +
+ + +

individuals are removed from the facility access list when access is no longer required.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access authorizations

+

authorized personnel access list

+

authorization credentials

+

physical access list reviews

+

physical access termination records and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with physical access to system facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access authorizations

+

mechanisms supporting and/or implementing physical access authorizations

+
+
+
+ + Physical Access Control + + + + +

at least annually

+
+
+ + + + +

entry and exit points to the facility in which the system resides are defined;

+
+ + + + +

CSP defined physical access control systems/devices AND guards

+
+
+ + + + + +

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

+
+ + + + +

entry or exit points for which physical access logs are maintained are defined;

+
+ + + + +

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

+
+ + + + + +

in all circumstances within restricted access area where the information system resides

+
+
+ +

circumstances requiring visitor escorts and control of visitor activity are defined;

+
+ + + + + +

at least annually

+
+
+ +

physical access devices to be inventoried are defined;

+
+ + + + +

frequency at which to inventory physical access devices is defined;

+
+ + + + +

frequency at which to change combinations is defined;

+
+ + + + +

frequency at which to change keys is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce physical access authorizations at by:

+ + +

Verifying individual access authorizations before granting access to the facility; and

+
+ + +

Controlling ingress and egress to the facility using ;

+
+
+ + +

Maintain physical access audit logs for ;

+
+ + +

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

+
+ + +

Escort visitors and control visitor activity ;

+
+ + +

Secure keys, combinations, and other physical access devices;

+
+ + +

Inventory every ; and

+
+ + +

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

+
+
+ +

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

+
+ + + + + + +

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

+ +
+ + +

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

+ +
+ +
+ + +

physical access audit logs are maintained for ;

+ +
+ + +

access to areas within the facility designated as publicly accessible are maintained by implementing ;

+ +
+ + + + +

visitors are escorted;

+ +
+ + +

visitor activity is controlled ;

+ +
+ +
+ + + + +

keys are secured;

+ +
+ + +

combinations are secured;

+ +
+ + +

other physical access devices are secured;

+ +
+ +
+ + +

+ are inventoried ;

+ +
+ + + + +

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

+ +
+ + +

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access control

+

physical access control logs or records

+

inventory records of physical access control devices

+

system entry and exit points

+

records of key and lock combination changes

+

storage locations for physical access control devices

+

physical access control devices

+

list of security safeguards controlling access to designated publicly accessible areas within facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access control

+

mechanisms supporting and/or implementing physical access control

+

physical access control devices

+
+
+
+ + Monitoring Physical Access + + + + +

at least monthly

+
+
+ +

the frequency at which to review physical access logs is defined;

+
+ + + + +

events or potential indication of events requiring physical access logs to be reviewed are defined;

+
+ + + + + + + + + + + + + + + + + +

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

+
+ + +

Review physical access logs and upon occurrence of ; and

+
+ + +

Coordinate results of reviews and investigations with the organizational incident response capability.

+
+
+ +

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

+
+ + + + +

physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;

+ +
+ + + + +

physical access logs are reviewed ;

+ +
+ + +

physical access logs are reviewed upon occurrence of ;

+ +
+ +
+ + + + +

results of reviews are coordinated with organizational incident response capabilities;

+ +
+ + +

results of investigations are coordinated with organizational incident response capabilities.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical access

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing the review of physical access logs

+
+
+
+ + Visitor Access Records + + + + +

for a minimum of one (1) year

+
+
+ +

time period for which to maintain visitor access records for the facility where the system resides is defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to review visitor access records is defined;

+
+ + + + +

personnel to whom visitor access records anomalies are reported to is/are defined;

+
+ + + + + + + + + + + + +

Maintain visitor access records to the facility where the system resides for ;

+
+ + +

Review visitor access records ; and

+
+ + +

Report anomalies in visitor access records to .

+
+
+ +

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

+
+ + + + +

visitor access records for the facility where the system resides are maintained for ;

+ +
+ + +

visitor access records are reviewed ;

+ +
+ + +

visitor access records anomalies are reported to .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

visitor access control logs or records

+

visitor access record or log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with visitor access record responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for maintaining and reviewing visitor access records

+

mechanisms supporting and/or implementing the maintenance and review of visitor access records

+
+
+
+ + Emergency Lighting + + + + + + + +

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

+
+ +

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

+
+ + + + +

automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;

+ +
+ + +

automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;

+ +
+ + +

automatic emergency lighting for the system covers emergency exits within the facility;

+ +
+ + +

automatic emergency lighting for the system covers evacuation routes within the facility.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency lighting

+

emergency lighting documentation

+

emergency lighting test records

+

emergency exits and evacuation routes

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency lighting and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an emergency lighting capability

+
+
+
+ + Fire Protection + + + + + + +

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

+
+ +

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

+
+ + + + +

fire detection systems are employed;

+ +
+ + +

employed fire detection systems are supported by an independent energy source;

+ +
+ + +

employed fire detection systems are maintained;

+ +
+ + +

fire suppression systems are employed;

+ +
+ + +

employed fire suppression systems are supported by an independent energy source;

+ +
+ + +

employed fire suppression systems are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire suppression/detection devices/systems

+
+
+
+ + Environmental Controls + + + +

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

+
+
+ + + + + +

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

+
+ + + + +

acceptable levels for environmental controls are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which to monitor environmental control levels is defined;

+
+ + + + + + + + + + +

Maintain levels within the facility where the system resides at ; and

+
+ + +

Monitor environmental control levels .

+
+ + PE-14 Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+ +

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

+
+ + + + +

+ levels are maintained at within the facility where the system resides;

+ +
+ + +

environmental control levels are monitored .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing temperature and humidity control

+

temperature and humidity controls

+

facility housing the system

+

temperature and humidity controls documentation

+

temperature and humidity records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels

+
+
+
+ + Water Damage Protection + + + + + + + +

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

+
+ +

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

+
+ + + + +

the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;

+ +
+ + +

the master shutoff or isolation valves are accessible;

+ +
+ + +

the master shutoff or isolation valves are working properly;

+ +
+ + +

the master shutoff or isolation valves are known to key personnel.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the system

+

master shutoff valves

+

list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

+

master shutoff valve documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Master water-shutoff valves

+

organizational process for activating master water shutoff

+
+
+
+ + Delivery and Removal + + + + +

all information system components

+
+
+ + + + +

types of system components to be authorized and controlled when entering the facility are defined;

+
+ + + + +

types of system components to be authorized and controlled when exiting the facility are defined;

+
+ + + + + + + + + + + + + + + + + + +

Authorize and control entering and exiting the facility; and

+
+ + +

Maintain records of the system components.

+
+
+ +

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

+
+ + + + + + +

+ are authorized when entering the facility;

+ +
+ + +

+ are controlled when entering the facility;

+ +
+ + +

+ are authorized when exiting the facility;

+ +
+ + +

+ are controlled when exiting the facility;

+ +
+ +
+ + +

records of the system components are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing the delivery and removal of system components from the facility

+

facility housing the system

+

records of items entering and exiting the facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for controlling system components entering and exiting the facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility

+

mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility

+
+
+
+
+ + Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

+
+ + +

Review and update the current planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a planning policy is developed and documented.

+ +
+ + +

the planning policy is disseminated to ;

+ +
+ + +

planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;

+ +
+ + +

the planning procedures are disseminated to ;

+ +
+ + + + + + +

the planning policy addresses purpose;

+ +
+ + +

the planning policy addresses scope;

+ +
+ + +

the planning policy addresses roles;

+ +
+ + +

the planning policy addresses responsibilities;

+ +
+ + +

the planning policy addresses management commitment;

+ +
+ + +

the planning policy addresses coordination among organizational entities;

+ +
+ + +

the planning policy addresses compliance;

+ +
+ +
+ + +

the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the planning policy and procedures;

+ +
+ + + + + + +

the current planning policy is reviewed and updated ;

+ +
+ + +

the current planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current planning procedures are reviewed and updated ;

+ +
+ + +

the current planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + System Security and Privacy Plans + + + +

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

+
+ + + + +

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

+
+ + + + + +

at least annually

+
+
+ +

frequency to review system security and privacy plans is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy plans for the system that:

+ + +

Are consistent with the organization’s enterprise architecture;

+
+ + +

Explicitly define the constituent system components;

+
+ + +

Describe the operational context of the system in terms of mission and business processes;

+
+ + +

Identify the individuals that fulfill system roles and responsibilities;

+
+ + +

Identify the information types processed, stored, and transmitted by the system;

+
+ + +

Provide the security categorization of the system, including supporting rationale;

+
+ + +

Describe any specific threats to the system that are of concern to the organization;

+
+ + +

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

+
+ + +

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

+
+ + +

Provide an overview of the security and privacy requirements for the system;

+
+ + +

Identify any relevant control baselines or overlays, if applicable;

+
+ + +

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

+
+ + +

Include risk determinations for security and privacy architecture and design decisions;

+
+ + +

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

+
+ + +

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+
+
+ + +

Distribute copies of the plans and communicate subsequent changes to the plans to ;

+
+ + +

Review the plans ;

+
+ + +

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

+
+ + +

Protect the plans from unauthorized disclosure and modification.

+
+
+ +

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

+

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

+

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

+

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

+
+ + + + + + + + +

a security plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ + +

a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ +
+ + + + +

a security plan for the system is developed that explicitly defines the constituent system components;

+ +
+ + +

a privacy plan for the system is developed that explicitly defines the constituent system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ + +

a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ + +

a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ + +

a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ + +

a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ + +

a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ + +

a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ + +

a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides an overview of the security requirements for the system;

+ +
+ + +

a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ + +

a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;

+ +
+ + +

a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes risk determinations for security architecture and design decisions;

+ +
+ + +

a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

+ +
+ + +

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

+ +
+ +
+ + + + +

a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+ +
+ + +

a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+ +
+ +
+ +
+ + + + +

copies of the plans are distributed to ;

+ +
+ + +

subsequent changes to the plans are communicated to ;

+ +
+ +
+ + +

plans are reviewed ;

+ +
+ + + + +

plans are updated to address changes to the system and environment of operations;

+ +
+ + +

plans are updated to address problems identified during the plan implementation;

+ +
+ + +

plans are updated to address problems identified during control assessments;

+ +
+ +
+ + + + +

plans are protected from unauthorized disclosure;

+ +
+ + +

plans are protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing security and privacy plan reviews and updates

+

enterprise architecture documentation

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

security and privacy architecture and design documentation

+

risk assessments

+

risk assessment results

+

control assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system security and privacy planning and plan implementation responsibilities

+

system developers

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for system security and privacy plan development, review, update, and approval

+

mechanisms supporting the system security and privacy plan

+
+
+
+ + Rules of Behavior + + + + +

at least every 3 years

+
+
+ +

frequency for reviewing and updating the rules of behavior is defined;

+
+ + + + +

at least annually and when the rules are revised or changed

+
+
+ + + + + +

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

+
+ + +

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

+
+ + +

Review and update the rules of behavior ; and

+
+ + +

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

+
+
+ +

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

+
+ + + + + + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;

+ +
+ + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;

+ +
+ +
+ + +

before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;

+ +
+ + +

rules of behavior are reviewed and updated ;

+ +
+ + +

individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge .

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

signed acknowledgements

+

records for rules of behavior reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed and resigned rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

+

mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

+
+
+ + Social Media and External Site/Application Usage Restrictions + + + + + + + + + +

Include in the rules of behavior, restrictions on:

+ + +

Use of social media, social networking sites, and external sites/applications;

+
+ + +

Posting organizational information on public websites; and

+
+ + +

Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+
+
+ +

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.

+
+ + + + +

the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;

+ +
+ + +

the rules of behavior include restrictions on posting organizational information on public websites;

+ +
+ + +

the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

training policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing rules of behavior

+

mechanisms supporting and/or implementing the establishment of rules of behavior

+
+
+
+
+ + Security and Privacy Architectures + + + + +

at least annually and when a significant change occurs

+
+
+ +

frequency for review and update to reflect changes in the enterprise architecture;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy architectures for the system that:

+ + +

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+
+ + +

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+
+ + +

Describe how the architectures are integrated into and support the enterprise architecture; and

+
+ + +

Describe any assumptions about, and dependencies on, external systems and services;

+
+
+ + +

Review and update the architectures to reflect changes in the enterprise architecture; and

+
+ + +

Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

+
+ + PL-8 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

+

+ SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

+

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

+

+ PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

+
+ + + + + + +

a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+ +
+ + +

a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+ +
+ + + + +

a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ + +

a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ +
+ + + + +

a security architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ + +

a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ +
+ +
+ + +

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

+ +
+ + + + +

planned architecture changes are reflected in the security plan;

+ +
+ + +

planned architecture changes are reflected in the privacy plan;

+ +
+ + +

planned architecture changes are reflected in the Concept of Operations (CONOPS);

+ +
+ + +

planned architecture changes are reflected in criticality analysis;

+ +
+ + +

planned architecture changes are reflected in organizational procedures;

+ +
+ + +

planned architecture changes are reflected in procurements and acquisitions.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing information security and privacy architecture development

+

procedures addressing information security and privacy architecture reviews and updates

+

enterprise architecture documentation

+

information security and privacy architecture documentation

+

system security plan

+

privacy plan

+

security and privacy CONOPS for the system

+

records of information security and privacy architecture reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for developing, reviewing, and updating the information security and privacy architecture

+

mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture

+
+
+
+ + Baseline Selection + + + + + + + + + + + + + + + + + + + + +

Select a control baseline for the system.

+ + PL-10 Additional FedRAMP Requirements and Guidance + + +

Select the appropriate FedRAMP Baseline

+
+
+
+ +

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

+
+ + +

a control baseline for the system is selected.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing system security and privacy plan reviews and updates

+

system design documentation

+

system architecture and configuration documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with responsibility for organizational risk management activities

+
+
+
+ + Baseline Tailoring + + + + + + + + + + + + + + + + + + + + +

Tailor the selected control baseline by applying specified tailoring actions.

+
+ +

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

+
+ + +

the selected control baseline is tailored by applying specified tailoring actions.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

system design documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

baseline tailoring rationale

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Personnel Security + + Policy and Procedures + + + + + + +

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the personnel security policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current personnel security policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current personnel security policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current personnel security procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the personnel security procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ personnel security policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

+
+ + +

Review and update the current personnel security:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a personnel security policy is developed and documented;

+ +
+ + +

the personnel security policy is disseminated to ;

+ +
+ + +

personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;

+ +
+ + +

the personnel security procedures are disseminated to ;

+ +
+ + + + + + +

the personnel security policy addresses purpose;

+ +
+ + +

the personnel security policy addresses scope;

+ +
+ + +

the personnel security policy addresses roles;

+ +
+ + +

the personnel security policy addresses responsibilities;

+ +
+ + +

the personnel security policy addresses management commitment;

+ +
+ + +

the personnel security policy addresses coordination among organizational entities;

+ +
+ + +

the personnel security policy addresses compliance;

+ +
+ +
+ + +

the personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

+ +
+ + + + + + +

the current personnel security policy is reviewed and updated ;

+ +
+ + +

the current personnel security policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current personnel security procedures are reviewed and updated ;

+ +
+ + +

the current personnel security procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Position Risk Designation + + + + +

at least every three years

+
+
+ +

the frequency at which to review and update position risk designations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a risk designation to all organizational positions;

+
+ + +

Establish screening criteria for individuals filling those positions; and

+
+ + +

Review and update position risk designations .

+
+
+ +

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

+
+ + + + +

a risk designation is assigned to all organizational positions;

+ +
+ + +

screening criteria are established for individuals filling organizational positions;

+ +
+ + +

position risk designations are reviewed and updated .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing position categorization

+

appropriate codes of federal regulations

+

list of risk designations for organizational positions

+

records of position risk designation reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for assigning, reviewing, and updating position risk designations

+

organizational processes for establishing screening criteria

+
+
+
+ + Personnel Screening + + + + +

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

+

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

+
+
+ + + + +

conditions requiring rescreening of individuals are defined;

+
+ + + + +

the frequency of rescreening individuals where it is so indicated is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Screen individuals prior to authorizing access to the system; and

+
+ + +

Rescreen individuals in accordance with .

+
+
+ +

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

+
+ + + + +

individuals are screened prior to authorizing access to the system;

+ +
+ + + + +

individuals are rescreened in accordance with ;

+ +
+ + +

where rescreening is so indicated, individuals are rescreened .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel screening

+

records of screened personnel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel screening

+
+
+
+ + Personnel Termination + + + + +

four (4) hours

+
+
+ +

a time period within which to disable system access is defined;

+
+ + + + +

information security topics to be discussed when conducting exit interviews are defined;

+
+ + + + + + + + + + + + +

Upon termination of individual employment:

+ + +

Disable system access within ;

+
+ + +

Terminate or revoke any authenticators and credentials associated with the individual;

+
+ + +

Conduct exit interviews that include a discussion of ;

+
+ + +

Retrieve all security-related organizational system-related property; and

+
+ + +

Retain access to organizational information and systems formerly controlled by terminated individual.

+
+
+ +

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

+
+ + + + +

upon termination of individual employment, system access is disabled within ;

+ +
+ + +

upon termination of individual employment, any authenticators and credentials are terminated or revoked;

+ +
+ + +

upon termination of individual employment, exit interviews that include a discussion of are conducted;

+ +
+ + +

upon termination of individual employment, all security-related organizational system-related property is retrieved;

+ +
+ + +

upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel termination

+

records of personnel termination actions

+

list of system accounts

+

records of terminated or revoked authenticators/credentials

+

records of exit interviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel termination

+

mechanisms supporting and/or implementing personnel termination notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+
+ + Personnel Transfer + + + +

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

+
+ + + + +

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

+
+ + + + + + + + + + + + + + +

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

+
+ + +

Initiate within ;

+
+ + +

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

+
+ + +

Notify within .

+
+
+ +

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

+
+ + + + +

the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;

+ +
+ + +

+ are initiated within ;

+ +
+ + +

access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;

+ +
+ + +

+ are notified within .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel transfer

+

records of personnel transfer actions

+

list of system and facility access authorizations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel transfer

+

mechanisms supporting and/or implementing personnel transfer notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+
+ + Access Agreements + + + + +

at least annually

+
+
+ +

the frequency at which to review and update access agreements is defined;

+
+ + + + + +

at least annually and any time there is a change to the user's level of access

+
+
+ +

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop and document access agreements for organizational systems;

+
+ + +

Review and update the access agreements ; and

+
+ + +

Verify that individuals requiring access to organizational information and systems:

+ + +

Sign appropriate access agreements prior to being granted access; and

+
+ + +

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+
+
+
+ +

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

+
+ + + + +

access agreements are developed and documented for organizational systems;

+ +
+ + +

the access agreements are reviewed and updated ;

+ +
+ + + + +

individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;

+ +
+ + +

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing access agreements for organizational information and systems

+

access control policy

+

access control procedures

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

documentation of access agreement reviews, updates, and re-signing

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel who have signed/resigned access agreements

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for reviewing, updating, and re-signing access agreements

+

mechanisms supporting the reviewing, updating, and re-signing of access agreements

+
+
+
+ + External Personnel Security + + + + +

including access control personnel responsible for the system and/or facilities, as appropriate

+
+
+ +

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

+
+ + + + + +

within twenty-four (24) hours

+
+
+ +

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Establish personnel security requirements, including security roles and responsibilities for external providers;

+
+ + +

Require external providers to comply with personnel security policies and procedures established by the organization;

+
+ + +

Document personnel security requirements;

+
+ + +

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

+
+ + +

Monitor provider compliance with personnel security requirements.

+
+
+ +

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

+
+ + + + +

personnel security requirements are established, including security roles and responsibilities for external providers;

+ +
+ + +

external providers are required to comply with personnel security policies and procedures established by the organization;

+ +
+ + +

personnel security requirements are documented;

+ +
+ + +

external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ;

+ +
+ + +

provider compliance with personnel security requirements is monitored.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing external personnel security

+

list of personnel security requirements

+

acquisition documents

+

service-level agreements

+

compliance monitoring process

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

external providers

+

system/network administrators

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for managing and monitoring external personnel security

+

mechanisms supporting and/or implementing the monitoring of provider compliance

+
+
+
+ + Personnel Sanctions + + + + +

at a minimum, the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

+
+ + + + +

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

+
+ + + + + + + + + + + + +

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

+
+ + +

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+ +

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

+
+ + + + +

a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;

+ +
+ + +

+ is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing personnel sanctions

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

list of personnel or roles to be notified of formal employee sanctions

+

records or notifications of formal employee sanctions

+

system security plan

+

privacy plan

+

personally identifiable information processing policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

legal counsel

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for managing formal employee sanctions

+

mechanisms supporting and/or implementing formal employee sanctions notifications

+
+
+
+ + Position Descriptions + + + + + + +

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

+
+ +

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

+
+ + + + +

security roles and responsibilities are incorporated into organizational position descriptions;

+ +
+ + +

privacy roles and responsibilities are incorporated into organizational position descriptions.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing position descriptions

+

security and privacy position descriptions

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with human capital management responsibilities

+
+
+ + + + +

Organizational processes for managing position descriptions

+
+
+
+
+ + Risk Assessment + + Policy and Procedures + + + + + + +

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the risk assessment policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current risk assessment policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current risk assessment policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require risk assessment procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ risk assessment policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

+
+ + +

Review and update the current risk assessment:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a risk assessment policy is developed and documented;

+ +
+ + +

the risk assessment policy is disseminated to ;

+ +
+ + +

risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;

+ +
+ + +

the risk assessment procedures are disseminated to ;

+ +
+ + + + + + +

the risk assessment policy addresses purpose;

+ +
+ + +

the risk assessment policy addresses scope;

+ +
+ + +

the risk assessment policy addresses roles;

+ +
+ + +

the risk assessment policy addresses responsibilities;

+ +
+ + +

the risk assessment policy addresses management commitment;

+ +
+ + +

the risk assessment policy addresses coordination among organizational entities;

+ +
+ + +

the risk assessment policy addresses compliance;

+ +
+ +
+ + +

the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;

+ +
+ + + + + + +

the current risk assessment policy is reviewed and updated ;

+ +
+ + +

the current risk assessment policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current risk assessment procedures are reviewed and updated ;

+ +
+ + +

the current risk assessment procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Risk assessment policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+
+ + Security Categorization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Categorize the system and information it processes, stores, and transmits;

+
+ + +

Document the security categorization results, including supporting rationale, in the security plan for the system; and

+
+ + +

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ +

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

+

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

+

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

+
+ + + + +

the system and the information it processes, stores, and transmits are categorized;

+ +
+ + +

the security categorization results, including supporting rationale, are documented in the security plan for the system;

+ +
+ + +

the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+ +
+ +
+ + + + +

Risk assessment policy

+

security planning policy and procedures

+

procedures addressing security categorization of organizational information and systems

+

security categorization documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security categorization and risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for security categorization

+
+
+
+ + Risk Assessment + + + +

security assessment report

+
+
+ + + + + +

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

+
+ + + + + +

at least every three (3) years and when a significant change occurs

+
+
+ +

the frequency to review risk assessment results is defined;

+
+ + + + +

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

+
+ + + + + +

at least every three (3) years

+
+
+ +

the frequency to update the risk assessment is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Conduct a risk assessment, including:

+ + +

Identifying threats to and vulnerabilities in the system;

+
+ + +

Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

+
+ + +

Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+
+
+ + +

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

+
+ + +

Document risk assessment results in ;

+
+ + +

Review risk assessment results ;

+
+ + +

Disseminate risk assessment results to ; and

+
+ + +

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+
+ + RA-3 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+ + +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+ +

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

+

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

+

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

+
+ + + + + + +

a risk assessment is conducted to identify threats to and vulnerabilities in the system;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+ +
+ +
+ + +

risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;

+ +
+ + +

risk assessment results are documented in ;

+ +
+ + +

risk assessment results are reviewed ;

+ +
+ + +

risk assessment results are disseminated to ;

+ +
+ + +

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+ +
+ +
+ + + + +

Risk assessment policy

+

risk assessment procedures

+

security and privacy planning policy and procedures

+

procedures addressing organizational assessments of risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment

+
+
+ + Supply Chain Risk Assessment + + + +

systems, system components, and system services to assess supply chain risks are defined;

+
+ + + + +

the frequency at which to update the supply chain risk assessment is defined;

+
+ + + + + + + + + + + + + + + +

Assess supply chain risks associated with ; and

+
+ + +

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+
+
+ +

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

+
+ + + + +

supply chain risks associated with are assessed;

+ +
+ + +

the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

inventory of critical systems, system components, and system services

+

risk assessment policy

+

security planning policy and procedures

+

procedures addressing organizational assessments of supply chain risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

acquisition policy

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment

+
+
+
+
+ + Vulnerability Monitoring and Scanning + + + + +

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

+
+
+ + + + +

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

+
+ + + + +

frequency for scanning systems and hosted applications for vulnerabilities is defined;

+
+ + + + + +

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

+
+
+ +

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

+
+ + + + +

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

+
+ + +

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + +

Enumerating platforms, software flaws, and improper configurations;

+
+ + +

Formatting checklists and test procedures; and

+
+ + +

Measuring vulnerability impact;

+
+
+ + +

Analyze vulnerability scan reports and results from vulnerability monitoring;

+
+ + +

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+
+ + +

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

+
+ + +

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

+
+ + +

an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + +

If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

+
+ + +

to include all Authorizing Officials; for JAB authorizations to include FedRAMP

+
+ + +

Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

+

Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

+

Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

+
+
+
+ +

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

+

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

+

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

+

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

+
+ + + + + + +

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ + +

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;

+ + +

vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;

+ +
+ +
+ + +

vulnerability scan reports and results from vulnerability monitoring are analyzed;

+ +
+ + +

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

+ +
+ + +

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

+ +
+ + +

vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.

+ +
+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with vulnerability remediation responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

+

mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

+
+
+ + Update Vulnerabilities to Be Scanned + + + +

prior to a new scan

+
+
+ + + + + +

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

+
+ + + + + + + + + +

Update the system vulnerabilities to be scanned .

+
+ +

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

+
+ + +

the system vulnerabilities to be scanned are updated .

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Public Disclosure Program + + + + + + + +

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

+
+ +

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

+
+ + +

a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

vulnerability scanning tools and techniques documentation

+

vulnerability scanning results

+

vulnerability management records

+

audit records

+

public reporting channel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms implementing the public reporting of vulnerabilities

+
+
+
+
+ + Risk Response + + + + + + + + + + + + + + + + + + + +

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

+
+ +

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

+
+ + + + +

findings from security assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from privacy assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from monitoring are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from audits are responded to in accordance with organizational risk tolerance.

+ +
+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

audit records/event logs

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

system/network administrators

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+
+ + System and Services Acquisition + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and services acquisition policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and services acquisition policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

+
+ + +

Review and update the current system and services acquisition:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and services acquisition policy is developed and documented;

+ +
+ + +

the system and services acquisition policy is disseminated to ;

+ +
+ + +

system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;

+ +
+ + +

the system and services acquisition procedures are disseminated to ;

+ +
+ + + + + + +

the system and services acquisition policy addresses purpose;

+ +
+ + +

the system and services acquisition policy addresses scope;

+ +
+ + +

the system and services acquisition policy addresses roles;

+ +
+ + +

the system and services acquisition policy addresses responsibilities;

+ +
+ + +

the system and services acquisition policy addresses management commitment;

+ +
+ + +

the system and services acquisition policy addresses coordination among organizational entities;

+ +
+ + +

the system and services acquisition policy addresses compliance;

+ +
+ +
+ + +

the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;

+ +
+ + + + + + +

the system and services acquisition policy is reviewed and updated ;

+ +
+ + +

the current system and services acquisition policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and services acquisition procedures are reviewed and updated ;

+ +
+ + +

the current system and services acquisition procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+
+ + Allocation of Resources + + + + + + + + + + + + + + + + + +

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

+
+ + +

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

+
+ + +

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

+
+
+ +

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

+
+ + + + + + +

the high-level information security requirements for the system or system service are determined in mission and business process planning;

+ +
+ + +

the high-level privacy requirements for the system or system service are determined in mission and business process planning;

+ +
+ +
+ + + + +

the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;

+ +
+ + +

the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;

+ +
+ +
+ + + + +

a discrete line item for information security is established in organizational programming and budgeting documentation;

+ +
+ + +

a discrete line item for privacy is established in organizational programming and budgeting documentation.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

system and services acquisition strategy and plans

+

procedures addressing the allocation of resources to information security and privacy requirements

+

procedures addressing capital planning and investment control

+

organizational programming and budgeting documentation

+

system security plan

+

privacy plan

+

supply chain risk management policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining information security and privacy requirements

+

organizational processes for capital planning, programming, and budgeting

+

mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

+
+
+
+ + System Development Life Cycle + + + +

system development life cycle is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

+
+ + +

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

+
+ + +

Identify individuals having information security and privacy roles and responsibilities; and

+
+ + +

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

+
+
+ +

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

+

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

+
+ + + + + + +

the system is acquired, developed, and managed using that incorporates information security considerations;

+ +
+ + +

the system is acquired, developed, and managed using that incorporates privacy considerations;

+ +
+ +
+ + + + +

information security roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ + +

privacy roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ +
+ + + + +

individuals with information security roles and responsibilities are identified;

+ +
+ + +

individuals with privacy roles and responsibilities are identified;

+ +
+ +
+ + + + +

organizational information security risk management processes are integrated into system development life cycle activities;

+ +
+ + +

organizational privacy risk management processes are integrated into system development life cycle activities.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process

+

system development life cycle documentation

+

organizational risk management strategy

+

information security and privacy risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy program plan

+

enterprise architecture documentation

+

role-based security and privacy training program documentation

+

data mapping documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

organizational personnel with system life cycle development responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle

+

organizational processes for identifying system development life cycle roles and responsibilities

+

organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle

+

mechanisms supporting and/or implementing the system development life cycle

+
+
+
+ + Acquisition Process + + + + + + +

contract language is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

+ + +

Security and privacy functional requirements;

+
+ + +

Strength of mechanism requirements;

+
+ + +

Security and privacy assurance requirements;

+
+ + +

Controls needed to satisfy the security and privacy requirements.

+
+ + +

Security and privacy documentation requirements;

+
+ + +

Requirements for protecting security and privacy documentation;

+
+ + +

Description of the system development environment and environment in which the system is intended to operate;

+
+ + +

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

+
+ + +

Acceptance criteria.

+
+ + SA-4 Additional FedRAMP Requirements and Guidance + + +

The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

+
+ + +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

+

See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

+
+
+
+ +

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

+

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

+

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

+
+ + + + + + +

security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ +
+ + +

acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process

+

configuration management plan

+

acquisition contracts for the system, system component, or system service

+

system design documentation

+

system security plan

+

supply chain risk management plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining system security and privacy functional, strength, and assurance requirements

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts

+
+
+ + Use of Approved PIV Products + + + + + + + + + + +

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

+
+ +

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.

+
+ + +

only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.

+ +
+ + + + +

Supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documentation

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

service level agreements

+

FIPS 201 approved products list

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility for determining system security requirements

+

organizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for selecting and employing FIPS 201-approved products

+
+
+
+
+ + System Documentation + + + +

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

+
+ + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles to distribute system documentation to is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Obtain or develop administrator documentation for the system, system component, or system service that describes:

+ + +

Secure configuration, installation, and operation of the system, component, or service;

+
+ + +

Effective use and maintenance of security and privacy functions and mechanisms; and

+
+ + +

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

+
+
+ + +

Obtain or develop user documentation for the system, system component, or system service that describes:

+ + +

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

+
+ + +

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

+
+ + +

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

+
+
+ + +

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

+
+ + +

Distribute documentation to .

+
+
+ +

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

+
+ + + + + + + + +

administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;

+ +
+ +
+ +
+ + + + + + +

user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;

+ +
+ +
+ +
+ + + + +

attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;

+ +
+ + +

after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;

+ +
+ +
+ + +

documentation is distributed to .

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system documentation

+

system documentation, including administrator and user guides

+

system design documentation

+

records documenting attempts to obtain unavailable or nonexistent system documentation

+

list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation

+

risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system administrators

+

organizational personnel responsible for operating, using, and/or maintaining the system

+

system developers

+
+
+ + + + +

Organizational processes for obtaining, protecting, and distributing system administrator and user documentation

+
+
+
+ + Security and Privacy Engineering Principles + + + + + + +

systems security engineering principles are defined;

+
+ + + + +

privacy engineering principles are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

+
+ +

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

+

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

+

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

+
+ + + + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components;

+ +
+ + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

assessment and authorization procedures

+

procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system

+

system design documentation

+

security and privacy requirements and specifications for the system

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with system specification, design, development, implementation, and modification responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification

+

mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification

+
+
+
+ + External System Services + + + + +

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

+
+
+ +

controls to be employed by external system service providers are defined;

+
+ + + + + +

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

+
+
+ +

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

+
+ + +

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

+
+ + +

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

+
+
+ +

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

+
+ + + + + + +

providers of external system services comply with organizational security requirements;

+ +
+ + +

providers of external system services comply with organizational privacy requirements;

+ +
+ + +

providers of external system services employ ;

+ +
+ +
+ + + + +

organizational oversight with regard to external system services are defined and documented;

+ +
+ + +

user roles and responsibilities with regard to external system services are defined and documented;

+ +
+ +
+ + +

+ are employed to monitor control compliance by external service providers on an ongoing basis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing methods and techniques for monitoring control compliance by external service providers of system services

+

acquisition documentation

+

contracts

+

service level agreements

+

interagency agreements

+

licensing agreements

+

list of organizational security and privacy requirements for external provider services

+

control assessment results or reports from external providers of system services

+

system security plan

+

privacy plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

external providers of system services

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis

+

mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis

+
+
+
+ + Unsupported System Components + + + + + + +

support from external providers is defined (if selected);

+
+ + + + + + + + + + + +

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

+
+ + +

Provide the following options for alternative sources for continued support for unsupported components .

+
+
+ +

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

+

Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.

+
+ + + + +

system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;

+ +
+ + +

+ provide options for alternative sources for continued support for unsupported components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the replacement or continued use of unsupported system components

+

documented evidence of replacing unsupported system components

+

documented approvals (including justification) for the continued use of unsupported system components

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with the responsibility for the system development life cycle

+

organizational personnel responsible for component replacement

+
+
+ + + + +

Organizational processes for replacing unsupported system components

+

mechanisms supporting and/or implementing the replacement of unsupported system components

+
+
+
+
+ + System and Communications Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and communications protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and communications protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and communications protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and communications protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

+
+ + +

Review and update the current system and communications protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and communications protection policy is developed and documented;

+ +
+ + +

the system and communications protection policy is disseminated to ;

+ +
+ + +

system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;

+ +
+ + +

the system and communications protection procedures are disseminated to ;

+ +
+ + + + + + +

the system and communications protection policy addresses purpose;

+ +
+ + +

the system and communications protection policy addresses scope;

+ +
+ + +

the system and communications protection policy addresses roles;

+ +
+ + +

the system and communications protection policy addresses responsibilities;

+ +
+ + +

the system and communications protection policy addresses management commitment;

+ +
+ + +

the system and communications protection policy addresses coordination among organizational entities;

+ +
+ + +

the system and communications protection policy addresses compliance;

+ +
+ +
+ + +

the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;

+ +
+ + + + + + +

the current system and communications protection policy is reviewed and updated ;

+ +
+ + +

the current system and communications protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and communications protection procedures are reviewed and updated ;

+ +
+ + +

the current system and communications protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

system and communications protection procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and communications protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Denial-of-service Protection + + + + +

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

+
+
+ +

types of denial-of-service events to be protected against or limited are defined;

+
+ + + + +

Protect against

+
+
+ + + + + +

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

+
+ + + + + + + + + + + + + + +

+ the effects of the following types of denial-of-service events: ; and

+
+ + +

Employ the following controls to achieve the denial-of-service objective: .

+
+
+ +

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

+
+ + + + +

the effects of are ;

+ +
+ + +

+ are employed to achieve the denial-of-service protection objective.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing denial-of-service protection

+

system design documentation

+

list of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks

+

list of security safeguards protecting against or limiting the effects of denial-of-service attacks

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+

system developer

+
+
+ + + + +

Mechanisms protecting against or limiting the effects of denial-of-service attacks

+
+
+
+ + Boundary Protection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

+
+ + +

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

+
+ + +

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+
+ + SC-7 Additional FedRAMP Requirements and Guidance + + +

SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

+
+
+
+ +

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

+
+ + + + + + +

communications at external managed interfaces to the system are monitored;

+ +
+ + +

communications at external managed interfaces to the system are controlled;

+ +
+ + +

communications at key internal managed interfaces within the system are monitored;

+ +
+ + +

communications at key internal managed interfaces within the system are controlled;

+ +
+ +
+ + +

subnetworks for publicly accessible system components are separated from internal organizational networks;

+ +
+ + +

external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

list of key internal boundaries of the system

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

enterprise security architecture documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+
+
+
+ + Transmission Confidentiality and Integrity + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of transmitted information.

+ + SC-8 Additional FedRAMP Requirements and Guidance + + +

For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

+

+

For clarity, this control applies to all data in transit. Examples include the following data flows:

+
    +
  • Crossing the system boundary
  • +
  • Between compute instances - including containers
  • +
  • From a compute instance to storage
  • +
  • Replication between availability zones
  • +
  • Transmission of backups to storage
  • +
  • From a load balancer to a compute instance
  • +
  • Flows from management tools required for their work – e.g. log collection, scanning, etc.
  • +
+

+

The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

+

FedRAMP-Defined Assignment / Selection Parameters

+

SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

+

SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

+
+ + +

SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

+

+

Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

+

+

Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

+

+

Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

+

+

CNSSI No.7003 can be accessed here:

+

https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

+

+

DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

+

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

+
+
+
+ +

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

+

Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

+
+ + +

the of transmitted information is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+
+
+ + Cryptographic Protection + + + + + + + + + + + +

Implement cryptographic mechanisms to during transmission.

+ + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

+
+ + +

See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

+

SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

+
+ + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+ + +

When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+
+
+ +

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

+
+ + +

cryptographic mechanisms are implemented to during transmission.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+

mechanisms supporting and/or implementing alternative physical safeguards

+

organizational processes for defining and implementing alternative physical safeguards

+
+
+
+
+ + Cryptographic Key Establishment and Management + + + + +

In accordance with Federal requirements

+
+
+ +

requirements for key generation, distribution, storage, access, and destruction are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

+ + SC-12 Additional FedRAMP Requirements and Guidance + + +

See references in NIST 800-53 documentation.

+
+ + +

Must meet applicable Federal Cryptographic Requirements. See References Section of control.

+
+ + +

Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

+
+
+
+ +

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

+
+ + + + +

cryptographic keys are established when cryptography is employed within the system in accordance with ;

+ +
+ + +

cryptographic keys are managed when cryptography is employed within the system in accordance with .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic key establishment and management

+

system design documentation

+

cryptographic mechanisms

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment and/or management

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic key establishment and management

+
+
+
+ + Cryptographic Protection + + + +

cryptographic uses are defined;

+
+ + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

types of cryptography for each specified cryptographic use are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine the ; and

+
+ + +

Implement the following types of cryptography required for each specified cryptographic use: .

+
+ + SC-13 Additional FedRAMP Requirements and Guidance + + +

This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

+
    +
  • Encryption of data
  • +
  • Decryption of data
  • +
  • Generation of one time passwords (OTPs) for MFA
  • +
  • Protocols such as TLS, SSH, and HTTPS
  • +
+

+

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

+

https://csrc.nist.gov/projects/cryptographic-module-validation-program

+
+ + +

For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

+

https://www.niap-ccevs.org/Product/index.cfm

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Moving to non-FIPS CM or product is acceptable when:

+
    +
  • FIPS validated version has a known vulnerability
  • +
  • Feature with vulnerability is in use
  • +
  • Non-FIPS version fixes the vulnerability
  • +
  • Non-FIPS version is submitted to NIST for FIPS validation
  • +
  • POA&M is added to track approval, and deployment when ready
  • +
+
+ + +

At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

+
+
+
+ +

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + +

+ are identified;

+ +
+ + +

+ for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic protection

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic module validation certificates

+

list of FIPS-validated cryptographic modules

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for cryptographic protection

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection

+
+
+
+ + Collaborative Computing Devices and Applications + + + + +

no exceptions for computing devices

+
+
+ +

exceptions where remote activation is to be allowed are defined;

+
+ + + + + + + + + + +

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

+
+ + +

Provide an explicit indication of use to users physically present at the devices.

+
+ + SC-15 Additional FedRAMP Requirements and Guidance + + +

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

+
+
+
+ +

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

+
+ + + + +

remote activation of collaborative computing devices and applications is prohibited except ;

+ +
+ + +

an explicit indication of use is provided to users physically present at the devices.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing collaborative computing

+

access control policy and procedures

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for managing collaborative computing devices

+
+
+ + + + +

Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices

+

mechanisms providing an indication of use of collaborative computing devices

+
+
+
+ + Secure Name/Address Resolution Service (Authoritative Source) + + + + + + + + + + + + + + + + +

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

+
+ + +

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

+
+ + SC-20 Additional FedRAMP Requirements and Guidance + + +

Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

+
+ + +

SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

+
+ + +

External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

+
+ + +

CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

+
+
+
+ +

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

+
+ + + + + + +

additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ + +

integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ +
+ + + + +

the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;

+ +
+ + +

the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.

+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (authoritative source)

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing secure name/address resolution services

+
+
+
+ + Secure Name/Address Resolution Service (Recursive or Caching Resolver) + + + + + + + + +

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+ + SC-21 Additional FedRAMP Requirements and Guidance + + +

Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

+
    +
  • If the reply is signed, and fails DNSSEC, do not use the reply
  • +
  • If the reply is unsigned:
      +
    • CSP chooses the policy to apply
    • +
    +
  • +
+
+ + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+
+ + +

Accepting an unsigned reply is acceptable

+
+ + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+
    +
  • DNSSEC resolution to access a component inside the boundary is excluded.
  • +
+
+
+
+ +

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

+
+ + + + +

data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (recursive or caching resolver)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

+
+
+
+ + Architecture and Provisioning for Name/Address Resolution Service + + + + + + + + + + +

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

+
+ +

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

+
+ + + + +

the systems that collectively provide name/address resolution services for an organization are fault-tolerant;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement internal role separation;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement external role separation.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing architecture and provisioning for name/address resolution services

+

access control policy and procedures

+

system design documentation

+

assessment results from independent testing organizations

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation

+
+
+
+ + Protection of Information at Rest + + + + + + +

information at rest requiring protection is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of the following information at rest: .

+ + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+
+
+
+ +

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

+
+ + +

the of is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

list of information at rest requiring confidentiality and integrity protections

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

+
+
+ + Cryptographic Protection + + + +

information requiring cryptographic protection is defined;

+
+ + + + + +

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

+
+
+ +

system components or media requiring cryptographic protection is/are defined;

+
+ + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

+ + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+
+
+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

+
+ + + + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

+ +
+ + +

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest

+
+
+
+
+ + Process Isolation + + + + + + + + + + + + + + + +

Maintain a separate execution domain for each executing system process.

+
+ +

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

+
+ + +

a separate execution domain is maintained for each executing system process.

+ +
+ + + + +

System design documentation

+

system architecture

+

independent verification and validation documentation

+

testing and evaluation documentation

+

other relevant documents or records

+
+
+ + + + +

System developers/integrators

+

system security architect

+
+
+ + + + +

Mechanisms supporting and/or implementing separate execution domains for each executing process

+
+
+
+
+ + System and Information Integrity + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and information integrity policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and information integrity policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and information integrity procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and information integrity policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

+
+ + +

Review and update the current system and information integrity:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and information integrity policy is developed and documented;

+ +
+ + +

the system and information integrity policy is disseminated to ;

+ +
+ + +

system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;

+ +
+ + +

the system and information integrity procedures are disseminated to ;

+ +
+ + + + + + +

the system and information integrity policy addresses purpose;

+ +
+ + +

the system and information integrity policy addresses scope;

+ +
+ + +

the system and information integrity policy addresses roles;

+ +
+ + +

the system and information integrity policy addresses responsibilities;

+ +
+ + +

the system and information integrity policy addresses management commitment;

+ +
+ + +

the system and information integrity policy addresses coordination among organizational entities;

+ +
+ + +

the system and information integrity policy addresses compliance;

+ +
+ +
+ + +

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

+ +
+ + + + + + +

the current system and information integrity policy is reviewed and updated ;

+ +
+ + +

the current system and information integrity policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and information integrity procedures are reviewed and updated ;

+ +
+ + +

the current system and information integrity procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and information integrity responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Flaw Remediation + + + + +

within thirty (30) days of release of updates

+
+
+ +

time period within which to install security-relevant software updates after the release of the updates is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify, report, and correct system flaws;

+
+ + +

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + +

Install security-relevant software and firmware updates within of the release of the updates; and

+
+ + +

Incorporate flaw remediation into the organizational configuration management process.

+
+
+ +

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

+

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

+
+ + + + + + +

system flaws are identified;

+ +
+ + +

system flaws are reported;

+ +
+ + +

system flaws are corrected;

+ +
+ +
+ + + + +

software updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

software updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ +
+ + + + +

security-relevant software updates are installed within of the release of the updates;

+ +
+ + +

security-relevant firmware updates are installed within of the release of the updates;

+ +
+ +
+ + +

flaw remediation is incorporated into the organizational configuration management process.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

procedures addressing configuration management

+

list of flaws and vulnerabilities potentially affecting the system

+

list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)

+

test results from the installation of software and firmware updates to correct system flaws

+

installation/change control records for security-relevant software and firmware updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel responsible for installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

organizational process for installing software and firmware updates

+

mechanisms supporting and/or implementing the reporting and correcting of system flaws

+

mechanisms supporting and/or implementing testing software and firmware updates

+
+
+
+ + Malicious Code Protection + + + +

signature based and non-signature based

+
+
+ + + + + + +

at least weekly

+
+
+ +

the frequency at which malicious code protection mechanisms perform scans is defined;

+
+ + + + +

to include endpoints and network entry and exit points

+
+
+ + + + + +

to include blocking and quarantining malicious code

+
+
+ + + + + + +

administrator or defined security personnel near-realtime

+
+
+ +

action to be taken in response to malicious code detection are defined (if selected);

+
+ + + + +

personnel or roles to be alerted when malicious code is detected is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

+
+ + +

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

+
+ + +

Configure malicious code protection mechanisms to:

+ + +

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

+
+ + +

+ ; and send alert to in response to malicious code detection; and

+
+
+ + +

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

+
+
+ +

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

+

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

+

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

+
+ + + + + + +

+ malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

+ +
+ + +

+ malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

+ +
+ +
+ + +

malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;

+ +
+ + + + + + +

malicious code protection mechanisms are configured to perform periodic scans of the system ;

+ +
+ + +

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

+ +
+ +
+ + + + +

malicious code protection mechanisms are configured to in response to malicious code detection;

+ +
+ + +

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

+ +
+ +
+ +
+ + +

the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policy and procedures

+

procedures addressing malicious code protection

+

malicious code protection mechanisms

+

records of malicious code protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

scan results from malicious code protection mechanisms

+

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for malicious code protection

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

+

organizational processes for addressing false positives and resulting potential impacts

+

mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms

+

mechanisms supporting and/or implementing malicious code scanning and subsequent actions

+
+
+
+ + System Monitoring + + + +

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

+
+ + + + +

techniques and methods used to identify unauthorized use of the system are defined;

+
+ + + + +

system monitoring information to be provided to personnel or roles is defined;

+
+ + + + +

personnel or roles to whom system monitoring information is to be provided is/are defined;

+
+ + + + + + + +

a frequency for providing system monitoring to personnel or roles is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor the system to detect:

+ + +

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

+
+ + +

Unauthorized local, network, and remote connections;

+
+
+ + +

Identify unauthorized use of the system through the following techniques and methods: ;

+
+ + +

Invoke internal monitoring capabilities or deploy monitoring devices:

+ + +

Strategically within the system to collect organization-determined essential information; and

+
+ + +

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + +

Analyze detected events and anomalies;

+
+ + +

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+
+ + +

Obtain legal opinion regarding system monitoring activities; and

+
+ + +

Provide to + .

+
+ + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+
+
+
+ +

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

+

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

+ +
+ + + + +

the system is monitored to detect unauthorized local connections;

+ +
+ + +

the system is monitored to detect unauthorized network connections;

+ +
+ + +

the system is monitored to detect unauthorized remote connections;

+ +
+ +
+ +
+ + +

unauthorized use of the system is identified through ;

+ +
+ + + + +

internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;

+ +
+ + +

internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;

+ +
+ +
+ + + + +

detected events are analyzed;

+ +
+ + +

detected anomalies are analyzed;

+ +
+ +
+ + +

the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+ +
+ + +

a legal opinion regarding system monitoring activities is obtained;

+ +
+ + +

+ is provided to + .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

continuous monitoring strategy

+

facility diagram/layout

+

system design documentation

+

system monitoring tools and techniques documentation

+

locations within the system where monitoring devices are deployed

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring capabilities

+
+
+
+ + Security Alerts, Advisories, and Directives + + + + +

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

+
+
+ +

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

+
+ + + + +

to include system security personnel and administrators with configuration/patch-management responsibilities

+
+
+ + + + + +

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

+
+ + + + +

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + +

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + + + + + + + + + + +

Receive system security alerts, advisories, and directives from on an ongoing basis;

+
+ + +

Generate internal security alerts, advisories, and directives as deemed necessary;

+
+ + +

Disseminate security alerts, advisories, and directives to: ; and

+
+ + +

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

+
+ + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+
+
+ +

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

+
+ + + + +

system security alerts, advisories, and directives are received from on an ongoing basis;

+ +
+ + +

internal security alerts, advisories, and directives are generated as deemed necessary;

+ +
+ + +

security alerts, advisories, and directives are disseminated to ;

+ +
+ + +

security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security alerts, advisories, and directives

+

records of security alerts and advisories

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security alert and advisory responsibilities

+

organizational personnel implementing, operating, maintaining, and using the system

+

organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

+

mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives

+

mechanisms supporting and/or implementing security directives

+
+
+
+ + Information Management and Retention + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

+
+ +

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

+
+ + + + +

information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

personally identifiable information processing policy

+

records retention and disposition policy

+

records retention and disposition procedures

+

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention

+

media protection policy

+

media protection procedures

+

audit findings

+

system security plan

+

privacy plan

+

privacy program plan

+

personally identifiable information inventory

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information and records management, retention, and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

network administrators

+
+
+ + + + +

Organizational processes for information management, retention, and disposition

+

automated mechanisms supporting and/or implementing information management, retention, and disposition

+
+
+
+
+ + Supply Chain Risk Management + + Policy and Procedures + + + + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ +

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

+
+ + + + +

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

+
+ + + + + + + +

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

+
+ + + + +

events that require the current supply chain risk management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that require the supply chain risk management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ supply chain risk management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

+
+ + +

Review and update the current supply chain risk management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a supply chain risk management policy is developed and documented;

+ +
+ + +

the supply chain risk management policy is disseminated to ;

+ +
+ + +

supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;

+ +
+ + +

the supply chain risk management procedures are disseminated to .

+ +
+ + + + + + +

the supply chain risk management policy addresses purpose;

+ +
+ + +

the supply chain risk management policy addresses scope;

+ +
+ + +

+ supply chain risk management policy addresses roles;

+ +
+ + +

the supply chain risk management policy addresses responsibilities;

+ +
+ + +

the supply chain risk management policy addresses management commitment;

+ +
+ + +

the supply chain risk management policy addresses coordination among organizational entities;

+ +
+ + +

the supply chain risk management policy addresses compliance.

+ +
+ +
+ + +

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

+ +
+ + + + + + +

the current supply chain risk management policy is reviewed and updated ;

+ +
+ + +

the current supply chain risk management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current supply chain risk management procedures are reviewed and updated ;

+ +
+ + +

the current supply chain risk management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with supply chain risk management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with enterprise risk management responsibilities

+
+
+
+ + Supply Chain Risk Management Plan + + + +

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and update the supply chain risk management plan is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

+
+ + +

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

+
+ + +

Protect the supply chain risk management plan from unauthorized disclosure and modification.

+
+
+ +

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

+

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

+
+ + + + + + +

a plan for managing supply chain risks is developed;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the research and development of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the design of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the manufacturing of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the acquisition of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the delivery of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the integration of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the disposal of ;

+ +
+ +
+ + +

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

+ +
+ + + + +

the supply chain risk management plan is protected from unauthorized disclosure;

+ +
+ + +

the supply chain risk management plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification

+

system development life cycle procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

list of supply chain threats

+

list of safeguards to be taken against supply chain threats

+

system life cycle documentation

+

inter-organizational agreements and procedures

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle (SDLC)

+

organizational processes for identifying SDLC roles and responsibilities

+

organizational processes for integrating supply chain risk management into the SDLC

+

mechanisms supporting and/or implementing the SDLC

+
+
+ + Establish SCRM Team + + + +

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

+
+ + + + +

supply chain risk management activities are defined;

+
+ + + + + + + + +

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

+
+ +

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

+
+ + +

a supply chain risk management team consisting of is established to lead and support .

+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management team charter documentation

+

supply chain risk management strategy

+

supply chain risk management implementation plan

+

procedures addressing supply chain protection

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with enterprise risk management responsibilities

+

legal counsel

+

organizational personnel with business continuity responsibilities

+
+
+
+
+ + Supply Chain Controls and Processes + + + +

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

+
+ + + + +

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

+
+ + + + +

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

+
+ + + + + + + +

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

+
+ + +

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

+
+ + +

Document the selected and implemented supply chain processes and controls in .

+
+ + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+
+
+
+ +

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

+
+ + + + + + +

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

+ +
+ + +

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

+ +
+ +
+ + +

+ are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

+ +
+ + +

the selected and implemented supply chain processes and controls are documented in .

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management strategy

+

supply chain risk management plan

+

systems and critical system components inventory documentation

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems or services

+

risk register documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for identifying and addressing supply chain element and process deficiencies

+
+
+
+ + Acquisition Strategies, Tools, and Methods + + + +

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

+
+ +

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

+
+ + + + +

+ are employed to protect against supply chain risks;

+ +
+ + +

+ are employed to identify supply chain risks;

+ +
+ + +

+ are employed to mitigate supply chain risks.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems, system components, or services

+

documentation of training, education, and awareness programs for personnel regarding supply chain risk

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods

+

mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods

+
+
+
+ + Notification Agreements + + + +

notification of supply chain compromises and results of assessment or audits

+
+
+ + + + + +

information for which agreements and procedures are to be established are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

+ + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+
+
+
+ +

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

+
+ + +

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+
+
+
+ + Inspection of Systems or Components + + + +

systems or system components that require inspection are defined;

+
+ + + + + + + +

frequency at which to inspect systems or system components is defined (if selected);

+
+ + + + +

indications of the need for an inspection of systems or system components are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Inspect the following systems or system components to detect tampering: .

+
+ +

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

+
+ + +

+ are inspected to detect tampering.

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

records of random inspections

+

inspection reports/results

+

assessment reports/results

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational processes to inspect for tampering

+
+
+
+ + Component Authenticity + + + + + + +

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + +

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + + + + + + + + + + + + +

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

+
+ + +

Report counterfeit system components to .

+
+ + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+
+
+
+ +

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

+
+ + + + + + +

an anti-counterfeit policy is developed and implemented;

+ +
+ + +

anti-counterfeit procedures are developed and implemented;

+ +
+ + +

the anti-counterfeit procedures include the means to detect counterfeit components entering the system;

+ +
+ + +

the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;

+ +
+ +
+ + +

counterfeit system components are reported to .

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

records of reported counterfeit system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting

+
+
+ + + + +

Organizational processes for counterfeit prevention, detection, and reporting

+

mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting

+
+
+ + Anti-counterfeit Training + + + +

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

+
+ + + + + + + + + +

Train to detect counterfeit system components (including hardware, software, and firmware).

+
+ +

None.

+
+ + +

+ are trained to detect counterfeit system components (including hardware, software, and firmware).

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

training materials addressing counterfeit system components

+

training records on the detection and prevention of counterfeit components entering the system

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training

+
+
+ + + + +

Organizational processes for anti-counterfeit training

+
+
+
+ + Configuration Control for Component Service and Repair + + + + +

all

+
+
+ +

system components requiring configuration control are defined;

+
+ + + + + + + + + + + + +

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

+
+ +

None.

+
+ + + + +

configuration control over awaiting service or repair is maintained;

+ +
+ + +

configuration control over serviced or repaired awaiting return to service is maintained.

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

configuration control procedures

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system component

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational configuration control processes

+
+
+
+
+ + Component Disposal + + + +

data, documentation, tools, or system components to be disposed of are defined;

+
+ + + + +

techniques and methods for disposing of data, documentation, tools, or system components are defined;

+
+ + + + + + + + +

Dispose of using the following techniques and methods: .

+
+ +

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

+
+ + +

+ are disposed of using .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

disposal procedures addressing supply chain protection

+

media disposal policy

+

media protection policy

+

disposal records for system components

+

documentation of the system components identified for disposal

+

documentation of the disposal techniques and methods employed for system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system component disposal responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain protection responsibilities

+
+
+ + + + +

Organizational techniques and methods for system component disposal

+

mechanisms supporting and/or implementing system component disposal

+
+
+
+
+ + 32 CFR 2002 + + Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + + + 5 CFR 731 + + Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). + + + + + CNSSD 505 + + Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. + + + + + CNSSI 1253 + + Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. + + + + + DOD STIG + + Defense Information Systems Agency, Security Technical Implementation Guides (STIG). + + + + + EO 13526 + + Executive Order 13526, Classified National Security Information , December 2009. + + + + + EO 13587 + + Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. + + + + + EO 13873 + + Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. + + + + + FASC18 + + Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018. + + + + + FED PKI + + General Services Administration, Federal Public Key Infrastructure. + + + + + FIPS 140-3 + + National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. + + + + + FIPS 180-4 + + National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. + + + + + FIPS 186-4 + + National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. + + + + + FIPS 197 + + National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. + + + + + FIPS 199 + + National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. + + + + + FIPS 200 + + National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. + + + + + FIPS 201-2 + + National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. + + + + + FIPS 202 + + National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. + + + + + FISMA + + Federal Information Security Modernization Act (P.L. 113-283), December 2014. + + + + + HSPD 12 + + Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004. + + + + + IR 7539 + + Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. + + + + + IR 7559 + + Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. + + + + + IR 7622 + + Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. + + + + + IR 7676 + + Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + + + + + IR 7788 + + Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. + + + + + IR 7817 + + Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + + + + + IR 7849 + + Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. + + + + + IR 7870 + + Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. + + + + + IR 7874 + + Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. + + + + + IR 7956 + + Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. + + + + + IR 7966 + + Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. + + + + + IR 8011-1 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1. + + + + + IR 8011-2 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. + + + + + IR 8011-3 + + Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. + + + + + IR 8011-4 + + Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4. + + + + + IR 8023 + + Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. + + + + + IR 8040 + + Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. + + + + + IR 8062 + + Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. + + + + + IR 8179 + + Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. + + + + + IR 8272 + + Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272. + + + + + ISO 15408-1 + + International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. + + + + + ISO 15408-2 + + International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. + + + + + ISO 15408-3 + + International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. + + + + + ISO 20243 + + International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. + + + + + ISO 27036 + + International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. + + + + + ISO 29147 + + International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. + + + + + ISO 29148 + + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. + + + + + NARA CUI + + National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. + + + + + NCPR + + National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at + + + + + NIAP CCEVS + + National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. + + + + + NIST CAVP + + National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at + + + + + NIST CMVP + + National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at + + + + + NSA CSFC + + National Security Agency, Commercial Solutions for Classified Program (CSfC). + + + + + NSA MEDIA + + National Security Agency, Media Destruction Guidance. + + + + + ODNI CTF + + Office of the Director of National Intelligence (ODNI) Cyber Threat Framework. + + + + + OMB A-130 + + Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. + + + + + OMB M-17-12 + + Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. + + + + + OMB M-19-03 + + Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. + + + + + PRIVACT + + Privacy Act (P.L. 93-579), December 1974. + + + + + SP 800-100 + + Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. + + + + + SP 800-101 + + Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. + + + + + SP 800-111 + + Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + + + + + SP 800-113 + + Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. + + + + + SP 800-114 + + Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. + + + + + SP 800-115 + + Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. + + + + + SP 800-116 + + Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. + + + + + SP 800-121 + + Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. + + + + + SP 800-124 + + Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. + + + + + SP 800-125B + + Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + + + + + SP 800-126 + + Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. + + + + + SP 800-128 + + Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. + + + + + SP 800-12 + + Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. + + + + + SP 800-130 + + Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. + + + + + SP 800-137A + + Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. + + + + + SP 800-137 + + Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. + + + + + SP 800-150 + + Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + + + + + SP 800-152 + + Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + + + + + SP 800-156 + + Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. + + + + + SP 800-160-1 + + Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. + + + + + SP 800-160-2 + + Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. + + + + + SP 800-161 + + Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. + + + + + SP 800-162 + + Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. + + + + + SP 800-166 + + Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. + + + + + SP 800-167 + + Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. + + + + + SP 800-171 + + Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. + + + + + SP 800-172 + + Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172. + + + + + SP 800-177 + + Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. + + + + + SP 800-178 + + Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. + + + + + SP 800-181 + + Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. + + + + + SP 800-184 + + Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. + + + + + SP 800-189 + + Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. + + + + + SP 800-18 + + Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. + + + + + SP 800-192 + + Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. + + + + + SP 800-30 + + Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. + + + + + SP 800-34 + + Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + + + + + SP 800-35 + + Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. + + + + + SP 800-37 + + Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. + + + + + SP 800-39 + + Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. + + + + + SP 800-40 + + Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. + + + + + SP 800-41 + + Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. + + + + + SP 800-46 + + Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. + + + + + SP 800-47 + + Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. + + + + + SP 800-50 + + Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. + + + + + SP 800-52 + + McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. + + + + + SP 800-53A + + Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. + + + + + SP 800-53B + + Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B. + + + + + SP 800-56A + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. + + + + + SP 800-56B + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. + + + + + SP 800-56C + + Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. + + + + + SP 800-57-1 + + Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. + + + + + SP 800-57-2 + + Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. + + + + + SP 800-57-3 + + Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. + + + + + SP 800-60-1 + + Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. + + + + + SP 800-60-2 + + Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. + + + + + SP 800-61 + + Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + + + + + SP 800-63-3 + + Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + + + + + SP 800-63B + + Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020. + + + + + SP 800-70 + + Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. + + + + + SP 800-73-4 + + Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + + + + + SP 800-76-2 + + Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + + + + + SP 800-77 + + Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. + + + + + SP 800-78-4 + + Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. + + + + + SP 800-79-2 + + Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. + + + + + SP 800-81-2 + + Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. + + + + + SP 800-83 + + Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. + + + + + SP 800-84 + + Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. + + + + + SP 800-86 + + Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + + + + + SP 800-88 + + Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. + + + + + SP 800-92 + + Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. + + + + + SP 800-94 + + Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. + + + + + SP 800-97 + + Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. + + + + + USA PATRIOT + + USA Patriot Act (P.L. 107-56), October 2001. + + + + + USC 2901 + + United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. + + + + + USCERT IR + + Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. + + + + + USGCB + + National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at + + + + + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) + + FedRAMP Applicable Laws and Regulations diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index 66370a40d..9a6227c27 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml @@ -2252,7 +2252,7 @@ NIST Special Publication (SP) 800-53 - +
diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.xml index e959b5601..76ba9af4c 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.xml @@ -1,10 +1,10 @@ + uuid="05787e43-fa8f-4f67-9a3b-2240fb4d9a78"> FedRAMP Rev 5 Moderate Baseline 2023-08-31T00:00:00Z - 2023-12-18T20:27:56.71703-05:00 + 2024-01-11T18:08:21.203723-05:00 5.1.1+fedramp-20231218-0 1.1.1 ca9ba80e-1342-4bfd-b32a-abac468c24b4 + + Access Control + + Policy and Procedures + + + + + + +

personnel or roles to whom the access control policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the access control policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current access control policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current access control policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current access control procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ access control policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the access control policy and the associated access controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

+
+ + +

Review and update the current access control:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an access control policy is developed and documented;

+ +
+ + +

the access control policy is disseminated to ;

+ +
+ + +

access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;

+ +
+ + +

the access control procedures are disseminated to ;

+ +
+ + + + + + +

the access control policy addresses purpose;

+ +
+ + +

the access control policy addresses scope;

+ +
+ + +

the access control policy addresses roles;

+ +
+ + +

the access control policy addresses responsibilities;

+ +
+ + +

the access control policy addresses management commitment;

+ +
+ + +

the access control policy addresses coordination among organizational entities;

+ +
+ + +

the access control policy addresses compliance;

+ +
+ +
+ + +

the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

+ +
+ + + + + + +

the current access control policy is reviewed and updated ;

+ +
+ + +

the current access control policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current access control procedures are reviewed and updated ;

+ +
+ + +

the current access control procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Access control policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access control responsibilities

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+
+ + Account Management + + + +

prerequisites and criteria for group and role membership are defined;

+
+ + + + +

attributes (as required) for each account are defined;

+
+ + + + +

personnel or roles required to approve requests to create accounts is/are defined;

+
+ + + + +

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

+
+ + + + +

personnel or roles to be notified is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify account managers when accounts are no longer required is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when users are terminated or transferred is defined;

+
+ + + + + +

eight (8) hours

+
+
+ +

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

+
+ + + + +

attributes needed to authorize system access (as required) are defined;

+
+ + + + + +

quarterly for privileged access, annually for non-privileged access

+
+
+ +

the frequency of account review is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Define and document the types of accounts allowed and specifically prohibited for use within the system;

+
+ + +

Assign account managers;

+
+ + +

Require for group and role membership;

+
+ + +

Specify:

+ + +

Authorized users of the system;

+
+ + +

Group and role membership; and

+
+ + +

Access authorizations (i.e., privileges) and for each account;

+
+
+ + +

Require approvals by for requests to create accounts;

+
+ + +

Create, enable, modify, disable, and remove accounts in accordance with ;

+
+ + +

Monitor the use of accounts;

+
+ + +

Notify account managers and within:

+ + +

+ when accounts are no longer required;

+
+ + +

+ when users are terminated or transferred; and

+
+ + +

+ when system usage or need-to-know changes for an individual;

+
+
+ + +

Authorize access to the system based on:

+ + +

A valid access authorization;

+
+ + +

Intended system usage; and

+
+ + +

+ ;

+
+
+ + +

Review accounts for compliance with account management requirements ;

+
+ + +

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

+
+ + +

Align account management processes with personnel termination and transfer processes.

+
+
+ +

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

+

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

+

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

+
+ + + + + + +

account types allowed for use within the system are defined and documented;

+ +
+ + +

account types specifically prohibited for use within the system are defined and documented;

+ +
+ +
+ + +

account managers are assigned;

+ +
+ + +

+ for group and role membership are required;

+ +
+ + + + +

authorized users of the system are specified;

+ +
+ + +

group and role membership are specified;

+ +
+ + + + +

access authorizations (i.e., privileges) are specified for each account;

+ +
+ + +

+ are specified for each account;

+ +
+ +
+ +
+ + +

approvals are required by for requests to create accounts;

+ +
+ + + + +

accounts are created in accordance with ;

+ +
+ + +

accounts are enabled in accordance with ;

+ +
+ + +

accounts are modified in accordance with ;

+ +
+ + +

accounts are disabled in accordance with ;

+ +
+ + +

accounts are removed in accordance with ;

+ +
+ +
+ + +

the use of accounts is monitored;

+ +
+ + + + +

account managers and are notified within when accounts are no longer required;

+ +
+ + +

account managers and are notified within when users are terminated or transferred;

+ +
+ + +

account managers and are notified within when system usage or the need to know changes for an individual;

+ +
+ +
+ + + + +

access to the system is authorized based on a valid access authorization;

+ +
+ + +

access to the system is authorized based on intended system usage;

+ +
+ + +

access to the system is authorized based on ;

+ +
+ +
+ + +

accounts are reviewed for compliance with account management requirements ;

+ +
+ + + + +

a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ + +

a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

+ +
+ +
+ + + + +

account management processes are aligned with personnel termination processes;

+ +
+ + +

account management processes are aligned with personnel transfer processes.

+ +
+ +
+ +
+ + + + +

Access control policy

+

personnel termination policy and procedure

+

personnel transfer policy and procedure

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

list of active system accounts along with the name of the individual associated with each account

+

list of recently disabled system accounts and the name of the individual associated with each account

+

list of conditions for group and role membership

+

notifications of recent transfers, separations, or terminations of employees

+

access authorization records

+

account management compliance reviews

+

system monitoring records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for account management on the system

+

mechanisms for implementing account management

+
+
+ + Automated System Account Management + + + +

automated mechanisms used to support the management of system accounts are defined;

+
+ + + + + + + +

Support the management of system accounts using .

+
+ +

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

+
+ + +

the management of system accounts is supported using .

+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms for implementing account management functions

+
+
+
+ + Automated Temporary and Emergency Account Management + + + +

Selection: disables

+
+
+ + + + + + +

no more than 96 hours from last use

+
+
+ +

the time period after which to automatically remove or disable temporary or emergency accounts is defined;

+
+ + + + + + + +

Automatically temporary and emergency accounts after .

+
+ +

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

+
+ + +

temporary and emergency accounts are automatically after .

+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of temporary accounts removed and/or disabled

+

system-generated list of emergency accounts removed and/or disabled

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms for implementing account management functions

+
+
+
+ + Disable Accounts + + + + +

24 hours for user accounts

+
+
+ +

time period within which to disable accounts is defined;

+
+ + + + + +

ninety (90) days (See additional requirements and guidance.)

+
+
+ +

time period for account inactivity before disabling is defined;

+
+ + + + + + + +

Disable accounts within when the accounts:

+ + +

Have expired;

+
+ + +

Are no longer associated with a user or individual;

+
+ + +

Are in violation of organizational policy; or

+
+ + +

Have been inactive for .

+
+ + AC-2 (3) Additional FedRAMP Requirements and Guidance + + +

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

+
+ + +

The service provider defines the time period of inactivity for device identifiers.

+
+ + +

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

+
+
+
+ +

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.

+
+ + + + +

accounts are disabled within when the accounts have expired;

+ +
+ + +

accounts are disabled within when the accounts are no longer associated with a user or individual;

+ +
+ + +

accounts are disabled within when the accounts are in violation of organizational policy;

+ +
+ + +

accounts are disabled within when the accounts have been inactive for .

+ +
+ +
+ + + + +

Access control policy

+

procedures for addressing account management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of accounts removed

+

system-generated list of emergency accounts disabled

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms for implementing account management functions

+
+
+
+ + Automated Audit Actions + + + + + + + + +

Automatically audit account creation, modification, enabling, disabling, and removal actions.

+
+ +

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

+
+ + + + +

account creation is automatically audited;

+ +
+ + +

account modification is automatically audited;

+ +
+ + +

account enabling is automatically audited;

+ +
+ + +

account disabling is automatically audited;

+ +
+ + +

account removal actions are automatically audited.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

notifications/alerts of account creation, modification, enabling, disabling, and removal actions

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms implementing account management functions

+
+
+
+ + Inactivity Logout + + + + +

for privileged users, it is the end of a user's standard work period

+
+
+ +

the time period of expected inactivity or description of when to log out is defined;

+
+ + + + + + + + + +

Require that users log out when .

+ + AC-2 (5) Additional FedRAMP Requirements and Guidance + + +

Should use a shorter timeframe than AC-12.

+
+
+
+ +

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

+
+ + +

users are required to log out when .

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

security violation reports

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

users that must comply with inactivity logout policy

+
+
+
+ + Privileged User Accounts + + + + + + + + + + + +

Establish and administer privileged user accounts in accordance with ;

+
+ + +

Monitor privileged role or attribute assignments;

+
+ + +

Monitor changes to roles or attributes; and

+
+ + +

Revoke access when privileged role or attribute assignments are no longer appropriate.

+
+
+ +

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

+
+ + + + +

privileged user accounts are established and administered in accordance with ;

+ +
+ + +

privileged role or attribute assignments are monitored;

+ +
+ + +

changes to roles or attributes are monitored;

+ +
+ + +

access is revoked when privileged role or attribute assignments are no longer appropriate.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of privileged user accounts and associated roles

+

records of actions taken when privileged role assignments are no longer appropriate

+

system audit records

+

audit tracking and monitoring reports

+

system monitoring records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+

mechanisms monitoring privileged role assignments

+
+
+
+ + Restrictions on Use of Shared and Group Accounts + + + + +

organization-defined need with justification statement that explains why such accounts are necessary

+
+
+ +

conditions for establishing shared and group accounts are defined;

+
+ + + + + + + +

Only permit the use of shared and group accounts that meet .

+ + AC-2 (9) Additional FedRAMP Requirements and Guidance + + +

Required if shared/group accounts are deployed.

+
+
+
+ +

Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.

+
+ + +

the use of shared and group accounts is only permitted if are met.

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of shared/group accounts and associated roles

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of shared/group accounts

+
+
+
+ + Account Monitoring for Atypical Usage + + + +

atypical usage for which to monitor system accounts is defined;

+
+ + + + + +

at a minimum, the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to report atypical usage is/are defined;

+
+ + + + + + + + + + + + + + + +

Monitor system accounts for ; and

+
+ + +

Report atypical usage of system accounts to .

+
+ + AC-2 (12) Additional FedRAMP Requirements and Guidance + + +

Required for privileged accounts.

+
+ + +

Required for privileged accounts.

+
+
+
+ +

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

+
+ + + + +

system accounts are monitored for ;

+ +
+ + +

atypical usage of system accounts is reported to .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system monitoring records

+

system audit records

+

audit tracking and monitoring reports

+

privacy impact assessment

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+
+
+
+ + Disable Accounts for High-risk Individuals + + + + +

one (1) hour

+
+
+ +

time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;

+
+ + + + +

significant risks leading to disabling accounts are defined;

+
+ + + + + + + + + +

Disable accounts of individuals within of discovery of .

+
+ +

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

+
+ + +

accounts of individuals are disabled within of discovery of .

+ +
+ + + + +

Access control policy

+

procedures addressing account management

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of disabled accounts

+

list of user activities posing significant organizational risk

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing account management functions

+
+
+
+
+ + Access Enforcement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ +

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( PE ) family.

+
+ + +

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

+ +
+ + + + +

Access control policy

+

procedures addressing access enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of approved authorizations (user privileges)

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy

+
+
+
+ + Information Flow Enforcement + + + +

information flow control policies within the system and between connected systems are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

+
+ +

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3 ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

+

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

+
+ + +

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on .

+ +
+ + + + +

Access control policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

security architecture documentation

+

privacy architecture documentation

+

system design documentation

+

system configuration settings and associated documentation

+

system baseline configuration

+

list of information flow authorizations

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing information flow enforcement policy

+
+
+ + Physical or Logical Separation of Information Flows + + + + + + +

mechanisms and/or techniques used to logically separate information flows are defined (if selected);

+
+ + + + +

mechanisms and/or techniques used to physically separate information flows are defined (if selected);

+
+ + + + +

required separations by types of information are defined;

+
+ + + + + + + + + +

Separate information flows logically or physically using to accomplish .

+
+ +

Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.

+
+ + + + +

information flows are separated logically using to accomplish ;

+ +
+ + +

information flows are separated physically using to accomplish .

+ +
+ +
+ + + + +

Information flow enforcement policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

system design documentation

+

system configuration settings and associated documentation

+

list of required separation of information flows by information types

+

list of mechanisms and/or techniques used to logically or physically separate information flows

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information flow enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing information flow enforcement functions

+
+
+
+
+ + Separation of Duties + + + +

duties of individuals requiring separation are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Identify and document ; and

+
+ + +

Define system access authorizations to support separation of duties.

+
+ + AC-5 Additional FedRAMP Requirements and Guidance + + +

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

+
+
+
+ +

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2 , access control mechanisms in AC-3 , and identity management activities in IA-2, IA-4 , and IA-12.

+
+ + + + +

+ are identified and documented;

+ +
+ + +

system access authorizations to support separation of duties are defined.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing divisions of responsibility and separation of duties

+

system configuration settings and associated documentation

+

list of divisions of responsibility and separation of duties

+

system access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing separation of duties policy

+
+
+
+ + Least Privilege + + + + + + + + + + + + + + + + + +

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

+
+ +

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

+
+ + +

the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of assigned access authorizations (user privileges)

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+ + Authorize Access to Security Functions + + + + + + +

individuals and roles with authorized access to security functions and security-relevant information are defined;

+
+ + + + +

security functions (deployed in hardware) for authorized access are defined;

+
+ + + + +

security functions (deployed in software) for authorized access are defined;

+
+ + + + +

security functions (deployed in firmware) for authorized access are defined;

+
+ + + + +

security-relevant information for authorized access is defined;

+
+ + + + + + + + + + + + +

Authorize access for to:

+ + +

+ ; and

+
+ + +

+ .

+
+
+ +

Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

+
+ + + + + + +

access is authorized for to ;

+ +
+ + +

access is authorized for to ;

+ +
+ + +

access is authorized for to ;

+ +
+ +
+ + +

access is authorized for to .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Non-privileged Access for Nonsecurity Functions + + + + +

all security functions

+
+
+ +

security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;

+
+ + + + + + + + + + + +

Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.

+ + AC-6 (2) Additional FedRAMP Requirements and Guidance + + +

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

+
+
+
+ +

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

+
+ + +

users of system accounts (or roles) with access to are required to use non-privileged accounts or roles when accessing non-security functions.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated security functions or security-relevant information assigned to system accounts or roles

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Privileged Accounts + + + +

personnel or roles to which privileged accounts on the system are to be restricted is/are defined;

+
+ + + + + + + + + + +

Restrict privileged accounts on the system to .

+
+ +

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

+
+ + +

privileged accounts on the system are restricted to .

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated privileged accounts

+

list of system administration personnel

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing least privilege functions

+
+
+
+ + Review of User Privileges + + + + +

at a minimum, annually

+
+
+ +

the frequency at which to review the privileges assigned to roles or classes of users is defined;

+
+ + + + + +

all users with privileges

+
+
+ +

roles or classes of users to which privileges are assigned are defined;

+
+ + + + + + + + + + +

Review the privileges assigned to to validate the need for such privileges; and

+
+ + +

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

+
+
+ +

The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

+
+ + + + +

privileges assigned to are reviewed to validate the need for such privileges;

+ +
+ + +

privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

list of system-generated roles or classes of users and assigned privileges

+

system design documentation

+

system configuration settings and associated documentation

+

validation reviews of privileges assigned to roles or classes or users

+

records of privilege removals or reassignments for roles or classes of users

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing review of user privileges

+
+
+
+ + Log Use of Privileged Functions + + + + + + + + + +

Log the execution of privileged functions.

+
+ +

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

+
+ + +

the execution of privileged functions is logged.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

system design documentation

+

system configuration settings and associated documentation

+

list of privileged functions to be audited

+

list of audited events

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms auditing the execution of least privilege functions

+
+
+
+ + Prohibit Non-privileged Users from Executing Privileged Functions + + + + + + +

Prevent non-privileged users from executing privileged functions.

+
+ +

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.

+
+ + +

non-privileged users are prevented from executing privileged functions.

+ +
+ + + + +

Access control policy

+

procedures addressing least privilege

+

system design documentation

+

system configuration settings and associated documentation

+

list of privileged functions and associated user account assignments

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing least privilege functions for non-privileged users

+
+
+
+
+ + Unsuccessful Logon Attempts + + + +

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

+
+ + + + +

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

+
+ + + + + + + +

time period for an account or node to be locked is defined (if selected);

+
+ + + + +

delay algorithm for the next logon prompt is defined (if selected);

+
+ + + + +

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

+
+ + + + + + + + + + + + + + + +

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

+
+ + +

Automatically when the maximum number of unsuccessful attempts is exceeded.

+
+ + AC-7 Additional FedRAMP Requirements and Guidance + + +

In alignment with NIST SP 800-63B

+
+
+
+ +

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

+
+ + + + +

a limit of consecutive invalid logon attempts by a user during is enforced;

+ +
+ + +

automatically when the maximum number of unsuccessful attempts is exceeded.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing unsuccessful logon attempts

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system developers

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing access control policy for unsuccessful logon attempts

+
+
+
+ + System Use Notification + + + + +

see additional Requirements and Guidance

+
+
+ +

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

+
+ + + + + +

see additional Requirements and Guidance

+
+
+ +

conditions for system use to be displayed by the system before granting further access are defined;

+
+ + + + + + + + + + + + +

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

+ + +

Users are accessing a U.S. Government system;

+
+ + +

System usage may be monitored, recorded, and subject to audit;

+
+ + +

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+
+ + +

Use of the system indicates consent to monitoring and recording;

+
+
+ + +

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

+
+ + +

For publicly accessible systems:

+ + +

Display system use information , before granting further access to the publicly accessible system;

+
+ + +

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + +

Include a description of the authorized uses of the system.

+
+
+ + AC-8 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

+
+ + +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

+
+ + +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

+
+ + +

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

+
+
+
+ +

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

+
+ + + + +

+ is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ + +

the system use notification states that users are accessing a U.S. Government system;

+ +
+ + +

the system use notification states that system usage may be monitored, recorded, and subject to audit;

+ +
+ + +

the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

+ +
+ + +

the system use notification states that use of the system indicates consent to monitoring and recording;

+ +
+ +
+ + +

the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;

+ +
+ + + + +

for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system;

+ +
+ + +

for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;

+ +
+ + +

for publicly accessible systems, a description of the authorized uses of the system is included.

+ +
+ +
+ +
+ + + + +

Access control policy

+

privacy and security policies, procedures addressing system use notification

+

documented approval of system use notification messages or banners

+

system audit records

+

user acknowledgements of notification message or banner

+

system design documentation

+

system configuration settings and associated documentation

+

system use notification messages

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy assessment report

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

legal counsel

+

system developers

+
+
+ + + + +

Mechanisms implementing system use notification

+
+
+
+ + Device Lock + + + + + + + +

fifteen (15) minutes

+
+
+ +

time period of inactivity after which a device lock is initiated is defined (if selected);

+
+ + + + + + + + + + + + +

Prevent further access to the system by ; and

+
+ + +

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

+
+
+ +

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

+
+ + + + +

further access to the system is prevented by ;

+ +
+ + +

device lock is retained until the user re-establishes access using established identification and authentication procedures.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing session lock

+

procedures addressing identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing access control policy for session lock

+
+
+ + Pattern-hiding Displays + + + + + + +

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

+
+ +

The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.

+
+ + +

information previously visible on the display is concealed, via device lock, with a publicly viewable image.

+ +
+ + + + +

Access control policy

+

procedures addressing session lock

+

display screen with session lock activated

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

System session lock mechanisms

+
+
+
+
+ + Session Termination + + + +

conditions or trigger events requiring session disconnect are defined;

+
+ + + + + + + + + +

Automatically terminate a user session after .

+
+ +

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10 , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

+
+ + +

a user session is automatically terminated after .

+ +
+ + + + +

Access control policy

+

procedures addressing session termination

+

system design documentation

+

system configuration settings and associated documentation

+

list of conditions or trigger events requiring session disconnect

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms implementing user session termination

+
+
+
+ + Permitted Actions Without Identification or Authentication + + + +

user actions that can be performed on the system without identification or authentication are defined;

+
+ + + + + + + + + + + +

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

+
+ + +

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

+
+
+ +

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none. +

+
+ + + + +

+ that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

+ +
+ + + + +

user actions not requiring identification or authentication are documented in the security plan for the system;

+ +
+ + +

a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing permitted actions without identification or authentication

+

system configuration settings and associated documentation

+

security plan

+

list of user actions that can be performed without identification or authentication

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+
+ + Remote Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

+
+ + +

Authorize each type of remote access to the system prior to allowing such connections.

+
+
+ +

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

+
+ + + + + + +

usage restrictions are established and documented for each type of remote access allowed;

+ +
+ + +

configuration/connection requirements are established and documented for each type of remote access allowed;

+ +
+ + +

implementation guidance is established and documented for each type of remote access allowed;

+ +
+ +
+ + +

each type of remote access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access implementation and usage (including restrictions)

+

configuration management plan

+

system configuration settings and associated documentation

+

remote access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing remote access connections

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Remote access management capability for the system

+
+
+ + Monitoring and Control + + + + + + + + + + + +

Employ automated mechanisms to monitor and control remote access methods.

+
+ +

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2 . Audit events are defined in AU-2a.

+
+ + + + +

automated mechanisms are employed to monitor remote access methods;

+ +
+ + +

automated mechanisms are employed to control remote access methods.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system monitoring records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Automated mechanisms monitoring and controlling remote access methods

+
+
+
+ + Protection of Confidentiality and Integrity Using Encryption + + + + + + + + + +

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

+
+ +

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.

+
+ + +

cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.

+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

+
+
+
+ + Managed Access Control Points + + + + + + + +

Route remote accesses through authorized and managed network access control points.

+
+ +

Organizations consider the Trusted Internet Connections (TIC) initiative DHS TIC requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.

+
+ + +

remote accesses are routed through authorized and managed network access control points.

+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system design documentation

+

list of all managed network access control points

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms routing all remote accesses through managed network access control points

+
+
+
+ + Privileged Commands and Access + + + + + + +

needs requiring execution of privileged commands via remote access are defined;

+
+ + + + +

needs requiring access to security-relevant information via remote access are defined;

+
+ + + + + + + + + + + + +

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

+
+ + +

Document the rationale for remote access in the security plan for the system.

+
+
+ +

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

+
+ + + + + + +

the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;

+ +
+ + +

access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;

+ +
+ + +

the execution of privileged commands via remote access is authorized only for the following needs: ;

+ +
+ + +

access to security-relevant information via remote access is authorized only for the following needs: ;

+ +
+ +
+ + +

the rationale for remote access is documented in the security plan for the system.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing remote access to the system

+

system configuration settings and associated documentation

+

security plan

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing remote access management

+
+
+
+
+ + Wireless Access + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

+
+ + +

Authorize each type of wireless access to the system prior to allowing such connections.

+
+
+ +

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

+
+ + + + + + +

configuration requirements are established for each type of wireless access;

+ +
+ + +

connection requirements are established for each type of wireless access;

+ +
+ + +

implementation guidance is established for each type of wireless access;

+ +
+ +
+ + +

each type of wireless access to the system is authorized prior to allowing such connections.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless access implementation and usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

wireless access authorizations

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing wireless access connections

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Wireless access management capability for the system

+
+
+ + Authentication and Encryption + + + + + + + + + + + + +

Protect wireless access to the system using authentication of and encryption.

+
+ +

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.

+
+ + + + +

wireless access to the system is protected using authentication of ;

+ +
+ + +

wireless access to the system is protected using encryption.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+
+ + + + +

Mechanisms implementing wireless access protections to the system

+
+
+
+ + Disable Wireless Networking + + + + + + + +

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

+
+ +

Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.

+
+ + +

when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.

+ +
+ + + + +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components

+
+
+
+
+ + Access Control for Mobile Devices + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

+
+ + +

Authorize the connection of mobile devices to organizational systems.

+
+
+ +

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

+

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

+

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

+
+ + + + + + +

configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ + +

implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

+ +
+ +
+ + +

the connection of mobile devices to organizational systems is authorized.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing access control for mobile device usage (including restrictions)

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

authorizations for mobile device connections to organizational systems

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel using mobile devices to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Access control capability for mobile device connections to organizational systems

+

configurations of mobile devices

+
+
+ + Full Device or Container-based Encryption + + + + + + +

mobile devices on which to employ encryption are defined;

+
+ + + + + + + + + + +

Employ to protect the confidentiality and integrity of information on .

+
+ +

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

+
+ + +

+ is employed to protect the confidentiality and integrity of information on .

+ +
+ + + + +

Access control policy

+

procedures addressing access control for mobile devices

+

system design documentation

+

system configuration settings and associated documentation

+

encryption mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with access control responsibilities for mobile devices

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

+
+
+
+
+ + Use of External Systems + + + + + + +

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
+ + + + +

types of external systems prohibited from use are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

+ , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

+ + +

Access the system from external systems; and

+
+ + +

Process, store, or transmit organization-controlled information using external systems; or

+
+
+ + +

Prohibit the use of .

+
+ + AC-20 Additional FedRAMP Requirements and Guidance + + +

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

+

AC-20 describes system access to and from external systems.

+

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

+

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

+
+
+
+ +

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).

+

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

+

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+
+ + + + + + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

+ +
+ + +

+ is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

+ +
+ +
+ + +

the use of is prohibited (if applicable).

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

external systems terms and conditions

+

list of types of applications accessible from external systems

+

maximum security categorization for information processed, stored, or transmitted on external systems

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing terms and conditions on the use of external systems

+
+
+ + Limits on Authorized Use + + + + + + + +

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

+ + +

Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or

+
+ + +

Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

+
+
+ +

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

+
+ + + + +

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);

+ +
+ + +

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

system connection or processing agreements

+

account management documents

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing limits on use of external systems

+
+
+
+ + Portable Storage Devices — Restricted Use + + + +

restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;

+
+ + + + + + + + + +

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

+
+ +

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

+
+ + +

the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using .

+ +
+ + + + +

Access control policy

+

procedures addressing the use of external systems

+

system configuration settings and associated documentation

+

system connection or processing agreements

+

account management documents

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing restrictions on the use of portable storage devices

+
+
+
+
+ + Information Sharing + + + +

information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;

+
+ + + + +

automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;

+
+ + + + + + + + + + + + + + + + + + +

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

+
+ + +

Employ to assist users in making information sharing and collaboration decisions.

+
+
+ +

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.

+
+ + + + +

authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ;

+ +
+ + +

+ are employed to assist users in making information-sharing and collaboration decisions.

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing user-based collaboration and information sharing (including restrictions)

+

system design documentation

+

system configuration settings and associated documentation

+

list of users authorized to make information-sharing/collaboration decisions

+

list of information-sharing circumstances requiring user discretion

+

non-disclosure agreements

+

acquisitions/contractual agreements

+

system security plan

+

privacy plan

+

privacy impact assessment

+

security and privacy risk assessments

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information-sharing/collaboration decisions

+

organizational personnel with responsibility for acquisitions/contractual agreements

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions

+
+
+
+ + Publicly Accessible Content + + + + +

at least quarterly

+
+
+ +

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

+
+ + + + + + + + + + + + + +

Designate individuals authorized to make information publicly accessible;

+
+ + +

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + +

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

+
+ + +

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

+
+
+ +

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

+
+ + + + +

designated individuals are authorized to make information publicly accessible;

+ +
+ + +

authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;

+ +
+ + +

the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;

+ +
+ + + + +

the content on the publicly accessible system is reviewed for non-public information ;

+ +
+ + +

non-public information is removed from the publicly accessible system, if discovered.

+ +
+ +
+ +
+ + + + +

Access control policy

+

procedures addressing publicly accessible content

+

list of users authorized to post publicly accessible content on organizational systems

+

training materials and/or records

+

records of publicly accessible information reviews

+

records of response to non-public information on public websites

+

system audit logs

+

security awareness training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms implementing management of publicly accessible content

+
+
+
+
+ + Awareness and Training + + Policy and Procedures + + + + + + +

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the awareness and training policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current awareness and training policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current awareness and training policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ awareness and training policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

+
+ + +

Review and update the current awareness and training:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an awareness and training policy is developed and documented;

+ +
+ + +

the awareness and training policy is disseminated to ;

+ +
+ + +

awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;

+ +
+ + +

the awareness and training procedures are disseminated to .

+ +
+ + + + + + +

the awareness and training policy addresses purpose;

+ +
+ + +

the awareness and training policy addresses scope;

+ +
+ + +

the awareness and training policy addresses roles;

+ +
+ + +

the awareness and training policy addresses responsibilities;

+ +
+ + +

the awareness and training policy addresses management commitment;

+ +
+ + +

the awareness and training policy addresses coordination among organizational entities;

+ +
+ + +

the awareness and training policy addresses compliance; and

+ +
+ +
+ + +

the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;

+ +
+ + + + + + +

the current awareness and training policy is reviewed and updated ;

+ +
+ + +

the current awareness and training policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current awareness and training procedures are reviewed and updated ;

+ +
+ + +

the current awareness and training procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

awareness and training policy and procedures

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with awareness and training responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Literacy Training and Awareness + + + + +

at least annually

+
+
+ + + + + + + +

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
+ + + + +

events that require security literacy training for system users are defined;

+
+ + + + +

events that require privacy literacy training for system users are defined;

+
+ + + + +

techniques to be employed to increase the security and privacy awareness of system users are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update literacy training and awareness content is defined;

+
+ + + + +

events that would require literacy training and awareness content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

+ + +

As part of initial training for new users and thereafter; and

+
+ + +

When required by system changes or following ;

+
+
+ + +

Employ the following techniques to increase the security and privacy awareness of system users ;

+
+ + +

Update literacy training and awareness content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

+
+
+ +

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

+

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;

+ +
+ + +

security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+ +
+ +
+ + + + +

security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ + +

privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+ +
+ +
+ +
+ + +

+ are employed to increase the security and privacy awareness of system users;

+ +
+ + + + +

literacy training and awareness content is updated ;

+ +
+ + +

literacy training and awareness content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

appropriate codes of federal regulations

+

security and privacy literacy training curriculum

+

security and privacy literacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel comprising the general system user community

+
+
+ + + + +

Mechanisms managing information security and privacy literacy training

+
+
+ + Insider Threat + + + + + + + + +

Provide literacy training on recognizing and reporting potential indicators of insider threat.

+
+ +

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.

+
+ + + + +

literacy training on recognizing potential indicators of insider threat is provided;

+ +
+ + +

literacy training on reporting potential indicators of insider threat is provided.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

literacy training and awareness curriculum

+

literacy training and awareness materials

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel who receive literacy training and awareness

+

organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Social Engineering and Mining + + + + + + + +

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

+
+ +

Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.

+
+ + + + +

literacy training on recognizing potential and actual instances of social engineering is provided;

+ +
+ + +

literacy training on reporting potential and actual instances of social engineering is provided;

+ +
+ + +

literacy training on recognizing potential and actual instances of social mining is provided;

+ +
+ + +

literacy training on reporting potential and actual instances of social mining is provided.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

literacy training and awareness policy

+

procedures addressing literacy training and awareness implementation

+

literacy training and awareness curriculum

+

literacy training and awareness materials

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel who receive literacy training and awareness

+

organizational personnel with responsibilities for literacy training and awareness

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Role-based Training + + + + + + +

roles and responsibilities for role-based security training are defined;

+
+ + + + +

roles and responsibilities for role-based privacy training are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to update role-based training content is defined;

+
+ + + + +

events that require role-based training content to be updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

+ + +

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

+
+ + +

When required by system changes;

+
+
+ + +

Update role-based training content and following ; and

+
+ + +

Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

+
+
+ +

Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.

+

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + + + +

role-based security training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties;

+ +
+ + +

role-based security training is provided to + thereafter;

+ +
+ + +

role-based privacy training is provided to + thereafter;

+ +
+ +
+ + + + +

role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ + +

role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;

+ +
+ +
+ +
+ + + + +

role-based training content is updated ;

+ +
+ + +

role-based training content is updated following ;

+ +
+ +
+ + +

lessons learned from internal or external security incidents or breaches are incorporated into role-based training.

+ +
+ +
+ + + + +

System security plan

+

privacy plan

+

security and privacy awareness and training policy

+

procedures addressing security and privacy training implementation

+

codes of federal regulations

+

security and privacy training curriculum

+

security and privacy training materials

+

training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for role-based security and privacy training

+

organizational personnel with assigned system security and privacy roles and responsibilities

+
+
+ + + + +

Mechanisms managing role-based security and privacy training

+
+
+
+ + Training Records + + + + +

at least one (1) year or 1 year after completion of a specific training program

+
+
+ +

time period for retaining individual training records is defined;

+
+ + + + + + + + + + + + + + + + +

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and

+
+ + +

Retain individual training records for .

+
+
+ +

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

+
+ + + + + + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;

+ +
+ + +

information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;

+ +
+ +
+ + +

individual training records are retained for .

+ +
+ +
+ + + + +

Security and privacy awareness and training policy

+

procedures addressing security and privacy training records

+

security and privacy awareness and training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy training record retention responsibilities

+
+
+ + + + +

Mechanisms supporting the management of security and privacy training records

+
+
+
+
+ + Audit and Accountability + + Policy and Procedures + + + + + + +

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the audit and accountability policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current audit and accountability policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require audit and accountability procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ audit and accountability policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

+
+ + +

Review and update the current audit and accountability:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an audit and accountability policy is developed and documented;

+ +
+ + +

the audit and accountability policy is disseminated to ;

+ +
+ + +

audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;

+ +
+ + +

the audit and accountability procedures are disseminated to ;

+ +
+ + + + + + +

the of the audit and accountability policy addresses purpose;

+ +
+ + +

the of the audit and accountability policy addresses scope;

+ +
+ + +

the of the audit and accountability policy addresses roles;

+ +
+ + +

the of the audit and accountability policy addresses responsibilities;

+ +
+ + +

the of the audit and accountability policy addresses management commitment;

+ +
+ + +

the of the audit and accountability policy addresses coordination among organizational entities;

+ +
+ + +

the of the audit and accountability policy addresses compliance;

+ +
+ +
+ + +

the of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;

+ +
+ + + + + + +

the current audit and accountability policy is reviewed and updated ;

+ +
+ + +

the current audit and accountability policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current audit and accountability procedures are reviewed and updated ;

+ +
+ + +

the current audit and accountability procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Audit and accountability policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Event Logging + + + + +

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

+
+
+ + + + + +

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

+
+
+ +

the event types that the system is capable of logging in support of the audit function are defined;

+
+ + + + +

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

+
+ + + + +

the frequency or situation requiring logging for each specified event type is defined;

+
+ + + + + +

annually and whenever there is a change in the threat environment

+
+
+ +

the frequency of event types selected for logging are reviewed and updated;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify the types of events that the system is capable of logging in support of the audit function: ;

+
+ + +

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+
+ + +

Specify the following event types for logging within the system: ;

+
+ + +

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

+
+ + +

Review and update the event types selected for logging .

+
+ + AU-2 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+ + +

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

+
+
+
+ +

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.

+

To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.

+

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

+
+ + + + +

+ that the system is capable of logging are identified in support of the audit logging function;

+ +
+ + +

the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

+ +
+ + + + +

+ are specified for logging within the system;

+ +
+ + +

the specified event types are logged within the system ;

+ +
+ +
+ + +

a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;

+ +
+ + +

the event types selected for logging are reviewed and updated .

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing auditable events

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system auditable events

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing

+
+
+
+ + Content of Audit Records + + + + + + + + + + + + + + + + +

Ensure that audit records contain information that establishes the following:

+ + +

What type of event occurred;

+
+ + +

When the event occurred;

+
+ + +

Where the event occurred;

+
+ + +

Source of the event;

+
+ + +

Outcome of the event; and

+
+ + +

Identity of any individuals, subjects, or objects/entities associated with the event.

+
+
+ +

Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.

+
+ + + + +

audit records contain information that establishes what type of event occurred;

+ +
+ + +

audit records contain information that establishes when the event occurred;

+ +
+ + +

audit records contain information that establishes where the event occurred;

+ +
+ + +

audit records contain information that establishes the source of the event;

+ +
+ + +

audit records contain information that establishes the outcome of the event;

+ +
+ + +

audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing content of audit records

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

system incident reports

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing system auditing of auditable events

+
+
+ + Additional Audit Information + + + + +

session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

+
+
+ +

additional information to be included in audit records is defined;

+
+ + + + + + + +

Generate audit records containing the following additional information: .

+ + AU-3 (1) Additional FedRAMP Requirements and Guidance + + +

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

+
+
+
+ +

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

+
+ + +

generated audit records contain the following .

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing content of audit records

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of organization-defined auditable events

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

system audit capability

+
+
+
+
+ + Audit Log Storage Capacity + + + +

audit log retention requirements are defined;

+
+ + + + + + + + + + + + + + + + +

Allocate audit log storage capacity to accommodate .

+
+ +

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

+
+ + +

audit log storage capacity is allocated to accommodate .

+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit storage capacity

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

audit record storage requirements

+

audit record storage capability for system components

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Audit record storage capacity and related configuration settings

+
+
+
+ + Response to Audit Logging Process Failures + + + +

personnel or roles receiving audit logging process failure alerts are defined;

+
+ + + + +

time period for personnel or roles receiving audit logging process failure alerts is defined;

+
+ + + + + +

overwrite oldest record

+
+
+ +

additional actions to be taken in the event of an audit logging process failure are defined;

+
+ + + + + + + + + + + + + + + + + +

Alert within in the event of an audit logging process failure; and

+
+ + +

Take the following additional actions: .

+
+
+ +

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

+
+ + + + +

+ are alerted in the event of an audit logging process failure within ;

+ +
+ + +

+ are taken in the event of an audit logging process failure.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

system design documentation

+

system security plan

+

privacy plan

+

system configuration settings and associated documentation

+

list of personnel to be notified in case of an audit processing failure

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing system response to audit processing failures

+
+
+
+ + Audit Record Review, Analysis, and Reporting + + + + +

at least weekly

+
+
+ +

frequency at which system audit records are reviewed and analyzed is defined;

+
+ + + + +

inappropriate or unusual activity is defined;

+
+ + + + +

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

+
+ + +

Report findings to ; and

+
+ + +

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+
+ + AU-6 Additional FedRAMP Requirements and Guidance + + +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

+
+
+
+ +

Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.

+
+ + + + +

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

+ +
+ + +

findings are reported to ;

+ +
+ + +

the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

reports of audit findings

+

records of actions taken in response to reviews/analyses of audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + Automated Process Integration + + + +

automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;

+
+ + + + + + + + + +

Integrate audit record review, analysis, and reporting processes using .

+
+ +

Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.

+
+ + +

audit record review, analysis, and reporting processes are integrated using .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

procedures addressing investigation and response to suspicious activities

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Automated mechanisms integrating audit review, analysis, and reporting processes

+
+
+
+ + Correlate Audit Record Repositories + + + + + + + + + +

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

+
+ +

Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.

+
+ + +

audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit review, analysis, and reporting

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records across different repositories

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting the analysis and correlation of audit records

+
+
+
+
+ + Audit Record Reduction and Report Generation + + + + + + + + + + + + + + + + + + + +

Provide and implement an audit record reduction and report generation capability that:

+ + +

Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and

+
+ + +

Does not alter the original content or time ordering of audit records.

+
+
+ +

Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.

+
+ + + + + + +

an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;

+ +
+ + +

an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;

+ +
+ +
+ + + + +

an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;

+ +
+ + +

an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.

+ +
+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit reduction and report generation

+

system design documentation

+

system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Audit reduction and report generation capability

+
+
+ + Automatic Processing + + + +

fields within audit records that can be processed, sorted, or searched are defined;

+
+ + + + + + + + +

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

+
+ +

Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.

+
+ + + + +

the capability to process, sort, and search audit records for events of interest based on are provided;

+ +
+ + +

the capability to process, sort, and search audit records for events of interest based on are implemented.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing audit reduction and report generation

+

system design documentation

+

system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

audit record criteria (fields) establishing events of interest

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Audit reduction and report generation capability

+
+
+
+
+ + Time Stamps + + + + +

one second granularity of time measurement

+
+
+ +

granularity of time measurement for audit record timestamps is defined;

+
+ + + + + + + + + + + + +

Use internal system clocks to generate time stamps for audit records; and

+
+ + +

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

+
+
+ +

Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

+
+ + + + +

internal system clocks are used to generate timestamps for audit records;

+ +
+ + +

timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

procedures addressing timestamp generation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing timestamp generation

+
+
+
+ + Protection of Audit Information + + + +

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and

+
+ + +

Alert upon detection of unauthorized access, modification, or deletion of audit information.

+
+
+ +

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

+
+ + + + +

audit information and audit logging tools are protected from unauthorized access, modification, and deletion;

+ +
+ + +

+ are alerted upon detection of unauthorized access, modification, or deletion of audit information.

+ +
+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

audit tools

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit information protection

+
+
+ + Access by Subset of Privileged Users + + + +

a subset of privileged users or roles authorized to access management of audit logging functionality is defined;

+
+ + + + + + + + +

Authorize access to management of audit logging functionality to only .

+
+ +

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.

+
+ + +

access to management of audit logging functionality is authorized only to .

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

access control policy and procedures

+

procedures addressing protection of audit information

+

system design documentation

+

system configuration settings and associated documentation

+

system-generated list of privileged users with access to management of audit functionality

+

access authorizations

+

access control list

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms managing access to audit functionality

+
+
+
+
+ + Audit Record Retention + + + + +

a time period in compliance with M-21-31

+
+
+ +

a time period to retain audit records that is consistent with the records retention policy is defined;

+
+ + + + + + + + + + + + + + + + +

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ + AU-11 Additional FedRAMP Requirements and Guidance + + +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

+
+ + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

+
+ + +

The service provider is encouraged to align with M-21-31 where possible

+
+
+
+ +

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

+
+ + +

audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+ +
+ + + + +

Audit and accountability policy

+

system security plan

+

privacy plan

+

audit record retention policy and procedures

+

security plan

+

organization-defined retention period for audit records

+

audit record archives

+

audit logs

+

audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record retention responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+
+ + Audit Record Generation + + + + +

all information system and network components where audit capability is deployed/available

+
+
+ +

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

+
+ + + + +

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

+
+ + +

Allow to select the event types that are to be logged by specific components of the system; and

+
+ + +

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

+
+
+ +

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

+
+ + + + +

audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by ;

+ +
+ + +

+ is/are allowed to select the event types that are to be logged by specific components of the system;

+ +
+ + +

audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.

+ +
+ +
+ + + + +

Audit and accountability policy

+

procedures addressing audit record generation

+

system security plan

+

privacy plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of auditable events

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms implementing audit record generation capability

+
+
+
+
+ + Assessment, Authorization, and Monitoring + + Policy and Procedures + + + + + + +

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ assessment, authorization, and monitoring policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

+
+ + +

Review and update the current assessment, authorization, and monitoring:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an assessment, authorization, and monitoring policy is developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring policy is disseminated to ;

+ +
+ + +

assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;

+ +
+ + +

the assessment, authorization, and monitoring procedures are disseminated to ;

+ +
+ + + + + + +

the assessment, authorization, and monitoring policy addresses purpose;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses scope;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses roles;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses responsibilities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses management commitment;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses coordination among organizational entities;

+ +
+ + +

the assessment, authorization, and monitoring policy addresses compliance;

+ +
+ +
+ + +

the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

+ +
+ + + + + + +

the current assessment, authorization, and monitoring policy is reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current assessment, authorization, and monitoring procedures are reviewed and updated ;

+ +
+ + +

the current assessment, authorization, and monitoring procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment, authorization, and monitoring policy responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Control Assessments + + + + +

at least annually

+
+
+ +

the frequency at which to assess controls in the system and its environment of operation is defined;

+
+ + + + + +

individuals or roles to include FedRAMP PMO

+
+
+ +

individuals or roles to whom control assessment results are to be provided are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Select the appropriate assessor or assessment team for the type of assessment to be conducted;

+
+ + +

Develop a control assessment plan that describes the scope of the assessment including:

+ + +

Controls and control enhancements under assessment;

+
+ + +

Assessment procedures to be used to determine control effectiveness; and

+
+ + +

Assessment environment, assessment team, and assessment roles and responsibilities;

+
+
+ + +

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+
+ + +

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

+
+ + +

Produce a control assessment report that document the results of the assessment; and

+
+ + +

Provide the results of the control assessment to .

+
+ + CA-2 Additional FedRAMP Requirements and Guidance + + +

Reference FedRAMP Annual Assessment Guidance.

+
+
+
+ +

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

+

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

+

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

+

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

+

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

+
+ + + + +

an appropriate assessor or assessment team is selected for the type of assessment to be conducted;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;

+ +
+ + + + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including the assessment team;

+ +
+ + +

a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;

+ +
+ +
+ +
+ + +

the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

+ +
+ + + + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+ +
+ + +

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

+ +
+ +
+ + +

a control assessment report is produced that documents the results of the assessment;

+ +
+ + +

the results of the control assessment are provided to .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing assessment planning

+

procedures addressing control assessments

+

control assessment plan

+

control assessment report

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting

+
+
+ + Independent Assessors + + + + + + + +

Employ independent assessors or assessment teams to conduct control assessments.

+ + CA-2 (1) Additional FedRAMP Requirements and Guidance + + +

For JAB Authorization, must use an accredited 3PAO.

+
+
+
+ +

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.

+

Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.

+

When organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.

+
+ + +

independent assessors or assessment teams are employed to conduct control assessments.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

previous control assessment plan

+

previous control assessment report

+

plan of action and milestones

+

existing authorization statement

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Leveraging Results from External Organizations + + + + +

any FedRAMP Accredited 3PAO

+
+
+ +

external organization(s) from which the results of control assessments are leveraged are defined;

+
+ + + + +

system on which a control assessment was performed by an external organization is defined;

+
+ + + + + +

the conditions of the JAB/AO in the FedRAMP Repository

+
+
+ +

requirements to be met by the control assessment performed by an external organization on the system are defined;

+
+ + + + + + + + + +

Leverage the results of control assessments performed by on when the assessment meets .

+
+ +

Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program ISO 15408-1 , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.

+
+ + +

the results of control assessments performed by on are leveraged when the assessment meets .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing control assessments

+

control assessment requirements

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

plan of action and milestones

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel performing control assessments for the specified external organization

+
+
+
+
+ + Information Exchange + + + + + + +

the type of agreement used to approve and manage the exchange of information is defined (if selected);

+
+ + + + + +

at least annually and on input from JAB/AO

+
+
+ +

the frequency at which to review and update agreements is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Approve and manage the exchange of information between the system and other systems using ;

+
+ + +

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

+
+ + +

Review and update the agreements .

+
+
+ +

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

+

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

+
+ + + + +

the exchange of information between the system and other systems is approved and managed using ;

+ +
+ + + + +

the interface characteristics are documented as part of each exchange agreement;

+ +
+ + +

security requirements are documented as part of each exchange agreement;

+ +
+ + +

privacy requirements are documented as part of each exchange agreement;

+ +
+ + +

controls are documented as part of each exchange agreement;

+ +
+ + +

responsibilities for each system are documented as part of each exchange agreement;

+ +
+ + +

the impact level of the information communicated is documented as part of each exchange agreement;

+ +
+ +
+ + +

agreements are reviewed and updated .

+ +
+ +
+ + + + +

Access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system interconnection security agreements

+

information exchange security agreements

+

memoranda of understanding or agreements

+

service level agreements

+

non-disclosure agreements

+

system design documentation

+

enterprise architecture

+

system architecture

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements

+

organizational personnel with information security and privacy responsibilities

+

personnel managing the system(s) to which the interconnection security agreement applies

+
+
+
+ + Plan of Action and Milestones + + + + +

at least monthly

+
+
+ +

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and

+
+ + +

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+
+ + CA-5 Additional FedRAMP Requirements and Guidance + + +

POA&Ms must be provided at least monthly.

+
+ + +

Reference FedRAMP-POAM-Template

+
+
+
+ +

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

+
+ + + + +

a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;

+ +
+ + +

existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing plan of action and milestones

+

control assessment plan

+

control assessment report

+

control assessment evidence

+

plan of action and milestones

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with plan of action and milestones development and implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms for developing, implementing, and maintaining plan of action and milestones

+
+
+
+ + Authorization + + + + +

in accordance with OMB A-130 requirements or when a significant change occurs

+
+
+ +

frequency at which to update the authorizations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a senior official as the authorizing official for the system;

+
+ + +

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;

+
+ + +

Ensure that the authorizing official for the system, before commencing operations:

+ + +

Accepts the use of common controls inherited by the system; and

+
+ + +

Authorizes the system to operate;

+
+
+ + +

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+
+ + +

Update the authorizations .

+
+ + CA-6 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

+
+
+
+ +

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

+

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

+
+ + + + +

a senior official is assigned as the authorizing official for the system;

+ +
+ + +

a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;

+ +
+ + + + +

before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;

+ +
+ + +

before commencing operations, the authorizing official for the system authorizes the system to operate;

+ +
+ +
+ + +

the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;

+ +
+ + +

the authorizations are updated .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing authorization

+

system security plan, privacy plan, assessment report, plan of action and milestones

+

authorization statement

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authorization responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms that facilitate authorizations and updates

+
+
+
+ + Continuous Monitoring + + + + +

to include JAB/AO

+
+
+ + + + + + + +

system-level metrics to be monitored are defined;

+
+ + + + +

frequencies at which to monitor control effectiveness are defined;

+
+ + + + +

frequencies at which to assess control effectiveness are defined;

+
+ + + + +

personnel or roles to whom the security status of the system is reported are defined;

+
+ + + + +

frequency at which the security status of the system is reported is defined;

+
+ + + + +

personnel or roles to whom the privacy status of the system is reported are defined;

+
+ + + + +

frequency at which the privacy status of the system is reported is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

+ + +

Establishing the following system-level metrics to be monitored: ;

+
+ + +

Establishing for monitoring and for assessment of control effectiveness;

+
+ + +

Ongoing control assessments in accordance with the continuous monitoring strategy;

+
+ + +

Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+
+ + +

Correlation and analysis of information generated by control assessments and monitoring;

+
+ + +

Response actions to address results of the analysis of control assessment and monitoring information; and

+
+ + +

Reporting the security and privacy status of the system to + .

+
+ + CA-7 Additional FedRAMP Requirements and Guidance + + +

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+ + +

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

+
+ + +

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

+
+
+
+ +

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

+

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

+
+ + + + +

a system-level continuous monitoring strategy is developed;

+ +
+ + +

system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

+ +
+ + + + +

system-level continuous monitoring includes established for monitoring;

+ +
+ + +

system-level continuous monitoring includes established for assessment of control effectiveness;

+ +
+ +
+ + +

system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

+ +
+ + +

system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;

+ +
+ + +

system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;

+ +
+ + + + +

system-level continuous monitoring includes reporting the security status of the system to + ;

+ +
+ + +

system-level continuous monitoring includes reporting the privacy status of the system to + .

+ +
+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

procedures addressing configuration management

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

configuration management records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms implementing continuous monitoring

+

mechanisms supporting response actions to address assessment and monitoring results

+

mechanisms supporting security and privacy status reporting

+
+
+ + Independent Assessment + + + + + + + +

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

+
+ +

Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services.

+
+ + +

independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

control assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Risk Monitoring + + + + + + + + +

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

+ + +

Effectiveness monitoring;

+
+ + +

Compliance monitoring; and

+
+ + +

Change monitoring.

+
+
+ +

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

+
+ + +

risk monitoring is an integral part of the continuous monitoring strategy;

+ + +

effectiveness monitoring is included in risk monitoring;

+ +
+ + +

compliance monitoring is included in risk monitoring;

+ +
+ + +

change monitoring is included in risk monitoring.

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

organizational continuous monitoring strategy

+

system-level continuous monitoring strategy

+

procedures addressing continuous monitoring of system controls

+

assessment report

+

plan of action and milestones

+

system monitoring records

+

impact analyses

+

status reports

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting risk monitoring

+
+
+
+
+ + Penetration Testing + + + + +

at least annually

+
+
+ +

frequency at which to conduct penetration testing on systems or system components is defined;

+
+ + + + +

systems or system components on which penetration testing is to be conducted are defined;

+
+ + + + + + + + + + + + +

Conduct penetration testing on .

+ + CA-8 Additional FedRAMP Requirements and Guidance + + +

Reference the FedRAMP Penetration Test Guidance.

+
+
+
+ +

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

+
+ + +

penetration testing is conducted on .

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with control assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting penetration testing

+
+
+ + Independent Penetration Testing Agent or Team + + + + + + + + +

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

+
+ +

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.

+
+ + +

an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

assessment plan

+

penetration test report

+

assessment report

+

security assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Red Team Exercises + + + +

red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;

+
+ + + + + + + + +

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: .

+ + CM-2 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Penetration Test Guidance

+

https://www.FedRAMP.gov/documents/

+
+
+
+ +

Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness.

+
+ + +

+ are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.

+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

procedures addressing penetration testing

+

procedures addressing red team exercises

+

assessment plan

+

results of red team exercises

+

penetration test report

+

assessment report

+

rules of engagement

+

assessment evidence

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting the employment of red team exercises

+
+
+
+
+ + Internal System Connections + + + +

system components or classes of components requiring internal connections to the system are defined;

+
+ + + + +

conditions requiring termination of internal connections are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review the continued need for each internal connection is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Authorize internal connections of to the system;

+
+ + +

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

+
+ + +

Terminate internal system connections after ; and

+
+ + +

Review the continued need for each internal connection.

+
+
+ +

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

+
+ + + + +

internal connections of to the system are authorized;

+ +
+ + + + +

for each internal connection, the interface characteristics are documented;

+ +
+ + +

for each internal connection, the security requirements are documented;

+ +
+ + +

for each internal connection, the privacy requirements are documented;

+ +
+ + +

for each internal connection, the nature of the information communicated is documented;

+ +
+ +
+ + +

internal system connections are terminated after ;

+ +
+ + +

the continued need for each internal connection is reviewed .

+ +
+ +
+ + + + +

Assessment, authorization, and monitoring policy

+

access control policy

+

procedures addressing system connections

+

system and communications protection policy

+

system design documentation

+

system configuration settings and associated documentation

+

list of components or classes of components authorized as internal system connections

+

assessment report

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Mechanisms supporting internal system connections

+
+
+
+
+ + Configuration Management + + Policy and Procedures + + + + + + +

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the configuration management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current configuration management policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current configuration management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current configuration management procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require configuration management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ configuration management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

+
+ + +

Review and update the current configuration management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a configuration management policy is developed and documented;

+ +
+ + +

the configuration management policy is disseminated to ;

+ +
+ + +

configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;

+ +
+ + +

the configuration management procedures are disseminated to ;

+ +
+ + + + + + +

the of the configuration management policy addresses purpose;

+ +
+ + +

the of the configuration management policy addresses scope;

+ +
+ + +

the of the configuration management policy addresses roles;

+ +
+ + +

the of the configuration management policy addresses responsibilities;

+ +
+ + +

the of the configuration management policy addresses management commitment;

+ +
+ + +

the of the configuration management policy addresses coordination among organizational entities;

+ +
+ + +

the of the configuration management policy addresses compliance;

+ +
+ +
+ + +

the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;

+ +
+ + + + + + +

the current configuration management policy is reviewed and updated ;

+ +
+ + +

the current configuration management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current configuration management procedures are reviewed and updated ;

+ +
+ + +

the current configuration management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Configuration management policy and procedures

+

security and privacy program policies and procedures

+

assessment or audit findings

+

documentation of security incidents or breaches

+

system security plan

+

privacy plan

+

risk management strategy

+

other relevant artifacts, documents, or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Baseline Configuration + + + + +

at least annually and when a significant change occurs

+
+
+ +

the frequency of baseline configuration review and update is defined;

+
+ + + + + +

to include when directed by the JAB

+
+
+ +

the circumstances requiring baseline configuration review and update are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

+
+ + +

Review and update the baseline configuration of the system:

+ + +

+ ;

+
+ + +

When required due to ; and

+
+ + +

When system components are installed or upgraded.

+
+
+ + CM-2 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

+
+ + + + + + +

a current baseline configuration of the system is developed and documented;

+ +
+ + +

a current baseline configuration of the system is maintained under configuration control;

+ +
+ +
+ + + + +

the baseline configuration of the system is reviewed and updated ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when required due to ;

+ +
+ + +

the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

enterprise architecture documentation

+

system design documentation

+

system security plan

+

privacy plan

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

change control records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+

mechanisms supporting configuration control of the baseline configuration

+
+
+ + Automation Support for Accuracy and Currency + + + +

automated mechanisms for maintaining baseline configuration of the system are defined;

+
+ + + + + + + + + + + +

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

+
+ +

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

+
+ + + + +

the currency of the baseline configuration of the system is maintained using ;

+ +
+ + +

the completeness of the baseline configuration of the system is maintained using ;

+ +
+ + +

the accuracy of the baseline configuration of the system is maintained using ;

+ +
+ + +

the availability of the baseline configuration of the system is maintained using .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

configuration change control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+

automated mechanisms implementing baseline configuration maintenance

+
+
+
+ + Retention of Previous Configurations + + + +

the number of previous baseline configuration versions to be retained is defined;

+
+ + + + + + + + +

Retain of previous versions of baseline configurations of the system to support rollback.

+
+ +

Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation.

+
+ + +

+ of previous baseline configuration version(s) of the system is/are retained to support rollback.

+ +
+ + + + +

Configuration management policy

+

procedures addressing the baseline configuration of the system

+

configuration management plan

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

copies of previous baseline configuration versions

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+
+
+
+ + Configure Systems and Components for High-risk Areas + + + +

the systems or system components to be issued when individuals travel to high-risk areas are defined;

+
+ + + + +

configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;

+
+ + + + +

the controls to be applied when the individuals return from travel are defined;

+
+ + + + + + + + + + + + +

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

+
+ + +

Apply the following controls to the systems or components when the individuals return from travel: .

+
+
+ +

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

+
+ + + + +

+ with are issued to individuals traveling to locations that the organization deems to be of significant risk;

+ +
+ + +

+ are applied to the systems or system components when the individuals return from travel.

+ +
+ +
+ + + + +

Configuration management policy

+

configuration management plan

+

procedures addressing the baseline configuration of the system

+

procedures addressing system component installations and upgrades

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

system component inventory

+

records of system baseline configuration reviews and updates

+

system component installations/upgrades and associated records

+

change control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing baseline configurations

+
+
+
+
+ + Configuration Change Control + + + +

the time period to retain records of configuration-controlled changes is defined;

+
+ + + + +

the configuration change control element responsible for coordinating and overseeing change control activities is defined;

+
+ + + + + + + +

the frequency at which the configuration control element convenes is defined (if selected);

+
+ + + + +

configuration change conditions that prompt the configuration control element to convene are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine and document the types of changes to the system that are configuration-controlled;

+
+ + +

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

+
+ + +

Document configuration change decisions associated with the system;

+
+ + +

Implement approved configuration-controlled changes to the system;

+
+ + +

Retain records of configuration-controlled changes to the system for ;

+
+ + +

Monitor and review activities associated with configuration-controlled changes to the system; and

+
+ + +

Coordinate and provide oversight for configuration change control activities through that convenes .

+
+ + CM-3 Additional FedRAMP Requirements and Guidance + + +

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

+
+ + +

In accordance with record retention policies and procedures.

+
+
+
+ +

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

+
+ + + + +

the types of changes to the system that are configuration-controlled are determined and documented;

+ +
+ + + + +

proposed configuration-controlled changes to the system are reviewed;

+ +
+ + +

proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;

+ +
+ +
+ + +

configuration change decisions associated with the system are documented;

+ +
+ + +

approved configuration-controlled changes to the system are implemented;

+ +
+ + +

records of configuration-controlled changes to the system are retained for ;

+ +
+ + + + +

activities associated with configuration-controlled changes to the system are monitored;

+ +
+ + +

activities associated with configuration-controlled changes to the system are reviewed;

+ +
+ +
+ + + + +

configuration change control activities are coordinated and overseen by ;

+ +
+ + +

the configuration control element convenes .

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system architecture and configuration documentation

+

change control records

+

system audit records

+

change control audit and review reports

+

agenda/minutes/documentation from configuration change control oversight meetings

+

system security plan

+

privacy plan

+

privacy impact assessments

+

system of records notices

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

mechanisms that implement configuration change control

+
+
+ + Testing, Validation, and Documentation of Changes + + + + + + + +

Test, validate, and document changes to the system before finalizing the implementation of the changes.

+
+ +

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6 . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

+
+ + + + +

changes to the system are tested before finalizing the implementation of the changes;

+ +
+ + +

changes to the system are validated before finalizing the implementation of the changes;

+ +
+ + +

changes to the system are documented before finalizing the implementation of the changes.

+ +
+ +
+ + + + +

Configuration management policy

+

configuration management plan

+

procedures addressing system configuration change control

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

test records

+

validation records

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+

mechanisms supporting and/or implementing, testing, validating, and documenting system changes

+
+
+
+ + Security and Privacy Representatives + + + + + + +

security representatives required to be members of the change control element are defined;

+
+ + + + +

privacy representatives required to be members of the change control element are defined;

+
+ + + + + +

Configuration control board (CCB) or similar (as defined in CM-3)

+
+
+ +

the configuration change control element of which the security and privacy representatives are to be members is defined;

+
+ + + + + + + +

Require to be members of the .

+
+ +

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in CM-3g.

+
+ + + + +

+ are required to be members of the ;

+ +
+ + +

+ are required to be members of the .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system configuration change control

+

configuration management plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security and privacy responsibilities

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for configuration change control

+
+
+
+
+ + Impact Analyses + + + + + + + + + + + + + + + + + + + +

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

+
+ +

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

+
+ + + + +

changes to the system are analyzed to determine potential security impacts prior to change implementation;

+ +
+ + +

changes to the system are analyzed to determine potential privacy impacts prior to change implementation.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

configuration management plan

+

security impact analysis documentation

+

privacy impact analysis documentation

+

privacy impact assessment

+

privacy risk assessment documentation, system design documentation

+

analysis tools and associated outputs

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security impact analyses

+

organizational personnel with responsibility for conducting privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system developer

+

system/network administrators

+

members of change control board or similar

+
+
+ + + + +

Organizational processes for security impact analyses

+

organizational processes for privacy impact analyses

+
+
+ + Verification of Controls + + + + + + + + + + +

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

+
+ +

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

+
+ + + + +

the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;

+ +
+ + +

the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;

+ +
+ + +

the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;

+ +
+ + +

the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing security impact analyses for changes to the system

+

procedures addressing privacy impact analyses for changes to the system

+

privacy risk assessment documentation

+

configuration management plan

+

security and privacy impact analysis documentation

+

privacy impact assessment

+

analysis tools and associated outputs

+

change control records

+

control assessment results

+

system audit records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for conducting security and privacy impact analyses

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

security and privacy assessors

+
+
+ + + + +

Organizational processes for security and privacy impact analyses

+

mechanisms supporting and/or implementing security and privacy impact analyses of changes

+
+
+
+
+ + Access Restrictions for Change + + + + + + + + + + + + + + + + + +

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

+
+ +

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

+
+ + + + +

physical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

physical access restrictions associated with changes to the system are approved;

+ +
+ + +

physical access restrictions associated with changes to the system are enforced;

+ +
+ + +

logical access restrictions associated with changes to the system are defined and documented;

+ +
+ + +

logical access restrictions associated with changes to the system are approved;

+ +
+ + +

logical access restrictions associated with changes to the system are enforced.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

logical access approvals

+

physical access approvals

+

access credentials

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system

+
+
+ + Automated Access Enforcement and Audit Records + + + +

mechanisms used to automate the enforcement of access restrictions are defined;

+
+ + + + + + + + + + + + + + + + +

Enforce access restrictions using ; and

+
+ + +

Automatically generate audit records of the enforcement actions.

+
+
+ +

Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

+
+ + + + +

access restrictions for change are enforced using ;

+ +
+ + +

audit records of enforcement actions are automatically generated.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

automated mechanisms implementing the enforcement of access restrictions for changes to the system

+

automated mechanisms supporting auditing of enforcement actions

+
+
+
+ + Privilege Limitation for Production and Operation + + + + +

at least quarterly

+
+
+ + + + +

frequency at which to review privileges is defined;

+
+ + + + +

frequency at which to reevaluate privileges is defined;

+
+ + + + + + + + + + +

Limit privileges to change system components and system-related information within a production or operational environment; and

+
+ + +

Review and reevaluate privileges .

+
+
+ +

In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures.

+
+ + + + + + +

privileges to change system components within a production or operational environment are limited;

+ +
+ + +

privileges to change system-related information within a production or operational environment are limited;

+ +
+ +
+ + + + +

privileges are reviewed ;

+ +
+ + +

privileges are reevaluated .

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing access restrictions for changes to the system

+

configuration management plan

+

system design documentation

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

user privilege reviews

+

user privilege recertifications

+

system component inventory

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing access restrictions to change

+

mechanisms supporting and/or implementing access restrictions for change

+
+
+
+
+ + Configuration Settings + + + +

common secure configurations to establish and document configuration settings for components employed within the system are defined;

+
+ + + + +

system components for which approval of deviations is needed are defined;

+
+ + + + +

operational requirements necessitating approval of deviations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

+
+ + +

Implement the configuration settings;

+
+ + +

Identify, document, and approve any deviations from established configuration settings for based on ; and

+
+ + +

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

+
+ + CM-6 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

+
+ + +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

+
+ + +

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

+

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

+
+
+
+ +

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

+

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

+

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

+
+ + + + +

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

+ +
+ + +

the configuration settings documented in CM-06a are implemented;

+ +
+ + + + +

any deviations from established configuration settings for are identified and documented based on ;

+ +
+ + +

any deviations from established configuration settings for are approved;

+ +
+ +
+ + + + +

changes to the configuration settings are monitored in accordance with organizational policies and procedures;

+ +
+ + +

changes to the configuration settings are controlled in accordance with organizational policies and procedures.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

system component inventory

+

evidence supporting approved deviations from established configuration settings

+

change control records

+

system data processing and retention permissions

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with privacy configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing configuration settings

+

mechanisms that implement, monitor, and/or control system configuration settings

+

mechanisms that identify and/or document deviations from established configuration settings

+
+
+ + Automated Management, Application, and Verification + + + + + + +

system components for which to manage, apply, and verify configuration settings are defined;

+
+ + + + +

automated mechanisms to manage configuration settings are defined;

+
+ + + + +

automated mechanisms to apply configuration settings are defined;

+
+ + + + +

automated mechanisms to verify configuration settings are defined;

+
+ + + + + + + + +

Manage, apply, and verify configuration settings for using .

+
+ +

Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization.

+
+ + + + +

configuration settings for are managed using ;

+ +
+ + +

configuration settings for are applied using ;

+ +
+ + +

configuration settings for are verified using .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration settings for the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

change control records

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for managing configuration settings

+

automated mechanisms implemented to manage, apply, and verify system configuration settings

+
+
+
+
+ + Least Functionality + + + + + + +

mission-essential capabilities for the system are defined;

+
+ + + + +

functions to be prohibited or restricted are defined;

+
+ + + + +

ports to be prohibited or restricted are defined;

+
+ + + + +

protocols to be prohibited or restricted are defined;

+
+ + + + +

software to be prohibited or restricted is defined;

+
+ + + + +

services to be prohibited or restricted are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Configure the system to provide only ; and

+
+ + +

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

+
+ + CM-7 Additional FedRAMP Requirements and Guidance + + +

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

+
+
+
+ +

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

+
+ + + + +

the system is configured to provide only ;

+ +
+ + + + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted;

+ +
+ + +

the use of is prohibited or restricted.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services

+

mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services

+
+
+ + Periodic Review + + + + + + + +

at least annually

+
+
+ +

the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;

+
+ + + + +

functions to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

ports to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

protocols to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + +

software to be disabled or removed when deemed unnecessary or non-secure is defined;

+
+ + + + +

services to be disabled or removed when deemed unnecessary or non-secure are defined;

+
+ + + + + + + + + + + +

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

+
+ + +

Disable or remove .

+
+
+ +

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

+
+ + + + +

the system is reviewed to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:

+ +
+ + + + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure is disabled or removed;

+ +
+ + +

+ deemed to be unnecessary and/or non-secure are disabled or removed.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

common secure configuration checklists

+

documented reviews of functions, ports, protocols, and/or services

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system

+

mechanisms implementing review and disabling of functions, ports, protocols, and/or services

+
+
+
+ + Prevent Program Execution + + + + + + +

policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);

+
+ + + + + + + + + + + + +

Prevent program execution in accordance with .

+ + CM-7 (2) Additional FedRAMP Requirements and Guidance + + +

This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

+
+
+
+ +

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time.

+
+ + +

program execution is prevented in accordance with .

+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

system component inventory

+

common secure configuration checklists

+

specifications for preventing software program execution

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes preventing program execution on the system

+

organizational processes for software program usage and restrictions

+

mechanisms preventing program execution on the system

+

mechanisms supporting and/or implementing software program usage and restrictions

+
+
+
+ + Authorized Software — Allow-by-exception + + + +

software programs authorized to execute on the system are defined;

+
+ + + + + +

at least quarterly or when there is a change

+
+
+ +

frequency at which to review and update the list of authorized software programs is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Identify ;

+
+ + +

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and

+
+ + +

Review and update the list of authorized software programs .

+
+
+ +

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

+
+ + + + +

+ are identified;

+ +
+ + +

a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;

+ +
+ + +

the list of authorized software programs is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing least functionality in the system

+

configuration management plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of software programs authorized to execute on the system

+

system component inventory

+

common secure configuration checklists

+

review and update records associated with list of authorized software programs

+

change control records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for identifying software authorized to execute on the system

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational process for identifying, reviewing, and updating programs authorized to execute on the system

+

organizational process for implementing authorized software policy

+

mechanisms supporting and/or implementing authorized software policy

+
+
+
+
+ + System Component Inventory + + + +

information deemed necessary to achieve effective system component accountability is defined;

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to review and update the system component inventory is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop and document an inventory of system components that:

+ + +

Accurately reflects the system;

+
+ + +

Includes all components within the system;

+
+ + +

Does not include duplicate accounting of components or components assigned to any other system;

+
+ + +

Is at the level of granularity deemed necessary for tracking and reporting; and

+
+ + +

Includes the following information to achieve system component accountability: ; and

+
+
+ + +

Review and update the system component inventory .

+
+ + CM-8 Additional FedRAMP Requirements and Guidance + + +

must be provided at least monthly or when there is a change.

+
+
+
+ +

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

+

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

+
+ + + + + + +

an inventory of system components that accurately reflects the system is developed and documented;

+ +
+ + +

an inventory of system components that includes all components within the system is developed and documented;

+ +
+ + +

an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;

+ +
+ + +

an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;

+ +
+ + +

an inventory of system components that includes is developed and documented;

+ +
+ +
+ + +

the system component inventory is reviewed and updated .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system design documentation

+

system component inventory

+

inventory reviews and update records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing the system component inventory

+

mechanisms supporting and/or implementing system component inventory

+
+
+ + Updates During Installation and Removal + + + + + + + + +

Update the inventory of system components as part of component installations, removals, and system updates.

+
+ +

Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.

+
+ + + + +

the inventory of system components is updated as part of component installations;

+ +
+ + +

the inventory of system components is updated as part of component removals;

+ +
+ + +

the inventory of system components is updated as part of system updates.

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system security plan

+

system component inventory

+

inventory reviews and update records

+

change control records

+

component installation records

+

component removal records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory updating responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for updating the system component inventory

+

mechanisms supporting and/or implementing system component inventory updates

+
+
+
+ + Automated Unauthorized Component Detection + + + + +

automated mechanisms with a maximum five-minute delay in detection

+
+
+ + + + +

automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;

+
+ + + + +

automated mechanisms used to detect the presence of unauthorized software within the system are defined;

+
+ + + + +

automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;

+
+ + + + + + + +

personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + +

Detect the presence of unauthorized hardware, software, and firmware components within the system using + ; and

+
+ + +

Take the following actions when unauthorized components are detected: .

+
+
+ +

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing. +

+
+ + + + + + +

the presence of unauthorized hardware within the system is detected using + ;

+ +
+ + +

the presence of unauthorized software within the system is detected using + ;

+ +
+ + +

the presence of unauthorized firmware within the system is detected using + ;

+ +
+ +
+ + + + +

+ are taken when unauthorized hardware is detected;

+ +
+ + +

+ are taken when unauthorized software is detected;

+ +
+ + +

+ are taken when unauthorized firmware is detected.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing system component inventory

+

configuration management plan

+

system design documentation

+

system security plan

+

system component inventory

+

change control records

+

alerts/notifications of unauthorized components within the system

+

system monitoring records

+

system maintenance records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with component inventory management responsibilities

+

organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes for detection of unauthorized system components

+

organizational processes for taking action when unauthorized system components are detected

+

automated mechanisms supporting and/or implementing the detection of unauthorized system components

+

automated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected

+
+
+
+
+ + Configuration Management Plan + + + +

personnel or roles to review and approve the configuration management plan is/are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and implement a configuration management plan for the system that:

+ + +

Addresses roles, responsibilities, and configuration management processes and procedures;

+
+ + +

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

+
+ + +

Defines the configuration items for the system and places the configuration items under configuration management;

+
+ + +

Is reviewed and approved by ; and

+
+ + +

Protects the configuration management plan from unauthorized disclosure and modification.

+
+ + +

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

+
+
+ +

Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.

+

Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.

+

Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.

+
+ + + + +

a configuration management plan for the system is developed and documented;

+ +
+ + +

a configuration management plan for the system is implemented;

+ +
+ + + + +

the configuration management plan addresses roles;

+ +
+ + +

the configuration management plan addresses responsibilities;

+ +
+ + +

the configuration management plan addresses configuration management processes and procedures;

+ +
+ +
+ + + + +

the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;

+ +
+ + +

the configuration management plan establishes a process for managing the configuration of the configuration items;

+ +
+ +
+ + + + +

the configuration management plan defines the configuration items for the system;

+ +
+ + +

the configuration management plan places the configuration items under configuration management;

+ +
+ +
+ + +

the configuration management plan is reviewed and approved by ;

+ +
+ + + + +

the configuration management plan is protected from unauthorized disclosure;

+ +
+ + +

the configuration management plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing configuration management planning

+

configuration management plan

+

system design documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for developing the configuration management plan

+

organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

+

organizational personnel with responsibilities for protecting the configuration management plan

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for developing and documenting the configuration management plan

+

organizational processes for identifying and managing configuration items

+

organizational processes for protecting the configuration management plan

+

mechanisms implementing the configuration management plan

+

mechanisms for managing configuration items

+

mechanisms for protecting the configuration management plan

+
+
+
+ + Software Usage Restrictions + + + + + + + + + + + + + +

Use software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + +

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + +

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ +

Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.

+
+ + + + +

software and associated documentation are used in accordance with contract agreements and copyright laws;

+ +
+ + +

the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;

+ +
+ + +

the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+ +
+ +
+ + + + +

Configuration management policy

+

software usage restrictions

+

software contract agreements and copyright laws

+

site license documentation

+

list of software usage restrictions

+

software license tracking reports

+

configuration management plan

+

system security plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel operating, using, and/or maintaining the system

+

organizational personnel with software license management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for tracking the use of software protected by quantity licenses

+

organizational processes for controlling/documenting the use of peer-to-peer file sharing technology

+

mechanisms implementing software license tracking

+

mechanisms implementing and controlling the use of peer-to-peer files sharing technology

+
+
+
+ + User-installed Software + + + +

policies governing the installation of software by users are defined;

+
+ + + + +

methods used to enforce software installation policies are defined;

+
+ + + + + +

Continuously (via CM-7 (5))

+
+
+ +

frequency with which to monitor compliance is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Establish governing the installation of software by users;

+
+ + +

Enforce software installation policies through the following methods: ; and

+
+ + +

Monitor policy compliance .

+
+
+ +

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

+
+ + + + +

+ governing the installation of software by users are established;

+ +
+ + +

software installation policies are enforced through ;

+ +
+ + +

compliance with is monitored .

+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing user-installed software

+

configuration management plan

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of rules governing user installed software

+

system monitoring records

+

system audit records

+

continuous monitoring strategy

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for governing user-installed software

+

organizational personnel operating, using, and/or maintaining the system

+

organizational personnel monitoring compliance with user-installed software policy

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes governing user-installed software on the system

+

mechanisms enforcing policies and methods for governing the installation of software by users

+

mechanisms monitoring policy compliance

+
+
+
+ + Information Location + + + +

information for which the location is to be identified and documented is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify and document the location of and the specific system components on which the information is processed and stored;

+
+ + +

Identify and document the users who have access to the system and system components where the information is processed and stored; and

+
+ + +

Document changes to the location (i.e., system or system components) where the information is processed and stored.

+
+ + CM-12 Additional FedRAMP Requirements and Guidance + + +

According to FedRAMP Authorization Boundary Guidance

+
+
+
+ +

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199 ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

+
+ + + + + + +

the location of is identified and documented;

+ +
+ + +

the specific system components on which is processed are identified and documented;

+ +
+ + +

the specific system components on which is stored are identified and documented;

+ +
+ +
+ + + + +

the users who have access to the system and system components where is processed are identified and documented;

+ +
+ + +

the users who have access to the system and system components where is stored are identified and documented;

+ +
+ +
+ + + + +

changes to the location (i.e., system or system components) where is processed are documented;

+ +
+ + +

changes to the location (i.e., system or system components) where is stored are documented.

+ +
+ +
+ +
+ + + + +

Configuration management policy

+

procedures addressing identification and documentation of information location

+

configuration management plan

+

system design documentation

+

system architecture documentation

+

PII inventory documentation

+

data mapping documentation

+

audit records

+

list of users with system and system component access

+

change control records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing information location and user access to information

+

organizational personnel with responsibilities for operating, using, and/or maintaining the system

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes governing information location

+

mechanisms enforcing policies and methods for governing information location

+
+
+ + Automated Tools to Support Information Location + + + + +

Federal data and system data that must be protected at the High or Moderate impact levels

+
+
+ +

information to be protected is defined by information type;

+
+ + + + +

system components where the information is located are defined;

+
+ + + + + + + + +

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

+ + CM-12 (1) Additional FedRAMP Requirements and Guidance + + +

According to FedRAMP Authorization Boundary Guidance.

+
+
+
+ +

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

+
+ + +

automated tools are used to identify on to ensure that controls are in place to protect organizational information and individual privacy.

+ +
+ + + + +

Configuration management policy

+

procedures addressing identification and documentation of information location

+

configuration management plan

+

system design documentation

+

PII inventory documentation

+

data mapping documentation

+

change control records

+

system component inventory

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for managing information location

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Organizational processes governing information location

+

automated mechanisms enforcing policies and methods for governing information location

+

automated tools used to identify information on system components

+
+
+
+
+
+ + Contingency Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the contingency planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current contingency planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current contingency planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ contingency planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

+
+ + +

Review and update the current contingency planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a contingency planning policy is developed and documented;

+ +
+ + +

the contingency planning policy is disseminated to ;

+ +
+ + +

contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;

+ +
+ + +

the contingency planning procedures are disseminated to ;

+ +
+ + + + + + +

the contingency planning policy addresses purpose;

+ +
+ + +

the contingency planning policy addresses scope;

+ +
+ + +

the contingency planning policy addresses roles;

+ +
+ + +

the contingency planning policy addresses responsibilities;

+ +
+ + +

the contingency planning policy addresses management commitment;

+ +
+ + +

the contingency planning policy addresses coordination among organizational entities;

+ +
+ + +

the contingency planning policy addresses compliance;

+ +
+ +
+ + +

the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

+ +
+ + + + + + +

the current contingency planning policy is reviewed and updated ;

+ +
+ + +

the current contingency planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current contingency planning procedures are reviewed and updated ;

+ +
+ + +

the current contingency planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Contingency planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Contingency Plan + + + + + + + + + + + + +

personnel or roles to review a contingency plan is/are defined;

+
+ + + + +

personnel or roles to approve a contingency plan is/are defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

+
+ + + + +

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency of contingency plan review is defined;

+
+ + + + +

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

+
+ + + + +

key contingency organizational elements to communicate changes to are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a contingency plan for the system that:

+ + +

Identifies essential mission and business functions and associated contingency requirements;

+
+ + +

Provides recovery objectives, restoration priorities, and metrics;

+
+ + +

Addresses contingency roles, responsibilities, assigned individuals with contact information;

+
+ + +

Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+
+ + +

Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;

+
+ + +

Addresses the sharing of contingency information; and

+
+ + +

Is reviewed and approved by ;

+
+
+ + +

Distribute copies of the contingency plan to ;

+
+ + +

Coordinate contingency planning activities with incident handling activities;

+
+ + +

Review the contingency plan for the system ;

+
+ + +

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

+
+ + +

Communicate contingency plan changes to ;

+
+ + +

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and

+
+ + +

Protect the contingency plan from unauthorized disclosure and modification.

+
+ + CP-2 Additional FedRAMP Requirements and Guidance + + +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

+
+ + +

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

+
+
+
+ +

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

+

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

+
+ + + + + + +

a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;

+ +
+ + + + +

a contingency plan for the system is developed that provides recovery objectives;

+ +
+ + +

a contingency plan for the system is developed that provides restoration priorities;

+ +
+ + +

a contingency plan for the system is developed that provides metrics;

+ +
+ +
+ + + + +

a contingency plan for the system is developed that addresses contingency roles;

+ +
+ + +

a contingency plan for the system is developed that addresses contingency responsibilities;

+ +
+ + +

a contingency plan for the system is developed that addresses assigned individuals with contact information;

+ +
+ +
+ + +

a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;

+ +
+ + +

a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;

+ +
+ + +

a contingency plan for the system is developed that addresses the sharing of contingency information;

+ +
+ + + + +

a contingency plan for the system is developed that is reviewed by ;

+ +
+ + +

a contingency plan for the system is developed that is approved by ;

+ +
+ +
+ +
+ + + + +

copies of the contingency plan are distributed to ;

+ +
+ + +

copies of the contingency plan are distributed to ;

+ +
+ +
+ + +

contingency planning activities are coordinated with incident handling activities;

+ +
+ + +

the contingency plan for the system is reviewed ;

+ +
+ + + + +

the contingency plan is updated to address changes to the organization, system, or environment of operation;

+ +
+ + +

the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;

+ +
+ +
+ + + + +

contingency plan changes are communicated to ;

+ +
+ + +

contingency plan changes are communicated to ;

+ +
+ +
+ + + + +

lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;

+ +
+ + +

lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;

+ +
+ +
+ + + + +

the contingency plan is protected from unauthorized disclosure;

+ +
+ + +

the contingency plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

evidence of contingency plan reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with incident handling responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan development, review, update, and protection

+

mechanisms for developing, reviewing, updating, and/or protecting the contingency plan

+
+
+ + Coordinate with Related Plans + + + + + + +

Coordinate contingency plan development with organizational elements responsible for related plans.

+
+ +

Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans.

+
+ + +

contingency plan development is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plan

+

insider threat implementation plans

+

occupant emergency plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+

personnel with responsibility for related plans

+
+
+
+ + Resume Mission and Business Functions + + + +

all

+
+
+ + + + + + +

time period defined in service provider and organization SLA

+
+
+ +

the contingency plan activation time period within which to resume mission and business functions is defined;

+
+ + + + + + + +

Plan for the resumption of mission and business functions within of contingency plan activation.

+
+ +

Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.

+
+ + +

the resumption of mission and business functions are planned for within of contingency plan activation.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business impact assessment

+

system security plan

+

privacy plan

+

other related plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+
+
+ + + + +

Organizational processes for resumption of missions and business functions

+
+
+
+ + Identify Critical Assets + + + + + + + + + + + +

Identify critical system assets supporting mission and business functions.

+
+ +

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

+
+ + +

critical system assets supporting mission and business functions are identified.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency operations for the system

+

contingency plan

+

business impact assessment

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+
+
+
+
+ + Contingency Training + + + + +

*See Additional Requirements

+
+
+ +

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide training to system users with a contingency role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update contingency training content is defined;

+
+ + + + +

events necessitating review and update of contingency training are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide contingency training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming a contingency role or responsibility;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update contingency training content and following .

+
+ + CP-3 Additional FedRAMP Requirements and Guidance + + +

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

+
+
+
+ +

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

+
+ + + + + + +

contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

the contingency plan training content is reviewed and updated ;

+ +
+ + +

the contingency plan training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency training

+

contingency plan

+

contingency training curriculum

+

contingency training material

+

contingency training records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, plan implementation, and training responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency training

+
+
+
+ + Contingency Plan Testing + + + + +

functional exercises

+
+
+ + + + + +

at least annually

+
+
+ +

frequency of testing the contingency plan for the system is defined;

+
+ + + + +

tests for determining the effectiveness of the contingency plan are defined;

+
+ + + + +

tests for determining readiness to execute the contingency plan are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

+
+ + +

Review the contingency plan test results; and

+
+ + +

Initiate corrective actions, if needed.

+
+ + CP-4 Additional FedRAMP Requirements and Guidance + + +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

+
+ + +

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

+
+
+
+ +

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

+
+ + + + + + +

the contingency plan for the system is tested ;

+ +
+ + +

+ are used to determine the effectiveness of the plan;

+ +
+ + +

+ are used to determine the readiness to execute the plan;

+ +
+ +
+ + +

the contingency plan test results are reviewed;

+ +
+ + +

corrective actions are initiated, if needed.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing contingency plan testing

+

contingency plan

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for contingency plan testing

+

mechanisms supporting the contingency plan and/or contingency plan testing

+
+
+ + Coordinate with Related Plans + + + + + + + + + +

Coordinate contingency plan testing with organizational elements responsible for related plans.

+
+ +

Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements.

+
+ + +

contingency plan testing is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Contingency planning policy

+

incident response policy

+

procedures addressing contingency plan testing

+

contingency plan testing documentation

+

contingency plan

+

business continuity plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plans

+

occupant emergency plans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan testing responsibilities

+

personnel with responsibilities for related plans

+

organizational personnel with information security responsibilities

+
+
+
+
+ + Alternate Storage Site + + + + + + + + + + + + + + + + + + +

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and

+
+ + +

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

+
+
+ +

Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.

+
+ + + + + + +

an alternate storage site is established;

+ +
+ + +

establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;

+ +
+ +
+ + +

the alternate storage site provides controls equivalent to that of the primary site.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site agreements

+

primary storage site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for storing and retrieving system backup information at the alternate storage site

+

mechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site

+
+
+ + Separation from Primary Site + + + + + + + +

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

+
+ +

Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

+
+ + +

an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

alternate storage site agreements

+

primary storage site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Accessibility + + + + + + + +

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

+
+ + + + +

potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;

+ +
+ + +

explicit mitigation actions to address identified accessibility problems are outlined.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

list of potential accessibility problems to alternate storage site

+

mitigation actions for accessibility problems to alternate storage site

+

organizational risk assessments

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+
+ + Alternate Processing Site + + + +

system operations for essential mission and business functions are defined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions within when the primary processing capabilities are unavailable;

+
+ + +

Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and

+
+ + +

Provide controls at the alternate processing site that are equivalent to those at the primary site.

+
+ + CP-7 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+ +

Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.

+
+ + + + +

an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions, is established within when the primary processing capabilities are unavailable;

+ +
+ + + + +

the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for transfer;

+ +
+ + +

the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for resumption;

+ +
+ +
+ + +

controls provided at the alternate processing site are equivalent to those at the primary site.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

primary processing site agreements

+

spare equipment and supplies inventory at alternate processing site

+

equipment and supply contracts

+

service-level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for recovery at the alternate site

+

mechanisms supporting and/or implementing recovery at the alternate processing site

+
+
+ + Separation from Primary Site + + + + + + + +

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

+ + CP-7 (1) Additional FedRAMP Requirements and Guidance + + +

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

+
+
+
+ +

Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.

+
+ + +

an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Accessibility + + + + + + + +

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.

+
+ + + + +

potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;

+ +
+ + +

explicit mitigation actions to address identified accessibility problems are outlined.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Priority of Service + + + + + + +

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

+
+ +

Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.

+
+ + +

alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

service-level agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+
+
+ + Telecommunications Services + + + +

system operations to be resumed for essential mission and business functions are defined;

+
+ + + + +

time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;

+
+ + + + + + + + + + + + +

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+ + CP-8 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+ +

Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8 . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

+
+ + +

alternate telecommunications services, including necessary agreements to permit the resumption of , are established for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with knowledge of requirements for mission and business functions

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+ + + + +

Mechanisms supporting telecommunications

+
+
+ + Priority of Service Provisions + + + + + + + + +

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and

+
+ + +

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

+
+
+ +

Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.

+
+ + + + + + +

primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;

+ +
+ + +

alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;

+ +
+ +
+ + +

Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

Telecommunications Service Priority documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+ + + + +

Mechanisms supporting telecommunications

+
+
+
+ + Single Points of Failure + + + + + + +

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

+
+ +

In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.

+
+ + +

alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with system recovery responsibilities

+

primary and alternate telecommunications service providers

+

organizational personnel with information security responsibilities

+
+
+
+
+ + System Backup + + + +

system components for which to conduct backups of user-level information is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

+
+ + + + + +

daily incremental; weekly full

+
+
+ +

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Conduct backups of user-level information contained in + ;

+
+ + +

Conduct backups of system-level information contained in the system ;

+
+ + +

Conduct backups of system documentation, including security- and privacy-related documentation ; and

+
+ + +

Protect the confidentiality, integrity, and availability of backup information.

+
+ + CP-9 Additional FedRAMP Requirements and Guidance + + +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

+
+ + +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

+
+
+
+ +

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

backups of user-level information contained in are conducted ;

+ +
+ + +

backups of system-level information contained in the system are conducted ;

+ +
+ + +

backups of system documentation, including security- and privacy-related documentation are conducted ;

+ +
+ + + + +

the confidentiality of backup information is protected;

+ +
+ + +

the integrity of backup information is protected;

+ +
+ + +

the availability of backup information is protected.

+ +
+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

backup storage location(s)

+

system backup logs or records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+ + Testing for Reliability and Integrity + + + + +

at least annually

+
+
+ + + + +

frequency at which to test backup information for media reliability is defined;

+
+ + + + +

frequency at which to test backup information for information integrity is defined;

+
+ + + + + + + + +

Test backup information to verify media reliability and information integrity.

+
+ +

Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.

+
+ + + + +

backup information is tested to verify media reliability;

+ +
+ + +

backup information is tested to verify information integrity.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test documentation

+

contingency plan test results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for conducting system backups

+

mechanisms supporting and/or implementing system backups

+
+
+
+ + Cryptographic Protection + + + + +

all backup files

+
+
+ +

backup information to protect against unauthorized disclosure and modification is defined;

+
+ + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

+ + CP-9 (8) Additional FedRAMP Requirements and Guidance + + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+
+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

+
+ + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of .

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system backup responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection of backup information

+
+
+
+
+ + System Recovery and Reconstitution + + + + + + +

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

+
+ + + + +

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

+
+ + + + + + + + + + + + + + + + +

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

+
+ +

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

+
+ + + + +

the recovery of the system to a known state is provided within after a disruption, compromise, or failure;

+ +
+ + +

a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.

+ +
+ +
+ + + + +

Contingency planning policy

+

procedures addressing system backup

+

contingency plan

+

system backup test results

+

contingency plan test results

+

contingency plan test documentation

+

redundant secondary system for system backups

+

location(s) of redundant secondary backup system(s)

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes implementing system recovery and reconstitution operations

+

mechanisms supporting and/or implementing system recovery and reconstitution operations

+
+
+ + Transaction Recovery + + + + + + +

Implement transaction recovery for systems that are transaction-based.

+
+ +

Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.

+
+ + +

transaction recovery is implemented for systems that are transaction-based.

+ +
+ + + + +

Contingency planning policy

+

procedures addressing system recovery and reconstitution

+

contingency plan

+

system design documentation

+

system configuration settings and associated documentation

+

contingency plan test documentation

+

contingency plan test results

+

system transaction recovery records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for transaction recovery

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing transaction recovery capability

+
+
+
+
+
+ + Identification and Authentication + + Policy and Procedures + + + + + + +

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

+
+ + + + +

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the identification and authentication policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current identification and authentication policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require identification and authentication procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ identification and authentication policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

+
+ + +

Review and update the current identification and authentication:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an identification and authentication policy is developed and documented;

+ +
+ + +

the identification and authentication policy is disseminated to ;

+ +
+ + +

identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;

+ +
+ + +

the identification and authentication procedures are disseminated to ;

+ +
+ + + + + + +

the identification and authentication policy addresses purpose;

+ +
+ + +

the identification and authentication policy addresses scope;

+ +
+ + +

the identification and authentication policy addresses roles;

+ +
+ + +

the identification and authentication policy addresses responsibilities;

+ +
+ + +

the identification and authentication policy addresses management commitment;

+ +
+ + +

the identification and authentication policy addresses coordination among organizational entities;

+ +
+ + +

the identification and authentication policy addresses compliance;

+ +
+ +
+ + +

the identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;

+ +
+ + + + + + +

the current identification and authentication policy is reviewed and updated ;

+ +
+ + +

the current identification and authentication policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current identification and authentication procedures are reviewed and updated ;

+ +
+ + +

the current identification and authentication procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Identification and authentication policy and procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

list of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identification and authentication responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Identification and Authentication (Organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

+ + IA-2 Additional FedRAMP Requirements and Guidance + + +

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

+
+ + +

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

+
+
+
+ +

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

+

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

+

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

+
+ + + + +

organizational users are uniquely identified and authenticated;

+ +
+ + +

the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan, system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for uniquely identifying and authenticating users

+

mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Multi-factor Authentication to Privileged Accounts + + + + + + + + +

Implement multi-factor authentication for access to privileged accounts.

+ + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication is implemented for access to privileged accounts.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Multi-factor Authentication to Non-privileged Accounts + + + + + + + +

Implement multi-factor authentication for access to non-privileged accounts.

+ + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

+
+ + +

Multi-factor authentication must be phishing-resistant.

+
+ + +

Multi-factor authentication to subsequent components in the same user domain is not required.

+
+
+
+ +

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.

+
+ + +

multi-factor authentication for access to non-privileged accounts is implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing a multi-factor authentication capability

+
+
+
+ + Individual Authentication with Group Authentication + + + + + + + +

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

+
+ +

Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.

+
+ + +

users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing an authentication capability for group accounts

+
+
+
+ + Access to Accounts —separate Device + + + +

local, network and remote

+
+
+ + + + + +

privileged accounts; non-privileged accounts

+
+
+ + + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;

+
+ + + + + + + + +

Implement multi-factor authentication for access to such that:

+ + +

One of the factors is provided by a device separate from the system gaining access; and

+
+ + +

The device meets .

+
+ + IA-2 (6) Additional FedRAMP Requirements and Guidance + + +

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

+
+ + +

See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

+
+
+
+ +

The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.

+
+ + + + +

multi-factor authentication is implemented for access to such that one of the factors is provided by a device separate from the system gaining access;

+ +
+ + +

multi-factor authentication is implemented for access to such that the device meets .

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing multi-factor authentication capability

+
+
+
+ + Access to Accounts — Replay Resistant + + + +

privileged accounts; non-privileged accounts

+
+
+ + + + + + + + +

Implement replay-resistant authentication mechanisms for access to .

+
+ +

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

+
+ + +

replay-resistant authentication mechanisms for access to are implemented.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of privileged system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

Mechanisms supporting and/or implementing replay-resistant authentication mechanisms

+
+
+
+ + Acceptance of PIV Credentials + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials.

+ + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+ +

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

+
+ + +

Personal Identity Verification-compliant credentials are accepted and electronically verified.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing acceptance and verification of PIV credentials

+
+
+
+
+ + Device Identification and Authentication + + + +

devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;

+
+ + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate before establishing a connection.

+
+ +

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.

+
+ + +

+ are uniquely identified and authenticated before establishing a connection.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing device identification and authentication

+

system design documentation

+

list of devices requiring unique identification and authentication

+

device connection reports

+

system configuration settings and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with operational responsibilities for device identification and authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing device identification and authentication capabilities

+
+
+
+ + Identifier Management + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles from whom authorization must be received to assign an identifier are defined;

+
+ + + + + +

at least two (2) years

+
+
+ +

a time period for preventing reuse of identifiers is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system identifiers by:

+ + +

Receiving authorization from to assign an individual, group, role, service, or device identifier;

+
+ + +

Selecting an identifier that identifies an individual, group, role, service, or device;

+
+ + +

Assigning the identifier to the intended individual, group, role, service, or device; and

+
+ + +

Preventing reuse of identifiers for .

+
+
+ +

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

+
+ + + + +

system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;

+ +
+ + +

system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;

+ +
+ + +

system identifiers are managed by preventing reuse of identifiers for .

+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identifier management

+

procedures addressing account management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of system accounts

+

list of identifiers generated from physical access control devices

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing identifier management

+
+
+ + Identify User Status + + + + +

contractors; foreign nationals

+
+
+ +

characteristics used to identify individual status is defined;

+
+ + + + + + + +

Manage individual identifiers by uniquely identifying each individual as .

+
+ +

Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

+
+ + +

individual identifiers are managed by uniquely identifying each individual as .

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing identifier management

+

procedures addressing account management

+

list of characteristics identifying individual status

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing identifier management

+
+
+
+
+ + Authenticator Management + + + +

a time period for changing or refreshing authenticators by authenticator type is defined;

+
+ + + + +

events that trigger the change or refreshment of authenticators are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage system authenticators by:

+ + +

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

+
+ + +

Establishing initial authenticator content for any authenticators issued by the organization;

+
+ + +

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + +

Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

+
+ + +

Changing default authenticators prior to first use;

+
+ + +

Changing or refreshing authenticators or when occur;

+
+ + +

Protecting authenticator content from unauthorized disclosure and modification;

+
+ + +

Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

+
+ + +

Changing authenticators for group or role accounts when membership to those accounts changes.

+
+ + IA-5 Additional FedRAMP Requirements and Guidance + + +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

+
+ + +

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

+
+
+
+ +

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

+

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

+
+ + + + +

system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;

+ +
+ + +

system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;

+ +
+ + +

system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;

+ +
+ + +

system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;

+ +
+ + +

system authenticators are managed through the change of default authenticators prior to first use;

+ +
+ + +

system authenticators are managed through the change or refreshment of authenticators or when occur;

+ +
+ + +

system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;

+ +
+ + + + +

system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;

+ +
+ + +

system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;

+ +
+ +
+ + +

system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

addressing authenticator management

+

system design documentation

+

system configuration settings and associated documentation

+

list of system authenticator types

+

change control records associated with managing system authenticators

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+
+
+ + Password-based Authentication + + + +

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

+
+ + + + +

authenticator composition and complexity rules are defined;

+
+ + + + + + + + + +

For password-based authentication:

+ + +

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

+
+ + +

Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

+
+ + +

Transmit passwords only over cryptographically-protected channels;

+
+ + +

Store passwords using an approved salted key derivation function, preferably using a keyed hash;

+
+ + +

Require immediate selection of a new password upon account recovery;

+
+ + +

Allow user selection of long passwords and passphrases, including spaces and all printable characters;

+
+ + +

Employ automated tools to assist the user in selecting strong password authenticators; and

+
+ + +

Enforce the following composition and complexity rules: .

+
+ + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

+
+ + +

For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

+

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

+
+ + +

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

+
+
+
+ +

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.

+
+ + + + +

for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly;

+ +
+ + +

for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);

+ +
+ + +

for password-based authentication, passwords are only transmitted over cryptographically protected channels;

+ +
+ + +

for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;

+ +
+ + +

for password-based authentication, immediate selection of a new password is required upon account recovery;

+ +
+ + +

for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;

+ +
+ + +

for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;

+ +
+ + +

for password-based authentication, are enforced.

+ +
+ +
+ + + + +

Identification and authentication policy

+

password policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

password configurations and associated documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing password-based authenticator management capability

+
+
+
+ + Public Key-based Authentication + + + + + + + + + + +

For public key-based authentication:

+ + +

Enforce authorized access to the corresponding private key; and

+
+ + +

Map the authenticated identity to the account of the individual or group; and

+
+
+ + +

When public key infrastructure (PKI) is used:

+ + +

Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and

+
+ + +

Implement a local cache of revocation data to support path discovery and validation.

+
+
+
+ +

Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.

+
+ + + + + + +

authorized access to the corresponding private key is enforced for public key-based authentication;

+ +
+ + +

the authenticated identity is mapped to the account of the individual or group for public key-based authentication;

+ +
+ +
+ + + + +

when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;

+ +
+ + +

when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

PKI certification validation records

+

PKI certification revocation lists

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with PKI-based, authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing PKI-based, authenticator management capability

+
+
+
+ + Protection of Authenticators + + + + + + + +

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

+
+ +

For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.

+
+ + +

authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing authenticator management

+

security categorization documentation for the system

+

security assessments of authenticator protections

+

risk assessment results

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel implementing and/or maintaining authenticator protections

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+

mechanisms protecting authenticators

+
+
+
+ + No Embedded Unencrypted Static Authenticators + + + + + + +

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

+ + IA-5 (7) Additional FedRAMP Requirements and Guidance + + +

In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

+
+
+
+ +

In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.

+
+ + +

unencrypted static authenticators are not embedded in applications or other forms of static storage.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator management

+

system design documentation

+

system configuration settings and associated documentation

+

logical access scripts

+

application code reviews for detecting unencrypted static authenticators

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing authenticator management capability

+

mechanisms implementing authentication in applications

+
+
+
+
+ + Authentication Feedback + + + + + + +

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+
+ +

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

+
+ + +

the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing authenticator feedback

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

+
+
+
+ + Cryptographic Module Authentication + + + + + + + + + + + +

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+
+ +

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

+
+ + +

mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing cryptographic module authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for cryptographic module authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic module authentication

+
+
+
+ + Identification and Authentication (Non-organizational Users) + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

+
+ +

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

+
+ + +

non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

privacy plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of system accounts

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Acceptance of PIV Credentials from Other Agencies + + + + + + + +

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

+
+ +

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

+
+ + + + +

Personal Identity Verification-compliant credentials from other federal agencies are accepted;

+ +
+ + +

Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.

+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept and verify PIV credentials

+
+
+
+ + Acceptance of External Authenticators + + + + + + + + +

Accept only external authenticators that are NIST-compliant; and

+
+ + +

Document and maintain a list of accepted external authenticators.

+
+
+ +

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

+
+ + + + +

only external authenticators that are NIST-compliant are accepted;

+ +
+ + + + +

a list of accepted external authenticators is documented;

+ +
+ + +

a list of accepted external authenticators is maintained.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

procedures addressing user identification and authentication

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

list of third-party credentialing products, components, or services procured and implemented by organization

+

third-party credential verification records

+

evidence of third-party credentials

+

third-party credential authorizations

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms that accept external credentials

+
+
+
+ + Use of Defined Profiles + + + +

identity management profiles are defined;

+
+ + + + + + + +

Conform to the following profiles for identity management .

+
+ +

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+ + +

there is conformance with for identity management.

+ +
+ + + + +

Identification and authentication policy

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+

mechanisms supporting and/or implementing conformance with profiles

+
+
+
+
+ + Re-authentication + + + +

circumstances or situations requiring re-authentication are defined;

+
+ + + + + + + + + + + + + +

Require users to re-authenticate when .

+ + IA-11 Additional FedRAMP Requirements and Guidance + + +

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

+
    +
  • AAL2 (moderate baseline)
      +
    • 12 hours or
    • +
    • 30 minutes of inactivity
    • +
    +
  • +
+
+
+
+ +

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

+
+ + +

users are required to re-authenticate when .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing user and device re-authentication

+

system security plan

+

system design documentation

+

system configuration settings and associated documentation

+

list of circumstances or situations requiring re-authentication

+

system audit records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Identity Proofing + + + + + + + + + + + + + + + + + + + + +

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;

+
+ + +

Resolve user identities to a unique individual; and

+
+ + +

Collect, validate, and verify identity evidence.

+
+ + IA-12 Additional FedRAMP Requirements and Guidance + + +

In accordance with NIST SP 800-63A Enrollment and Identity Proofing

+
+
+
+ +

Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+
+ + + + +

users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;

+ +
+ + +

user identities are resolved to a unique individual;

+ +
+ + + + +

identity evidence is collected;

+ +
+ + +

identity evidence is validated;

+ +
+ + +

identity evidence is verified.

+ +
+ +
+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security and privacy responsibilities

+

legal counsel

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+ + Identity Evidence + + + + + + +

Require evidence of individual identification be presented to the registration authority.

+
+ +

Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account.

+
+ + +

evidence of individual identification is presented to the registration authority.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Identity Evidence Validation and Verification + + + +

methods of validation and verification of identity evidence are defined;

+
+ + + + + + + +

Require that the presented identity evidence be validated and verified through .

+
+ +

Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account.

+
+ + +

the presented identity evidence is validated and verified through .

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+ + Address Confirmation + + + + + + + + + + +

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

+ + IA-12 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with NIST SP 800-63A Enrollment and Identity Proofing

+
+
+
+ +

To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.

+
+ + +

a is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.

+ +
+ + + + +

Identification and authentication policy

+

procedures addressing identity proofing

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with identification and authentication responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing identification and authentication capabilities

+
+
+
+
+
+ + Incident Response + + Policy and Procedures + + + + + + +

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the incident response policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current incident response policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current incident response policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current incident response procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the incident response procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ incident response policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

+
+ + +

Review and update the current incident response:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

an incident response policy is developed and documented;

+ +
+ + +

the incident response policy is disseminated to ;

+ +
+ + +

incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;

+ +
+ + +

the incident response procedures are disseminated to ;

+ +
+ + + + + + +

the incident response policy addresses purpose;

+ +
+ + +

the incident response policy addresses scope;

+ +
+ + +

the incident response policy addresses roles;

+ +
+ + +

the incident response policy addresses responsibilities;

+ +
+ + +

the incident response policy addresses management commitment;

+ +
+ + +

the incident response policy addresses coordination among organizational entities;

+ +
+ + +

the incident response policy addresses compliance;

+ +
+ +
+ + +

the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

+ +
+ + + + + + +

the current incident response policy is reviewed and updated ;

+ +
+ + +

the current incident response policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current incident response procedures are reviewed and updated ;

+ +
+ + +

the current incident response procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Incident response policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Incident Response Training + + + + +

ten (10) days for privileged users, thirty (30) days for Incident Response roles

+
+
+ +

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to provide incident response training to users is defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to review and update incident response training content is defined;

+
+ + + + +

events that initiate a review of the incident response training content are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Provide incident response training to system users consistent with assigned roles and responsibilities:

+ + +

Within of assuming an incident response role or responsibility or acquiring system access;

+
+ + +

When required by system changes; and

+
+ + +

+ thereafter; and

+
+
+ + +

Review and update incident response training content and following .

+
+
+ +

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;

+ +
+ + +

incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;

+ +
+ +
+ + + + +

incident response training content is reviewed and updated ;

+ +
+ + +

incident response training content is reviewed and updated following .

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

privacy plan

+

incident response plan

+

incident response training records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Incident Response Testing + + + + +

functional, at least annually

+
+
+ +

frequency at which to test the effectiveness of the incident response capability for the system is defined;

+
+ + + + +

tests used to test the effectiveness of the incident response capability for the system are defined;

+
+ + + + + + + + + + + + + + + + +

Test the effectiveness of the incident response capability for the system using the following tests: .

+ + IR-3-2 Additional FedRAMP Requirements and Guidance + + +

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

+
+
+
+ +

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

+
+ + +

the effectiveness of the incident response capability for the system is tested using .

+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

procedures addressing contingency plan testing

+

incident response testing material

+

incident response test results

+

incident response test plan

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + Coordination with Related Plans + + + + + + + +

Coordinate incident response testing with organizational elements responsible for related plans.

+
+ +

Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.

+
+ + +

incident response testing is coordinated with organizational elements responsible for related plans.

+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

incident response testing documentation

+

incident response plan

+

business continuity plans

+

contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

occupant emergency plans

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with responsibilities for testing organizational plans related to incident response testing

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Incident Handling + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;

+
+ + +

Coordinate incident handling activities with contingency planning activities;

+
+ + +

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and

+
+ + +

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

+
+ + IR-4 Additional FedRAMP Requirements and Guidance + + +

The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

+
+ + +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+ +

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

+
+ + + + + + +

an incident handling capability for incidents is implemented that is consistent with the incident response plan;

+ +
+ + +

the incident handling capability for incidents includes preparation;

+ +
+ + +

the incident handling capability for incidents includes detection and analysis;

+ +
+ + +

the incident handling capability for incidents includes containment;

+ +
+ + +

the incident handling capability for incidents includes eradication;

+ +
+ + +

the incident handling capability for incidents includes recovery;

+ +
+ +
+ + +

incident handling activities are coordinated with contingency planning activities;

+ +
+ + + + +

lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;

+ +
+ + +

the changes resulting from the incorporated lessons learned are implemented accordingly;

+ +
+ +
+ + + + +

the rigor of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the intensity of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the scope of incident handling activities is comparable and predictable across the organization;

+ +
+ + +

the results of incident handling activities are comparable and predictable across the organization.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

contingency planning policy

+

procedures addressing incident handling

+

incident response plan

+

contingency plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with contingency planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident handling capability for the organization

+
+
+ + Automated Incident Handling Processes + + + +

automated mechanisms used to support the incident handling process are defined;

+
+ + + + + + + +

Support the incident handling process using .

+
+ +

Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.

+
+ + +

the incident handling process is supported using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident handling

+

automated mechanisms supporting incident handling

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms that support and/or implement the incident handling process

+
+
+
+
+ + Incident Monitoring + + + + + + + + + + + + + + + + + + + +

Track and document incidents.

+
+ +

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

+
+ + + + +

incidents are tracked;

+ +
+ + +

incidents are documented.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident monitoring

+

incident response records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident monitoring responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Incident monitoring capability for the organization

+

mechanisms supporting and/or implementing the tracking and documenting of system security incidents

+
+
+
+ + Incident Reporting + + + + +

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

+
+
+ +

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

+
+ + + + +

authorities to whom incident information is to be reported are defined;

+
+ + + + + + + + + + + + + + + + + + +

Require personnel to report suspected incidents to the organizational incident response capability within ; and

+
+ + +

Report incident information to .

+
+ + IR-6 Additional FedRAMP Requirements and Guidance + + +

Reports security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+ +

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

+
+ + + + +

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

+ +
+ + +

incident information is reported to .

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

incident reporting records and documentation

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

personnel who have/should have reported incidents

+

personnel (authorities) to whom incident information is to be reported

+

system users

+
+
+ + + + +

Organizational processes for incident reporting

+

mechanisms supporting and/or implementing incident reporting

+
+
+ + Automated Reporting + + + +

automated mechanisms used for reporting incidents are defined;

+
+ + + + + + + + +

Report incidents using .

+
+ +

The recipients of incident reports are specified in IR-6b . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

+
+ + +

incidents are reported using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident reporting

+

automated mechanisms supporting incident reporting

+

system design documentation

+

system configuration settings and associated documentation

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for incident reporting

+

automated mechanisms supporting and/or implementing the reporting of security incidents

+
+
+
+ + Supply Chain Coordination + + + + + + + +

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

+
+ +

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

+
+ + +

incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

+ +
+ + + + +

Incident response policy

+

procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council

+

acquisition policy

+

acquisition contracts

+

service-level agreements

+

incident response plan

+

supply chain risk management plan

+

system security plan

+

plans of other organizations involved in supply chain activities

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organization personnel with acquisition responsibilities

+
+
+ + + + +

Organizational processes for incident reporting

+

organizational processes for supply chain risk information sharing

+

mechanisms supporting and/or implementing the reporting of incident information involved in the supply chain

+
+
+
+
+ + Incident Response Assistance + + + + + + + + + + + + + + + + +

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

+
+ +

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

+
+ + + + +

an incident response support resource, integral to the organizational incident response capability, is provided;

+ +
+ + +

the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response assistance

+

incident response plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response assistance and support responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for incident response assistance

+

mechanisms supporting and/or implementing incident response assistance

+
+
+ + Automation Support for Availability of Information and Support + + + +

automated mechanisms used to increase the availability of incident response information and support are defined;

+
+ + + + + + + +

Increase the availability of incident response information and support using .

+
+ +

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

+
+ + +

the availability of incident response information and support is increased using .

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response assistance

+

automated mechanisms supporting incident response support and assistance

+

system design documentation

+

system configuration settings and associated documentation

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response support and assistance responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for incident response assistance

+

automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

+
+
+
+
+ + Incident Response Plan + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ + + + +

personnel or roles that review and approve the incident response plan is/are identified;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and approve the incident response plan is defined;

+
+ + + + +

entities, personnel, or roles with designated responsibility for incident response are defined;

+
+ + + + + +

see additional FedRAMP Requirements and Guidance

+
+
+ +

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

+
+ + + + +

organizational elements to which copies of the incident response plan are to be distributed are defined;

+
+ + + + +

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

+
+ + + + +

organizational elements to which changes to the incident response plan are communicated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop an incident response plan that:

+ + +

Provides the organization with a roadmap for implementing its incident response capability;

+
+ + +

Describes the structure and organization of the incident response capability;

+
+ + +

Provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + +

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

+
+ + +

Defines reportable incidents;

+
+ + +

Provides metrics for measuring the incident response capability within the organization;

+
+ + +

Defines the resources and management support needed to effectively maintain and mature an incident response capability;

+
+ + +

Addresses the sharing of incident information;

+
+ + +

Is reviewed and approved by + ; and

+
+ + +

Explicitly designates responsibility for incident response to .

+
+
+ + +

Distribute copies of the incident response plan to ;

+
+ + +

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+
+ + +

Communicate incident response plan changes to ; and

+
+ + +

Protect the incident response plan from unauthorized disclosure and modification.

+
+ + IR-8 Additional FedRAMP Requirements and Guidance + + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+ + +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+
+
+ +

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

+
+ + + + + + +

an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;

+ +
+ + +

an incident response plan is developed that describes the structure and organization of the incident response capability;

+ +
+ + +

an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;

+ +
+ + +

an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;

+ +
+ + +

an incident response plan is developed that defines reportable incidents;

+ +
+ + +

an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;

+ +
+ + +

an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;

+ +
+ + +

an incident response plan is developed that addresses the sharing of incident information;

+ +
+ + +

an incident response plan is developed that is reviewed and approved by + ;

+ +
+ + +

an incident response plan is developed that explicitly designates responsibility for incident response to .

+ +
+ +
+ + + + +

copies of the incident response plan are distributed to ;

+ +
+ + +

copies of the incident response plan are distributed to ;

+ +
+ +
+ + +

the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

+ +
+ + + + +

incident response plan changes are communicated to ;

+ +
+ + +

incident response plan changes are communicated to ;

+ +
+ +
+ + + + +

the incident response plan is protected from unauthorized disclosure;

+ +
+ + +

the incident response plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing incident response planning

+

incident response plan

+

system security plan

+

privacy plan

+

records of incident response plan reviews and approvals

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational incident response plan and related organizational processes

+
+
+
+ + Information Spillage Response + + + +

personnel or roles assigned the responsibility for responding to information spills is/are defined;

+
+ + + + +

personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;

+
+ + + + +

actions to be performed are defined;

+
+ + + + + + + + + + + + + + +

Respond to information spills by:

+ + +

Assigning with responsibility for responding to information spills;

+
+ + +

Identifying the specific information involved in the system contamination;

+
+ + +

Alerting of the information spill using a method of communication not associated with the spill;

+
+ + +

Isolating the contaminated system or system component;

+
+ + +

Eradicating the information from the contaminated system or component;

+
+ + +

Identifying other systems or system components that may have been subsequently contaminated; and

+
+ + +

Performing the following additional actions: .

+
+
+ +

Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

+
+ + + + +

+ is/are assigned the responsibility to respond to information spills;

+ +
+ + +

the specific information involved in the system contamination is identified in response to information spills;

+ +
+ + +

+ is/are alerted of the information spill using a method of communication not associated with the spill;

+ +
+ + +

the contaminated system or system component is isolated in response to information spills;

+ +
+ + +

the information is eradicated from the contaminated system or component in response to information spills;

+ +
+ + +

other systems or system components that may have been subsequently contaminated are identified in response to information spills;

+ +
+ + +

+ are performed in response to information spills.

+ +
+ +
+ + + + +

Incident response policy

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

records of information spillage alerts/notifications

+

list of personnel who should receive alerts of information spillage

+

list of actions to be performed regarding information spillage

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for information spillage response

+

mechanisms supporting and/or implementing information spillage response actions and related communications

+
+
+ + Training + + + + +

at least annually

+
+
+ +

frequency at which to provide information spillage response training is defined;

+
+ + + + + + + + + + + +

Provide information spillage response training .

+
+ +

Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur.

+
+ + +

information spillage response training is provided .

+ +
+ + + + +

Incident response policy

+

procedures addressing information spillage response training

+

information spillage response training curriculum

+

information spillage response training materials

+

incident response plan

+

system security plan

+

information spillage response training records

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response training responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Post-spill Operations + + + +

procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;

+
+ + + + + + + +

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: .

+
+ +

Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.

+
+ + +

+ are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for post-spill operations

+
+
+
+ + Exposure to Unauthorized Personnel + + + +

controls employed for personnel exposed to information not within assigned access authorizations are defined;

+
+ + + + + + + +

Employ the following controls for personnel exposed to information not within assigned access authorizations: .

+
+ +

Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.

+
+ + +

+ are employed for personnel exposed to information not within assigned access authorizations.

+ +
+ + + + +

Incident response policy

+

procedures addressing incident response

+

procedures addressing information spillage

+

incident response plan

+

system security plan

+

security safeguards regarding information spillage/exposure to unauthorized personnel

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for dealing with information exposed to unauthorized personnel

+

mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

+
+
+
+
+
+ + Maintenance + + Policy and Procedures + + + + + + +

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the maintenance policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current maintenance policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current maintenance policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current maintenance procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the maintenance procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ maintenance policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

+
+ + +

Review and update the current maintenance:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a maintenance policy is developed and documented;

+ +
+ + +

the maintenance policy is disseminated to ;

+ +
+ + +

maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;

+ +
+ + +

the maintenance procedures are disseminated to ;

+ +
+ + + + + + +

the maintenance policy addresses purpose;

+ +
+ + +

the maintenance policy addresses scope;

+ +
+ + +

the maintenance policy addresses roles;

+ +
+ + +

the maintenance policy addresses responsibilities;

+ +
+ + +

the maintenance policy addresses management commitment;

+ +
+ + +

the maintenance policy addresses coordination among organizational entities;

+ +
+ + +

the maintenance policy addresses compliance;

+ +
+ +
+ + +

the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

+ +
+ + + + + + +

the current maintenance policy is reviewed and updated ;

+ +
+ + +

the current maintenance policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current maintenance procedures are reviewed and updated ;

+ +
+ + +

the current maintenance procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Maintenance policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with maintenance responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Controlled Maintenance + + + +

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

+
+ + + + +

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

+
+ + + + +

information to be included in organizational maintenance records is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

+
+ + +

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

+
+ + +

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+
+ + +

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

+
+ + +

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

+
+ + +

Include the following information in organizational maintenance records: .

+
+
+ +

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

+
+ + + + + + +

maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ + +

records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;

+ +
+ +
+ + + + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;

+ +
+ + +

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;

+ +
+ +
+ + +

+ is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

+ +
+ + +

all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;

+ +
+ + +

+ is included in organizational maintenance records.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing controlled system maintenance

+

maintenance records

+

manufacturer/vendor maintenance specifications

+

equipment sanitization records

+

media sanitization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system

+

organizational processes for sanitizing system components

+

mechanisms supporting and/or implementing controlled maintenance

+

mechanisms implementing the sanitization of system components

+
+
+
+ + Maintenance Tools + + + + +

at least annually

+
+
+ +

frequency at which to review previously approved system maintenance tools is defined;

+
+ + + + + + + + + + + +

Approve, control, and monitor the use of system maintenance tools; and

+
+ + +

Review previously approved system maintenance tools .

+
+
+ +

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, + ls, + ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

+
+ + + + + + +

the use of system maintenance tools is approved;

+ +
+ + +

the use of system maintenance tools is controlled;

+ +
+ + +

the use of system maintenance tools is monitored;

+ +
+ +
+ + +

previously approved system maintenance tools are reviewed .

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for approving, controlling, and monitoring maintenance tools

+

mechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools

+
+
+ + Inspect Tools + + + + + + + +

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

+
+ +

Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

+
+ + +

maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance tool inspection records

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for inspecting maintenance tools

+

mechanisms supporting and/or implementing the inspection of maintenance tools

+
+
+
+ + Inspect Media + + + + + + + +

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

+
+ +

If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

+
+ + +

media containing diagnostic and test programs are checked for malicious code before the media are used in the system.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for inspecting media for malicious code

+

mechanisms supporting and/or implementing the inspection of media used for maintenance

+
+
+
+ + Prevent Unauthorized Removal + + + + +

the information owner

+
+
+ +

personnel or roles who can authorize removal of equipment from the facility is/are defined;

+
+ + + + + + + + +

Prevent the removal of maintenance equipment containing organizational information by:

+ + +

Verifying that there is no organizational information contained on the equipment;

+
+ + +

Sanitizing or destroying the equipment;

+
+ + +

Retaining the equipment within the facility; or

+
+ + +

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+
+
+ +

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

+
+ + + + +

the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or

+ +
+ + +

the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance tools

+

system maintenance tools and associated documentation

+

maintenance records

+

equipment sanitization records

+

media sanitization records

+

exemptions for equipment removal

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+
+
+ + + + +

Organizational process for preventing unauthorized removal of information

+

mechanisms supporting media sanitization or destruction of equipment

+

mechanisms supporting verification of media sanitization

+
+
+
+
+ + Nonlocal Maintenance + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Approve and monitor nonlocal maintenance and diagnostic activities;

+
+ + +

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

+
+ + +

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + +

Maintain records for nonlocal maintenance and diagnostic activities; and

+
+ + +

Terminate session and network connections when nonlocal maintenance is completed.

+
+
+ +

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

+
+ + + + + + +

nonlocal maintenance and diagnostic activities are approved;

+ +
+ + +

nonlocal maintenance and diagnostic activities are monitored;

+ +
+ +
+ + + + +

the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;

+ +
+ + +

the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;

+ +
+ +
+ + +

strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;

+ +
+ + +

records for nonlocal maintenance and diagnostic activities are maintained;

+ +
+ + + + +

session connections are terminated when nonlocal maintenance is completed;

+ +
+ + +

network connections are terminated when nonlocal maintenance is completed.

+ +
+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing nonlocal system maintenance

+

remote access policy

+

remote access procedures

+

system design documentation

+

system configuration settings and associated documentation

+

maintenance records

+

records of remote access

+

diagnostic records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing nonlocal maintenance

+

mechanisms implementing, supporting, and/or managing nonlocal maintenance

+

mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

+

mechanisms for terminating nonlocal maintenance sessions and network connections

+
+
+
+ + Maintenance Personnel + + + + + + + + + + + + + + + + + + + +

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

+
+ + +

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

+
+ + +

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ +

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+
+ + + + + + +

a process for maintenance personnel authorization is established;

+ +
+ + +

a list of authorized maintenance organizations or personnel is maintained;

+ +
+ +
+ + +

non-escorted personnel performing maintenance on the system possess the required access authorizations;

+ +
+ + +

organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

service provider contracts

+

service-level agreements

+

list of authorized personnel

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for authorizing and managing maintenance personnel

+

mechanisms supporting and/or implementing authorization of maintenance personnel

+
+
+ + Individuals Without Appropriate Access + + + +

alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;

+
+ + + + + + + + + + + +

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

+ + +

Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and

+
+ + +

Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

+
+
+ + +

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

+
+ + MA-5 (1) Additional FedRAMP Requirements and Guidance + + +

Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

+
+
+
+ +

Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.

+
+ + + + + + +

procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;

+ +
+ + +

procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;

+ +
+ +
+ + +

+ are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.

+ +
+ +
+ + + + +

Maintenance policy

+

procedures addressing maintenance personnel

+

system media protection policy

+

physical and environmental protection policy

+

list of maintenance personnel requiring escort/supervision

+

maintenance records

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with personnel security responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+
+ + + + +

Organizational processes for managing maintenance personnel without appropriate access

+

mechanisms supporting and/or implementing alternative security safeguards

+

mechanisms supporting and/or implementing information storage component sanitization

+
+
+
+
+ + Timely Maintenance + + + +

system components for which maintenance support and/or spare parts are obtained are defined;

+
+ + + + + +

a timeframe to support advertised uptime and availability

+
+
+ +

time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;

+
+ + + + + + + + + + + + + + + +

Obtain maintenance support and/or spare parts for within of failure.

+
+ +

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

+
+ + +

maintenance support and/or spare parts are obtained for within of failure.

+ +
+ + + + +

Maintenance policy

+

procedures addressing system maintenance

+

service provider contracts

+

service-level agreements

+

inventory and availability of spare parts

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system maintenance responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for ensuring timely maintenance

+
+
+
+
+ + Media Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the media protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current media protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current media protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current media protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require media protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ media protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

+
+ + +

Review and update the current media protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a media protection policy is developed and documented;

+ +
+ + +

the media protection policy is disseminated to ;

+ +
+ + +

media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;

+ +
+ + +

the media protection procedures are disseminated to ;

+ +
+ + + + + + +

the media protection policy addresses purpose;

+ +
+ + +

the media protection policy addresses scope;

+ +
+ + +

the media protection policy addresses roles;

+ +
+ + +

the media protection policy addresses responsibilities;

+ +
+ + +

the media protection policy addresses management commitment;

+ +
+ + +

the media protection policy addresses coordination among organizational entities;

+ +
+ + +

the media protection policy compliance;

+ +
+ +
+ + +

the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.

+ +
+ + + + + + +

the current media protection policy is reviewed and updated ;

+ +
+ + +

the current media protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current media protection procedures are reviewed and updated ;

+ +
+ + +

the current media protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Media protection policy and procedures

+

organizational risk management strategy

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Media Access + + + + +

all types of digital and/or non-digital media containing sensitive information

+
+
+ + + + + + + +

types of digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access digital media is/are defined;

+
+ + + + +

types of non-digital media to which access is restricted are defined;

+
+ + + + +

personnel or roles authorized to access non-digital media is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Restrict access to to .

+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

+
+ + + + +

access to is restricted to ;

+ +
+ + +

access to is restricted to .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media access restrictions

+

access control policy and procedures

+

physical and environmental protection policy and procedures

+

media storage facilities

+

access control records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for restricting information media

+

mechanisms supporting and/or implementing media access restrictions

+
+
+
+ + Media Marking + + + + +

no removable media types

+
+
+ +

types of system media exempt from marking when remaining in controlled areas are defined;

+
+ + + + + +

organization-defined security safeguards not applicable

+
+
+ +

controlled areas where media is exempt from marking are defined;

+
+ + + + + + + + + + + + + + + + +

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

+
+ + +

Exempt from marking if the media remain within .

+
+ + MP-3 Additional FedRAMP Requirements and Guidance + + +

Second parameter not-applicable

+
+
+
+ +

Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+
+ + + + +

system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;

+ +
+ + +

+ remain within .

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media marking

+

physical and environmental protection policy and procedures

+

list of system media marking security attributes

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and marking responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for marking information media

+

mechanisms supporting and/or implementing media marking

+
+
+
+ + Media Storage + + + + +

all types of digital and non-digital media with sensitive information

+
+
+ + + + + +

see additional FedRAMP requirements and guidance

+
+
+ + + + +

types of digital media to be physically controlled are defined (if selected);

+
+ + + + +

types of non-digital media to be physically controlled are defined (if selected);

+
+ + + + +

types of digital media to be securely stored are defined (if selected);

+
+ + + + +

types of non-digital media to be securely stored are defined (if selected);

+
+ + + + +

controlled areas within which to securely store digital media are defined;

+
+ + + + +

controlled areas within which to securely store non-digital media are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Physically control and securely store within ; and

+
+ + +

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+
+ + MP-4 Additional FedRAMP Requirements and Guidance + + +

The service provider defines controlled areas within facilities where the information and information system reside.

+
+
+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.

+
+ + + + + + +

+ are physically controlled;

+ +
+ + +

+ are physically controlled;

+ +
+ + +

+ are securely stored within ;

+ +
+ + +

+ are securely stored within ;

+ +
+ +
+ + +

system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

system media

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for storing information media

+

mechanisms supporting and/or implementing secure media storage/media protection

+
+
+
+ + Media Transport + + + + +

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

+
+
+ + + + + +

all media with sensitive information

+
+
+ +

types of system media to protect and control during transport outside of controlled areas are defined;

+
+ + + + +

controls used to protect system media outside of controlled areas are defined;

+
+ + + + +

controls used to control system media outside of controlled areas are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Protect and control during transport outside of controlled areas using ;

+
+ + +

Maintain accountability for system media during transport outside of controlled areas;

+
+ + +

Document activities associated with the transport of system media; and

+
+ + +

Restrict the activities associated with the transport of system media to authorized personnel.

+
+ + MP-5 Additional FedRAMP Requirements and Guidance + + +

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

+
+
+
+ +

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

+
+ + + + + + +

+ are protected during transport outside of controlled areas using ;

+ +
+ + +

+ are controlled during transport outside of controlled areas using ;

+ +
+ +
+ + +

accountability for system media is maintained during transport outside of controlled areas;

+ +
+ + +

activities associated with the transport of system media are documented;

+ +
+ + + + +

personnel authorized to conduct media transport activities is/are identified;

+ +
+ + +

activities associated with the transport of system media are restricted to identified authorized personnel.

+ +
+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

authorized personnel list

+

system media

+

designated controlled areas

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for storing information media

+

mechanisms supporting and/or implementing media storage/media protection

+
+
+
+ + Media Sanitization + + + + +

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

+
+
+ + + + + + + +

system media to be sanitized prior to disposal is defined;

+
+ + + + +

system media to be sanitized prior to release from organizational control is defined;

+
+ + + + +

system media to be sanitized prior to release for reuse is defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

+
+ + + + +

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

+
+ + +

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

+
+
+ +

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

+
+ + + + + + +

+ is sanitized using prior to disposal;

+ +
+ + +

+ is sanitized using prior to release from organizational control;

+ +
+ + +

+ is sanitized using prior to release for reuse;

+ +
+ +
+ + +

sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.

+ +
+ +
+ + + + +

System media protection policy

+

procedures addressing media sanitization and disposal

+

applicable federal standards and policies addressing media sanitization policy

+

media sanitization records

+

system audit records

+

system design documentation

+

records retention and disposition policy

+

records retention and disposition procedures

+

system configuration settings and associated documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with media sanitization responsibilities

+

organizational personnel with records retention and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media sanitization

+

mechanisms supporting and/or implementing media sanitization

+
+
+
+ + Media Use + + + +

types of system media to be restricted or prohibited from use on systems or system components are defined;

+
+ + + + + + + +

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

+
+ + + + +

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

+
+ + + + + + + + + + + + + + + + +

+ the use of on using ; and

+
+ + +

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

+
+
+ +

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

+
+ + + + +

the use of is on using ;

+ +
+ + +

the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.

+ +
+ +
+ + + + +

System media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

rules of behavior

+

system design documentation

+

system configuration settings and associated documentation

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for media use

+

mechanisms restricting or prohibiting the use of system media on systems or system components

+
+
+
+
+ + Physical and Environmental Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the physical and environmental protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ physical and environmental protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

+
+ + +

Review and update the current physical and environmental protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a physical and environmental protection policy is developed and documented;

+ +
+ + +

the physical and environmental protection policy is disseminated to ;

+ +
+ + +

physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;

+ +
+ + +

the physical and environmental protection procedures are disseminated to ;

+ +
+ + + + + + +

the physical and environmental protection policy addresses purpose;

+ +
+ + +

the physical and environmental protection policy addresses scope;

+ +
+ + +

the physical and environmental protection policy addresses roles;

+ +
+ + +

the physical and environmental protection policy addresses responsibilities;

+ +
+ + +

the physical and environmental protection policy addresses management commitment;

+ +
+ + +

the physical and environmental protection policy addresses coordination among organizational entities;

+ +
+ + +

the physical and environmental protection policy addresses compliance;

+ +
+ +
+ + +

the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;

+ +
+ + + + + + +

the current physical and environmental protection policy is reviewed and updated ;

+ +
+ + +

the current physical and environmental protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current physical and environmental protection procedures are reviewed and updated ;

+ +
+ + +

the current physical and environmental protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy and procedures

+

system security plan

+

privacy plan

+

organizational risk management strategy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical and environmental protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Physical Access Authorizations + + + + +

at least annually

+
+
+ +

frequency at which to review the access list detailing authorized facility access by individuals is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

+
+ + +

Issue authorization credentials for facility access;

+
+ + +

Review the access list detailing authorized facility access by individuals ; and

+
+ + +

Remove individuals from the facility access list when access is no longer required.

+
+
+ +

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

+
+ + + + + + +

a list of individuals with authorized access to the facility where the system resides has been developed;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been approved;

+ +
+ + +

the list of individuals with authorized access to the facility where the system resides has been maintained;

+ +
+ +
+ + +

authorization credentials are issued for facility access;

+ +
+ + +

the access list detailing authorized facility access by individuals is reviewed ;

+ +
+ + +

individuals are removed from the facility access list when access is no longer required.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access authorizations

+

authorized personnel access list

+

authorization credentials

+

physical access list reviews

+

physical access termination records and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with physical access to system facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access authorizations

+

mechanisms supporting and/or implementing physical access authorizations

+
+
+
+ + Physical Access Control + + + + +

at least annually or earlier as required by a security relevant event.

+
+
+ + + + +

entry and exit points to the facility in which the system resides are defined;

+
+ + + + +

CSP defined physical access control systems/devices AND guards

+
+
+ + + + + +

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

+
+ + + + +

entry or exit points for which physical access logs are maintained are defined;

+
+ + + + +

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

+
+ + + + + +

in all circumstances within restricted access area where the information system resides

+
+
+ +

circumstances requiring visitor escorts and control of visitor activity are defined;

+
+ + + + +

physical access devices to be inventoried are defined;

+
+ + + + + +

at least annually

+
+
+ +

frequency at which to inventory physical access devices is defined;

+
+ + + + +

frequency at which to change combinations is defined;

+
+ + + + +

frequency at which to change keys is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Enforce physical access authorizations at by:

+ + +

Verifying individual access authorizations before granting access to the facility; and

+
+ + +

Controlling ingress and egress to the facility using ;

+
+
+ + +

Maintain physical access audit logs for ;

+
+ + +

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

+
+ + +

Escort visitors and control visitor activity ;

+
+ + +

Secure keys, combinations, and other physical access devices;

+
+ + +

Inventory every ; and

+
+ + +

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

+
+
+ +

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

+
+ + + + + + +

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

+ +
+ + +

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

+ +
+ +
+ + +

physical access audit logs are maintained for ;

+ +
+ + +

access to areas within the facility designated as publicly accessible are maintained by implementing ;

+ +
+ + + + +

visitors are escorted;

+ +
+ + +

visitor activity is controlled ;

+ +
+ +
+ + + + +

keys are secured;

+ +
+ + +

combinations are secured;

+ +
+ + +

other physical access devices are secured;

+ +
+ +
+ + +

+ are inventoried ;

+ +
+ + + + +

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

+ +
+ + +

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access control

+

physical access control logs or records

+

inventory records of physical access control devices

+

system entry and exit points

+

records of key and lock combination changes

+

storage locations for physical access control devices

+

physical access control devices

+

list of security safeguards controlling access to designated publicly accessible areas within facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for physical access control

+

mechanisms supporting and/or implementing physical access control

+

physical access control devices

+
+
+
+ + Access Control for Transmission + + + +

system distribution and transmission lines requiring physical access controls are defined;

+
+ + + + +

security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;

+
+ + + + + + + + + + + + + + + + +

Control physical access to within organizational facilities using .

+
+ +

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

+
+ + +

physical access to within organizational facilities is controlled using .

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing access control for transmission mediums

+

system design documentation

+

facility communications and wiring diagrams

+

list of physical security safeguards applied to system distribution and transmission lines

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for access control to distribution and transmission lines

+

mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

+
+
+
+ + Access Control for Output Devices + + + +

output devices that require physical access control to output are defined;

+
+ + + + + + + + + + + +

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

+
+ +

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

+
+ + +

physical access to output from is controlled to prevent unauthorized individuals from obtaining the output.

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing access control for display medium

+

facility layout of system components

+

actual displays from system components

+

list of output devices and associated outputs requiring physical access controls

+

physical access control logs or records for areas containing output devices and related outputs

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for access control to output devices

+

mechanisms supporting and/or implementing access control to output devices

+
+
+
+ + Monitoring Physical Access + + + + +

at least monthly

+
+
+ +

the frequency at which to review physical access logs is defined;

+
+ + + + +

events or potential indication of events requiring physical access logs to be reviewed are defined;

+
+ + + + + + + + + + + + + + + + + +

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

+
+ + +

Review physical access logs and upon occurrence of ; and

+
+ + +

Coordinate results of reviews and investigations with the organizational incident response capability.

+
+
+ +

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

+
+ + + + +

physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;

+ +
+ + + + +

physical access logs are reviewed ;

+ +
+ + +

physical access logs are reviewed upon occurrence of ;

+ +
+ +
+ + + + +

results of reviews are coordinated with organizational incident response capabilities;

+ +
+ + +

results of investigations are coordinated with organizational incident response capabilities.

+ +
+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical access

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing the review of physical access logs

+
+
+ + Intrusion Alarms and Surveillance Equipment + + + + + + + +

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

+
+ +

Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.

+
+ + + + +

physical access to the facility where the system resides is monitored using physical intrusion alarms;

+ +
+ + +

physical access to the facility where the system resides is monitored using physical surveillance equipment.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for monitoring physical intrusion alarms and surveillance equipment

+

mechanisms supporting and/or implementing physical access monitoring

+

mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

+
+
+
+
+ + Visitor Access Records + + + + +

for a minimum of one (1) year

+
+
+ +

time period for which to maintain visitor access records for the facility where the system resides is defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to review visitor access records is defined;

+
+ + + + +

personnel to whom visitor access records anomalies are reported to is/are defined;

+
+ + + + + + + + + + + + +

Maintain visitor access records to the facility where the system resides for ;

+
+ + +

Review visitor access records ; and

+
+ + +

Report anomalies in visitor access records to .

+
+
+ +

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

+
+ + + + +

visitor access records for the facility where the system resides are maintained for ;

+ +
+ + +

visitor access records are reviewed ;

+ +
+ + +

visitor access records anomalies are reported to .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

visitor access control logs or records

+

visitor access record or log reviews

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with visitor access record responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for maintaining and reviewing visitor access records

+

mechanisms supporting and/or implementing the maintenance and review of visitor access records

+
+
+
+ + Power Equipment and Cabling + + + + + + +

Protect power equipment and power cabling for the system from damage and destruction.

+
+ +

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

+
+ + + + +

power equipment for the system is protected from damage and destruction;

+ +
+ + +

power cabling for the system is protected from damage and destruction.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing power equipment/cabling protection

+

facilities housing power equipment/cabling

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility to protect power equipment/cabling

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the protection of power equipment/cabling

+
+
+
+ + Emergency Shutoff + + + +

system or individual system components that require the capability to shut off power in emergency situations is/are defined;

+
+ + + + + +

near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

+
+
+ +

location of emergency shutoff switches or devices by system or system component is defined;

+
+ + + + + + + + + +

Provide the capability of shutting off power to in emergency situations;

+
+ + +

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

+
+ + +

Protect emergency power shutoff capability from unauthorized activation.

+
+
+ +

Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

+
+ + + + +

the capability to shut off power to in emergency situations is provided;

+ +
+ + +

emergency shutoff switches or devices are placed in to facilitate access for authorized personnel;

+ +
+ + +

the emergency power shutoff capability is protected from unauthorized activation.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing power source emergency shutoff

+

emergency shutoff controls or switches

+

locations housing emergency shutoff switches and devices

+

security safeguards protecting the emergency power shutoff capability from unauthorized activation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing emergency power shutoff

+
+
+
+ + Emergency Power + + + + + + + + + + + +

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

+
+ +

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.

+
+ + +

an uninterruptible power supply is provided to facilitate in the event of a primary power source loss.

+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency power

+

uninterruptible power supply

+

uninterruptible power supply documentation

+

uninterruptible power supply test records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency power and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an uninterruptible power supply

+

the uninterruptable power supply

+
+
+
+ + Emergency Lighting + + + + + + + +

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

+
+ +

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

+
+ + + + +

automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;

+ +
+ + +

automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;

+ +
+ + +

automatic emergency lighting for the system covers emergency exits within the facility;

+ +
+ + +

automatic emergency lighting for the system covers evacuation routes within the facility.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing emergency lighting

+

emergency lighting documentation

+

emergency lighting test records

+

emergency exits and evacuation routes

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with the responsibility for emergency lighting and/or planning

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing an emergency lighting capability

+
+
+
+ + Fire Protection + + + + + + +

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

+
+ +

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

+
+ + + + +

fire detection systems are employed;

+ +
+ + +

employed fire detection systems are supported by an independent energy source;

+ +
+ + +

employed fire detection systems are maintained;

+ +
+ + +

fire suppression systems are employed;

+ +
+ + +

employed fire suppression systems are supported by an independent energy source;

+ +
+ + +

employed fire suppression systems are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire suppression/detection devices/systems

+
+
+ + Detection Systems — Automatic Activation and Notification + + + + +

service provider building maintenance/physical security personnel

+
+
+ +

personnel or roles to be notified in the event of a fire is/are defined;

+
+ + + + + +

service provider emergency responders with incident response responsibilities

+
+
+ +

emergency responders to be notified in the event of a fire are defined;

+
+ + + + + + + +

Employ fire detection systems that activate automatically and notify and in the event of a fire.

+
+ +

Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.

+
+ + + + +

fire detection systems that activate automatically are employed in the event of a fire;

+ +
+ + +

fire detection systems that notify automatically are employed in the event of a fire;

+ +
+ + +

fire detection systems that notify automatically are employed in the event of a fire.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

facility housing the information system

+

alarm service-level agreements

+

test records of fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

alerts/notifications of fire events

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing fire detection devices/systems

+

activation of fire detection devices/systems (simulated)

+

automated notifications

+
+
+
+ + Suppression Systems — Automatic Activation and Notification + + + +

personnel or roles to be notified in the event of a fire is/are defined;

+
+ + + + +

emergency responders to be notified in the event of a fire are defined;

+
+ + + + + + + + + +

Employ fire suppression systems that activate automatically and notify and ; and

+
+ + +

Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.

+
+
+ +

Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.

+
+ + + + + + +

fire suppression systems that activate automatically are employed;

+ +
+ + +

fire suppression systems that notify automatically are employed;

+ +
+ + +

fire suppression systems that notify automatically are employed;

+ +
+ +
+ + +

an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems documentation

+

facility housing the system

+

alarm service-level agreements

+

test records of fire suppression and detection devices/systems

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Automated mechanisms supporting and/or implementing fire suppression devices/systems

+

activation of fire suppression devices/systems (simulated)

+

automated notifications

+
+
+
+
+ + Environmental Controls + + + +

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

+
+
+ + + + + +

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

+
+ + + + +

acceptable levels for environmental controls are defined;

+
+ + + + + +

continuously

+
+
+ +

frequency at which to monitor environmental control levels is defined;

+
+ + + + + + + + + + +

Maintain levels within the facility where the system resides at ; and

+
+ + +

Monitor environmental control levels .

+
+ + PE-14 Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+ +

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

+
+ + + + +

+ levels are maintained at within the facility where the system resides;

+ +
+ + +

environmental control levels are monitored .

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing temperature and humidity control

+

temperature and humidity controls

+

facility housing the system

+

temperature and humidity controls documentation

+

temperature and humidity records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels

+
+
+
+ + Water Damage Protection + + + + + + + +

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

+
+ +

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

+
+ + + + +

the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;

+ +
+ + +

the master shutoff or isolation valves are accessible;

+ +
+ + +

the master shutoff or isolation valves are working properly;

+ +
+ + +

the master shutoff or isolation valves are known to key personnel.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the system

+

master shutoff valves

+

list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

+

master shutoff valve documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for system environmental controls

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Master water-shutoff valves

+

organizational process for activating master water shutoff

+
+
+
+ + Delivery and Removal + + + + +

all information system components

+
+
+ + + + +

types of system components to be authorized and controlled when entering the facility are defined;

+
+ + + + +

types of system components to be authorized and controlled when exiting the facility are defined;

+
+ + + + + + + + + + + + + + + + + + +

Authorize and control entering and exiting the facility; and

+
+ + +

Maintain records of the system components.

+
+
+ +

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

+
+ + + + + + +

+ are authorized when entering the facility;

+ +
+ + +

+ are controlled when entering the facility;

+ +
+ + +

+ are authorized when exiting the facility;

+ +
+ + +

+ are controlled when exiting the facility;

+ +
+ +
+ + +

records of the system components are maintained.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing the delivery and removal of system components from the facility

+

facility housing the system

+

records of items entering and exiting the facility

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibilities for controlling system components entering and exiting the facility

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility

+

mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility

+
+
+
+ + Alternate Work Site + + + +

alternate work sites allowed for use by employees are defined;

+
+ + + + +

controls to be employed at alternate work sites are defined;

+
+ + + + + + + + + + + + +

Determine and document the allowed for use by employees;

+
+ + +

Employ the following controls at alternate work sites: ;

+
+ + +

Assess the effectiveness of controls at alternate work sites; and

+
+ + +

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

+
+
+ +

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

+
+ + + + +

+ are determined and documented;

+ +
+ + +

+ are employed at alternate work sites;

+ +
+ + +

the effectiveness of controls at alternate work sites is assessed;

+ +
+ + +

a means for employees to communicate with information security and privacy personnel in case of incidents is provided.

+ +
+ +
+ + + + +

Physical and environmental protection policy

+

procedures addressing alternate work sites for organizational personnel

+

list of security controls required for alternate work sites

+

assessments of security controls at alternate work sites

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel approving the use of alternate work sites

+

organizational personnel using alternate work sites

+

organizational personnel assessing controls at alternate work sites

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for security and privacy at alternate work sites

+

mechanisms supporting alternate work sites

+

security and privacy controls employed at alternate work sites

+

means of communication between personnel at alternate work sites and security and privacy personnel

+
+
+
+
+ + Planning + + Policy and Procedures + + + + + + +

personnel or roles to whom the planning policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the planning policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency with which the current planning policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current planning policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency with which the current planning procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ planning policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the planning policy and the associated planning controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

+
+ + +

Review and update the current planning:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a planning policy is developed and documented.

+ +
+ + +

the planning policy is disseminated to ;

+ +
+ + +

planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;

+ +
+ + +

the planning procedures are disseminated to ;

+ +
+ + + + + + +

the planning policy addresses purpose;

+ +
+ + +

the planning policy addresses scope;

+ +
+ + +

the planning policy addresses roles;

+ +
+ + +

the planning policy addresses responsibilities;

+ +
+ + +

the planning policy addresses management commitment;

+ +
+ + +

the planning policy addresses coordination among organizational entities;

+ +
+ + +

the planning policy addresses compliance;

+ +
+ +
+ + +

the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the planning policy and procedures;

+ +
+ + + + + + +

the current planning policy is reviewed and updated ;

+ +
+ + +

the current planning policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current planning procedures are reviewed and updated ;

+ +
+ + +

the current planning procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Planning policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with planning responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + System Security and Privacy Plans + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ +

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

+
+ + + + + +

to include chief privacy and ISSO and/or similar role

+
+
+ +

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

+
+ + + + + +

at least annually

+
+
+ +

frequency to review system security and privacy plans is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy plans for the system that:

+ + +

Are consistent with the organization’s enterprise architecture;

+
+ + +

Explicitly define the constituent system components;

+
+ + +

Describe the operational context of the system in terms of mission and business processes;

+
+ + +

Identify the individuals that fulfill system roles and responsibilities;

+
+ + +

Identify the information types processed, stored, and transmitted by the system;

+
+ + +

Provide the security categorization of the system, including supporting rationale;

+
+ + +

Describe any specific threats to the system that are of concern to the organization;

+
+ + +

Provide the results of a privacy risk assessment for systems processing personally identifiable information;

+
+ + +

Describe the operational environment for the system and any dependencies on or connections to other systems or system components;

+
+ + +

Provide an overview of the security and privacy requirements for the system;

+
+ + +

Identify any relevant control baselines or overlays, if applicable;

+
+ + +

Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;

+
+ + +

Include risk determinations for security and privacy architecture and design decisions;

+
+ + +

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

+
+ + +

Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+
+
+ + +

Distribute copies of the plans and communicate subsequent changes to the plans to ;

+
+ + +

Review the plans ;

+
+ + +

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and

+
+ + +

Protect the plans from unauthorized disclosure and modification.

+
+
+ +

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

+

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

+

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

+

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

+
+ + + + + + + + +

a security plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ + +

a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;

+ +
+ +
+ + + + +

a security plan for the system is developed that explicitly defines the constituent system components;

+ +
+ + +

a privacy plan for the system is developed that explicitly defines the constituent system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ + +

a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ + +

a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ + +

a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ + +

a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ + +

a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ + +

a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ + +

a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;

+ +
+ +
+ + + + +

a security plan for the system is developed that provides an overview of the security requirements for the system;

+ +
+ + +

a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;

+ +
+ +
+ + + + +

a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ + +

a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;

+ +
+ +
+ + + + +

a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;

+ +
+ + +

a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes risk determinations for security architecture and design decisions;

+ +
+ + +

a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;

+ +
+ +
+ + + + +

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

+ +
+ + +

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

+ +
+ +
+ + + + +

a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+ +
+ + +

a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.

+ +
+ +
+ +
+ + + + +

copies of the plans are distributed to ;

+ +
+ + +

subsequent changes to the plans are communicated to ;

+ +
+ +
+ + +

plans are reviewed ;

+ +
+ + + + +

plans are updated to address changes to the system and environment of operations;

+ +
+ + +

plans are updated to address problems identified during the plan implementation;

+ +
+ + +

plans are updated to address problems identified during control assessments;

+ +
+ +
+ + + + +

plans are protected from unauthorized disclosure;

+ +
+ + +

plans are protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing security and privacy plan reviews and updates

+

enterprise architecture documentation

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

security and privacy architecture and design documentation

+

risk assessments

+

risk assessment results

+

control assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system security and privacy planning and plan implementation responsibilities

+

system developers

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for system security and privacy plan development, review, update, and approval

+

mechanisms supporting the system security and privacy plan

+
+
+
+ + Rules of Behavior + + + + +

at least every 3 years

+
+
+ +

frequency for reviewing and updating the rules of behavior is defined;

+
+ + + + +

at least annually and when the rules are revised or changed

+
+
+ + + + + +

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;

+
+ + +

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;

+
+ + +

Review and update the rules of behavior ; and

+
+ + +

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

+
+
+ +

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

+
+ + + + + + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;

+ +
+ + +

rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;

+ +
+ +
+ + +

before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;

+ +
+ + +

rules of behavior are reviewed and updated ;

+ +
+ + +

individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge .

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

signed acknowledgements

+

records for rules of behavior reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed and resigned rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

+

mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

+
+
+ + Social Media and External Site/Application Usage Restrictions + + + + + + + + + +

Include in the rules of behavior, restrictions on:

+ + +

Use of social media, social networking sites, and external sites/applications;

+
+ + +

Posting organizational information on public websites; and

+
+ + +

Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+
+
+ +

Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.

+
+ + + + +

the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;

+ +
+ + +

the rules of behavior include restrictions on posting organizational information on public websites;

+ +
+ + +

the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing rules of behavior for system users

+

rules of behavior

+

training policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel with responsibility for literacy training and awareness and role-based training

+

organizational personnel who are authorized users of the system and have signed rules of behavior

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for establishing rules of behavior

+

mechanisms supporting and/or implementing the establishment of rules of behavior

+
+
+
+
+ + Security and Privacy Architectures + + + + +

at least annually and when a significant change occurs

+
+
+ +

frequency for review and update to reflect changes in the enterprise architecture;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Develop security and privacy architectures for the system that:

+ + +

Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+
+ + +

Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+
+ + +

Describe how the architectures are integrated into and support the enterprise architecture; and

+
+ + +

Describe any assumptions about, and dependencies on, external systems and services;

+
+
+ + +

Review and update the architectures to reflect changes in the enterprise architecture; and

+
+ + +

Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

+
+ + PL-8 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ +

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

+

+ SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

+

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

+

+ PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

+
+ + + + + + +

a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;

+ +
+ + +

a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;

+ +
+ + + + +

a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ + +

a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;

+ +
+ +
+ + + + +

a security architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ + +

a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;

+ +
+ +
+ +
+ + +

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

+ +
+ + + + +

planned architecture changes are reflected in the security plan;

+ +
+ + +

planned architecture changes are reflected in the privacy plan;

+ +
+ + +

planned architecture changes are reflected in the Concept of Operations (CONOPS);

+ +
+ + +

planned architecture changes are reflected in criticality analysis;

+ +
+ + +

planned architecture changes are reflected in organizational procedures;

+ +
+ + +

planned architecture changes are reflected in procurements and acquisitions.

+ +
+ +
+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing information security and privacy architecture development

+

procedures addressing information security and privacy architecture reviews and updates

+

enterprise architecture documentation

+

information security and privacy architecture documentation

+

system security plan

+

privacy plan

+

security and privacy CONOPS for the system

+

records of information security and privacy architecture reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy architecture development responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for developing, reviewing, and updating the information security and privacy architecture

+

mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture

+
+
+
+ + Baseline Selection + + + + + + + + + + + + + + + + + + + + +

Select a control baseline for the system.

+ + PL-10 Additional FedRAMP Requirements and Guidance + + +

Select the appropriate FedRAMP Baseline

+
+
+
+ +

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

+
+ + +

a control baseline for the system is selected.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

procedures addressing system security and privacy plan reviews and updates

+

system design documentation

+

system architecture and configuration documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with responsibility for organizational risk management activities

+
+
+
+ + Baseline Tailoring + + + + + + + + + + + + + + + + + + + + +

Tailor the selected control baseline by applying specified tailoring actions.

+
+ +

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

+
+ + +

the selected control baseline is tailored by applying specified tailoring actions.

+ +
+ + + + +

Security and privacy planning policy

+

procedures addressing system security and privacy plan development and implementation

+

system design documentation

+

system categorization decision

+

information types stored, transmitted, and processed by the system

+

system element/component information

+

stakeholder needs analysis

+

list of security and privacy requirements allocated to the system, system elements, and environment of operation

+

list of contractual requirements allocated to external providers of the system or system element

+

business impact analysis or criticality analysis

+

risk assessments

+

risk management strategy

+

organizational security and privacy policy

+

federal or organization-approved or mandated baselines or overlays

+

baseline tailoring rationale

+

system security plan

+

privacy plan

+

records of system security and privacy plan reviews and updates

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy planning and plan implementation responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+
+ + Personnel Security + + Policy and Procedures + + + + + + +

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the personnel security policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current personnel security policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current personnel security policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current personnel security procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the personnel security procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ personnel security policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

+
+ + +

Review and update the current personnel security:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a personnel security policy is developed and documented;

+ +
+ + +

the personnel security policy is disseminated to ;

+ +
+ + +

personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;

+ +
+ + +

the personnel security procedures are disseminated to ;

+ +
+ + + + + + +

the personnel security policy addresses purpose;

+ +
+ + +

the personnel security policy addresses scope;

+ +
+ + +

the personnel security policy addresses roles;

+ +
+ + +

the personnel security policy addresses responsibilities;

+ +
+ + +

the personnel security policy addresses management commitment;

+ +
+ + +

the personnel security policy addresses coordination among organizational entities;

+ +
+ + +

the personnel security policy addresses compliance;

+ +
+ +
+ + +

the personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

+ +
+ + + + + + +

the current personnel security policy is reviewed and updated ;

+ +
+ + +

the current personnel security policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current personnel security procedures are reviewed and updated ;

+ +
+ + +

the current personnel security procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+
+ + Position Risk Designation + + + + +

at least every three years

+
+
+ +

the frequency at which to review and update position risk designations is defined;

+
+ + + + + + + + + + + + + + + + + + + + +

Assign a risk designation to all organizational positions;

+
+ + +

Establish screening criteria for individuals filling those positions; and

+
+ + +

Review and update position risk designations .

+
+
+ +

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

+
+ + + + +

a risk designation is assigned to all organizational positions;

+ +
+ + +

screening criteria are established for individuals filling organizational positions;

+ +
+ + +

position risk designations are reviewed and updated .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing position categorization

+

appropriate codes of federal regulations

+

list of risk designations for organizational positions

+

records of position risk designation reviews and updates

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for assigning, reviewing, and updating position risk designations

+

organizational processes for establishing screening criteria

+
+
+
+ + Personnel Screening + + + + +

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

+

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

+
+
+ + + + +

conditions requiring rescreening of individuals are defined;

+
+ + + + +

the frequency of rescreening individuals where it is so indicated is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Screen individuals prior to authorizing access to the system; and

+
+ + +

Rescreen individuals in accordance with .

+
+
+ +

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

+
+ + + + +

individuals are screened prior to authorizing access to the system;

+ +
+ + + + +

individuals are rescreened in accordance with ;

+ +
+ + +

where rescreening is so indicated, individuals are rescreened .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel screening

+

records of screened personnel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel screening

+
+
+ + Information Requiring Special Protective Measures + + + + +

personnel screening criteria – as required by specific information

+
+
+ +

additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;

+
+ + + + + + + +

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:

+ + +

Have valid access authorizations that are demonstrated by assigned official government duties; and

+
+ + +

Satisfy .

+
+
+ +

Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements.

+
+ + + + +

individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;

+ +
+ + +

individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy .

+ +
+ +
+ + + + +

Personnel security policy

+

access control policy, procedures addressing personnel screening

+

records of screened personnel

+

screening criteria

+

records of access authorizations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for ensuring valid access authorizations for information requiring special protection

+

organizational process for additional personnel screening for information requiring special protection

+
+
+
+
+ + Personnel Termination + + + + +

four (4) hours

+
+
+ +

a time period within which to disable system access is defined;

+
+ + + + +

information security topics to be discussed when conducting exit interviews are defined;

+
+ + + + + + + + + + + + +

Upon termination of individual employment:

+ + +

Disable system access within ;

+
+ + +

Terminate or revoke any authenticators and credentials associated with the individual;

+
+ + +

Conduct exit interviews that include a discussion of ;

+
+ + +

Retrieve all security-related organizational system-related property; and

+
+ + +

Retain access to organizational information and systems formerly controlled by terminated individual.

+
+
+ +

System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.

+
+ + + + +

upon termination of individual employment, system access is disabled within ;

+ +
+ + +

upon termination of individual employment, any authenticators and credentials are terminated or revoked;

+ +
+ + +

upon termination of individual employment, exit interviews that include a discussion of are conducted;

+ +
+ + +

upon termination of individual employment, all security-related organizational system-related property is retrieved;

+ +
+ + +

upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel termination

+

records of personnel termination actions

+

list of system accounts

+

records of terminated or revoked authenticators/credentials

+

records of exit interviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel termination

+

mechanisms supporting and/or implementing personnel termination notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+
+ + Personnel Transfer + + + +

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

+
+ + + + + +

including access control personnel responsible for the system

+
+
+ +

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

+
+ + + + + +

twenty-four (24) hours

+
+
+ +

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

+
+ + + + + + + + + + + + + + +

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;

+
+ + +

Initiate within ;

+
+ + +

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

+
+ + +

Notify within .

+
+
+ +

Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

+
+ + + + +

the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;

+ +
+ + +

+ are initiated within ;

+ +
+ + +

access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;

+ +
+ + +

+ are notified within .

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing personnel transfer

+

records of personnel transfer actions

+

list of system and facility access authorizations

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for personnel transfer

+

mechanisms supporting and/or implementing personnel transfer notifications

+

mechanisms for disabling system access/revoking authenticators

+
+
+
+ + Access Agreements + + + + +

at least annually

+
+
+ +

the frequency at which to review and update access agreements is defined;

+
+ + + + + +

at least annually and any time there is a change to the user's level of access

+
+
+ +

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop and document access agreements for organizational systems;

+
+ + +

Review and update the access agreements ; and

+
+ + +

Verify that individuals requiring access to organizational information and systems:

+ + +

Sign appropriate access agreements prior to being granted access; and

+
+ + +

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+
+
+
+ +

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

+
+ + + + +

access agreements are developed and documented for organizational systems;

+ +
+ + +

the access agreements are reviewed and updated ;

+ +
+ + + + +

individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;

+ +
+ + +

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+ +
+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing access agreements for organizational information and systems

+

access control policy

+

access control procedures

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

documentation of access agreement reviews, updates, and re-signing

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel who have signed/resigned access agreements

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for reviewing, updating, and re-signing access agreements

+

mechanisms supporting the reviewing, updating, and re-signing of access agreements

+
+
+
+ + External Personnel Security + + + + +

including access control personnel responsible for the system and/or facilities, as appropriate

+
+
+ +

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

+
+ + + + + +

within twenty-four (24) hours

+
+
+ +

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + +

Establish personnel security requirements, including security roles and responsibilities for external providers;

+
+ + +

Require external providers to comply with personnel security policies and procedures established by the organization;

+
+ + +

Document personnel security requirements;

+
+ + +

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

+
+ + +

Monitor provider compliance with personnel security requirements.

+
+
+ +

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

+
+ + + + +

personnel security requirements are established, including security roles and responsibilities for external providers;

+ +
+ + +

external providers are required to comply with personnel security policies and procedures established by the organization;

+ +
+ + +

personnel security requirements are documented;

+ +
+ + +

external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ;

+ +
+ + +

provider compliance with personnel security requirements is monitored.

+ +
+ +
+ + + + +

Personnel security policy

+

procedures addressing external personnel security

+

list of personnel security requirements

+

acquisition documents

+

service-level agreements

+

compliance monitoring process

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

external providers

+

system/network administrators

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for managing and monitoring external personnel security

+

mechanisms supporting and/or implementing the monitoring of provider compliance

+
+
+
+ + Personnel Sanctions + + + + +

to include the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

+
+ + + + + +

24 hours

+
+
+ +

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

+
+ + + + + + + + + + + + +

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

+
+ + +

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+ +

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

+
+ + + + +

a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;

+ +
+ + +

+ is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing personnel sanctions

+

access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)

+

list of personnel or roles to be notified of formal employee sanctions

+

records or notifications of formal employee sanctions

+

system security plan

+

privacy plan

+

personally identifiable information processing policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

legal counsel

+

organizational personnel with information security and privacy responsibilities

+
+
+ + + + +

Organizational processes for managing formal employee sanctions

+

mechanisms supporting and/or implementing formal employee sanctions notifications

+
+
+
+ + Position Descriptions + + + + + + +

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

+
+ +

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

+
+ + + + +

security roles and responsibilities are incorporated into organizational position descriptions;

+ +
+ + +

privacy roles and responsibilities are incorporated into organizational position descriptions.

+ +
+ +
+ + + + +

Personnel security policy

+

personnel security procedures

+

procedures addressing position descriptions

+

security and privacy position descriptions

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with human capital management responsibilities

+
+
+ + + + +

Organizational processes for managing position descriptions

+
+
+
+
+ + Risk Assessment + + Policy and Procedures + + + + + + +

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the risk assessment policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current risk assessment policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current risk assessment policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require risk assessment procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ risk assessment policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

+
+ + +

Review and update the current risk assessment:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a risk assessment policy is developed and documented;

+ +
+ + +

the risk assessment policy is disseminated to ;

+ +
+ + +

risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;

+ +
+ + +

the risk assessment procedures are disseminated to ;

+ +
+ + + + + + +

the risk assessment policy addresses purpose;

+ +
+ + +

the risk assessment policy addresses scope;

+ +
+ + +

the risk assessment policy addresses roles;

+ +
+ + +

the risk assessment policy addresses responsibilities;

+ +
+ + +

the risk assessment policy addresses management commitment;

+ +
+ + +

the risk assessment policy addresses coordination among organizational entities;

+ +
+ + +

the risk assessment policy addresses compliance;

+ +
+ +
+ + +

the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;

+ +
+ + + + + + +

the current risk assessment policy is reviewed and updated ;

+ +
+ + +

the current risk assessment policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current risk assessment procedures are reviewed and updated ;

+ +
+ + +

the current risk assessment procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Risk assessment policy and procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+
+ + Security Categorization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Categorize the system and information it processes, stores, and transmits;

+
+ + +

Document the security categorization results, including supporting rationale, in the security plan for the system; and

+
+ + +

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ +

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

+

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

+

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

+
+ + + + +

the system and the information it processes, stores, and transmits are categorized;

+ +
+ + +

the security categorization results, including supporting rationale, are documented in the security plan for the system;

+ +
+ + +

the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+ +
+ +
+ + + + +

Risk assessment policy

+

security planning policy and procedures

+

procedures addressing security categorization of organizational information and systems

+

security categorization documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security categorization and risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for security categorization

+
+
+
+ + Risk Assessment + + + +

security assessment report

+
+
+ + + + + +

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

+
+ + + + + +

at least every three (3) years and when a significant change occurs

+
+
+ +

the frequency to review risk assessment results is defined;

+
+ + + + +

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

+
+ + + + + +

at least every three (3) years

+
+
+ +

the frequency to update the risk assessment is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Conduct a risk assessment, including:

+ + +

Identifying threats to and vulnerabilities in the system;

+
+ + +

Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and

+
+ + +

Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+
+
+ + +

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;

+
+ + +

Document risk assessment results in ;

+
+ + +

Review risk assessment results ;

+
+ + +

Disseminate risk assessment results to ; and

+
+ + +

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+
+ + RA-3 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+ + +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+ +

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

+

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

+

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

+
+ + + + + + +

a risk assessment is conducted to identify threats to and vulnerabilities in the system;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;

+ +
+ + +

a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;

+ +
+ +
+ + +

risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;

+ +
+ + +

risk assessment results are documented in ;

+ +
+ + +

risk assessment results are reviewed ;

+ +
+ + +

risk assessment results are disseminated to ;

+ +
+ + +

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+ +
+ +
+ + + + +

Risk assessment policy

+

risk assessment procedures

+

security and privacy planning policy and procedures

+

procedures addressing organizational assessments of risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment

+
+
+ + Supply Chain Risk Assessment + + + +

systems, system components, and system services to assess supply chain risks are defined;

+
+ + + + +

the frequency at which to update the supply chain risk assessment is defined;

+
+ + + + + + + + + + + + + + + +

Assess supply chain risks associated with ; and

+
+ + +

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+
+
+ +

Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

+
+ + + + +

supply chain risks associated with are assessed;

+ +
+ + +

the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

inventory of critical systems, system components, and system services

+

risk assessment policy

+

security planning policy and procedures

+

procedures addressing organizational assessments of supply chain risk

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

acquisition policy

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for risk assessment

+

mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment

+
+
+
+
+ + Vulnerability Monitoring and Scanning + + + + +

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

+
+
+ + + + +

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

+
+ + + + +

frequency for scanning systems and hosted applications for vulnerabilities is defined;

+
+ + + + + +

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

+
+
+ +

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

+
+ + + + +

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

+
+ + +

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + +

Enumerating platforms, software flaws, and improper configurations;

+
+ + +

Formatting checklists and test procedures; and

+
+ + +

Measuring vulnerability impact;

+
+
+ + +

Analyze vulnerability scan reports and results from vulnerability monitoring;

+
+ + +

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+
+ + +

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

+
+ + +

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

+
+ + +

an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + +

If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

+
+ + +

to include all Authorizing Officials; for JAB authorizations to include FedRAMP

+
+ + +

Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

+

Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

+

Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

+
+
+
+ +

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

+

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

+

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

+

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

+
+ + + + + + +

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ + +

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+ +
+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;

+ + +

vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;

+ +
+ + +

vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;

+ +
+ +
+ + +

vulnerability scan reports and results from vulnerability monitoring are analyzed;

+ +
+ + +

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

+ +
+ + +

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

+ +
+ + +

vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.

+ +
+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with vulnerability remediation responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

+

mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

+
+
+ + Update Vulnerabilities to Be Scanned + + + +

within 24 hours prior to running scans

+
+
+ + + + + +

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

+
+ + + + + + + + + +

Update the system vulnerabilities to be scanned .

+
+ +

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

+
+ + +

the system vulnerabilities to be scanned are updated .

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+

system/network administrators

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Breadth and Depth of Coverage + + + + + + + +

Define the breadth and depth of vulnerability scanning coverage.

+
+ +

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.

+
+ + +

the breadth and depth of vulnerability scanning coverage are defined.

+ +
+ + + + +

Procedures addressing vulnerability scanning

+

assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Privileged Access + + + + +

all components that support authentication

+
+
+ +

system components to which privileged access is authorized for selected vulnerability scanning activities are defined;

+
+ + + + + +

all scans

+
+
+ +

vulnerability scanning activities selected for privileged access authorization to system components are defined;

+
+ + + + + + + + +

Implement privileged access authorization to for .

+
+ +

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

+
+ + +

privileged access authorization is implemented to for .

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

system design documentation

+

system configuration settings and associated documentation

+

list of system components for vulnerability scanning

+

personnel access authorization list

+

authorization credentials

+

access authorization records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

system/network administrators

+

organizational personnel responsible for access control to the system

+

organizational personnel responsible for configuration management of the system

+

system developers

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

organizational processes for access control

+

mechanisms supporting and/or implementing access control

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+
+ + Public Disclosure Program + + + + + + + +

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

+
+ +

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

+
+ + +

a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.

+ +
+ + + + +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

vulnerability scanning tools and techniques documentation

+

vulnerability scanning results

+

vulnerability management records

+

audit records

+

public reporting channel

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for vulnerability scanning

+

mechanisms/tools supporting and/or implementing vulnerability scanning

+

mechanisms implementing the public reporting of vulnerabilities

+
+
+
+
+ + Risk Response + + + + + + + + + + + + + + + + + + + +

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

+
+ +

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

+
+ + + + +

findings from security assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from privacy assessments are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from monitoring are responded to in accordance with organizational risk tolerance;

+ +
+ + +

findings from audits are responded to in accordance with organizational risk tolerance.

+ +
+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

audit records/event logs

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

system/network administrators

+

organizational personnel with security and privacy responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+ + Criticality Analysis + + + +

systems, system components, or system services to be analyzed for criticality are defined;

+
+ + + + +

decision points in the system development life cycle when a criticality analysis is to be performed are defined;

+
+ + + + + + + + + + + + + + + + + + +

Identify critical system components and functions by performing a criticality analysis for at .

+
+ +

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

+

The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.

+

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

+
+ + +

critical system components and functions are identified by performing a criticality analysis for at .

+ +
+ + + + +

Risk assessment policy

+

assessment reports

+

criticality analysis/finalized criticality for each component/subcomponent

+

audit records/event logs

+

analysis reports

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with assessment and auditing responsibilities

+

organizational personnel with criticality analysis responsibilities

+

system/network administrators

+

organizational personnel with security responsibilities

+
+
+ + + + +

Organizational processes for assessments and audits

+

mechanisms/tools supporting and/or implementing assessments and auditing

+
+
+
+
+ + System and Services Acquisition + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and services acquisition policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and services acquisition policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

+
+ + +

Review and update the current system and services acquisition:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and services acquisition policy is developed and documented;

+ +
+ + +

the system and services acquisition policy is disseminated to ;

+ +
+ + +

system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;

+ +
+ + +

the system and services acquisition procedures are disseminated to ;

+ +
+ + + + + + +

the system and services acquisition policy addresses purpose;

+ +
+ + +

the system and services acquisition policy addresses scope;

+ +
+ + +

the system and services acquisition policy addresses roles;

+ +
+ + +

the system and services acquisition policy addresses responsibilities;

+ +
+ + +

the system and services acquisition policy addresses management commitment;

+ +
+ + +

the system and services acquisition policy addresses coordination among organizational entities;

+ +
+ + +

the system and services acquisition policy addresses compliance;

+ +
+ +
+ + +

the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;

+ +
+ + + + + + +

the system and services acquisition policy is reviewed and updated ;

+ +
+ + +

the current system and services acquisition policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and services acquisition procedures are reviewed and updated ;

+ +
+ + +

the current system and services acquisition procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+
+ + Allocation of Resources + + + + + + + + + + + + + + + + + +

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

+
+ + +

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

+
+ + +

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

+
+
+ +

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

+
+ + + + + + +

the high-level information security requirements for the system or system service are determined in mission and business process planning;

+ +
+ + +

the high-level privacy requirements for the system or system service are determined in mission and business process planning;

+ +
+ +
+ + + + +

the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;

+ +
+ + +

the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;

+ +
+ +
+ + + + +

a discrete line item for information security is established in organizational programming and budgeting documentation;

+ +
+ + +

a discrete line item for privacy is established in organizational programming and budgeting documentation.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

system and services acquisition strategy and plans

+

procedures addressing the allocation of resources to information security and privacy requirements

+

procedures addressing capital planning and investment control

+

organizational programming and budgeting documentation

+

system security plan

+

privacy plan

+

supply chain risk management policy

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining information security and privacy requirements

+

organizational processes for capital planning, programming, and budgeting

+

mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

+
+
+
+ + System Development Life Cycle + + + +

system development life cycle is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

+
+ + +

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

+
+ + +

Identify individuals having information security and privacy roles and responsibilities; and

+
+ + +

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

+
+
+ +

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

+

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

+
+ + + + + + +

the system is acquired, developed, and managed using that incorporates information security considerations;

+ +
+ + +

the system is acquired, developed, and managed using that incorporates privacy considerations;

+ +
+ +
+ + + + +

information security roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ + +

privacy roles and responsibilities are defined and documented throughout the system development life cycle;

+ +
+ +
+ + + + +

individuals with information security roles and responsibilities are identified;

+ +
+ + +

individuals with privacy roles and responsibilities are identified;

+ +
+ +
+ + + + +

organizational information security risk management processes are integrated into system development life cycle activities;

+ +
+ + +

organizational privacy risk management processes are integrated into system development life cycle activities.

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process

+

system development life cycle documentation

+

organizational risk management strategy

+

information security and privacy risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy program plan

+

enterprise architecture documentation

+

role-based security and privacy training program documentation

+

data mapping documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security and privacy responsibilities

+

organizational personnel with system life cycle development responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle

+

organizational processes for identifying system development life cycle roles and responsibilities

+

organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle

+

mechanisms supporting and/or implementing the system development life cycle

+
+
+
+ + Acquisition Process + + + + + + +

contract language is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

+ + +

Security and privacy functional requirements;

+
+ + +

Strength of mechanism requirements;

+
+ + +

Security and privacy assurance requirements;

+
+ + +

Controls needed to satisfy the security and privacy requirements.

+
+ + +

Security and privacy documentation requirements;

+
+ + +

Requirements for protecting security and privacy documentation;

+
+ + +

Description of the system development environment and environment in which the system is intended to operate;

+
+ + +

Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and

+
+ + +

Acceptance criteria.

+
+ + SA-4 Additional FedRAMP Requirements and Guidance + + +

The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

+
+ + +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

+

See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

+
+
+
+ +

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

+

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

+

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

+
+ + + + + + +

security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + + + +

requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ +
+ + +

the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + + + +

the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ + +

the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;

+ +
+ +
+ + +

acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process

+

configuration management plan

+

acquisition contracts for the system, system component, or system service

+

system design documentation

+

system security plan

+

supply chain risk management plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for determining system security and privacy functional, strength, and assurance requirements

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts

+
+
+ + Functional Properties of Controls + + + + + + + +

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

+
+ +

Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

+
+ + +

the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.

+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the system, system component, or system services

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for determining system security functional requirements

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts

+
+
+
+ + Design and Implementation Information for Controls + + + +

at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

+
+
+ + + + + +

design and implementation information is defined (if selected);

+
+ + + + +

level of detail is defined;

+
+ + + + + + + + +

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

+
+ +

Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.

+
+ + +

the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using at .

+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the system, system components, or system services

+

design and implementation information for controls employed in the system, system component, or system service

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility to determine system security requirements

+

system developers or service provider

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for determining the level of detail for system design and controls

+

organizational processes for developing acquisition contracts

+

mechanisms supporting and/or implementing the development of system design details

+
+
+
+ + Functions, Ports, Protocols, and Services in Use + + + + + + + + + +

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

+
+ +

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

+
+ + + + +

the developer of the system, system component, or system service is required to identify the functions intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the ports intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;

+ +
+ + +

the developer of the system, system component, or system service is required to identify the services intended for organizational use.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

system design documentation

+

system documentation, including functions, ports, protocols, and services intended for organizational use

+

acquisition contracts for systems or services

+

acquisition documentation

+

solicitation documentation

+

service level agreements

+

organizational security requirements, descriptions, and criteria for developers of systems, system components, and system services

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility for determining system security requirements

+

system/network administrators

+

organizational personnel operating, using, and/or maintaining the system

+

system developers

+

organizational personnel with information security responsibilities

+
+
+
+ + Use of Approved PIV Products + + + + + + + + + + +

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

+
+ +

Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.

+
+ + +

only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.

+ +
+ + + + +

Supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

+

solicitation documentation

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

service level agreements

+

FIPS 201 approved products list

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with the responsibility for determining system security requirements

+

organizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for selecting and employing FIPS 201-approved products

+
+
+
+
+ + System Documentation + + + +

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

+
+ + + + + +

at a minimum, the ISSO (or similar role within the organization)

+
+
+ +

personnel or roles to distribute system documentation to is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Obtain or develop administrator documentation for the system, system component, or system service that describes:

+ + +

Secure configuration, installation, and operation of the system, component, or service;

+
+ + +

Effective use and maintenance of security and privacy functions and mechanisms; and

+
+ + +

Known vulnerabilities regarding configuration and use of administrative or privileged functions;

+
+
+ + +

Obtain or develop user documentation for the system, system component, or system service that describes:

+ + +

User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;

+
+ + +

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and

+
+ + +

User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

+
+
+ + +

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

+
+ + +

Distribute documentation to .

+
+
+ +

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

+
+ + + + + + + + +

administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;

+ +
+ + +

administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;

+ +
+ +
+ +
+ + + + + + +

user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;

+ +
+ +
+ + + + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;

+ +
+ + +

user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;

+ +
+ +
+ +
+ + + + +

attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;

+ +
+ + +

after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;

+ +
+ +
+ + +

documentation is distributed to .

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system documentation

+

system documentation, including administrator and user guides

+

system design documentation

+

records documenting attempts to obtain unavailable or nonexistent system documentation

+

list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation

+

risk management strategy documentation

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system administrators

+

organizational personnel responsible for operating, using, and/or maintaining the system

+

system developers

+
+
+ + + + +

Organizational processes for obtaining, protecting, and distributing system administrator and user documentation

+
+
+
+ + Security and Privacy Engineering Principles + + + + + + +

systems security engineering principles are defined;

+
+ + + + +

privacy engineering principles are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

+
+ +

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

+

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

+

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

+
+ + + + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components;

+ +
+ + +

+ are applied in the specification of the system and system components;

+ +
+ + +

+ are applied in the design of the system and system components;

+ +
+ + +

+ are applied in the development of the system and system components;

+ +
+ + +

+ are applied in the implementation of the system and system components;

+ +
+ + +

+ are applied in the modification of the system and system components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

assessment and authorization procedures

+

procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system

+

system design documentation

+

security and privacy requirements and specifications for the system

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with system specification, design, development, implementation, and modification responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification

+

mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification

+
+
+
+ + External System Services + + + + +

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

+
+
+ +

controls to be employed by external system service providers are defined;

+
+ + + + + +

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

+
+
+ +

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

+
+ + +

Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

+
+ + +

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

+
+
+ +

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

+
+ + + + + + +

providers of external system services comply with organizational security requirements;

+ +
+ + +

providers of external system services comply with organizational privacy requirements;

+ +
+ + +

providers of external system services employ ;

+ +
+ +
+ + + + +

organizational oversight with regard to external system services are defined and documented;

+ +
+ + +

user roles and responsibilities with regard to external system services are defined and documented;

+ +
+ +
+ + +

+ are employed to monitor control compliance by external service providers on an ongoing basis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing methods and techniques for monitoring control compliance by external service providers of system services

+

acquisition documentation

+

contracts

+

service level agreements

+

interagency agreements

+

licensing agreements

+

list of organizational security and privacy requirements for external provider services

+

control assessment results or reports from external providers of system services

+

system security plan

+

privacy plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

external providers of system services

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis

+

mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis

+
+
+ + Risk Assessments and Organizational Approvals + + + +

personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;

+
+ + + + + + + + + + + + + +

Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and

+
+ + +

Verify that the acquisition or outsourcing of dedicated information security services is approved by .

+
+
+ +

Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.

+
+ + + + +

an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;

+ +
+ + +

+ approve the acquisition or outsourcing of dedicated information security services.

+ +
+ +
+ + + + +

System and services acquisition policy

+

supply chain risk management policy and procedures

+

procedures addressing external system services

+

acquisition documentation

+

acquisition contracts for the system, system component, or system service

+

risk assessment reports

+

approval records for the acquisition or outsourcing of dedicated security services

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with system security responsibilities

+

external providers of system services

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services

+

organizational processes for approving the outsourcing of dedicated security services

+

mechanisms supporting and/or implementing risk assessment

+

mechanisms supporting and/or implementing approval processes

+
+
+
+ + Identification of Functions, Ports, Protocols, and Services + + + + +

all external systems where Federal information is processed or stored

+
+
+ +

external system services that require the identification of functions, ports, protocols, and other services are defined;

+
+ + + + + + + + + + +

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

+
+ +

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

+
+ + +

providers of are required to identify the functions, ports, protocols, and other services required for the use of such services.

+ +
+ + + + +

System and services acquisition policy

+

supply chain risk management policy and procedures

+

procedures addressing external system services

+

acquisition contracts for the system, system component, or system service

+

acquisition documentation

+

solicitation documentation

+

service level agreements

+

organizational security requirements and security specifications for external service providers

+

list of required functions, ports, protocols, and other services

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

external providers of system services

+
+
+
+ + Processing, Storage, and Service Location + + + +

information processing, information or data, AND system services

+
+
+ + + + + +

locations where is/are to be restricted are defined;

+
+ + + + +

requirements or conditions for restricting the location of are defined;

+
+ + + + + + + + + + +

Restrict the location of to based on .

+
+ +

The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.

+
+ + +

based on , is/are restricted to .

+ +
+ + + + +

System and services acquisition policy

+

procedures addressing external system services

+

acquisition contracts for the system, system component, or system service

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

restricted locations for information processing

+

information/data and/or system services

+

information processing, information/data, and/or system services to be maintained in restricted locations

+

organizational security requirements or conditions for external providers

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

external providers of system services

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services

+

organizational processes for ensuring the location is restricted in accordance with requirements or conditions

+
+
+
+
+ + Developer Configuration Management + + + +

development, implementation, AND operation

+
+
+ + + + + +

configuration items under configuration management are defined;

+
+ + + + +

personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service to:

+ + +

Perform configuration management during system, component, or service ;

+
+ + +

Document, manage, and control the integrity of changes to ;

+
+ + +

Implement only organization-approved changes to the system, component, or service;

+
+ + +

Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

+
+ + +

Track security flaws and flaw resolution within the system, component, or service and report findings to .

+
+ + SA-10 Additional FedRAMP Requirements and Guidance + + +

track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

+
+
+
+ +

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

+

The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

+
+ + + + +

the developer of the system, system component, or system service is required to perform configuration management during system, component, or service ;

+ +
+ + + + +

the developer of the system, system component, or system service is required to document the integrity of changes to ;

+ +
+ + +

the developer of the system, system component, or system service is required to manage the integrity of changes to ;

+ +
+ + +

the developer of the system, system component, or system service is required to control the integrity of changes to ;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;

+ +
+ + + + +

the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;

+ +
+ + +

the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to report findings to .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing system developer configuration management

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer configuration management plan

+

security flaw and flaw resolution tracking records

+

system change authorization records

+

change control records

+

configuration management records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with configuration management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer configuration management

+

mechanisms supporting and/or implementing the monitoring of developer configuration management

+
+
+
+ + Developer Testing and Evaluation + + + + + + +

frequency at which to conduct testing/evaluation is defined;

+
+ + + + +

depth and coverage of testing/evaluation is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

+ + +

Develop and implement a plan for ongoing security and privacy control assessments;

+
+ + +

Perform testing/evaluation at ;

+
+ + +

Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;

+
+ + +

Implement a verifiable flaw remediation process; and

+
+ + +

Correct flaws identified during testing and evaluation.

+
+
+ +

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.

+

Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

+
+ + + + + + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at ;

+ +
+ + + + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;

+ +
+ + +

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system developer security and privacy testing

+

procedures addressing flaw remediation

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

security and privacy architecture

+

system design documentation

+

system developer security and privacy assessment plans

+

results of developer security and privacy assessments for the system, system component, or system service

+

security and privacy flaw and remediation tracking records

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with developer security and privacy testing responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation

+
+
+ + Static Code Analysis + + + + + + + +

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

+ + SA-11(1) Additional FedRAMP Requirements + + +

The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

+

If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

+
+
+
+ +

Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.

+
+ + + + +

the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;

+ +
+ + +

the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.

+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing system developer security testing

+

procedures addressing flaw remediation

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

security and privacy architecture

+

system design documentation

+

system developer security and privacy assessment plans

+

results of system developer security and privacy assessments

+

security flaw and remediation tracking records

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with developer security and privacy testing responsibilities

+

organizational personnel with configuration management responsibilities

+

system developers

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

+

static code analysis tools

+
+
+
+ + Threat Modeling and Vulnerability Analyses + + + + + + + + + +

information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;

+
+ + + + +

the tools and methods to be employed for threat modeling and vulnerability analyses are defined;

+
+ + + + +

the breadth and depth of threat modeling to be conducted is defined;

+
+ + + + +

the breadth and depth of vulnerability analyses to be conducted is defined;

+
+ + + + +

acceptance criteria to be met by produced evidence for threat modeling are defined;

+
+ + + + +

acceptance criteria to be met by produced evidence for vulnerability analyses are defined;

+
+ + + + + + + + + + + +

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:

+ + +

Uses the following contextual information: ;

+
+ + +

Employs the following tools and methods: ;

+
+ + +

Conducts the modeling and analyses at the following level of rigor: ; and

+
+ + +

Produces evidence that meets the following acceptance criteria: .

+
+
+ +

Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated.

+
+ + + + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling at during development of the system, component, or service;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at ;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing system developer security testing

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer security test plans

+

records of developer security testing results for the system, system component, or system service

+

vulnerability scanning results

+

system risk assessment reports

+

threat and vulnerability analysis reports

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with developer security testing responsibilities

+

system developers

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for monitoring developer security testing and evaluation

+

mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

+
+
+
+
+ + Development Process, Standards, and Tools + + + + + + + +

frequency at least annually

+
+
+ +

frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;

+
+ + + + + +

FedRAMP Security Authorization requirements

+
+
+ +

security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
+ + + + +

privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Require the developer of the system, system component, or system service to follow a documented development process that:

+ + +

Explicitly addresses security and privacy requirements;

+
+ + +

Identifies the standards and tools used in the development process;

+
+ + +

Documents the specific tool options and tool configurations used in the development process; and

+
+ + +

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

+
+
+ + +

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

+
+
+ +

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

+
+ + + + + + + + +

the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;

+ +
+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;

+ +
+ +
+ + + + +

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy ;

+ +
+ + +

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy .

+ +
+ +
+ +
+ + + + +

System and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing development process, standards, and tools

+

procedures addressing the integration of security and privacy requirements during the development process

+

solicitation documentation

+

acquisition documentation

+

critical component inventory documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

system developer documentation listing tool options/configuration guides

+

configuration management policy

+

configuration management records

+

documentation of development process reviews using maturity models

+

change control records

+

configuration control records

+

documented reviews of the development process, standards, tools, and tool options/configurations

+

system security plan

+

privacy plan

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

system developer

+
+
+ + Criticality Analysis + + + + + + +

decision points in the system development life cycle are defined;

+
+ + + + +

the breadth of criticality analysis is defined;

+
+ + + + +

the depth of criticality analysis is defined;

+
+ + + + + + + + + +

Require the developer of the system, system component, or system service to perform a criticality analysis:

+ + +

At the following decision points in the system development life cycle: ; and

+
+ + +

At the following level of rigor: .

+
+
+ +

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

+
+ + + + +

the developer of the system, system component, or system service is required to perform a criticality analysis at in the system development life cycle;

+ +
+ + + + +

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: ;

+ +
+ + +

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: .

+ +
+ +
+ +
+ + + + +

Supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing development process, standards, and tools

+

procedures addressing criticality analysis requirements for the system, system component, or system service

+

solicitation documentation

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

criticality analysis documentation

+

business impact analysis documentation

+

software development life cycle documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for performing criticality analysis

+

system developer

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for performing criticality analysis

+

mechanisms supporting and/or implementing criticality analysis

+
+
+
+
+ + Unsupported System Components + + + + + + +

support from external providers is defined (if selected);

+
+ + + + + + + + + + + +

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or

+
+ + +

Provide the following options for alternative sources for continued support for unsupported components .

+
+
+ +

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

+

Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.

+
+ + + + +

system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;

+ +
+ + +

+ provide options for alternative sources for continued support for unsupported components.

+ +
+ +
+ + + + +

System and services acquisition policy

+

procedures addressing the replacement or continued use of unsupported system components

+

documented evidence of replacing unsupported system components

+

documented approvals (including justification) for the continued use of unsupported system components

+

system security plan

+

supply chain risk management plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with the responsibility for the system development life cycle

+

organizational personnel responsible for component replacement

+
+
+ + + + +

Organizational processes for replacing unsupported system components

+

mechanisms supporting and/or implementing the replacement of unsupported system components

+
+
+
+
+ + System and Communications Protection + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and communications protection policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and communications protection policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and communications protection procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and communications protection policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

+
+ + +

Review and update the current system and communications protection:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and communications protection policy is developed and documented;

+ +
+ + +

the system and communications protection policy is disseminated to ;

+ +
+ + +

system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;

+ +
+ + +

the system and communications protection procedures are disseminated to ;

+ +
+ + + + + + +

the system and communications protection policy addresses purpose;

+ +
+ + +

the system and communications protection policy addresses scope;

+ +
+ + +

the system and communications protection policy addresses roles;

+ +
+ + +

the system and communications protection policy addresses responsibilities;

+ +
+ + +

the system and communications protection policy addresses management commitment;

+ +
+ + +

the system and communications protection policy addresses coordination among organizational entities;

+ +
+ + +

the system and communications protection policy addresses compliance;

+ +
+ +
+ + +

the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;

+ +
+ + + + + + +

the current system and communications protection policy is reviewed and updated ;

+ +
+ + +

the current system and communications protection policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and communications protection procedures are reviewed and updated ;

+ +
+ + +

the current system and communications protection procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

system and communications protection procedures

+

system security plan

+

privacy plan

+

risk management strategy documentation

+

audit findings

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and communications protection responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Separation of System and User Functionality + + + + + + + + + + + + + + +

Separate user functionality, including user interface services, from system management functionality.

+
+ +

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

+
+ + +

user functionality, including user interface services, is separated from system management functionality.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing application partitioning

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Separation of user functionality from system management functionality

+
+
+
+ + Information in Shared System Resources + + + + + + + + +

Prevent unauthorized and unintended information transfer via shared system resources.

+
+ +

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

+
+ + + + +

unauthorized information transfer via shared system resources is prevented;

+ +
+ + +

unintended information transfer via shared system resources is prevented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing information protection in shared system resources

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources

+
+
+
+ + Denial-of-service Protection + + + + +

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

+
+
+ +

types of denial-of-service events to be protected against or limited are defined;

+
+ + + + +

Protect against

+
+
+ + + + + +

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

+
+ + + + + + + + + + + + + + +

+ the effects of the following types of denial-of-service events: ; and

+
+ + +

Employ the following controls to achieve the denial-of-service objective: .

+
+
+ +

Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

+
+ + + + +

the effects of are ;

+ +
+ + +

+ are employed to achieve the denial-of-service protection objective.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing denial-of-service protection

+

system design documentation

+

list of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks

+

list of security safeguards protecting against or limiting the effects of denial-of-service attacks

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+

system developer

+
+
+ + + + +

Mechanisms protecting against or limiting the effects of denial-of-service attacks

+
+
+
+ + Boundary Protection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

+
+ + +

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

+
+ + +

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+
+ + SC-7 Additional FedRAMP Requirements and Guidance + + +

SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

+
+
+
+ +

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

+
+ + + + + + +

communications at external managed interfaces to the system are monitored;

+ +
+ + +

communications at external managed interfaces to the system are controlled;

+ +
+ + +

communications at key internal managed interfaces within the system are monitored;

+ +
+ + +

communications at key internal managed interfaces within the system are controlled;

+ +
+ +
+ + +

subnetworks for publicly accessible system components are separated from internal organizational networks;

+ +
+ + +

external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

list of key internal boundaries of the system

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

enterprise security architecture documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+
+
+ + Access Points + + + + + + +

Limit the number of external network connections to the system.

+
+ +

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

+
+ + +

the number of external network connections to the system is limited.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

boundary protection hardware and software

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

communications and network traffic monitoring logs

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+

mechanisms limiting the number of external network connections to the system

+
+
+
+ + External Telecommunications Services + + + + +

at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions

+
+
+ +

the frequency at which to review exceptions to traffic flow policy is defined;

+
+ + + + + + + + + + + + + + +

Implement a managed interface for each external telecommunication service;

+
+ + +

Establish a traffic flow policy for each managed interface;

+
+ + +

Protect the confidentiality and integrity of the information being transmitted across each interface;

+
+ + +

Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

+
+ + +

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

+
+ + +

Prevent unauthorized exchange of control plane traffic with external networks;

+
+ + +

Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

+
+ + +

Filter unauthorized control plane traffic from external networks.

+
+
+ +

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

+
+ + + + +

a managed interface is implemented for each external telecommunication service;

+ +
+ + +

a traffic flow policy is established for each managed interface;

+ +
+ + + + +

the confidentiality of the information being transmitted across each interface is protected;

+ +
+ + +

the integrity of the information being transmitted across each interface is protected;

+ +
+ +
+ + +

each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;

+ +
+ + + + +

exceptions to the traffic flow policy are reviewed ;

+ +
+ + +

exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;

+ +
+ +
+ + +

unauthorized exchanges of control plan traffic with external networks are prevented;

+ +
+ + +

information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;

+ +
+ + +

unauthorized control plane traffic is filtered from external networks.

+ +
+ +
+ + + + +

System and communications protection policy

+

traffic flow policy

+

information flow control policy

+

procedures addressing boundary protection

+

system security architecture

+

system design documentation

+

boundary protection hardware and software

+

system architecture and configuration documentation

+

system configuration settings and associated documentation

+

records of traffic flow policy exceptions

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Organizational processes for documenting and reviewing exceptions to the traffic flow policy

+

organizational processes for removing exceptions to the traffic flow policy

+

mechanisms implementing boundary protection capabilities

+

managed interfaces implementing traffic flow policy

+
+
+
+ + Deny by Default — Allow by Exception + + + +

any systems

+
+
+ + + + + +

systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected).

+
+ + + + + + + +

Deny network communications traffic by default and allow network communications traffic by exception .

+ + SC-7 (5) Additional FedRAMP Requirements and Guidance + + +

For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

+
+
+
+ +

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

+
+ + + + +

network communications traffic is denied by default ;

+ +
+ + +

network communications traffic is allowed by exception .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing traffic management at managed interfaces

+
+
+
+ + Split Tunneling for Remote Devices + + + +

safeguards to securely provision split tunneling are defined;

+
+ + + + + + + +

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+
+ +

Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control.

+
+ + +

split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing boundary protection capabilities

+

mechanisms supporting/restricting non-remote connections

+
+
+
+ + Route Traffic to Authenticated Proxy Servers + + + +

internal communications traffic to be routed to external networks is defined;

+
+ + + + + +

any network outside of organizational control and any network outside the authorization boundary

+
+
+ +

external networks to which internal communications traffic is to be routed are defined;

+
+ + + + + + + + +

Route to through authenticated proxy servers at managed interfaces.

+
+ +

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

+
+ + +

+ is routed to through authenticated proxy servers at managed interfaces.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system hardware and software

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces

+
+
+
+ + Host-based Protection + + + + +

Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

+
+
+ +

host-based boundary protection mechanisms to be implemented are defined;

+
+ + + + +

system components where host-based boundary protection mechanisms are to be implemented are defined;

+
+ + + + + + + +

Implement at .

+
+ +

Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.

+
+ + +

+ are implemented at .

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

boundary protection hardware and software

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+

system users

+
+
+ + + + +

Mechanisms implementing host-based boundary protection capabilities

+
+
+
+ + Fail Secure + + + + + + + + + + +

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

+
+ +

Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases.

+
+ + +

systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing boundary protection

+

system design documentation

+

system architecture

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing secure failure

+
+
+
+
+ + Transmission Confidentiality and Integrity + + + +

confidentiality AND integrity

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of transmitted information.

+ + SC-8 Additional FedRAMP Requirements and Guidance + + +

For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

+

+

For clarity, this control applies to all data in transit. Examples include the following data flows:

+
    +
  • Crossing the system boundary
  • +
  • Between compute instances - including containers
  • +
  • From a compute instance to storage
  • +
  • Replication between availability zones
  • +
  • Transmission of backups to storage
  • +
  • From a load balancer to a compute instance
  • +
  • Flows from management tools required for their work – e.g. log collection, scanning, etc.
  • +
+

+

The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

+

FedRAMP-Defined Assignment / Selection Parameters

+

SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

+

SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

+
+ + +

SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

+

+

Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

+

+

Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

+

+

Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

+

+

CNSSI No.7003 can be accessed here:

+

https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

+

+

DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

+

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

+
+
+
+ +

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

+

Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

+
+ + +

the of transmitted information is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+
+
+ + Cryptographic Protection + + + +

prevent unauthorized disclosure of information AND detect changes to information

+
+
+ + + + + + + + + + +

Implement cryptographic mechanisms to during transmission.

+ + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

+
+ + +

See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

+

SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

+
+ + +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

+
+ + +

When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+
+
+ +

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

+
+ + +

cryptographic mechanisms are implemented to during transmission.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+

mechanisms supporting and/or implementing alternative physical safeguards

+

organizational processes for defining and implementing alternative physical safeguards

+
+
+
+
+ + Network Disconnect + + + + +

no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

+
+
+ +

a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;

+
+ + + + + + + + +

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

+
+ +

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

+
+ + +

the network connection associated with a communication session is terminated at the end of the session or after of inactivity.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing network disconnect

+

system design documentation

+

security plan

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing a network disconnect capability

+
+
+
+ + Cryptographic Key Establishment and Management + + + + +

In accordance with Federal requirements

+
+
+ +

requirements for key generation, distribution, storage, access, and destruction are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

+ + SC-12 Additional FedRAMP Requirements and Guidance + + +

See references in NIST 800-53 documentation.

+
+ + +

Must meet applicable Federal Cryptographic Requirements. See References Section of control.

+
+ + +

Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

+
+
+
+ +

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

+
+ + + + +

cryptographic keys are established when cryptography is employed within the system in accordance with ;

+ +
+ + +

cryptographic keys are managed when cryptography is employed within the system in accordance with .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic key establishment and management

+

system design documentation

+

cryptographic mechanisms

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment and/or management

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic key establishment and management

+
+
+
+ + Cryptographic Protection + + + +

cryptographic uses are defined;

+
+ + + + + +

FIPS-validated or NSA-approved cryptography

+
+
+ +

types of cryptography for each specified cryptographic use are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine the ; and

+
+ + +

Implement the following types of cryptography required for each specified cryptographic use: .

+
+ + SC-13 Additional FedRAMP Requirements and Guidance + + +

This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

+
    +
  • Encryption of data
  • +
  • Decryption of data
  • +
  • Generation of one time passwords (OTPs) for MFA
  • +
  • Protocols such as TLS, SSH, and HTTPS
  • +
+

+

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

+

https://csrc.nist.gov/projects/cryptographic-module-validation-program

+
+ + +

For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

+

https://www.niap-ccevs.org/Product/index.cfm

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Moving to non-FIPS CM or product is acceptable when:

+
    +
  • FIPS validated version has a known vulnerability
  • +
  • Feature with vulnerability is in use
  • +
  • Non-FIPS version fixes the vulnerability
  • +
  • Non-FIPS version is submitted to NIST for FIPS validation
  • +
  • POA&M is added to track approval, and deployment when ready
  • +
+
+ + +

At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

+
+
+
+ +

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + +

+ are identified;

+ +
+ + +

+ for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing cryptographic protection

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic module validation certificates

+

list of FIPS-validated cryptographic modules

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for cryptographic protection

+
+
+ + + + +

Mechanisms supporting and/or implementing cryptographic protection

+
+
+
+ + Collaborative Computing Devices and Applications + + + + +

no exceptions for computing devices

+
+
+ +

exceptions where remote activation is to be allowed are defined;

+
+ + + + + + + + + + +

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

+
+ + +

Provide an explicit indication of use to users physically present at the devices.

+
+ + SC-15 Additional FedRAMP Requirements and Guidance + + +

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

+
+
+
+ +

Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

+
+ + + + +

remote activation of collaborative computing devices and applications is prohibited except ;

+ +
+ + +

an explicit indication of use is provided to users physically present at the devices.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing collaborative computing

+

access control policy and procedures

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for managing collaborative computing devices

+
+
+ + + + +

Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices

+

mechanisms providing an indication of use of collaborative computing devices

+
+
+
+ + Public Key Infrastructure Certificates + + + +

a certificate policy for issuing public key certificates is defined;

+
+ + + + + + + + + + + + + + + + + +

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

+
+ + +

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

+
+
+ +

Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

+
+ + + + +

public key certificates are issued under , or public key certificates are obtained from an approved service provider;

+ +
+ + +

only approved trust anchors are included in trust stores or certificate stores managed by the organization.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing public key infrastructure certificates

+

public key certificate policy or policies

+

public key issuing process

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for issuing public key certificates

+

service providers

+
+
+ + + + +

Mechanisms supporting and/or implementing the management of public key infrastructure certificates

+
+
+
+ + Mobile Code + + + + + + + + + + + + + +

Define acceptable and unacceptable mobile code and mobile code technologies; and

+
+ + +

Authorize, monitor, and control the use of mobile code within the system.

+
+
+ +

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

+
+ + + + + + +

acceptable mobile code is defined;

+ +
+ + +

unacceptable mobile code is defined;

+ +
+ + +

acceptable mobile code technologies are defined;

+ +
+ + +

unacceptable mobile code technologies are defined;

+ +
+ +
+ + + + +

the use of mobile code is authorized within the system;

+ +
+ + +

the use of mobile code is monitored within the system;

+ +
+ + +

the use of mobile code is controlled within the system.

+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing mobile code

+

mobile code implementation policy and procedures

+

list of acceptable mobile code and mobile code technologies

+

list of unacceptable mobile code and mobile technologies

+

authorization records

+

system monitoring records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing mobile code

+
+
+ + + + +

Organizational process for authorizing, monitoring, and controlling mobile code

+

mechanisms supporting and/or implementing the management of mobile code

+

mechanisms supporting and/or implementing the monitoring of mobile code

+
+
+
+ + Secure Name/Address Resolution Service (Authoritative Source) + + + + + + + + + + + + + + + + +

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

+
+ + +

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

+
+ + SC-20 Additional FedRAMP Requirements and Guidance + + +

Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

+
+ + +

SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

+
+ + +

External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

+
+ + +

CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

+
+
+
+ +

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

+
+ + + + + + +

additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ + +

integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;

+ +
+ +
+ + + + +

the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;

+ +
+ + +

the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.

+ +
+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (authoritative source)

+

system design documentation

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing secure name/address resolution services

+
+
+
+ + Secure Name/Address Resolution Service (Recursive or Caching Resolver) + + + + + + + + +

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+ + SC-21 Additional FedRAMP Requirements and Guidance + + +

Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

+
    +
  • If the reply is signed, and fails DNSSEC, do not use the reply
  • +
  • If the reply is unsigned:
      +
    • CSP chooses the policy to apply
    • +
    +
  • +
+
+ + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+
+ + +

Accepting an unsigned reply is acceptable

+
+ + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+
    +
  • DNSSEC resolution to access a component inside the boundary is excluded.
  • +
+
+
+
+ +

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

+
+ + + + +

data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;

+ +
+ + +

data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing secure name/address resolution services (recursive or caching resolver)

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

+
+
+
+ + Architecture and Provisioning for Name/Address Resolution Service + + + + + + + + + + +

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

+
+ +

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

+
+ + + + +

the systems that collectively provide name/address resolution services for an organization are fault-tolerant;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement internal role separation;

+ +
+ + +

the systems that collectively provide name/address resolution services for an organization implement external role separation.

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing architecture and provisioning for name/address resolution services

+

access control policy and procedures

+

system design documentation

+

assessment results from independent testing organizations

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+
+ + + + +

Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation

+
+
+
+ + Session Authenticity + + + + + + + + + + + + + +

Protect the authenticity of communications sessions.

+
+ +

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

+
+ + +

the authenticity of communication sessions is protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing session authenticity

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Mechanisms supporting and/or implementing session authenticity

+
+
+
+ + Protection of Information at Rest + + + +

confidentiality AND integrity

+
+
+ + + + + +

information at rest requiring protection is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Protect the of the following information at rest: .

+ + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+
+ + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+
+ + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+
+
+
+ +

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

+
+ + +

the of is/are protected.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

list of information at rest requiring confidentiality and integrity protections

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

+
+
+ + Cryptographic Protection + + + +

information requiring cryptographic protection is defined;

+
+ + + + + +

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

+
+
+ +

system components or media requiring cryptographic protection is/are defined;

+
+ + + + + + + + + + +

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

+ + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+
+
+
+ +

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

+
+ + + + +

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

+ +
+ + +

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing the protection of information at rest

+

system design documentation

+

system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+
+ + + + +

Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest

+
+
+
+
+ + Process Isolation + + + + + + + + + + + + + + + +

Maintain a separate execution domain for each executing system process.

+
+ +

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

+
+ + +

a separate execution domain is maintained for each executing system process.

+ +
+ + + + +

System design documentation

+

system architecture

+

independent verification and validation documentation

+

testing and evaluation documentation

+

other relevant documents or records

+
+
+ + + + +

System developers/integrators

+

system security architect

+
+
+ + + + +

Mechanisms supporting and/or implementing separate execution domains for each executing process

+
+
+
+ + System Time Synchronization + + + + + + + + + + +

Synchronize system clocks within and between systems and system components.

+
+ +

Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities.

+
+ + +

system clocks are synchronized within and between systems and system components.

+ +
+ + + + +

System and communications protection policy

+

procedures addressing time synchronization

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+
+
+ + + + +

Mechanisms supporting and/or implementing system time synchronization

+
+
+ + Synchronization with Authoritative Time Source + + + + +

At least hourly

+
+
+ +

the frequency at which to compare the internal system clocks with the authoritative time source is defined;

+
+ + + + + +

http://tf.nist.gov/tf-cgi/servers.cgi

+
+
+ +

the authoritative time source to which internal system clocks are to be compared is defined;

+
+ + + + + +

any difference

+
+
+ +

the time period to compare the internal system clocks with the authoritative time source is defined;

+
+ + + + + + + + + +

Compare the internal system clocks with ; and

+
+ + +

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

+
+ + SC-45(1) Additional FedRAMP Requirements and Guidance + + +

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

+
+ + +

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

+
+ + +

Synchronization of system clocks improves the accuracy of log analysis.

+
+
+
+ +

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

+
+ + + + +

the internal system clocks are compared with ;

+ +
+ + +

the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .

+ +
+ +
+ + + + +

System and communications protection policy

+

procedures addressing time synchronization

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+
+
+ + + + +

Mechanisms supporting and/or implementing system time synchronization

+
+
+
+
+
+ + System and Information Integrity + + Policy and Procedures + + + + + + +

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

+
+ + + + +

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

+
+ + + + + + + +

an official to manage the system and information integrity policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

+
+ + + + +

events that would require the current system and information integrity policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that would require the system and information integrity procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ system and information integrity policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

+
+ + +

Review and update the current system and information integrity:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a system and information integrity policy is developed and documented;

+ +
+ + +

the system and information integrity policy is disseminated to ;

+ +
+ + +

system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;

+ +
+ + +

the system and information integrity procedures are disseminated to ;

+ +
+ + + + + + +

the system and information integrity policy addresses purpose;

+ +
+ + +

the system and information integrity policy addresses scope;

+ +
+ + +

the system and information integrity policy addresses roles;

+ +
+ + +

the system and information integrity policy addresses responsibilities;

+ +
+ + +

the system and information integrity policy addresses management commitment;

+ +
+ + +

the system and information integrity policy addresses coordination among organizational entities;

+ +
+ + +

the system and information integrity policy addresses compliance;

+ +
+ +
+ + +

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

+ +
+ + + + + + +

the current system and information integrity policy is reviewed and updated ;

+ +
+ + +

the current system and information integrity policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current system and information integrity procedures are reviewed and updated ;

+ +
+ + +

the current system and information integrity procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and information integrity responsibilities

+

organizational personnel with information security and privacy responsibilities

+
+
+
+ + Flaw Remediation + + + + +

within thirty (30) days of release of updates

+
+
+ +

time period within which to install security-relevant software updates after the release of the updates is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Identify, report, and correct system flaws;

+
+ + +

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + +

Install security-relevant software and firmware updates within of the release of the updates; and

+
+ + +

Incorporate flaw remediation into the organizational configuration management process.

+
+
+ +

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

+

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

+
+ + + + + + +

system flaws are identified;

+ +
+ + +

system flaws are reported;

+ +
+ + +

system flaws are corrected;

+ +
+ +
+ + + + +

software updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

software updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for effectiveness before installation;

+ +
+ + +

firmware updates related to flaw remediation are tested for potential side effects before installation;

+ +
+ +
+ + + + +

security-relevant software updates are installed within of the release of the updates;

+ +
+ + +

security-relevant firmware updates are installed within of the release of the updates;

+ +
+ +
+ + +

flaw remediation is incorporated into the organizational configuration management process.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

procedures addressing configuration management

+

list of flaws and vulnerabilities potentially affecting the system

+

list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)

+

test results from the installation of software and firmware updates to correct system flaws

+

installation/change control records for security-relevant software and firmware updates

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel responsible for installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

organizational process for installing software and firmware updates

+

mechanisms supporting and/or implementing the reporting and correcting of system flaws

+

mechanisms supporting and/or implementing testing software and firmware updates

+
+
+ + Automated Flaw Remediation Status + + + +

automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;

+
+ + + + + +

at least monthly

+
+
+ +

the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;

+
+ + + + + + + + + +

Determine if system components have applicable security-relevant software and firmware updates installed using + .

+
+ +

Automated mechanisms can track and determine the status of known flaws for system components.

+
+ + +

system components have applicable security-relevant software and firmware updates installed using .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

automated mechanisms supporting centralized management of flaw remediation

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+
+
+ + + + +

Automated mechanisms used to determine the state of system components with regard to flaw remediation

+
+
+
+ + Time to Remediate Flaws and Benchmarks for Corrective Actions + + + +

the benchmarks for taking corrective actions are defined;

+
+ + + + + + + + + +

Measure the time between flaw identification and flaw remediation; and

+
+ + +

Establish the following benchmarks for taking corrective actions: .

+
+
+ +

Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

+
+ + + + +

the time between flaw identification and flaw remediation is measured;

+ +
+ + +

+ for taking corrective actions have been established.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing flaw remediation

+

system design documentation

+

system configuration settings and associated documentation

+

list of benchmarks for taking corrective action on identified flaws

+

records that provide timestamps of flaw identification and subsequent flaw remediation activities

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for flaw remediation

+
+
+ + + + +

Organizational processes for identifying, reporting, and correcting system flaws

+

mechanisms used to measure the time between flaw identification and flaw remediation

+
+
+
+
+ + Malicious Code Protection + + + +

signature based and non-signature based

+
+
+ + + + + + +

at least weekly

+
+
+ +

the frequency at which malicious code protection mechanisms perform scans is defined;

+
+ + + + +

to include endpoints and network entry and exit points

+
+
+ + + + + +

to include blocking and quarantining malicious code

+
+
+ + + + + + +

administrator or defined security personnel near-realtime

+
+
+ +

action to be taken in response to malicious code detection are defined (if selected);

+
+ + + + +

personnel or roles to be alerted when malicious code is detected is/are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

+
+ + +

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

+
+ + +

Configure malicious code protection mechanisms to:

+ + +

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

+
+ + +

+ ; and send alert to in response to malicious code detection; and

+
+
+ + +

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

+
+
+ +

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

+

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

+

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

+
+ + + + + + +

+ malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

+ +
+ + +

+ malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

+ +
+ +
+ + +

malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;

+ +
+ + + + + + +

malicious code protection mechanisms are configured to perform periodic scans of the system ;

+ +
+ + +

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

+ +
+ +
+ + + + +

malicious code protection mechanisms are configured to in response to malicious code detection;

+ +
+ + +

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

+ +
+ +
+ +
+ + +

the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policy and procedures

+

procedures addressing malicious code protection

+

malicious code protection mechanisms

+

records of malicious code protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

scan results from malicious code protection mechanisms

+

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for malicious code protection

+

organizational personnel with configuration management responsibilities

+
+
+ + + + +

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

+

organizational processes for addressing false positives and resulting potential impacts

+

mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms

+

mechanisms supporting and/or implementing malicious code scanning and subsequent actions

+
+
+
+ + System Monitoring + + + +

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

+
+ + + + +

techniques and methods used to identify unauthorized use of the system are defined;

+
+ + + + +

system monitoring information to be provided to personnel or roles is defined;

+
+ + + + +

personnel or roles to whom system monitoring information is to be provided is/are defined;

+
+ + + + + + + +

a frequency for providing system monitoring to personnel or roles is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Monitor the system to detect:

+ + +

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

+
+ + +

Unauthorized local, network, and remote connections;

+
+
+ + +

Identify unauthorized use of the system through the following techniques and methods: ;

+
+ + +

Invoke internal monitoring capabilities or deploy monitoring devices:

+ + +

Strategically within the system to collect organization-determined essential information; and

+
+ + +

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + +

Analyze detected events and anomalies;

+
+ + +

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+
+ + +

Obtain legal opinion regarding system monitoring activities; and

+
+ + +

Provide to + .

+
+ + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+
+
+
+ +

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

+

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+
+ + + + + + +

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

+ +
+ + + + +

the system is monitored to detect unauthorized local connections;

+ +
+ + +

the system is monitored to detect unauthorized network connections;

+ +
+ + +

the system is monitored to detect unauthorized remote connections;

+ +
+ +
+ +
+ + +

unauthorized use of the system is identified through ;

+ +
+ + + + +

internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;

+ +
+ + +

internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;

+ +
+ +
+ + + + +

detected events are analyzed;

+ +
+ + +

detected anomalies are analyzed;

+ +
+ +
+ + +

the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

+ +
+ + +

a legal opinion regarding system monitoring activities is obtained;

+ +
+ + +

+ is provided to + .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

continuous monitoring strategy

+

facility diagram/layout

+

system design documentation

+

system monitoring tools and techniques documentation

+

locations within the system where monitoring devices are deployed

+

system configuration settings and associated documentation

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring capabilities

+
+
+ + System-wide Intrusion Detection System + + + + + + + + +

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

+
+ +

Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful.

+
+ + + + +

individual intrusion detection tools are connected to a system-wide intrusion detection system;

+ +
+ + +

individual intrusion detection tools are configured into a system-wide intrusion detection system.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection capabilities

+
+
+
+ + Automated Tools and Mechanisms for Real-time Analysis + + + + + + + + + +

Employ automated tools and mechanisms to support near real-time analysis of events.

+
+ +

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

+
+ + +

automated tools and mechanisms are employed to support a near real-time analysis of events.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

privacy plan

+

privacy program plan

+

privacy impact assessment

+

privacy risk management documentation

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for incident response/management

+
+
+ + + + +

Organizational processes for the near real-time analysis of events

+

organizational processes for system monitoring

+

mechanisms supporting and/or implementing system monitoring

+

mechanisms/tools supporting and/or implementing an analysis of events

+
+
+
+ + Inbound and Outbound Communications Traffic + + + + +

continuously

+
+
+ + + + + + + +

the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
+ + + + +

unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;

+
+ + + + +

the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
+ + + + +

unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;

+
+ + + + + + + + + + +

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;

+
+ + +

Monitor inbound and outbound communications traffic for .

+
+
+ +

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.

+
+ + + + + + +

criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;

+ +
+ + +

criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;

+ +
+ +
+ + + + +

inbound communications traffic is monitored for ;

+ +
+ + +

outbound communications traffic is monitored for .

+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system protocols

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic

+
+
+
+ + System-generated Alerts + + + +

personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;

+
+ + + + +

compromise indicators are defined;

+
+ + + + + + + + + + + +

Alert when the following system-generated indications of compromise or potential compromise occur: .

+ + SI-4 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with the incident response plan.

+
+
+
+ +

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

+
+ + +

+ are alerted when system-generated occur.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

list of personnel selected to receive alerts

+

documentation of alerts generated based on compromise indicators

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developers

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel on the system alert notification list

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing alerts for compromise indicators

+
+
+
+ + Correlate Monitoring Information + + + + + + + + + +

Correlate information from monitoring tools and mechanisms employed throughout the system.

+
+ +

Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

+
+ + +

information from monitoring tools and mechanisms employed throughout the system is correlated.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

event correlation logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing the correlation of information from monitoring tools

+
+
+
+ + Analyze Traffic and Covert Exfiltration + + + +

interior points within the system where communications traffic is to be analyzed are defined;

+
+ + + + + + + + + +

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: .

+
+ +

Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.

+
+ + + + +

outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;

+ +
+ + +

outbound communications traffic is analyzed at to detect covert exfiltration of information.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

network diagram

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring the system

+

organizational personnel responsible for the intrusion detection system

+
+
+ + + + +

Organizational processes for intrusion detection and system monitoring

+

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

+

mechanisms supporting and/or implementing an analysis of outbound communications traffic

+
+
+
+ + Host-based Devices + + + +

host-based monitoring mechanisms to be implemented on system components are defined;

+
+ + + + +

system components where host-based monitoring is to be implemented are defined;

+
+ + + + + + + + + + +

Implement the following host-based monitoring mechanisms at : .

+
+ +

Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.

+
+ + +

+ are implemented on .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system monitoring tools and techniques

+

system design documentation

+

host-based monitoring mechanisms

+

system monitoring tools and techniques documentation

+

system configuration settings and associated documentation

+

list of system components requiring host-based monitoring

+

system monitoring logs or records

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the system

+

organizational personnel responsible for monitoring system hosts

+
+
+ + + + +

Organizational processes for system monitoring

+

mechanisms supporting and/or implementing a host-based monitoring capability

+
+
+
+
+ + Security Alerts, Advisories, and Directives + + + + +

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

+
+
+ +

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

+
+ + + + +

to include system security personnel and administrators with configuration/patch-management responsibilities

+
+
+ + + + + +

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

+
+ + + + +

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + +

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
+ + + + + + + + + + + + + +

Receive system security alerts, advisories, and directives from on an ongoing basis;

+
+ + +

Generate internal security alerts, advisories, and directives as deemed necessary;

+
+ + +

Disseminate security alerts, advisories, and directives to: ; and

+
+ + +

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

+
+ + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+
+
+ +

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

+
+ + + + +

system security alerts, advisories, and directives are received from on an ongoing basis;

+ +
+ + +

internal security alerts, advisories, and directives are generated as deemed necessary;

+ +
+ + +

security alerts, advisories, and directives are disseminated to ;

+ +
+ + +

security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security alerts, advisories, and directives

+

records of security alerts and advisories

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security alert and advisory responsibilities

+

organizational personnel implementing, operating, maintaining, and using the system

+

organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + + + +

Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

+

mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives

+

mechanisms supporting and/or implementing security directives

+
+
+
+ + Security and Privacy Function Verification + + + + + + +

security functions to be verified for correct operation are defined;

+
+ + + + +

privacy functions to be verified for correct operation are defined;

+
+ + + + + + + + +

to include upon system startup and/or restart

+
+
+ +

system transitional states requiring the verification of security and privacy functions are defined; (if selected)

+
+ + + + + +

at least monthly

+
+
+ +

frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)

+
+ + + + + +

to include system administrators and security personnel

+
+
+ +

personnel or roles to be alerted of failed security and privacy verification tests is/are defined;

+
+ + + + + + + +

alternative action(s) to be performed when anomalies are discovered are defined (if selected);

+
+ + + + + + + + + + + + + + +

Verify the correct operation of ;

+
+ + +

Perform the verification of the functions specified in SI-6a ;

+
+ + +

Alert to failed security and privacy verification tests; and

+
+ + +

+ when anomalies are discovered.

+
+
+ +

Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.

+
+ + + + + + +

+ are verified to be operating correctly;

+ +
+ + +

+ are verified to be operating correctly;

+ +
+ +
+ + + + +

+ are verified ;

+ +
+ + +

+ are verified ;

+ +
+ +
+ + + + +

+ is/are alerted to failed security verification tests;

+ +
+ + +

+ is/are alerted to failed privacy verification tests;

+ +
+ +
+ + +

+ is/are initiated when anomalies are discovered.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing security and privacy function verification

+

system design documentation

+

system configuration settings and associated documentation

+

alerts/notifications of failed security verification tests

+

list of system transition states requiring security functionality verification

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with security and privacy function verification responsibilities

+

organizational personnel implementing, operating, and maintaining the system

+

system/network administrators

+

organizational personnel with information security and privacy responsibilities

+

system developer

+
+
+ + + + +

Organizational processes for security and privacy function verification

+

mechanisms supporting and/or implementing the security and privacy function verification capability

+
+
+
+ + Software, Firmware, and Information Integrity + + + + + + + + + +

software requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

information requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
+ + + + +

actions to be taken when unauthorized changes to software are detected are defined;

+
+ + + + +

actions to be taken when unauthorized changes to firmware are detected are defined;

+
+ + + + +

actions to be taken when unauthorized changes to information are detected are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

+
+ + +

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

+
+
+ +

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

+
+ + + + + + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ + +

integrity verification tools are employed to detect unauthorized changes to ;

+ +
+ +
+ + + + +

+ are taken when unauthorized changes to the software, are detected;

+ +
+ + +

+ are taken when unauthorized changes to the firmware are detected;

+ +
+ + +

+ are taken when unauthorized changes to the information are detected.

+ +
+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

personally identifiable information processing policy

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes

+

system audit records

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security and privacy responsibilities

+

system/network administrators

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+
+
+ + Integrity Checks + + + + + + + + + + +

selection to include security relevant event

+
+
+ + + + + +

at least monthly

+
+
+ + + + +

software on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (on software) is defined (if selected);

+
+ + + + +

firmware on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (on firmware) is defined (if selected);

+
+ + + + +

information on which an integrity check is to be performed is defined;

+
+ + + + + + + +

transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);

+
+ + + + +

frequency with which to perform an integrity check (of information) is defined (if selected);

+
+ + + + + + + + +

Perform an integrity check of + .

+
+ +

Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

+
+ + + + +

an integrity check of is performed ;

+ +
+ + +

an integrity check of is performed ;

+ +
+ + +

an integrity check of is performed .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity testing

+

system design documentation

+

system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records of integrity scans

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Software, firmware, and information integrity verification tools

+
+
+
+ + Integration of Detection and Response + + + +

security-relevant changes to the system are defined;

+
+ + + + + + + + + + + + + +

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

+
+ +

Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.

+
+ + +

the detection of are incorporated into the organizational incident response capability.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing software, firmware, and information integrity

+

procedures addressing incident response

+

system design documentation

+

system configuration settings and associated documentation

+

incident response records

+

audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+
+
+ + + + +

Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability

+

software, firmware, and information integrity verification tools

+

mechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability

+
+
+
+
+ + Spam Protection + + + + + + + + + + + + + + + +

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

+
+ + +

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

+
+ + SI-8 Additional FedRAMP Requirements and Guidance + + +

When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

+

https://cyber.dhs.gov/bod/18-01/

+
+ + +

CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

+
+
+
+ +

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

+
+ + + + + + +

spam protection mechanisms are employed at system entry points to detect unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system exit points to detect unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system entry points to act on unsolicited messages;

+ +
+ + +

spam protection mechanisms are employed at system exit points to act on unsolicited messages;

+ +
+ +
+ + +

spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

configuration management policies and procedures (CM-01)

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for implementing spam protection

+

mechanisms supporting and/or implementing spam protection

+
+
+ + Automatic Updates + + + +

the frequency at which to automatically update spam protection mechanisms is defined;

+
+ + + + + + + +

Automatically update spam protection mechanisms .

+
+ +

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.

+
+ + +

spam protection mechanisms are automatically updated .

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for spam protection

+

mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

+
+
+
+
+ + Information Input Validation + + + +

information inputs to the system requiring validity checks are defined;

+
+ + + + + + + + +

Check the validity of the following information inputs: .

+ + SI-10 Additional FedRAMP Requirements and Guidance + + +

Validate all information inputs and document any exceptions

+
+
+
+ +

Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, + abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

+
+ + +

the validity of the is checked.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

access control policy and procedures

+

separation of duties policy and procedures

+

procedures addressing information input validation

+

documentation for automated tools and applications to verify the validity of information

+

list of information inputs requiring validity checks

+

system design documentation

+

system configuration settings and associated documentation

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Mechanisms supporting and/or implementing validity checks on information inputs

+
+
+
+ + Error Handling + + + + +

to include the ISSO and/or similar role within the organization

+
+
+ +

personnel or roles to whom error messages are to be revealed is/are defined;

+
+ + + + + + + + + + + + + +

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

+
+ + +

Reveal error messages only to .

+
+
+ +

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

+
+ + + + +

error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;

+ +
+ + +

error messages are revealed only to .

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing system error handling

+

system design documentation

+

system configuration settings and associated documentation

+

documentation providing the structure and content of error messages

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Organizational processes for error handling

+

automated mechanisms supporting and/or implementing error handling

+

automated mechanisms supporting and/or implementing the management of error messages

+
+
+
+ + Information Management and Retention + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

+
+ +

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

+
+ + + + +

information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

+ +
+ + +

information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.

+ +
+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

personally identifiable information processing policy

+

records retention and disposition policy

+

records retention and disposition procedures

+

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention

+

media protection policy

+

media protection procedures

+

audit findings

+

system security plan

+

privacy plan

+

privacy program plan

+

personally identifiable information inventory

+

privacy impact assessment

+

privacy risk assessment documentation

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information and records management, retention, and disposition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

network administrators

+
+
+ + + + +

Organizational processes for information management, retention, and disposition

+

automated mechanisms supporting and/or implementing information management, retention, and disposition

+
+
+
+ + Memory Protection + + + +

controls to be implemented to protect the system memory from unauthorized code execution are defined;

+
+ + + + + + + + + + +

Implement the following controls to protect the system memory from unauthorized code execution: .

+
+ +

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

+
+ + +

+ are implemented to protect the system memory from unauthorized code execution.

+ +
+ + + + +

System and information integrity policy

+

system and information integrity procedures

+

procedures addressing memory protection for the system

+

system design documentation

+

system configuration settings and associated documentation

+

list of security safeguards protecting system memory from unauthorized code execution

+

system audit records

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel responsible for memory protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+
+ + + + +

Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution

+
+
+
+
+ + Supply Chain Risk Management + + Policy and Procedures + + + + +

to include chief privacy and ISSO and/or similar role or designees

+
+
+ + + + +

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

+
+ + + + +

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

+
+ + + + + + + +

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

+
+ + + + + +

at least every 3 years

+
+
+ +

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

+
+ + + + +

events that require the current supply chain risk management policy to be reviewed and updated are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

+
+ + + + + +

significant changes

+
+
+ +

events that require the supply chain risk management procedures to be reviewed and updated are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Develop, document, and disseminate to :

+ + +

+ supply chain risk management policy that:

+ + +

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + +

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

+
+
+ + +

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

+
+
+ + +

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

+
+ + +

Review and update the current supply chain risk management:

+ + +

Policy and following ; and

+
+ + +

Procedures and following .

+
+
+
+ +

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

+
+ + + + + + +

a supply chain risk management policy is developed and documented;

+ +
+ + +

the supply chain risk management policy is disseminated to ;

+ +
+ + +

supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;

+ +
+ + +

the supply chain risk management procedures are disseminated to .

+ +
+ + + + + + +

the supply chain risk management policy addresses purpose;

+ +
+ + +

the supply chain risk management policy addresses scope;

+ +
+ + +

+ supply chain risk management policy addresses roles;

+ +
+ + +

the supply chain risk management policy addresses responsibilities;

+ +
+ + +

the supply chain risk management policy addresses management commitment;

+ +
+ + +

the supply chain risk management policy addresses coordination among organizational entities;

+ +
+ + +

the supply chain risk management policy addresses compliance.

+ +
+ +
+ + +

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+ +
+ +
+ +
+ + +

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

+ +
+ + + + + + +

the current supply chain risk management policy is reviewed and updated ;

+ +
+ + +

the current supply chain risk management policy is reviewed and updated following ;

+ +
+ +
+ + + + +

the current supply chain risk management procedures are reviewed and updated ;

+ +
+ + +

the current supply chain risk management procedures are reviewed and updated following .

+ +
+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with supply chain risk management responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with enterprise risk management responsibilities

+
+
+
+ + Supply Chain Risk Management Plan + + + +

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

+
+ + + + + +

at least annually

+
+
+ +

the frequency at which to review and update the supply chain risk management plan is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

+
+ + +

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

+
+ + +

Protect the supply chain risk management plan from unauthorized disclosure and modification.

+
+
+ +

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

+

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

+
+ + + + + + +

a plan for managing supply chain risks is developed;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the research and development of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the design of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the manufacturing of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the acquisition of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the delivery of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the integration of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

+ +
+ + +

the supply chain risk management plan addresses risks associated with the disposal of ;

+ +
+ +
+ + +

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

+ +
+ + + + +

the supply chain risk management plan is protected from unauthorized disclosure;

+ +
+ + +

the supply chain risk management plan is protected from unauthorized modification.

+ +
+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification

+

system development life cycle procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

list of supply chain threats

+

list of safeguards to be taken against supply chain threats

+

system life cycle documentation

+

inter-organizational agreements and procedures

+

system security plan

+

privacy plan

+

privacy program plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and documenting the system development life cycle (SDLC)

+

organizational processes for identifying SDLC roles and responsibilities

+

organizational processes for integrating supply chain risk management into the SDLC

+

mechanisms supporting and/or implementing the SDLC

+
+
+ + Establish SCRM Team + + + +

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

+
+ + + + +

supply chain risk management activities are defined;

+
+ + + + + + + + +

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

+
+ +

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

+
+ + +

a supply chain risk management team consisting of is established to lead and support .

+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management team charter documentation

+

supply chain risk management strategy

+

supply chain risk management implementation plan

+

procedures addressing supply chain protection

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with enterprise risk management responsibilities

+

legal counsel

+

organizational personnel with business continuity responsibilities

+
+
+
+
+ + Supply Chain Controls and Processes + + + +

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

+
+ + + + +

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

+
+ + + + +

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

+
+ + + + + + + +

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

+
+ + +

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

+
+ + +

Document the selected and implemented supply chain processes and controls in .

+
+ + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+
+
+
+ +

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

+
+ + + + + + +

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

+ +
+ + +

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

+ +
+ +
+ + +

+ are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

+ +
+ + +

the selected and implemented supply chain processes and controls are documented in .

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management strategy

+

supply chain risk management plan

+

systems and critical system components inventory documentation

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems or services

+

risk register documentation

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for identifying and addressing supply chain element and process deficiencies

+
+
+
+ + Acquisition Strategies, Tools, and Methods + + + +

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

+
+ +

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

+
+ + + + +

+ are employed to protect against supply chain risks;

+ +
+ + +

+ are employed to identify supply chain risks;

+ +
+ + +

+ are employed to mitigate supply chain risks.

+ +
+ +
+ + + + +

Supply chain risk management policy

+

supply chain risk management procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

system and services acquisition procedures

+

procedures addressing supply chain protection

+

procedures addressing the integration of information security and privacy requirements into the acquisition process

+

solicitation documentation

+

acquisition documentation (including purchase orders)

+

service level agreements

+

acquisition contracts for systems, system components, or services

+

documentation of training, education, and awareness programs for personnel regarding supply chain risk

+

system security plan

+

privacy plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with acquisition responsibilities

+

organizational personnel with information security and privacy responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods

+

mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods

+
+
+
+ + Supplier Assessments and Reviews + + + + +

at least annually

+
+
+ +

the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;

+
+ + + + + + + + + + + + + + + + + + + + + + +

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

+ + SR-6 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

+
+
+
+ +

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

+
+ + +

the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management strategy

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

procedures addressing the integration of information security requirements into the acquisition process

+

records of supplier due diligence reviews

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain protection responsibilities

+
+
+ + + + +

Organizational processes for conducting supplier reviews

+

mechanisms supporting and/or implementing supplier reviews

+
+
+
+ + Notification Agreements + + + +

notification of supply chain compromises and results of assessment or audits

+
+
+ + + + + +

information for which agreements and procedures are to be established are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

+ + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+
+
+
+ +

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

+
+ + +

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

procedures addressing supply chain protection

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+
+
+
+ + Inspection of Systems or Components + + + +

systems or system components that require inspection are defined;

+
+ + + + + + + +

frequency at which to inspect systems or system components is defined (if selected);

+
+ + + + +

indications of the need for an inspection of systems or system components are defined (if selected);

+
+ + + + + + + + + + + + + + + + + +

Inspect the following systems or system components to detect tampering: .

+
+ +

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

+
+ + +

+ are inspected to detect tampering.

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

records of random inspections

+

inspection reports/results

+

assessment reports/results

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational processes to inspect for tampering

+
+
+
+ + Component Authenticity + + + + + + +

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + +

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

+
+ + + + + + + + + + + + + + + +

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

+
+ + +

Report counterfeit system components to .

+
+ + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+
+
+
+ +

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

+
+ + + + + + +

an anti-counterfeit policy is developed and implemented;

+ +
+ + +

anti-counterfeit procedures are developed and implemented;

+ +
+ + +

the anti-counterfeit procedures include the means to detect counterfeit components entering the system;

+ +
+ + +

the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;

+ +
+ +
+ + +

counterfeit system components are reported to .

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system, system component, or system service

+

inter-organizational agreements and procedures

+

records of reported counterfeit system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and service acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting

+
+
+ + + + +

Organizational processes for counterfeit prevention, detection, and reporting

+

mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting

+
+
+ + Anti-counterfeit Training + + + +

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

+
+ + + + + + + + + +

Train to detect counterfeit system components (including hardware, software, and firmware).

+
+ +

None.

+
+ + +

+ are trained to detect counterfeit system components (including hardware, software, and firmware).

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

system and services acquisition policy

+

anti-counterfeit plan

+

anti-counterfeit policy and procedures

+

media disposal policy

+

media protection policy

+

incident response policy

+

training materials addressing counterfeit system components

+

training records on the detection and prevention of counterfeit components entering the system

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training

+
+
+ + + + +

Organizational processes for anti-counterfeit training

+
+
+
+ + Configuration Control for Component Service and Repair + + + + +

all

+
+
+ +

system components requiring configuration control are defined;

+
+ + + + + + + + + + + + +

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

+
+ +

None.

+
+ + + + +

configuration control over awaiting service or repair is maintained;

+ +
+ + +

configuration control over serviced or repaired awaiting return to service is maintained.

+ +
+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

configuration control procedures

+

acquisition documentation

+

service level agreements

+

acquisition contracts for the system component

+

inter-organizational agreements and procedures

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain risk management responsibilities

+
+
+ + + + +

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

+

organizational configuration control processes

+
+
+
+
+ + Component Disposal + + + +

data, documentation, tools, or system components to be disposed of are defined;

+
+ + + + +

techniques and methods for disposing of data, documentation, tools, or system components are defined;

+
+ + + + + + + + +

Dispose of using the following techniques and methods: .

+
+ +

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

+
+ + +

+ are disposed of using .

+ +
+ + + + +

Supply chain risk management policy and procedures

+

supply chain risk management plan

+

disposal procedures addressing supply chain protection

+

media disposal policy

+

media protection policy

+

disposal records for system components

+

documentation of the system components identified for disposal

+

documentation of the disposal techniques and methods employed for system components

+

system security plan

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system component disposal responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with supply chain protection responsibilities

+
+
+ + + + +

Organizational techniques and methods for system component disposal

+

mechanisms supporting and/or implementing system component disposal

+
+
+
+
+ + 32 CFR 2002 + + Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). + + + + + 41 CFR 201 + + + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + + + 5 CFR 731 + + Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). + + + + + CNSSD 505 + + Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. + + + + + CNSSI 1253 + + Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. + + + + + DHS TIC + + Department of Homeland Security, Trusted Internet Connections (TIC). + + + + + DOD STIG + + Defense Information Systems Agency, Security Technical Implementation Guides (STIG). + + + + + EO 13526 + + Executive Order 13526, Classified National Security Information , December 2009. + + + + + EO 13556 + + Executive Order 13556, Controlled Unclassified Information , November 2010. + + + + + EO 13587 + + Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. + + + + + EO 13873 + + Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. + + + + + FASC18 + + Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018. + + + + + FED PKI + + General Services Administration, Federal Public Key Infrastructure. + + + + + FIPS 140-3 + + National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. + + + + + FIPS 180-4 + + National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. + + + + + FIPS 186-4 + + National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. + + + + + FIPS 197 + + National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. + + + + + FIPS 199 + + National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. + + + + + FIPS 200 + + National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. + + + + + FIPS 201-2 + + National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. + + + + + FIPS 202 + + National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. + + + + + FISMA + + Federal Information Security Modernization Act (P.L. 113-283), December 2014. + + + + + HSPD 12 + + Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004. + + + + + IETF 5905 + + Internet Engineering Task Force (IETF), Request for Comments: 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification , June 2010. + + + + + IR 7539 + + Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. + + + + + IR 7559 + + Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. + + + + + IR 7622 + + Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. + + + + + IR 7676 + + Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + + + + + IR 7788 + + Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. + + + + + IR 7817 + + Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + + + + + IR 7849 + + Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. + + + + + IR 7870 + + Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. + + + + + IR 7874 + + Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. + + + + + IR 7956 + + Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. + + + + + IR 7966 + + Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. + + + + + IR 8011-1 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1. + + + + + IR 8011-2 + + Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. + + + + + IR 8011-3 + + Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. + + + + + IR 8011-4 + + Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4. + + + + + IR 8023 + + Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. + + + + + IR 8040 + + Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. + + + + + IR 8062 + + Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. + + + + + IR 8112 + + Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112. + + + + + IR 8179 + + Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. + + + + + IR 8272 + + Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272. + + + + + ISO 15408-1 + + International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. + + + + + ISO 15408-2 + + International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. + + + + + ISO 15408-3 + + International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. + + + + + ISO 20243 + + International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. + + + + + ISO 27036 + + International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. + + + + + ISO 29147 + + International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. + + + + + ISO 29148 + + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. + + + + + NARA CUI + + National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. + + + + + NCPR + + National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at + + + + + NIAP CCEVS + + National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. + + + + + NIST CAVP + + National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at + + + + + NIST CMVP + + National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at + + + + + NSA CSFC + + National Security Agency, Commercial Solutions for Classified Program (CSfC). + + + + + NSA MEDIA + + National Security Agency, Media Destruction Guidance. + + + + + ODNI CTF + + Office of the Director of National Intelligence (ODNI) Cyber Threat Framework. + + + + + OMB A-130 + + Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. + + + + + OMB M-17-12 + + Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. + + + + + OMB M-19-03 + + Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. + + + + + PRIVACT + + Privacy Act (P.L. 93-579), December 1974. + + + + + SP 800-100 + + Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. + + + + + SP 800-101 + + Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. + + + + + SP 800-111 + + Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + + + + + SP 800-113 + + Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. + + + + + SP 800-114 + + Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. + + + + + SP 800-115 + + Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. + + + + + SP 800-116 + + Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. + + + + + SP 800-121 + + Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. + + + + + SP 800-124 + + Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. + + + + + SP 800-125B + + Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + + + + + SP 800-126 + + Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. + + + + + SP 800-128 + + Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. + + + + + SP 800-12 + + Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. + + + + + SP 800-130 + + Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. + + + + + SP 800-137A + + Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. + + + + + SP 800-137 + + Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. + + + + + SP 800-147 + + Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. + + + + + SP 800-150 + + Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + + + + + SP 800-152 + + Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + + + + + SP 800-154 + + Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. + + + + + SP 800-156 + + Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. + + + + + SP 800-160-1 + + Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. + + + + + SP 800-160-2 + + Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. + + + + + SP 800-161 + + Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. + + + + + SP 800-162 + + Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. + + + + + SP 800-166 + + Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. + + + + + SP 800-167 + + Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. + + + + + SP 800-171 + + Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. + + + + + SP 800-172 + + Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172. + + + + + SP 800-177 + + Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. + + + + + SP 800-178 + + Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. + + + + + SP 800-181 + + Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. + + + + + SP 800-184 + + Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. + + + + + SP 800-189 + + Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. + + + + + SP 800-18 + + Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. + + + + + SP 800-192 + + Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. + + + + + SP 800-28 + + Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. + + + + + SP 800-30 + + Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. + + + + + SP 800-32 + + Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. + + + + + SP 800-34 + + Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + + + + + SP 800-35 + + Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. + + + + + SP 800-37 + + Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. + + + + + SP 800-39 + + Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. + + + + + SP 800-40 + + Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. + + + + + SP 800-41 + + Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. + + + + + SP 800-45 + + Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. + + + + + SP 800-46 + + Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. + + + + + SP 800-47 + + Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. + + + + + SP 800-50 + + Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. + + + + + SP 800-52 + + McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. + + + + + SP 800-53A + + Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. + + + + + SP 800-53B + + Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B. + + + + + SP 800-56A + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. + + + + + SP 800-56B + + Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. + + + + + SP 800-56C + + Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. + + + + + SP 800-57-1 + + Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. + + + + + SP 800-57-2 + + Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. + + + + + SP 800-57-3 + + Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. + + + + + SP 800-60-1 + + Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. + + + + + SP 800-60-2 + + Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. + + + + + SP 800-61 + + Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + + + + + SP 800-63-3 + + Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + + + + + SP 800-63A + + Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. + + + + + SP 800-63B + + Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020. + + + + + SP 800-70 + + Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. + + + + + SP 800-73-4 + + Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + + + + + SP 800-76-2 + + Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + + + + + SP 800-77 + + Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. + + + + + SP 800-78-4 + + Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. + + + + + SP 800-79-2 + + Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. + + + + + SP 800-81-2 + + Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. + + + + + SP 800-83 + + Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. + + + + + SP 800-84 + + Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. + + + + + SP 800-86 + + Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + + + + + SP 800-88 + + Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. + + + + + SP 800-92 + + Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. + + + + + SP 800-94 + + Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. + + + + + SP 800-95 + + Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. + + + + + SP 800-97 + + Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. + + + + + USA PATRIOT + + USA Patriot Act (P.L. 107-56), October 2001. + + + + + USC 2901 + + United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. + + + + + USCERT IR + + Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. + + + + + USGCB + + National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at + + + + + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) + + FedRAMP Applicable Laws and Regulations diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index c3b4e54a8..84d88fb21 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -3481,7 +3481,7 @@ NIST Special Publication (SP) 800-53 - +
diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml index 30826cf7b..51ecffbb3 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.yaml @@ -1,10 +1,10 @@ --- catalog: - uuid: 2c9e809f-1740-44a6-b1f2-3abfe11a0dfc + uuid: e07ece0d-7f46-4cc4-b7e2-fdf109d5541f metadata: title: FedRAMP Rev 5 High Baseline published: 2023-08-31T00:00:00Z - last-modified: 2023-12-18T20:27:34.203593-05:00 + last-modified: 2024-01-11T18:06:26.711765-05:00 version: 5.1.1+fedramp-20231218-0 oscal-version: 1.1.1 links: @@ -60,8 +60,87551 @@ catalog: - role-id: fedramp-jab party-uuids: - ca9ba80e-1342-4bfd-b32a-abac468c24b4 + groups: + - id: ac + class: family + title: Access Control + controls: + - id: ac-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ac-1_prm_1 + label: organization-defined personnel or roles + - id: ac-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control policy is to + be disseminated is/are defined; + - id: ac-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control procedures + are to be disseminated is/are defined; + - id: ac-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ac-01_odp.04 + label: official + guidelines: + - prose: an official to manage the access control policy and procedures + is defined; + - id: ac-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current access control policy + is reviewed and updated is defined; + - id: ac-01_odp.06 + label: events + guidelines: + - prose: events that would require the current access control policy + to be reviewed and updated are defined; + - id: ac-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current access control procedures + are reviewed and updated is defined; + - id: ac-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AC-1 + - name: label + value: AC-01 + class: sp800-53a + - name: sort-id + value: ac-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ia-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ac-1_smt + name: statement + parts: + - id: ac-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ac-1_prm_1 }}:" + parts: + - id: ac-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-01_odp.03 }} access control policy\ + \ that:" + parts: + - id: ac-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ac-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ac-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the access + control policy and the associated access controls; + - id: ac-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ac-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - id: ac-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current access control:" + parts: + - id: ac-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ac-01_odp.05 }} and following\ + \ {{ insert: param, ac-01_odp.06 }} ; and" + - id: ac-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ac-01_odp.07 }} and following\ + \ {{ insert: param, ac-01_odp.08 }}." + - id: ac-1_gdn + name: guidance + prose: Access control policy and procedures address the controls in + the AC family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of access control + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to access control policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ac-1_obj + name: assessment-objective + props: + - name: label + value: AC-01 + class: sp800-53a + parts: + - id: ac-1_obj.a + name: assessment-objective + props: + - name: label + value: AC-01a. + class: sp800-53a + parts: + - id: ac-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.[01] + class: sp800-53a + prose: an access control policy is developed and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.[02] + class: sp800-53a + prose: "the access control policy is disseminated to {{ insert:\ + \ param, ac-01_odp.01 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.[03] + class: sp800-53a + prose: access control procedures to facilitate the implementation + of the access control policy and associated controls are developed + and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.[04] + class: sp800-53a + prose: "the access control procedures are disseminated to {{\ + \ insert: param, ac-01_odp.02 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-01a.01 + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AC-01a.01(a) + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses purpose;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses scope;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses roles;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses responsibilities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses management commitment;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses compliance;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access control\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ac-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1" + rel: assessment-for + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.b + name: assessment-objective + props: + - name: label + value: AC-01b. + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures;" + links: + - href: "#ac-1_smt.b" + rel: assessment-for + - id: ac-1_obj.c + name: assessment-objective + props: + - name: label + value: AC-01c. + class: sp800-53a + parts: + - id: ac-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-01c.01 + class: sp800-53a + parts: + - id: ac-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AC-01c.01[01] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated {{ insert: param, ac-01_odp.05 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AC-01c.01[02] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated following {{ insert: param, ac-01_odp.06 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-01c.02 + class: sp800-53a + parts: + - id: ac-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AC-01c.02[01] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated {{ insert: param, ac-01_odp.07 }};" + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + - id: ac-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AC-01c.02[02] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated following {{ insert: param, ac-01_odp.08\ + \ }}." + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c" + rel: assessment-for + links: + - href: "#ac-1_smt" + rel: assessment-for + - id: ac-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access control + responsibilities + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2 + class: SP800-53 + title: Account Management + params: + - id: ac-02_odp.01 + label: prerequisites and criteria + guidelines: + - prose: prerequisites and criteria for group and role membership + are defined; + - id: ac-02_odp.02 + label: attributes (as required) + guidelines: + - prose: attributes (as required) for each account are defined; + - id: ac-02_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles required to approve requests to create + accounts is/are defined; + - id: ac-02_odp.04 + label: policy, procedures, prerequisites, and criteria + guidelines: + - prose: policy, procedures, prerequisites, and criteria for account + creation, enabling, modification, disabling, and removal are defined; + - id: ac-02_odp.05 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified is/are defined; + - id: ac-02_odp.06 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify account managers when + accounts are no longer required is defined; + - id: ac-02_odp.07 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: "time period within which to notify account managers when\ + \ users are terminated or transferred is defined; " + - id: ac-02_odp.08 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: time period within which to notify account managers when + system usage or the need to know changes for an individual is + defined; + - id: ac-02_odp.09 + label: attributes (as required) + guidelines: + - prose: attributes needed to authorize system access (as required) + are defined; + - id: ac-02_odp.10 + label: frequency + constraints: + - description: monthly for privileged accessed, every six (6) months + for non-privileged access + guidelines: + - prose: the frequency of account review is defined; + props: + - name: label + value: AC-2 + - name: label + value: AC-02 + class: sp800-53a + - name: sort-id + value: ac-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#53df282b-8b3f-483a-bad1-6a8b8ac00114" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-24" + rel: related + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ac-2_smt + name: statement + parts: + - id: ac-2_smt.a + name: item + props: + - name: label + value: a. + prose: Define and document the types of accounts allowed and specifically + prohibited for use within the system; + - id: ac-2_smt.b + name: item + props: + - name: label + value: b. + prose: Assign account managers; + - id: ac-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require {{ insert: param, ac-02_odp.01 }} for group and\ + \ role membership;" + - id: ac-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Specify:" + parts: + - id: ac-2_smt.d.1 + name: item + props: + - name: label + value: "1." + prose: Authorized users of the system; + - id: ac-2_smt.d.2 + name: item + props: + - name: label + value: "2." + prose: Group and role membership; and + - id: ac-2_smt.d.3 + name: item + props: + - name: label + value: "3." + prose: "Access authorizations (i.e., privileges) and {{ insert:\ + \ param, ac-02_odp.02 }} for each account;" + - id: ac-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Require approvals by {{ insert: param, ac-02_odp.03 }} for\ + \ requests to create accounts;" + - id: ac-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Create, enable, modify, disable, and remove accounts in\ + \ accordance with {{ insert: param, ac-02_odp.04 }};" + - id: ac-2_smt.g + name: item + props: + - name: label + value: g. + prose: Monitor the use of accounts; + - id: ac-2_smt.h + name: item + props: + - name: label + value: h. + prose: "Notify account managers and {{ insert: param, ac-02_odp.05\ + \ }} within:" + parts: + - id: ac-2_smt.h.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-02_odp.06 }} when accounts are\ + \ no longer required;" + - id: ac-2_smt.h.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, ac-02_odp.07 }} when users are terminated\ + \ or transferred; and" + - id: ac-2_smt.h.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.08 }} when system usage\ + \ or need-to-know changes for an individual;" + - id: ac-2_smt.i + name: item + props: + - name: label + value: i. + prose: "Authorize access to the system based on:" + parts: + - id: ac-2_smt.i.1 + name: item + props: + - name: label + value: "1." + prose: A valid access authorization; + - id: ac-2_smt.i.2 + name: item + props: + - name: label + value: "2." + prose: Intended system usage; and + - id: ac-2_smt.i.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.09 }};" + - id: ac-2_smt.j + name: item + props: + - name: label + value: j. + prose: "Review accounts for compliance with account management requirements\ + \ {{ insert: param, ac-02_odp.10 }};" + - id: ac-2_smt.k + name: item + props: + - name: label + value: k. + prose: Establish and implement a process for changing shared or + group account authenticators (if deployed) when individuals are + removed from the group; and + - id: ac-2_smt.l + name: item + props: + - name: label + value: l. + prose: Align account management processes with personnel termination + and transfer processes. + - id: ac-2_gdn + name: guidance + prose: >- + Examples of system account types include individual, shared, + group, system, guest, anonymous, emergency, developer, + temporary, and service. Identification of authorized system + users and the specification of access privileges reflect the + requirements in other controls in the security plan. Users + requiring administrative privileges on system accounts receive + additional scrutiny by organizational personnel responsible for + approving such accounts and privileged access, including system + owner, mission or business owner, senior agency information + security officer, or senior agency official for privacy. Types + of accounts that organizations may wish to prohibit due to + increased risk include shared, group, emergency, anonymous, + temporary, and guest accounts. + + + Where access involves personally identifiable information, security + programs collaborate with the senior agency official for privacy to + establish the specific conditions for group and role membership; specify + authorized users, group and role membership, and access authorizations + for each account; and create, adjust, or remove system accounts in + accordance with organizational policies. Policies can include such + information as account expiration dates or other factors that trigger + the disabling of accounts. Organizations may choose to define access + privileges or other attributes by account, type of account, or a combination + of the two. Examples of other attributes required for authorizing + access include restrictions on time of day, day of week, and point + of origin. In defining other system account attributes, organizations + consider system-related requirements and mission/business requirements. + Failure to consider these factors could affect system availability. + + + Temporary and emergency accounts are intended for short-term use. + Organizations establish temporary accounts as part of normal account + activation procedures when there is a need for short-term accounts + without the demand for immediacy in account activation. Organizations + establish emergency accounts in response to crisis situations and + with the need for rapid account activation. Therefore, emergency account + activation may bypass normal account authorization processes. Emergency + and temporary accounts are not to be confused with infrequently used + accounts, including local logon accounts used for special tasks or + when network resources are unavailable (may also be known as accounts + of last resort). Such accounts remain available and are not subject + to automatic disabling or removal dates. Conditions for disabling + or deactivating accounts include when shared/group, emergency, or + temporary accounts are no longer required and when individuals are + transferred or terminated. Changing shared/group authenticators when + members leave the group is intended to ensure that former group members + do not retain access to the shared or group account. Some types of + system accounts may require specialized training. + - id: ac-2_obj + name: assessment-objective + props: + - name: label + value: AC-02 + class: sp800-53a + parts: + - id: ac-2_obj.a + name: assessment-objective + props: + - name: label + value: AC-02a. + class: sp800-53a + parts: + - id: ac-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-02a.[01] + class: sp800-53a + prose: account types allowed for use within the system are defined + and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-02a.[02] + class: sp800-53a + prose: account types specifically prohibited for use within + the system are defined and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.b + name: assessment-objective + props: + - name: label + value: AC-02b. + class: sp800-53a + prose: account managers are assigned; + links: + - href: "#ac-2_smt.b" + rel: assessment-for + - id: ac-2_obj.c + name: assessment-objective + props: + - name: label + value: AC-02c. + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.01 }} for group and role membership\ + \ are required;" + links: + - href: "#ac-2_smt.c" + rel: assessment-for + - id: ac-2_obj.d + name: assessment-objective + props: + - name: label + value: AC-02d. + class: sp800-53a + parts: + - id: ac-2_obj.d.1 + name: assessment-objective + props: + - name: label + value: AC-02d.01 + class: sp800-53a + prose: authorized users of the system are specified; + links: + - href: "#ac-2_smt.d.1" + rel: assessment-for + - id: ac-2_obj.d.2 + name: assessment-objective + props: + - name: label + value: AC-02d.02 + class: sp800-53a + prose: group and role membership are specified; + links: + - href: "#ac-2_smt.d.2" + rel: assessment-for + - id: ac-2_obj.d.3 + name: assessment-objective + props: + - name: label + value: AC-02d.03 + class: sp800-53a + parts: + - id: ac-2_obj.d.3-1 + name: assessment-objective + props: + - name: label + value: AC-02d.03[01] + class: sp800-53a + prose: access authorizations (i.e., privileges) are specified + for each account; + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + - id: ac-2_obj.d.3-2 + name: assessment-objective + props: + - name: label + value: AC-02d.03[02] + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.02 }} are specified\ + \ for each account;" + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d" + rel: assessment-for + - id: ac-2_obj.e + name: assessment-objective + props: + - name: label + value: AC-02e. + class: sp800-53a + prose: "approvals are required by {{ insert: param, ac-02_odp.03\ + \ }} for requests to create accounts;" + links: + - href: "#ac-2_smt.e" + rel: assessment-for + - id: ac-2_obj.f + name: assessment-objective + props: + - name: label + value: AC-02f. + class: sp800-53a + parts: + - id: ac-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: AC-02f.[01] + class: sp800-53a + prose: "accounts are created in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: AC-02f.[02] + class: sp800-53a + prose: "accounts are enabled in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-3 + name: assessment-objective + props: + - name: label + value: AC-02f.[03] + class: sp800-53a + prose: "accounts are modified in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-4 + name: assessment-objective + props: + - name: label + value: AC-02f.[04] + class: sp800-53a + prose: "accounts are disabled in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-5 + name: assessment-objective + props: + - name: label + value: AC-02f.[05] + class: sp800-53a + prose: "accounts are removed in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.g + name: assessment-objective + props: + - name: label + value: AC-02g. + class: sp800-53a + prose: "the use of accounts is monitored; " + links: + - href: "#ac-2_smt.g" + rel: assessment-for + - id: ac-2_obj.h + name: assessment-objective + props: + - name: label + value: AC-02h. + class: sp800-53a + parts: + - id: ac-2_obj.h.1 + name: assessment-objective + props: + - name: label + value: AC-02h.01 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.06 }}\ + \ when accounts are no longer required;" + links: + - href: "#ac-2_smt.h.1" + rel: assessment-for + - id: ac-2_obj.h.2 + name: assessment-objective + props: + - name: label + value: AC-02h.02 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.07 }}\ + \ when users are terminated or transferred;" + links: + - href: "#ac-2_smt.h.2" + rel: assessment-for + - id: ac-2_obj.h.3 + name: assessment-objective + props: + - name: label + value: AC-02h.03 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.08 }}\ + \ when system usage or the need to know changes for an individual;" + links: + - href: "#ac-2_smt.h.3" + rel: assessment-for + links: + - href: "#ac-2_smt.h" + rel: assessment-for + - id: ac-2_obj.i + name: assessment-objective + props: + - name: label + value: AC-02i. + class: sp800-53a + parts: + - id: ac-2_obj.i.1 + name: assessment-objective + props: + - name: label + value: AC-02i.01 + class: sp800-53a + prose: access to the system is authorized based on a valid access + authorization; + links: + - href: "#ac-2_smt.i.1" + rel: assessment-for + - id: ac-2_obj.i.2 + name: assessment-objective + props: + - name: label + value: AC-02i.02 + class: sp800-53a + prose: access to the system is authorized based on intended + system usage; + links: + - href: "#ac-2_smt.i.2" + rel: assessment-for + - id: ac-2_obj.i.3 + name: assessment-objective + props: + - name: label + value: AC-02i.03 + class: sp800-53a + prose: "access to the system is authorized based on {{ insert:\ + \ param, ac-02_odp.09 }};" + links: + - href: "#ac-2_smt.i.3" + rel: assessment-for + links: + - href: "#ac-2_smt.i" + rel: assessment-for + - id: ac-2_obj.j + name: assessment-objective + props: + - name: label + value: AC-02j. + class: sp800-53a + prose: "accounts are reviewed for compliance with account management\ + \ requirements {{ insert: param, ac-02_odp.10 }};" + links: + - href: "#ac-2_smt.j" + rel: assessment-for + - id: ac-2_obj.k + name: assessment-objective + props: + - name: label + value: AC-02k. + class: sp800-53a + parts: + - id: ac-2_obj.k-1 + name: assessment-objective + props: + - name: label + value: AC-02k.[01] + class: sp800-53a + prose: a process is established for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.k-2 + name: assessment-objective + props: + - name: label + value: AC-02k.[02] + class: sp800-53a + prose: a process is implemented for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.l + name: assessment-objective + props: + - name: label + value: AC-02l. + class: sp800-53a + parts: + - id: ac-2_obj.l-1 + name: assessment-objective + props: + - name: label + value: AC-02l.[01] + class: sp800-53a + prose: account management processes are aligned with personnel + termination processes; + links: + - href: "#ac-2_smt.l" + rel: assessment-for + - id: ac-2_obj.l-2 + name: assessment-objective + props: + - name: label + value: AC-02l.[02] + class: sp800-53a + prose: account management processes are aligned with personnel + transfer processes. + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt" + rel: assessment-for + - id: ac-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + personnel termination policy and procedure + + + personnel transfer policy and procedure + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + list of active system accounts along with the name of the individual + associated with each account + + + list of recently disabled system accounts and the name of the + individual associated with each account + + + list of conditions for group and role membership + + + notifications of recent transfers, separations, or terminations + of employees + + + access authorization records + + + account management compliance reviews + + + system monitoring records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ac-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for account management on the + system + + + mechanisms for implementing account management + controls: + - id: ac-2.1 + class: SP800-53-enhancement + title: Automated System Account Management + params: + - id: ac-02.01_odp + label: automated mechanisms + guidelines: + - prose: "automated mechanisms used to support the management\ + \ of system accounts are defined; " + props: + - name: label + value: AC-2(1) + - name: label + value: AC-02(01) + class: sp800-53a + - name: sort-id + value: ac-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.1_smt + name: statement + prose: "Support the management of system accounts using {{ insert:\ + \ param, ac-02.01_odp }}." + - id: ac-2.1_gdn + name: guidance + prose: Automated system account management includes using automated + mechanisms to create, enable, modify, disable, and remove accounts; + notify account managers when an account is created, enabled, modified, + disabled, or removed, or when users are terminated or transferred; + monitor system account usage; and report atypical system account + usage. Automated mechanisms can include internal system functions + and email, telephonic, and text messaging notifications. + - id: ac-2.1_obj + name: assessment-objective + props: + - name: label + value: AC-02(01) + class: sp800-53a + prose: "the management of system accounts is supported using {{\ + \ insert: param, ac-02.01_odp }}." + links: + - href: "#ac-2.1_smt" + rel: assessment-for + - id: ac-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security responsibilities + + + system developers + - id: ac-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms for implementing account management + functions + - id: ac-2.2 + class: SP800-53-enhancement + title: Automated Temporary and Emergency Account Management + params: + - id: ac-02.02_odp.01 + constraints: + - description: "Selection: disables" + select: + choice: + - remove + - disable + - id: ac-02.02_odp.02 + label: time period + constraints: + - description: no more than 24 hours from last use + guidelines: + - prose: the time period after which to automatically remove or + disable temporary or emergency accounts is defined; + props: + - name: label + value: AC-2(2) + - name: label + value: AC-02(02) + class: sp800-53a + - name: sort-id + value: ac-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.2_smt + name: statement + prose: "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary\ + \ and emergency accounts after {{ insert: param, ac-02.02_odp.02\ + \ }}." + - id: ac-2.2_gdn + name: guidance + prose: Management of temporary and emergency accounts includes the + removal or disabling of such accounts automatically after a predefined + time period rather than at the convenience of the system administrator. + Automatic removal or disabling of accounts provides a more consistent + implementation. + - id: ac-2.2_obj + name: assessment-objective + props: + - name: label + value: AC-02(02) + class: sp800-53a + prose: "temporary and emergency accounts are automatically {{ insert:\ + \ param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02\ + \ }}." + links: + - href: "#ac-2.2_smt" + rel: assessment-for + - id: ac-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of temporary accounts removed and/or + disabled + + + system-generated list of emergency accounts removed and/or + disabled + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security responsibilities + + + system developers + - id: ac-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms for implementing account management + functions + - id: ac-2.3 + class: SP800-53-enhancement + title: Disable Accounts + params: + - id: ac-02.03_odp.01 + label: time period + constraints: + - description: 24 hours for user accounts + guidelines: + - prose: time period within which to disable accounts is defined; + - id: ac-02.03_odp.02 + label: time period + constraints: + - description: thirty-five (35) days (See additional requirements + and guidance.) + guidelines: + - prose: time period for account inactivity before disabling is + defined; + props: + - name: label + value: AC-2(3) + - name: label + value: AC-02(03) + class: sp800-53a + - name: sort-id + value: ac-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.3_smt + name: statement + prose: "Disable accounts within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts:" + parts: + - id: ac-2.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Have expired; + - id: ac-2.3_smt.b + name: item + props: + - name: label + value: (b) + prose: Are no longer associated with a user or individual; + - id: ac-2.3_smt.c + name: item + props: + - name: label + value: (c) + prose: Are in violation of organizational policy; or + - id: ac-2.3_smt.d + name: item + props: + - name: label + value: (d) + prose: "Have been inactive for {{ insert: param, ac-02.03_odp.02\ + \ }}." + - id: ac-2.3_fr + name: item + title: AC-2 (3) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines the time period for + non-user accounts (e.g., accounts associated with devices). + The time periods are approved and accepted by the JAB/AO. + Where user management is a function of the service, reports + of activity of consumer users shall be made available. + - id: ac-2.3_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: The service provider defines the time period of inactivity + for device identifiers. + - id: ac-2.3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For DoD clouds, see DoD cloud website for specific + DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/. + - id: ac-2.3_gdn + name: guidance + prose: Disabling expired, inactive, or otherwise anomalous accounts + supports the concepts of least privilege and least functionality + which reduce the attack surface of the system. + - id: ac-2.3_obj + name: assessment-objective + props: + - name: label + value: AC-02(03) + class: sp800-53a + parts: + - id: ac-2.3_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(03)(a) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts have expired;" + links: + - href: "#ac-2.3_smt.a" + rel: assessment-for + - id: ac-2.3_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(03)(b) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts are no longer associated with a user\ + \ or individual;" + links: + - href: "#ac-2.3_smt.b" + rel: assessment-for + - id: ac-2.3_obj.c + name: assessment-objective + props: + - name: label + value: AC-02(03)(c) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts are in violation of organizational\ + \ policy;" + links: + - href: "#ac-2.3_smt.c" + rel: assessment-for + - id: ac-2.3_obj.d + name: assessment-objective + props: + - name: label + value: AC-02(03)(d) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts have been inactive for {{ insert: param,\ + \ ac-02.03_odp.02 }}." + links: + - href: "#ac-2.3_smt.d" + rel: assessment-for + links: + - href: "#ac-2.3_smt" + rel: assessment-for + - id: ac-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of accounts removed + + + system-generated list of emergency accounts disabled + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms for implementing account management functions + - id: ac-2.4 + class: SP800-53-enhancement + title: Automated Audit Actions + props: + - name: label + value: AC-2(4) + - name: label + value: AC-02(04) + class: sp800-53a + - name: sort-id + value: ac-02.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + parts: + - id: ac-2.4_smt + name: statement + prose: Automatically audit account creation, modification, enabling, + disabling, and removal actions. + - id: ac-2.4_gdn + name: guidance + prose: Account management audit records are defined in accordance + with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance + with [AU-6](#au-6). + - id: ac-2.4_obj + name: assessment-objective + props: + - name: label + value: AC-02(04) + class: sp800-53a + parts: + - id: ac-2.4_obj-1 + name: assessment-objective + props: + - name: label + value: AC-02(04)[01] + class: sp800-53a + prose: account creation is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-2 + name: assessment-objective + props: + - name: label + value: AC-02(04)[02] + class: sp800-53a + prose: account modification is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-3 + name: assessment-objective + props: + - name: label + value: AC-02(04)[03] + class: sp800-53a + prose: account enabling is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-4 + name: assessment-objective + props: + - name: label + value: AC-02(04)[04] + class: sp800-53a + prose: account disabling is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-5 + name: assessment-objective + props: + - name: label + value: AC-02(04)[05] + class: sp800-53a + prose: account removal actions are automatically audited. + links: + - href: "#ac-2.4_smt" + rel: assessment-for + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + notifications/alerts of account creation, modification, enabling, + disabling, and removal actions + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms implementing account management + functions + - id: ac-2.5 + class: SP800-53-enhancement + title: Inactivity Logout + params: + - id: ac-02.05_odp + label: time period of expected inactivity or description of when + to log out + constraints: + - description: inactivity is anticipated to exceed Fifteen (15) + minutes + guidelines: + - prose: the time period of expected inactivity or description + of when to log out is defined; + props: + - name: label + value: AC-2(5) + - name: label + value: AC-02(05) + class: sp800-53a + - name: sort-id + value: ac-02.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#ac-11" + rel: related + parts: + - id: ac-2.5_smt + name: statement + prose: "Require that users log out when {{ insert: param, ac-02.05_odp\ + \ }}." + parts: + - id: ac-2.5_fr + name: item + title: AC-2 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Should use a shorter timeframe than AC-12. + - id: ac-2.5_gdn + name: guidance + prose: Inactivity logout is behavior- or policy-based and requires + users to take physical action to log out when they are expecting + inactivity longer than the defined period. Automatic enforcement + of inactivity logout is addressed by [AC-11](#ac-11). + - id: ac-2.5_obj + name: assessment-objective + props: + - name: label + value: AC-02(05) + class: sp800-53a + prose: "users are required to log out when {{ insert: param, ac-02.05_odp\ + \ }}." + links: + - href: "#ac-2.5_smt" + rel: assessment-for + - id: ac-2.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + security violation reports + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + users that must comply with inactivity logout policy + - id: ac-2.7 + class: SP800-53-enhancement + title: Privileged User Accounts + params: + - id: ac-02.07_odp + select: + choice: + - a role-based access scheme + - an attribute-based access scheme + props: + - name: label + value: AC-2(7) + - name: label + value: AC-02(07) + class: sp800-53a + - name: sort-id + value: ac-02.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.7_smt + name: statement + parts: + - id: ac-2.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Establish and administer privileged user accounts in\ + \ accordance with {{ insert: param, ac-02.07_odp }};" + - id: ac-2.7_smt.b + name: item + props: + - name: label + value: (b) + prose: Monitor privileged role or attribute assignments; + - id: ac-2.7_smt.c + name: item + props: + - name: label + value: (c) + prose: Monitor changes to roles or attributes; and + - id: ac-2.7_smt.d + name: item + props: + - name: label + value: (d) + prose: Revoke access when privileged role or attribute assignments + are no longer appropriate. + - id: ac-2.7_gdn + name: guidance + prose: Privileged roles are organization-defined roles assigned + to individuals that allow those individuals to perform certain + security-relevant functions that ordinary users are not authorized + to perform. Privileged roles include key management, account management, + database administration, system and network administration, and + web administration. A role-based access scheme organizes permitted + system access and privileges into roles. In contrast, an attribute-based + access scheme specifies allowed system access and privileges based + on attributes. + - id: ac-2.7_obj + name: assessment-objective + props: + - name: label + value: AC-02(07) + class: sp800-53a + parts: + - id: ac-2.7_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(07)(a) + class: sp800-53a + prose: "privileged user accounts are established and administered\ + \ in accordance with {{ insert: param, ac-02.07_odp }};" + links: + - href: "#ac-2.7_smt.a" + rel: assessment-for + - id: ac-2.7_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(07)(b) + class: sp800-53a + prose: privileged role or attribute assignments are monitored; + links: + - href: "#ac-2.7_smt.b" + rel: assessment-for + - id: ac-2.7_obj.c + name: assessment-objective + props: + - name: label + value: AC-02(07)(c) + class: sp800-53a + prose: changes to roles or attributes are monitored; + links: + - href: "#ac-2.7_smt.c" + rel: assessment-for + - id: ac-2.7_obj.d + name: assessment-objective + props: + - name: label + value: AC-02(07)(d) + class: sp800-53a + prose: access is revoked when privileged role or attribute assignments + are no longer appropriate. + links: + - href: "#ac-2.7_smt.d" + rel: assessment-for + links: + - href: "#ac-2.7_smt" + rel: assessment-for + - id: ac-2.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of privileged user accounts and associated + roles + + + records of actions taken when privileged role assignments + are no longer appropriate + + + system audit records + + + audit tracking and monitoring reports + + + system monitoring records + + + system security plan + + + other relevant documents or records + - id: ac-2.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Mechanisms implementing account management functions + + mechanisms monitoring privileged role assignments + - id: ac-2.9 + class: SP800-53-enhancement + title: Restrictions on Use of Shared and Group Accounts + params: + - id: ac-02.09_odp + label: conditions + constraints: + - description: organization-defined need with justification statement + that explains why such accounts are necessary + guidelines: + - prose: conditions for establishing shared and group accounts + are defined; + props: + - name: label + value: AC-2(9) + - name: label + value: AC-02(09) + class: sp800-53a + - name: sort-id + value: ac-02.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.9_smt + name: statement + prose: "Only permit the use of shared and group accounts that meet\ + \ {{ insert: param, ac-02.09_odp }}." + parts: + - id: ac-2.9_fr + name: item + title: AC-2 (9) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Required if shared/group accounts are deployed. + - id: ac-2.9_gdn + name: guidance + prose: Before permitting the use of shared or group accounts, organizations + consider the increased risk due to the lack of accountability + with such accounts. + - id: ac-2.9_obj + name: assessment-objective + props: + - name: label + value: AC-02(09) + class: sp800-53a + prose: "the use of shared and group accounts is only permitted if\ + \ {{ insert: param, ac-02.09_odp }} are met." + links: + - href: "#ac-2.9_smt" + rel: assessment-for + - id: ac-2.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of shared/group accounts and associated + roles + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(09)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of shared/group accounts + - id: ac-2.11 + class: SP800-53-enhancement + title: Usage Conditions + params: + - id: ac-02.11_odp.01 + label: circumstances and/or usage conditions + guidelines: + - prose: circumstances and/or usage conditions to be enforced + for system accounts are defined; + - id: ac-02.11_odp.02 + label: system accounts + guidelines: + - prose: system accounts subject to enforcement of circumstances + and/or usage conditions are defined; + props: + - name: label + value: AC-2(11) + - name: label + value: AC-02(11) + class: sp800-53a + - name: sort-id + value: ac-02.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.11_smt + name: statement + prose: "Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert:\ + \ param, ac-02.11_odp.02 }}." + - id: ac-2.11_gdn + name: guidance + prose: Specifying and enforcing usage conditions helps to enforce + the principle of least privilege, increase user accountability, + and enable effective account monitoring. Account monitoring includes + alerts generated if the account is used in violation of organizational + parameters. Organizations can describe specific conditions or + circumstances under which system accounts can be used, such as + by restricting usage to certain days of the week, time of day, + or specific durations of time. + - id: ac-2.11_obj + name: assessment-objective + props: + - name: label + value: AC-02(11) + class: sp800-53a + prose: " {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param,\ + \ ac-02.11_odp.02 }} are enforced." + links: + - href: "#ac-2.11_smt" + rel: assessment-for + - id: ac-2.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of system accounts and associated assignments + of usage circumstances and/or usage conditions + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-2.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing account management functions + - id: ac-2.12 + class: SP800-53-enhancement + title: Account Monitoring for Atypical Usage + params: + - id: ac-02.12_odp.01 + label: atypical usage + guidelines: + - prose: atypical usage for which to monitor system accounts is + defined; + - id: ac-02.12_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO and/or similar role within + the organization + guidelines: + - prose: personnel or roles to report atypical usage is/are defined; + props: + - name: label + value: AC-2(12) + - name: label + value: AC-02(12) + class: sp800-53a + - name: sort-id + value: ac-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ca-7" + rel: related + - href: "#ir-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-2.12_smt + name: statement + parts: + - id: ac-2.12_smt.a + name: item + props: + - name: label + value: (a) + prose: "Monitor system accounts for {{ insert: param, ac-02.12_odp.01\ + \ }} ; and" + - id: ac-2.12_smt.b + name: item + props: + - name: label + value: (b) + prose: "Report atypical usage of system accounts to {{ insert:\ + \ param, ac-02.12_odp.02 }}." + - id: ac-2.12_fr + name: item + title: AC-2 (12) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.12_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: Required for privileged accounts. + - id: ac-2.12_fr_smt.2 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: Required for privileged accounts. + - id: ac-2.12_gdn + name: guidance + prose: Atypical usage includes accessing systems at certain times + of the day or from locations that are not consistent with the + normal usage patterns of individuals. Monitoring for atypical + usage may reveal rogue behavior by individuals or an attack in + progress. Account monitoring may inadvertently create privacy + risks since data collected to identify atypical usage may reveal + previously unknown information about the behavior of individuals. + Organizations assess and document privacy risks from monitoring + accounts for atypical usage in their privacy impact assessment + and make determinations that are in alignment with their privacy + program plan. + - id: ac-2.12_obj + name: assessment-objective + props: + - name: label + value: AC-02(12) + class: sp800-53a + parts: + - id: ac-2.12_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(12)(a) + class: sp800-53a + prose: "system accounts are monitored for {{ insert: param,\ + \ ac-02.12_odp.01 }}; " + links: + - href: "#ac-2.12_smt.a" + rel: assessment-for + - id: ac-2.12_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(12)(b) + class: sp800-53a + prose: "atypical usage of system accounts is reported to {{\ + \ insert: param, ac-02.12_odp.02 }}." + links: + - href: "#ac-2.12_smt.b" + rel: assessment-for + links: + - href: "#ac-2.12_smt" + rel: assessment-for + - id: ac-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system monitoring records + + + system audit records + + + audit tracking and monitoring reports + + + privacy impact assessment + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ac-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing account management functions + - id: ac-2.13 + class: SP800-53-enhancement + title: Disable Accounts for High-risk Individuals + params: + - id: ac-02.13_odp.01 + label: time period + constraints: + - description: one (1) hour + guidelines: + - prose: time period within which to disable accounts of individuals + who are discovered to pose significant risk is defined; + - id: ac-02.13_odp.02 + label: significant risks + guidelines: + - prose: significant risks leading to disabling accounts are defined; + props: + - name: label + value: AC-2(13) + - name: label + value: AC-02(13) + class: sp800-53a + - name: sort-id + value: ac-02.13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + - href: "#au-6" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-2.13_smt + name: statement + prose: "Disable accounts of individuals within {{ insert: param,\ + \ ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02\ + \ }}." + - id: ac-2.13_gdn + name: guidance + prose: Users who pose a significant security and/or privacy risk + include individuals for whom reliable evidence indicates either + the intention to use authorized access to systems to cause harm + or through whom adversaries will cause harm. Such harm includes + adverse impacts to organizational operations, organizational assets, + individuals, other organizations, or the Nation. Close coordination + among system administrators, legal staff, human resource managers, + and authorizing officials is essential when disabling system accounts + for high-risk individuals. + - id: ac-2.13_obj + name: assessment-objective + props: + - name: label + value: AC-02(13) + class: sp800-53a + prose: "accounts of individuals are disabled within {{ insert: param,\ + \ ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02\ + \ }}." + links: + - href: "#ac-2.13_smt" + rel: assessment-for + - id: ac-2.13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(13)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of disabled accounts + + + list of user activities posing significant organizational + risk + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(13)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(13)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing account management functions + - id: ac-3 + class: SP800-53 + title: Access Enforcement + props: + - name: label + value: AC-3 + - name: label + value: AC-03 + class: sp800-53a + - name: sort-id + value: ac-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-21" + rel: related + - href: "#ac-22" + rel: related + - href: "#ac-24" + rel: related + - href: "#ac-25" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-4" + rel: related + - href: "#si-8" + rel: related + parts: + - id: ac-3_smt + name: statement + prose: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control + policies. + - id: ac-3_gdn + name: guidance + prose: Access control policies control access between active entities + or subjects (i.e., users or processes acting on behalf of users) and + passive entities or objects (i.e., devices, files, records, domains) + in organizational systems. In addition to enforcing authorized access + at the system level and recognizing that systems can host many applications + and services in support of mission and business functions, access + enforcement mechanisms can also be employed at the application and + service level to provide increased information security and privacy. + In contrast to logical access controls that are implemented within + the system, physical access controls are addressed by the controls + in the Physical and Environmental Protection ( [PE](#pe) ) family. + - id: ac-3_obj + name: assessment-objective + props: + - name: label + value: AC-03 + class: sp800-53a + prose: approved authorizations for logical access to information and + system resources are enforced in accordance with applicable access + control policies. + links: + - href: "#ac-3_smt" + rel: assessment-for + - id: ac-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing access enforcement + + system design documentation + + system configuration settings and associated documentation + + list of approved authorizations (user privileges) + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access enforcement + responsibilities + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy + - id: ac-4 + class: SP800-53 + title: Information Flow Enforcement + params: + - id: ac-04_odp + label: information flow control policies + guidelines: + - prose: information flow control policies within the system and between + connected systems are defined; + props: + - name: label + value: AC-4 + - name: label + value: AC-04 + class: sp800-53a + - name: sort-id + value: ac-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#a2590922-82f3-4277-83c0-ca5bee06dba4" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-21" + rel: related + - href: "#au-10" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-31" + rel: related + parts: + - id: ac-4_smt + name: statement + prose: "Enforce approved authorizations for controlling the flow of\ + \ information within the system and between connected systems based\ + \ on {{ insert: param, ac-04_odp }}." + - id: ac-4_gdn + name: guidance + prose: >- + Information flow control regulates where information can travel + within a system and between systems (in contrast to who is + allowed to access the information) and without regard to + subsequent accesses to that information. Flow control + restrictions include blocking external traffic that claims to be + from within the organization, keeping export-controlled + information from being transmitted in the clear to the Internet, + restricting web requests that are not from the internal web + proxy server, and limiting information transfers between + organizations based on data structures and content. Transferring + information between organizations may require an agreement + specifying how the information flow is enforced (see + [CA-3](#ca-3) ). Transferring information between systems in + different security or privacy domains with different security or + privacy policies introduces the risk that such transfers violate + one or more domain security or privacy policies. In such + situations, information owners/stewards provide guidance at + designated policy enforcement points between connected systems. + Organizations consider mandating specific architectural + solutions to enforce specific security and privacy policies. + Enforcement includes prohibiting information transfers between + connected systems (i.e., allowing access only), verifying write + permissions before accepting information from another security + or privacy domain or connected system, employing hardware + mechanisms to enforce one-way information flows, and + implementing trustworthy regrading mechanisms to reassign + security or privacy attributes and labels. + + + Organizations commonly employ information flow control policies and + enforcement mechanisms to control the flow of information between + designated sources and destinations within systems and between connected + systems. Flow control is based on the characteristics of the information + and/or the information path. Enforcement occurs, for example, in boundary + protection devices that employ rule sets or establish configuration + settings that restrict system services, provide a packet-filtering + capability based on header information, or provide a message-filtering + capability based on message content. Organizations also consider the + trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, + firmware, and software components) that are critical to information + flow enforcement. Control enhancements 3 through 32 primarily address + cross-domain solution needs that focus on more advanced filtering + techniques, in-depth analysis, and stronger flow enforcement mechanisms + implemented in cross-domain products, such as high-assurance guards. + Such capabilities are generally not available in commercial off-the-shelf + products. Information flow enforcement also applies to control plane + traffic (e.g., routing and DNS). + - id: ac-4_obj + name: assessment-objective + props: + - name: label + value: AC-04 + class: sp800-53a + prose: "approved authorizations are enforced for controlling the flow\ + \ of information within the system and between connected systems based\ + \ on {{ insert: param, ac-04_odp }}." + links: + - href: "#ac-4_smt" + rel: assessment-for + - id: ac-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + information flow control policies + + procedures addressing information flow enforcement + + security architecture documentation + + privacy architecture documentation + + system design documentation + + system configuration settings and associated documentation + + system baseline configuration + + list of information flow authorizations + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing information flow enforcement policy + controls: + - id: ac-4.4 + class: SP800-53-enhancement + title: Flow Control of Encrypted Information + params: + - id: ac-04.04_odp.01 + label: information flow control mechanisms + constraints: + - description: intrusion detection mechanisms + guidelines: + - prose: information flow control mechanisms that encrypted information + is prevented from bypassing are defined; + - id: ac-04.04_odp.02 + select: + how-many: one-or-more + choice: + - decrypting the information + - blocking the flow of the encrypted information + - terminating communications sessions attempting to pass encrypted + information + - " {{ insert: param, ac-04.04_odp.03 }} " + - id: ac-04.04_odp.03 + label: organization-defined procedure or method + guidelines: + - prose: the organization-defined procedure or method used to + prevent encrypted information from bypassing information flow + control mechanisms is defined (if selected); + props: + - name: label + value: AC-4(4) + - name: label + value: AC-04(04) + class: sp800-53a + - name: sort-id + value: ac-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-4" + rel: required + - href: "#si-4" + rel: related + parts: + - id: ac-4.4_smt + name: statement + prose: "Prevent encrypted information from bypassing {{ insert:\ + \ param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02\ + \ }}." + parts: + - id: ac-4.4_fr + name: item + title: AC-4 (4) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-4.4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must support Agency requirements + to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). + - id: ac-4.4_gdn + name: guidance + prose: Flow control mechanisms include content checking, security + policy filters, and data type identifiers. The term encryption + is extended to cover encoded data not recognized by filtering + mechanisms. + - id: ac-4.4_obj + name: assessment-objective + props: + - name: label + value: AC-04(04) + class: sp800-53a + prose: "encrypted information is prevented from bypassing {{ insert:\ + \ param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02\ + \ }}." + links: + - href: "#ac-4.4_smt" + rel: assessment-for + - id: ac-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + information flow control policies + + + procedures addressing information flow enforcement + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing information flow enforcement + policy + - id: ac-4.21 + class: SP800-53-enhancement + title: Physical or Logical Separation of Information Flows + params: + - id: ac-4.21_prm_1 + label: organization-defined mechanisms and/or techniques + - id: ac-04.21_odp.01 + label: mechanisms and/or techniques + guidelines: + - prose: mechanisms and/or techniques used to logically separate + information flows are defined (if selected); + - id: ac-04.21_odp.02 + label: mechanisms and/or techniques + guidelines: + - prose: mechanisms and/or techniques used to physically separate + information flows are defined (if selected); + - id: ac-04.21_odp.03 + label: required separations + guidelines: + - prose: required separations by types of information are defined; + props: + - name: label + value: AC-4(21) + - name: label + value: AC-04(21) + class: sp800-53a + - name: sort-id + value: ac-04.21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-4" + rel: required + - href: "#sc-32" + rel: related + parts: + - id: ac-4.21_smt + name: statement + prose: "Separate information flows logically or physically using\ + \ {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert:\ + \ param, ac-04.21_odp.03 }}." + - id: ac-4.21_gdn + name: guidance + prose: Enforcing the separation of information flows associated + with defined types of data can enhance protection by ensuring + that information is not commingled while in transit and by enabling + flow control by transmission paths that are not otherwise achievable. + Types of separable information include inbound and outbound communications + traffic, service requests and responses, and information of differing + security impact or classification levels. + - id: ac-4.21_obj + name: assessment-objective + props: + - name: label + value: AC-04(21) + class: sp800-53a + parts: + - id: ac-4.21_obj-1 + name: assessment-objective + props: + - name: label + value: AC-04(21)[01] + class: sp800-53a + prose: "information flows are separated logically using {{ insert:\ + \ param, ac-04.21_odp.01 }} to accomplish {{ insert: param,\ + \ ac-04.21_odp.03 }};" + links: + - href: "#ac-4.21_smt" + rel: assessment-for + - id: ac-4.21_obj-2 + name: assessment-objective + props: + - name: label + value: AC-04(21)[02] + class: sp800-53a + prose: "information flows are separated physically using {{\ + \ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert:\ + \ param, ac-04.21_odp.03 }}." + links: + - href: "#ac-4.21_smt" + rel: assessment-for + links: + - href: "#ac-4.21_smt" + rel: assessment-for + - id: ac-4.21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-04(21)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Information flow enforcement policy + + + information flow control policies + + + procedures addressing information flow enforcement + + + system design documentation + + + system configuration settings and associated documentation + + + list of required separation of information flows by information + types + + + list of mechanisms and/or techniques used to logically or + physically separate information flows + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-4.21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-04(21)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information flow + enforcement responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-4.21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-04(21)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing information flow enforcement + functions + - id: ac-5 + class: SP800-53 + title: Separation of Duties + params: + - id: ac-05_odp + label: duties of individuals + guidelines: + - prose: duties of individuals requiring separation are defined; + props: + - name: label + value: AC-5 + - name: label + value: AC-05 + class: sp800-53a + - name: sort-id + value: ac-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + parts: + - id: ac-5_smt + name: statement + parts: + - id: ac-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify and document {{ insert: param, ac-05_odp }} ; and" + - id: ac-5_smt.b + name: item + props: + - name: label + value: b. + prose: Define system access authorizations to support separation + of duties. + - id: ac-5_fr + name: item + title: AC-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: CSPs have the option to provide a separation of duties + matrix as an attachment to the SSP. + - id: ac-5_gdn + name: guidance + prose: Separation of duties addresses the potential for abuse of authorized + privileges and helps to reduce the risk of malevolent activity without + collusion. Separation of duties includes dividing mission or business + functions and support functions among different individuals or roles, + conducting system support functions with different individuals, and + ensuring that security personnel who administer access control functions + do not also administer audit functions. Because separation of duty + violations can span systems and application domains, organizations + consider the entirety of systems and system components when developing + policy on separation of duties. Separation of duties is enforced through + the account management activities in [AC-2](#ac-2) , access control + mechanisms in [AC-3](#ac-3) , and identity management activities in + [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12). + - id: ac-5_obj + name: assessment-objective + props: + - name: label + value: AC-05 + class: sp800-53a + parts: + - id: ac-5_obj.a + name: assessment-objective + props: + - name: label + value: AC-05a. + class: sp800-53a + prose: " {{ insert: param, ac-05_odp }} are identified and documented;" + links: + - href: "#ac-5_smt.a" + rel: assessment-for + - id: ac-5_obj.b + name: assessment-objective + props: + - name: label + value: AC-05b. + class: sp800-53a + prose: system access authorizations to support separation of duties + are defined. + links: + - href: "#ac-5_smt.b" + rel: assessment-for + links: + - href: "#ac-5_smt" + rel: assessment-for + - id: ac-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing divisions of responsibility and separation + of duties + + + system configuration settings and associated documentation + + + list of divisions of responsibility and separation of duties + + + system access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + appropriate divisions of responsibility and separation of + duties + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing separation of duties policy + - id: ac-6 + class: SP800-53 + title: Least Privilege + props: + - name: label + value: AC-6 + - name: label + value: AC-06 + class: sp800-53a + - name: sort-id + value: ac-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-16" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-38" + rel: related + parts: + - id: ac-6_smt + name: statement + prose: Employ the principle of least privilege, allowing only authorized + accesses for users (or processes acting on behalf of users) that are + necessary to accomplish assigned organizational tasks. + - id: ac-6_gdn + name: guidance + prose: Organizations employ least privilege for specific duties and + systems. The principle of least privilege is also applied to system + processes, ensuring that the processes have access to systems and + operate at privilege levels no higher than necessary to accomplish + organizational missions or business functions. Organizations consider + the creation of additional processes, roles, and accounts as necessary + to achieve least privilege. Organizations apply least privilege to + the development, implementation, and operation of organizational systems. + - id: ac-6_obj + name: assessment-objective + props: + - name: label + value: AC-06 + class: sp800-53a + prose: the principle of least privilege is employed, allowing only authorized + accesses for users (or processes acting on behalf of users) that are + necessary to accomplish assigned organizational tasks. + links: + - href: "#ac-6_smt" + rel: assessment-for + - id: ac-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing least privilege + + list of assigned access authorizations (user privileges) + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + least privileges necessary to accomplish specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + controls: + - id: ac-6.1 + class: SP800-53-enhancement + title: Authorize Access to Security Functions + params: + - id: ac-6.1_prm_2 + label: organization-defined security functions (deployed in hardware, + software, and firmware) + constraints: + - description: all functions not publicly accessible + - id: ac-06.01_odp.01 + label: individuals and roles + guidelines: + - prose: individuals and roles with authorized access to security + functions and security-relevant information are defined; + - id: ac-06.01_odp.02 + label: security functions (deployed in hardware) + guidelines: + - prose: security functions (deployed in hardware) for authorized + access are defined; + - id: ac-06.01_odp.03 + label: security functions (deployed in software) + guidelines: + - prose: security functions (deployed in software) for authorized + access are defined; + - id: ac-06.01_odp.04 + label: security functions (deployed in firmware) + guidelines: + - prose: security functions (deployed in firmware) for authorized + access are defined; + - id: ac-06.01_odp.05 + label: security-relevant information + constraints: + - description: all security-relevant information not publicly + available + guidelines: + - prose: security-relevant information for authorized access is + defined; + props: + - name: label + value: AC-6(1) + - name: label + value: AC-06(01) + class: sp800-53a + - name: sort-id + value: ac-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#pe-2" + rel: related + parts: + - id: ac-6.1_smt + name: statement + prose: "Authorize access for {{ insert: param, ac-06.01_odp.01 }}\ + \ to:" + parts: + - id: ac-6.1_smt.a + name: item + props: + - name: label + value: (a) + prose: " {{ insert: param, ac-6.1_prm_2 }} ; and" + - id: ac-6.1_smt.b + name: item + props: + - name: label + value: (b) + prose: " {{ insert: param, ac-06.01_odp.05 }}." + - id: ac-6.1_gdn + name: guidance + prose: Security functions include establishing system accounts, + configuring access authorizations (i.e., permissions, privileges), + configuring settings for events to be audited, and establishing + intrusion detection parameters. Security-relevant information + includes filtering rules for routers or firewalls, configuration + parameters for security services, cryptographic key management + information, and access control lists. Authorized personnel include + security administrators, system administrators, system security + officers, system programmers, and other privileged users. + - id: ac-6.1_obj + name: assessment-objective + props: + - name: label + value: AC-06(01) + class: sp800-53a + parts: + - id: ac-6.1_obj.a + name: assessment-objective + props: + - name: label + value: AC-06(01)(a) + class: sp800-53a + parts: + - id: ac-6.1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[01] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.02 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[02] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.03 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[03] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.04 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.b + name: assessment-objective + props: + - name: label + value: AC-06(01)(b) + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.05 }}." + links: + - href: "#ac-6.1_smt.b" + rel: assessment-for + links: + - href: "#ac-6.1_smt" + rel: assessment-for + - id: ac-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of security functions (deployed in hardware, software, + and firmware) and security-relevant information for which + access must be explicitly authorized + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.2 + class: SP800-53-enhancement + title: Non-privileged Access for Nonsecurity Functions + params: + - id: ac-06.02_odp + label: security functions or security-relevant information + constraints: + - description: all security functions + guidelines: + - prose: security functions or security-relevant information, + the access to which requires users to use non-privileged accounts + to access non-security functions, are defined; + props: + - name: label + value: AC-6(2) + - name: label + value: AC-06(02) + class: sp800-53a + - name: sort-id + value: ac-06.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#pl-4" + rel: related + parts: + - id: ac-6.2_smt + name: statement + prose: "Require that users of system accounts (or roles) with access\ + \ to {{ insert: param, ac-06.02_odp }} use non-privileged accounts\ + \ or roles, when accessing nonsecurity functions." + parts: + - id: ac-6.2_fr + name: item + title: AC-6 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-6.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "Examples of security functions include but are not\ + \ limited to: establishing system accounts, configuring\ + \ access authorizations (i.e., permissions, privileges),\ + \ setting events to be audited, and setting intrusion\ + \ detection parameters, system programming, system and\ + \ security administration, other privileged functions." + - id: ac-6.2_gdn + name: guidance + prose: Requiring the use of non-privileged accounts when accessing + nonsecurity functions limits exposure when operating from within + privileged accounts or roles. The inclusion of roles addresses + situations where organizations implement access control policies, + such as role-based access control, and where a change of role + provides the same degree of assurance in the change of access + authorizations for the user and the processes acting on behalf + of the user as would be provided by a change between a privileged + and non-privileged account. + - id: ac-6.2_obj + name: assessment-objective + props: + - name: label + value: AC-06(02) + class: sp800-53a + prose: "users of system accounts (or roles) with access to {{ insert:\ + \ param, ac-06.02_odp }} are required to use non-privileged accounts\ + \ or roles when accessing non-security functions." + links: + - href: "#ac-6.2_smt" + rel: assessment-for + - id: ac-6.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated security functions or security-relevant + information assigned to system accounts or roles + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.3 + class: SP800-53-enhancement + title: Network Access to Privileged Commands + params: + - id: ac-06.03_odp.01 + label: privileged commands + constraints: + - description: all privileged commands + guidelines: + - prose: privileged commands to which network access is to be + authorized only for compelling operational needs are defined; + - id: ac-06.03_odp.02 + label: compelling operational needs + guidelines: + - prose: compelling operational needs necessitating network access + to privileged commands are defined; + props: + - name: label + value: AC-6(3) + - name: label + value: AC-06(03) + class: sp800-53a + - name: sort-id + value: ac-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + parts: + - id: ac-6.3_smt + name: statement + prose: "Authorize network access to {{ insert: param, ac-06.03_odp.01\ + \ }} only for {{ insert: param, ac-06.03_odp.02 }} and document\ + \ the rationale for such access in the security plan for the system." + - id: ac-6.3_gdn + name: guidance + prose: Network access is any access across a network connection + in lieu of local access (i.e., user being physically present at + the device). + - id: ac-6.3_obj + name: assessment-objective + props: + - name: label + value: AC-06(03) + class: sp800-53a + parts: + - id: ac-6.3_obj-1 + name: assessment-objective + props: + - name: label + value: AC-06(03)[01] + class: sp800-53a + prose: "network access to {{ insert: param, ac-06.03_odp.01\ + \ }} is authorized only for {{ insert: param, ac-06.03_odp.02\ + \ }};" + links: + - href: "#ac-6.3_smt" + rel: assessment-for + - id: ac-6.3_obj-2 + name: assessment-objective + props: + - name: label + value: AC-06(03)[02] + class: sp800-53a + prose: the rationale for authorizing network access to privileged + commands is documented in the security plan for the system. + links: + - href: "#ac-6.3_smt" + rel: assessment-for + links: + - href: "#ac-6.3_smt" + rel: assessment-for + - id: ac-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + system configuration settings and associated documentation + + + system audit records + + + list of operational needs for authorizing network access to + privileged commands + + + system security plan + + + other relevant documents or records + - id: ac-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + - id: ac-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.5 + class: SP800-53-enhancement + title: Privileged Accounts + params: + - id: ac-06.05_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to which privileged accounts on the + system are to be restricted is/are defined; + props: + - name: label + value: AC-6(5) + - name: label + value: AC-06(05) + class: sp800-53a + - name: sort-id + value: ac-06.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ia-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + parts: + - id: ac-6.5_smt + name: statement + prose: "Restrict privileged accounts on the system to {{ insert:\ + \ param, ac-06.05_odp }}." + - id: ac-6.5_gdn + name: guidance + prose: Privileged accounts, including super user accounts, are typically + described as system administrator for various types of commercial + off-the-shelf operating systems. Restricting privileged accounts + to specific personnel or roles prevents day-to-day users from + accessing privileged information or privileged functions. Organizations + may differentiate in the application of restricting privileged + accounts between allowed privileges for local accounts and for + domain accounts provided that they retain the ability to control + system configurations for key parameters and as otherwise necessary + to sufficiently mitigate risk. + - id: ac-6.5_obj + name: assessment-objective + props: + - name: label + value: AC-06(05) + class: sp800-53a + prose: "privileged accounts on the system are restricted to {{ insert:\ + \ param, ac-06.05_odp }}." + links: + - href: "#ac-6.5_smt" + rel: assessment-for + - id: ac-6.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated privileged accounts + + + list of system administration personnel + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.7 + class: SP800-53-enhancement + title: Review of User Privileges + params: + - id: ac-06.07_odp.01 + label: frequency + constraints: + - description: at a minimum, annually + guidelines: + - prose: the frequency at which to review the privileges assigned + to roles or classes of users is defined; + - id: ac-06.07_odp.02 + label: roles and classes + constraints: + - description: all users with privileges + guidelines: + - prose: roles or classes of users to which privileges are assigned + are defined; + props: + - name: label + value: AC-6(7) + - name: label + value: AC-06(07) + class: sp800-53a + - name: sort-id + value: ac-06.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ca-7" + rel: related + parts: + - id: ac-6.7_smt + name: statement + parts: + - id: ac-6.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Review {{ insert: param, ac-06.07_odp.01 }} the privileges\ + \ assigned to {{ insert: param, ac-06.07_odp.02 }} to validate\ + \ the need for such privileges; and" + - id: ac-6.7_smt.b + name: item + props: + - name: label + value: (b) + prose: Reassign or remove privileges, if necessary, to correctly + reflect organizational mission and business needs. + - id: ac-6.7_gdn + name: guidance + prose: The need for certain assigned user privileges may change + over time to reflect changes in organizational mission and business + functions, environments of operation, technologies, or threats. + A periodic review of assigned user privileges is necessary to + determine if the rationale for assigning such privileges remains + valid. If the need cannot be revalidated, organizations take appropriate + corrective actions. + - id: ac-6.7_obj + name: assessment-objective + props: + - name: label + value: AC-06(07) + class: sp800-53a + parts: + - id: ac-6.7_obj.a + name: assessment-objective + props: + - name: label + value: AC-06(07)(a) + class: sp800-53a + prose: "privileges assigned to {{ insert: param, ac-06.07_odp.02\ + \ }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to\ + \ validate the need for such privileges;" + links: + - href: "#ac-6.7_smt.a" + rel: assessment-for + - id: ac-6.7_obj.b + name: assessment-objective + props: + - name: label + value: AC-06(07)(b) + class: sp800-53a + prose: privileges are reassigned or removed, if necessary, to + correctly reflect organizational mission and business needs. + links: + - href: "#ac-6.7_smt.b" + rel: assessment-for + links: + - href: "#ac-6.7_smt" + rel: assessment-for + - id: ac-6.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated roles or classes of users and assigned + privileges + + + system design documentation + + + system configuration settings and associated documentation + + + validation reviews of privileges assigned to roles or classes + or users + + + records of privilege removals or reassignments for roles or + classes of users + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing review of user privileges + - id: ac-6.8 + class: SP800-53-enhancement + title: Privilege Levels for Code Execution + params: + - id: ac-06.08_odp + label: software + constraints: + - description: any software except software explicitly documented + guidelines: + - prose: software to be prevented from executing at higher privilege + levels than users executing the software is defined; + props: + - name: label + value: AC-6(8) + - name: label + value: AC-06(08) + class: sp800-53a + - name: sort-id + value: ac-06.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: required + parts: + - id: ac-6.8_smt + name: statement + prose: "Prevent the following software from executing at higher\ + \ privilege levels than users executing the software: {{ insert:\ + \ param, ac-06.08_odp }}." + - id: ac-6.8_gdn + name: guidance + prose: In certain situations, software applications or programs + need to execute with elevated privileges to perform required functions. + However, depending on the software functionality and configuration, + if the privileges required for execution are at a higher level + than the privileges assigned to organizational users invoking + such applications or programs, those users may indirectly be provided + with greater privileges than assigned. + - id: ac-6.8_obj + name: assessment-objective + props: + - name: label + value: AC-06(08) + class: sp800-53a + prose: " {{ insert: param, ac-06.08_odp }} is prevented from executing\ + \ at higher privilege levels than users executing the software." + links: + - href: "#ac-6.8_smt" + rel: assessment-for + - id: ac-6.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of software that should not execute at higher privilege + levels than users executing software + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ac-6.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions for + software execution + - id: ac-6.9 + class: SP800-53-enhancement + title: Log Use of Privileged Functions + props: + - name: label + value: AC-6(9) + - name: label + value: AC-06(09) + class: sp800-53a + - name: sort-id + value: ac-06.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: required + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + parts: + - id: ac-6.9_smt + name: statement + prose: Log the execution of privileged functions. + - id: ac-6.9_gdn + name: guidance + prose: The misuse of privileged functions, either intentionally + or unintentionally by authorized users or by unauthorized external + entities that have compromised system accounts, is a serious and + ongoing concern and can have significant adverse impacts on organizations. + Logging and analyzing the use of privileged functions is one way + to detect such misuse and, in doing so, help mitigate the risk + from insider threats and the advanced persistent threat. + - id: ac-6.9_obj + name: assessment-objective + props: + - name: label + value: AC-06(09) + class: sp800-53a + prose: the execution of privileged functions is logged. + links: + - href: "#ac-6.9_smt" + rel: assessment-for + - id: ac-6.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + system design documentation + + + system configuration settings and associated documentation + + + list of privileged functions to be audited + + + list of audited events + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ac-6.9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(09)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms auditing the execution of least privilege + functions + - id: ac-6.10 + class: SP800-53-enhancement + title: Prohibit Non-privileged Users from Executing Privileged Functions + props: + - name: label + value: AC-6(10) + - name: label + value: AC-06(10) + class: sp800-53a + - name: sort-id + value: ac-06.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: required + parts: + - id: ac-6.10_smt + name: statement + prose: Prevent non-privileged users from executing privileged functions. + - id: ac-6.10_gdn + name: guidance + prose: Privileged functions include disabling, circumventing, or + altering implemented security or privacy controls, establishing + system accounts, performing system integrity checks, and administering + cryptographic key management activities. Non-privileged users + are individuals who do not possess appropriate authorizations. + Privileged functions that require protection from non-privileged + users include circumventing intrusion detection and prevention + mechanisms or malicious code protection mechanisms. Preventing + non-privileged users from executing privileged functions is enforced + by [AC-3](#ac-3). + - id: ac-6.10_obj + name: assessment-objective + props: + - name: label + value: AC-06(10) + class: sp800-53a + prose: non-privileged users are prevented from executing privileged + functions. + links: + - href: "#ac-6.10_smt" + rel: assessment-for + - id: ac-6.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + system design documentation + + + system configuration settings and associated documentation + + + list of privileged functions and associated user account assignments + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-6.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions for + non-privileged users + - id: ac-7 + class: SP800-53 + title: Unsuccessful Logon Attempts + params: + - id: ac-07_odp.01 + label: number + guidelines: + - prose: the number of consecutive invalid logon attempts by a user + allowed during a time period is defined; + - id: ac-07_odp.02 + label: time period + guidelines: + - prose: the time period to which the number of consecutive invalid + logon attempts by a user is limited is defined; + - id: ac-07_odp.03 + select: + how-many: one-or-more + choice: + - "lock the account or node for {{ insert: param, ac-07_odp.04 }} " + - lock the account or node until released by an administrator + - "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} " + - notify system administrator + - "take other {{ insert: param, ac-07_odp.06 }} " + - id: ac-07_odp.04 + label: time period + guidelines: + - prose: time period for an account or node to be locked is defined + (if selected); + - id: ac-07_odp.05 + label: delay algorithm + guidelines: + - prose: delay algorithm for the next logon prompt is defined (if + selected); + - id: ac-07_odp.06 + label: action + guidelines: + - prose: other action to be taken when the maximum number of unsuccessful + attempts is exceeded is defined (if selected); + props: + - name: label + value: AC-7 + - name: label + value: AC-07 + class: sp800-53a + - name: sort-id + value: ac-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-9" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-5" + rel: related + parts: + - id: ac-7_smt + name: statement + parts: + - id: ac-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during a {{ insert: param,\ + \ ac-07_odp.02 }} ; and" + - id: ac-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + - id: ac-7_fr + name: item + title: AC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: In alignment with NIST SP 800-63B. + - id: ac-7_gdn + name: guidance + prose: The need to limit unsuccessful logon attempts and take subsequent + action when the maximum number of attempts is exceeded applies regardless + of whether the logon occurs via a local or network connection. Due + to the potential for denial of service, automatic lockouts initiated + by systems are usually temporary and automatically release after a + predetermined, organization-defined time period. If a delay algorithm + is selected, organizations may employ different algorithms for different + components of the system based on the capabilities of those components. + Responses to unsuccessful logon attempts may be implemented at the + operating system and the application levels. Organization-defined + actions that may be taken when the number of allowed consecutive invalid + logon attempts is exceeded include prompting the user to answer a + secret question in addition to the username and password, invoking + a lockdown mode with limited user capabilities (instead of full lockout), + allowing users to only logon from specified Internet Protocol (IP) + addresses, requiring a CAPTCHA to prevent automated attacks, or applying + user profiles such as location, time of day, IP address, device, or + Media Access Control (MAC) address. If automatic system lockout or + execution of a delay algorithm is not implemented in support of the + availability objective, organizations consider a combination of other + actions to help prevent brute force attacks. In addition to the above, + organizations can prompt users to respond to a secret question before + the number of allowed unsuccessful logon attempts is exceeded. Automatically + unlocking an account after a specified period of time is generally + not permitted. However, exceptions may be required based on operational + mission or need. + - id: ac-7_obj + name: assessment-objective + props: + - name: label + value: AC-07 + class: sp800-53a + parts: + - id: ac-7_obj.a + name: assessment-objective + props: + - name: label + value: AC-07a. + class: sp800-53a + prose: "a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during {{ insert: param, ac-07_odp.02\ + \ }} is enforced;" + links: + - href: "#ac-7_smt.a" + rel: assessment-for + - id: ac-7_obj.b + name: assessment-objective + props: + - name: label + value: AC-07b. + class: sp800-53a + prose: "automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + links: + - href: "#ac-7_smt.b" + rel: assessment-for + links: + - href: "#ac-7_smt" + rel: assessment-for + - id: ac-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing unsuccessful logon attempts + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system developers + + + system/network administrators + - id: ac-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for unsuccessful + logon attempts + - id: ac-8 + class: SP800-53 + title: System Use Notification + params: + - id: ac-08_odp.01 + label: system use notification + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: system use notification message or banner to be displayed + by the system to users before granting access to the system is + defined; + - id: ac-08_odp.02 + label: conditions + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: conditions for system use to be displayed by the system before + granting further access are defined; + props: + - name: label + value: AC-8 + - name: label + value: AC-08 + class: sp800-53a + - name: sort-id + value: ac-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-14" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-8_smt + name: statement + parts: + - id: ac-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Display {{ insert: param, ac-08_odp.01 }} to users before\ + \ granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines and state that:" + parts: + - id: ac-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Users are accessing a U.S. Government system; + - id: ac-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: System usage may be monitored, recorded, and subject + to audit; + - id: ac-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Unauthorized use of the system is prohibited and subject + to criminal and civil penalties; and + - id: ac-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Use of the system indicates consent to monitoring and + recording; + - id: ac-8_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the notification message or banner on the screen until + users acknowledge the usage conditions and take explicit actions + to log on to or further access the system; and + - id: ac-8_smt.c + name: item + props: + - name: label + value: c. + prose: "For publicly accessible systems:" + parts: + - id: ac-8_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Display system use information {{ insert: param, ac-08_odp.02\ + \ }} , before granting further access to the publicly accessible\ + \ system;" + - id: ac-8_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Display references, if any, to monitoring, recording, + or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities; + and + - id: ac-8_smt.c.3 + name: item + props: + - name: label + value: "3." + prose: Include a description of the authorized uses of the system. + - id: ac-8_fr + name: item + title: AC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine elements of the + cloud environment that require the System Use Notification + control. The elements of the cloud environment that require + System Use Notification are approved and accepted by the JAB/AO. + - id: ac-8_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine how System Use Notification + is going to be verified and provide appropriate periodicity + of the check. The System Use Notification verification and + periodicity are approved and accepted by the JAB/AO. + - id: ac-8_fr_smt.3 + name: item + props: + - name: label + value: "Requirement:" + prose: If not performed as part of a Configuration Baseline + check, then there must be documented agreement on how to provide + results of verification and the necessary periodicity of the + verification by the service provider. The documented agreement + on how to provide verification of the results are approved + and accepted by the JAB/AO. + - id: ac-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: If performed as part of a Configuration Baseline check, + then the % of items requiring setting that are checked and + that pass (or fail) check can be provided. + - id: ac-8_gdn + name: guidance + prose: System use notifications can be implemented using messages or + warning banners displayed before individuals log in to systems. System + use notifications are used only for access via logon interfaces with + human users. Notifications are not required when human interfaces + do not exist. Based on an assessment of risk, organizations consider + whether or not a secondary system use notification is needed to access + applications or other system resources after the initial network logon. + Organizations consider system use notification messages or banners + displayed in multiple languages based on organizational needs and + the demographics of system users. Organizations consult with the privacy + office for input regarding privacy messaging and the Office of the + General Counsel or organizational equivalent for legal review and + approval of warning banner content. + - id: ac-8_obj + name: assessment-objective + props: + - name: label + value: AC-08 + class: sp800-53a + parts: + - id: ac-8_obj.a + name: assessment-objective + props: + - name: label + value: AC-08a. + class: sp800-53a + prose: " {{ insert: param, ac-08_odp.01 }} is displayed to users\ + \ before granting access to the system that provides privacy and\ + \ security notices consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards, and guidelines;" + parts: + - id: ac-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-08a.01 + class: sp800-53a + prose: the system use notification states that users are accessing + a U.S. Government system; + links: + - href: "#ac-8_smt.a.1" + rel: assessment-for + - id: ac-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-08a.02 + class: sp800-53a + prose: the system use notification states that system usage + may be monitored, recorded, and subject to audit; + links: + - href: "#ac-8_smt.a.2" + rel: assessment-for + - id: ac-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: AC-08a.03 + class: sp800-53a + prose: the system use notification states that unauthorized + use of the system is prohibited and subject to criminal and + civil penalties; and + links: + - href: "#ac-8_smt.a.3" + rel: assessment-for + - id: ac-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: AC-08a.04 + class: sp800-53a + prose: the system use notification states that use of the system + indicates consent to monitoring and recording; + links: + - href: "#ac-8_smt.a.4" + rel: assessment-for + links: + - href: "#ac-8_smt.a" + rel: assessment-for + - id: ac-8_obj.b + name: assessment-objective + props: + - name: label + value: AC-08b. + class: sp800-53a + prose: the notification message or banner is retained on the screen + until users acknowledge the usage conditions and take explicit + actions to log on to or further access the system; + links: + - href: "#ac-8_smt.b" + rel: assessment-for + - id: ac-8_obj.c + name: assessment-objective + props: + - name: label + value: AC-08c. + class: sp800-53a + parts: + - id: ac-8_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-08c.01 + class: sp800-53a + prose: "for publicly accessible systems, system use information\ + \ {{ insert: param, ac-08_odp.02 }} is displayed before granting\ + \ further access to the publicly accessible system;" + links: + - href: "#ac-8_smt.c.1" + rel: assessment-for + - id: ac-8_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-08c.02 + class: sp800-53a + prose: for publicly accessible systems, any references to monitoring, + recording, or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities + are displayed; + links: + - href: "#ac-8_smt.c.2" + rel: assessment-for + - id: ac-8_obj.c.3 + name: assessment-objective + props: + - name: label + value: AC-08c.03 + class: sp800-53a + prose: for publicly accessible systems, a description of the + authorized uses of the system is included. + links: + - href: "#ac-8_smt.c.3" + rel: assessment-for + links: + - href: "#ac-8_smt.c" + rel: assessment-for + links: + - href: "#ac-8_smt" + rel: assessment-for + - id: ac-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + privacy and security policies, procedures addressing system use + notification + + + documented approval of system use notification messages or banners + + + system audit records + + + user acknowledgements of notification message or banner + + + system design documentation + + + system configuration settings and associated documentation + + + system use notification messages + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy assessment report + + + other relevant documents or records + - id: ac-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + legal counsel + + + system developers + - id: ac-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system use notification + - id: ac-10 + class: SP800-53 + title: Concurrent Session Control + params: + - id: ac-10_odp.01 + label: account and/or account types + guidelines: + - prose: accounts and/or account types for which to limit the number + of concurrent sessions is defined; + - id: ac-10_odp.02 + label: number + constraints: + - description: three (3) sessions for privileged access and two (2) + sessions for non-privileged access + guidelines: + - prose: the number of concurrent sessions to be allowed for each + account and/or account type is defined; + props: + - name: label + value: AC-10 + - name: label + value: AC-10 + class: sp800-53a + - name: sort-id + value: ac-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-23" + rel: related + parts: + - id: ac-10_smt + name: statement + prose: "Limit the number of concurrent sessions for each {{ insert:\ + \ param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}." + - id: ac-10_gdn + name: guidance + prose: Organizations may define the maximum number of concurrent sessions + for system accounts globally, by account type, by account, or any + combination thereof. For example, organizations may limit the number + of concurrent sessions for system administrators or other individuals + working in particularly sensitive domains or mission-critical applications. + Concurrent session control addresses concurrent sessions for system + accounts. It does not, however, address concurrent sessions by single + users via multiple system accounts. + - id: ac-10_obj + name: assessment-objective + props: + - name: label + value: AC-10 + class: sp800-53a + prose: "the number of concurrent sessions for each {{ insert: param,\ + \ ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}." + links: + - href: "#ac-10_smt" + rel: assessment-for + - id: ac-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing concurrent session control + + system design documentation + + system configuration settings and associated documentation + + security plan + + system security plan + + other relevant documents or records + - id: ac-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for concurrent + session control + - id: ac-11 + class: SP800-53 + title: Device Lock + params: + - id: ac-11_odp.01 + select: + how-many: one-or-more + choice: + - "initiating a device lock after {{ insert: param, ac-11_odp.02\ + \ }} of inactivity" + - requiring the user to initiate a device lock before leaving the + system unattended + - id: ac-11_odp.02 + label: time period + constraints: + - description: fifteen (15) minutes + guidelines: + - prose: time period of inactivity after which a device lock is initiated + is defined (if selected); + props: + - name: label + value: AC-11 + - name: label + value: AC-11 + class: sp800-53a + - name: sort-id + value: ac-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: related + - href: "#ac-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#pl-4" + rel: related + parts: + - id: ac-11_smt + name: statement + parts: + - id: ac-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Prevent further access to the system by {{ insert: param,\ + \ ac-11_odp.01 }} ; and" + - id: ac-11_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the device lock until the user reestablishes access + using established identification and authentication procedures. + - id: ac-11_gdn + name: guidance + prose: Device locks are temporary actions taken to prevent logical access + to organizational systems when users stop work and move away from + the immediate vicinity of those systems but do not want to log out + because of the temporary nature of their absences. Device locks can + be implemented at the operating system level or at the application + level. A proximity lock may be used to initiate the device lock (e.g., + via a Bluetooth-enabled device or dongle). User-initiated device locking + is behavior or policy-based and, as such, requires users to take physical + action to initiate the device lock. Device locks are not an acceptable + substitute for logging out of systems, such as when organizations + require users to log out at the end of workdays. + - id: ac-11_obj + name: assessment-objective + props: + - name: label + value: AC-11 + class: sp800-53a + parts: + - id: ac-11_obj.a + name: assessment-objective + props: + - name: label + value: AC-11a. + class: sp800-53a + prose: "further access to the system is prevented by {{ insert:\ + \ param, ac-11_odp.01 }};" + links: + - href: "#ac-11_smt.a" + rel: assessment-for + - id: ac-11_obj.b + name: assessment-objective + props: + - name: label + value: AC-11b. + class: sp800-53a + prose: device lock is retained until the user re-establishes access + using established identification and authentication procedures. + links: + - href: "#ac-11_smt.b" + rel: assessment-for + links: + - href: "#ac-11_smt" + rel: assessment-for + - id: ac-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing session lock + + procedures addressing identification and authentication + + system design documentation + + system configuration settings and associated documentation + + security plan + + system security plan + + other relevant documents or records + - id: ac-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for session + lock + controls: + - id: ac-11.1 + class: SP800-53-enhancement + title: Pattern-hiding Displays + props: + - name: label + value: AC-11(1) + - name: label + value: AC-11(01) + class: sp800-53a + - name: sort-id + value: ac-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-11" + rel: required + parts: + - id: ac-11.1_smt + name: statement + prose: Conceal, via the device lock, information previously visible + on the display with a publicly viewable image. + - id: ac-11.1_gdn + name: guidance + prose: The pattern-hiding display can include static or dynamic + images, such as patterns used with screen savers, photographic + images, solid colors, clock, battery life indicator, or a blank + screen with the caveat that controlled unclassified information + is not displayed. + - id: ac-11.1_obj + name: assessment-objective + props: + - name: label + value: AC-11(01) + class: sp800-53a + prose: information previously visible on the display is concealed, + via device lock, with a publicly viewable image. + links: + - href: "#ac-11.1_smt" + rel: assessment-for + - id: ac-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing session lock + + + display screen with session lock activated + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: ac-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: System session lock mechanisms + - id: ac-12 + class: SP800-53 + title: Session Termination + params: + - id: ac-12_odp + label: conditions or trigger events + guidelines: + - prose: conditions or trigger events requiring session disconnect + are defined; + props: + - name: label + value: AC-12 + - name: label + value: AC-12 + class: sp800-53a + - name: sort-id + value: ac-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ma-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-23" + rel: related + parts: + - id: ac-12_smt + name: statement + prose: "Automatically terminate a user session after {{ insert: param,\ + \ ac-12_odp }}." + - id: ac-12_gdn + name: guidance + prose: Session termination addresses the termination of user-initiated + logical sessions (in contrast to [SC-10](#sc-10) , which addresses + the termination of network connections associated with communications + sessions (i.e., network disconnect)). A logical session (for local, + network, and remote access) is initiated whenever a user (or process + acting on behalf of a user) accesses an organizational system. Such + user sessions can be terminated without terminating network sessions. + Session termination ends all processes associated with a user’s logical + session except for those processes that are specifically created by + the user (i.e., session owner) to continue after the session is terminated. + Conditions or trigger events that require automatic termination of + the session include organization-defined periods of user inactivity, + targeted responses to certain types of incidents, or time-of-day restrictions + on system use. + - id: ac-12_obj + name: assessment-objective + props: + - name: label + value: AC-12 + class: sp800-53a + prose: "a user session is automatically terminated after {{ insert:\ + \ param, ac-12_odp }}." + links: + - href: "#ac-12_smt" + rel: assessment-for + - id: ac-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing session termination + + + system design documentation + + + system configuration settings and associated documentation + + + list of conditions or trigger events requiring session disconnect + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms implementing user session termination + - id: ac-14 + class: SP800-53 + title: Permitted Actions Without Identification or Authentication + params: + - id: ac-14_odp + label: user actions + guidelines: + - prose: user actions that can be performed on the system without + identification or authentication are defined; + props: + - name: label + value: AC-14 + - name: label + value: AC-14 + class: sp800-53a + - name: sort-id + value: ac-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ac-14_smt + name: statement + parts: + - id: ac-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify {{ insert: param, ac-14_odp }} that can be performed\ + \ on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - id: ac-14_smt.b + name: item + props: + - name: label + value: b. + prose: Document and provide supporting rationale in the security + plan for the system, user actions not requiring identification + or authentication. + - id: ac-14_gdn + name: guidance + prose: 'Specific user actions may be permitted without identification + or authentication if organizations determine that identification and + authentication are not required for the specified user actions. Organizations + may allow a limited number of user actions without identification + or authentication, including when individuals access public websites + or other publicly accessible federal systems, when individuals use + mobile phones to receive calls, or when facsimiles are received. Organizations + identify actions that normally require identification or authentication + but may, under certain circumstances, allow identification or authentication + mechanisms to be bypassed. Such bypasses may occur, for example, via + a software-readable physical switch that commands bypass of the logon + functionality and is protected from accidental or unmonitored use. + Permitting actions without identification or authentication does not + apply to situations where identification and authentication have already + occurred and are not repeated but rather to situations where identification + and authentication have not yet occurred. Organizations may decide + that there are no user actions that can be performed on organizational + systems without identification and authentication, and therefore, + the value for the assignment operation can be "none." ' + - id: ac-14_obj + name: assessment-objective + props: + - name: label + value: AC-14 + class: sp800-53a + parts: + - id: ac-14_obj.a + name: assessment-objective + props: + - name: label + value: AC-14a. + class: sp800-53a + prose: " {{ insert: param, ac-14_odp }} that can be performed on\ + \ the system without identification or authentication consistent\ + \ with organizational mission and business functions are identified;" + links: + - href: "#ac-14_smt.a" + rel: assessment-for + - id: ac-14_obj.b + name: assessment-objective + props: + - name: label + value: AC-14b. + class: sp800-53a + parts: + - id: ac-14_obj.b-1 + name: assessment-objective + props: + - name: label + value: AC-14b.[01] + class: sp800-53a + prose: user actions not requiring identification or authentication + are documented in the security plan for the system; + links: + - href: "#ac-14_smt.b" + rel: assessment-for + - id: ac-14_obj.b-2 + name: assessment-objective + props: + - name: label + value: AC-14b.[02] + class: sp800-53a + prose: a rationale for user actions not requiring identification + or authentication is provided in the security plan for the + system. + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt" + rel: assessment-for + - id: ac-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing permitted actions without identification + or authentication + + + system configuration settings and associated documentation + + + security plan + + + list of user actions that can be performed without identification + or authentication + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17 + class: SP800-53 + title: Remote Access + props: + - name: label + value: AC-17 + - name: label + value: AC-17 + class: sp800-53a + - name: sort-id + value: ac-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-10" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-17" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-17_smt + name: statement + parts: + - id: ac-17_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and document usage restrictions, configuration/connection + requirements, and implementation guidance for each type of remote + access allowed; and + - id: ac-17_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of remote access to the system prior + to allowing such connections. + - id: ac-17_gdn + name: guidance + prose: Remote access is access to organizational systems (or processes + acting on behalf of users) that communicate through external networks + such as the Internet. Types of remote access include dial-up, broadband, + and wireless. Organizations use encrypted virtual private networks + (VPNs) to enhance confidentiality and integrity for remote connections. + The use of encrypted VPNs provides sufficient assurance to the organization + that it can effectively treat such connections as internal networks + if the cryptographic mechanisms used are implemented in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Still, VPN connections traverse external + networks, and the encrypted VPN does not enhance the availability + of remote connections. VPNs with encrypted tunnels can also affect + the ability to adequately monitor network communications traffic for + malicious code. Remote access controls apply to systems other than + public web servers or systems designed for public access. Authorization + of each remote access type addresses authorization prior to allowing + remote access without specifying the specific formats for such authorization. + While organizations may use information exchange and system connection + security agreements to manage remote access connections to other systems, + such agreements are addressed as part of [CA-3](#ca-3) . Enforcing + access restrictions for remote access is addressed via [AC-3](#ac-3). + - id: ac-17_obj + name: assessment-objective + props: + - name: label + value: AC-17 + class: sp800-53a + parts: + - id: ac-17_obj.a + name: assessment-objective + props: + - name: label + value: AC-17a. + class: sp800-53a + parts: + - id: ac-17_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17a.[01] + class: sp800-53a + prose: usage restrictions are established and documented for + each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17a.[02] + class: sp800-53a + prose: configuration/connection requirements are established + and documented for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17a.[03] + class: sp800-53a + prose: implementation guidance is established and documented + for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.b + name: assessment-objective + props: + - name: label + value: AC-17b. + class: sp800-53a + prose: each type of remote access to the system is authorized prior + to allowing such connections. + links: + - href: "#ac-17_smt.b" + rel: assessment-for + links: + - href: "#ac-17_smt" + rel: assessment-for + - id: ac-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access implementation and usage (including + restrictions) + + + configuration management plan + + + system configuration settings and associated documentation + + + remote access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + remote access connections + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Remote access management capability for the system + controls: + - id: ac-17.1 + class: SP800-53-enhancement + title: Monitoring and Control + props: + - name: label + value: AC-17(1) + - name: label + value: AC-17(01) + class: sp800-53a + - name: sort-id + value: ac-17.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + parts: + - id: ac-17.1_smt + name: statement + prose: Employ automated mechanisms to monitor and control remote + access methods. + - id: ac-17.1_gdn + name: guidance + prose: Monitoring and control of remote access methods allows organizations + to detect attacks and help ensure compliance with remote access + policies by auditing the connection activities of remote users + on a variety of system components, including servers, notebook + computers, workstations, smart phones, and tablets. Audit logging + for remote access is enforced by [AU-2](#au-2) . Audit events + are defined in [AU-2a](#au-2_smt.a). + - id: ac-17.1_obj + name: assessment-objective + props: + - name: label + value: AC-17(01) + class: sp800-53a + parts: + - id: ac-17.1_obj-1 + name: assessment-objective + props: + - name: label + value: AC-17(01)[01] + class: sp800-53a + prose: automated mechanisms are employed to monitor remote access + methods; + links: + - href: "#ac-17.1_smt" + rel: assessment-for + - id: ac-17.1_obj-2 + name: assessment-objective + props: + - name: label + value: AC-17(01)[02] + class: sp800-53a + prose: automated mechanisms are employed to control remote access + methods. + links: + - href: "#ac-17.1_smt" + rel: assessment-for + links: + - href: "#ac-17.1_smt" + rel: assessment-for + - id: ac-17.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system monitoring records + + + system security plan + + + other relevant documents or records + - id: ac-17.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-17.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms monitoring and controlling remote + access methods + - id: ac-17.2 + class: SP800-53-enhancement + title: Protection of Confidentiality and Integrity Using Encryption + props: + - name: label + value: AC-17(2) + - name: label + value: AC-17(02) + class: sp800-53a + - name: sort-id + value: ac-17.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-17.2_smt + name: statement + prose: Implement cryptographic mechanisms to protect the confidentiality + and integrity of remote access sessions. + - id: ac-17.2_gdn + name: guidance + prose: Virtual private networks can be used to protect the confidentiality + and integrity of remote access sessions. Transport Layer Security + (TLS) is an example of a cryptographic protocol that provides + end-to-end communications security over networks and is used for + Internet communications and online transactions. + - id: ac-17.2_obj + name: assessment-objective + props: + - name: label + value: AC-17(02) + class: sp800-53a + prose: cryptographic mechanisms are implemented to protect the confidentiality + and integrity of remote access sessions. + links: + - href: "#ac-17.2_smt" + rel: assessment-for + - id: ac-17.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-17.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms protecting confidentiality and + integrity of remote access sessions + - id: ac-17.3 + class: SP800-53-enhancement + title: Managed Access Control Points + props: + - name: label + value: AC-17(3) + - name: label + value: AC-17(03) + class: sp800-53a + - name: sort-id + value: ac-17.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#sc-7" + rel: related + parts: + - id: ac-17.3_smt + name: statement + prose: Route remote accesses through authorized and managed network + access control points. + - id: ac-17.3_gdn + name: guidance + prose: Organizations consider the Trusted Internet Connections (TIC) + initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements + for external network connections since limiting the number of + access control points for remote access reduces attack surfaces. + - id: ac-17.3_obj + name: assessment-objective + props: + - name: label + value: AC-17(03) + class: sp800-53a + prose: remote accesses are routed through authorized and managed + network access control points. + links: + - href: "#ac-17.3_smt" + rel: assessment-for + - id: ac-17.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + list of all managed network access control points + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms routing all remote accesses through managed + network access control points + - id: ac-17.4 + class: SP800-53-enhancement + title: Privileged Commands and Access + params: + - id: ac-17.4_prm_1 + label: organization-defined needs + - id: ac-17.04_odp.01 + label: needs requiring remote access + guidelines: + - prose: needs requiring execution of privileged commands via + remote access are defined; + - id: ac-17.04_odp.02 + label: needs requiring remote access + guidelines: + - prose: needs requiring access to security-relevant information + via remote access are defined; + props: + - name: label + value: AC-17(4) + - name: label + value: AC-17(04) + class: sp800-53a + - name: sort-id + value: ac-17.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-17" + rel: required + - href: "#ac-6" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-17.4_smt + name: statement + parts: + - id: ac-17.4_smt.a + name: item + props: + - name: label + value: (a) + prose: "Authorize the execution of privileged commands and access\ + \ to security-relevant information via remote access only\ + \ in a format that provides assessable evidence and for the\ + \ following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + - id: ac-17.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Document the rationale for remote access in the security + plan for the system. + - id: ac-17.4_gdn + name: guidance + prose: Remote access to systems represents a significant potential + vulnerability that can be exploited by adversaries. As such, restricting + the execution of privileged commands and access to security-relevant + information via remote access reduces the exposure of the organization + and the susceptibility to threats by adversaries to the remote + access capability. + - id: ac-17.4_obj + name: assessment-objective + props: + - name: label + value: AC-17(04) + class: sp800-53a + parts: + - id: ac-17.4_obj.a + name: assessment-objective + props: + - name: label + value: AC-17(04)(a) + class: sp800-53a + parts: + - id: ac-17.4_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[01] + class: sp800-53a + prose: the execution of privileged commands via remote access + is authorized only in a format that provides assessable + evidence; + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[02] + class: sp800-53a + prose: access to security-relevant information via remote + access is authorized only in a format that provides assessable + evidence; + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[03] + class: sp800-53a + prose: "the execution of privileged commands via remote\ + \ access is authorized only for the following needs: {{\ + \ insert: param, ac-17.04_odp.01 }};" + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-4 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[04] + class: sp800-53a + prose: "access to security-relevant information via remote\ + \ access is authorized only for the following needs: {{\ + \ insert: param, ac-17.04_odp.02 }};" + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.b + name: assessment-objective + props: + - name: label + value: AC-17(04)(b) + class: sp800-53a + prose: the rationale for remote access is documented in the + security plan for the system. + links: + - href: "#ac-17.4_smt.b" + rel: assessment-for + links: + - href: "#ac-17.4_smt" + rel: assessment-for + - id: ac-17.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system configuration settings and associated documentation + + + security plan + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing remote access management + - id: ac-18 + class: SP800-53 + title: Wireless Access + props: + - name: label + value: AC-18 + - name: label + value: AC-18 + class: sp800-53a + - name: sort-id + value: ac-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#03fb73bc-1b12-4182-bd96-e5719254ea61" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-40" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-18_smt + name: statement + parts: + - id: ac-18_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for each type of wireless access; + and + - id: ac-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of wireless access to the system prior + to allowing such connections. + - id: ac-18_gdn + name: guidance + prose: Wireless technologies include microwave, packet radio (ultra-high + frequency or very high frequency), 802.11x, and Bluetooth. Wireless + networks use authentication protocols that provide authenticator protection + and mutual authentication. + - id: ac-18_obj + name: assessment-objective + props: + - name: label + value: AC-18 + class: sp800-53a + parts: + - id: ac-18_obj.a + name: assessment-objective + props: + - name: label + value: AC-18a. + class: sp800-53a + parts: + - id: ac-18_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-18a.[01] + class: sp800-53a + prose: configuration requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-18a.[02] + class: sp800-53a + prose: connection requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-18a.[03] + class: sp800-53a + prose: implementation guidance is established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.b + name: assessment-objective + props: + - name: label + value: AC-18b. + class: sp800-53a + prose: each type of wireless access to the system is authorized + prior to allowing such connections. + links: + - href: "#ac-18_smt.b" + rel: assessment-for + links: + - href: "#ac-18_smt" + rel: assessment-for + - id: ac-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless access implementation and usage + (including restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + wireless access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + wireless access connections + + + organizational personnel with information security responsibilities + - id: ac-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Wireless access management capability for the system + controls: + - id: ac-18.1 + class: SP800-53-enhancement + title: Authentication and Encryption + params: + - id: ac-18.01_odp + select: + how-many: one-or-more + choice: + - users + - devices + props: + - name: label + value: AC-18(1) + - name: label + value: AC-18(01) + class: sp800-53a + - name: sort-id + value: ac-18.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-18" + rel: required + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-18.1_smt + name: statement + prose: "Protect wireless access to the system using authentication\ + \ of {{ insert: param, ac-18.01_odp }} and encryption." + - id: ac-18.1_gdn + name: guidance + prose: Wireless networking capabilities represent a significant + potential vulnerability that can be exploited by adversaries. + To protect systems with wireless access points, strong authentication + of users and devices along with strong encryption can reduce susceptibility + to threats by adversaries involving wireless technologies. + - id: ac-18.1_obj + name: assessment-objective + props: + - name: label + value: AC-18(01) + class: sp800-53a + parts: + - id: ac-18.1_obj-1 + name: assessment-objective + props: + - name: label + value: AC-18(01)[01] + class: sp800-53a + prose: "wireless access to the system is protected using authentication\ + \ of {{ insert: param, ac-18.01_odp }};" + links: + - href: "#ac-18.1_smt" + rel: assessment-for + - id: ac-18.1_obj-2 + name: assessment-objective + props: + - name: label + value: AC-18(01)[02] + class: sp800-53a + prose: wireless access to the system is protected using encryption. + links: + - href: "#ac-18.1_smt" + rel: assessment-for + links: + - href: "#ac-18.1_smt" + rel: assessment-for + - id: ac-18.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-18.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing wireless access protections to + the system + - id: ac-18.3 + class: SP800-53-enhancement + title: Disable Wireless Networking + props: + - name: label + value: AC-18(3) + - name: label + value: AC-18(03) + class: sp800-53a + - name: sort-id + value: ac-18.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-18" + rel: required + parts: + - id: ac-18.3_smt + name: statement + prose: Disable, when not intended for use, wireless networking capabilities + embedded within system components prior to issuance and deployment. + - id: ac-18.3_gdn + name: guidance + prose: Wireless networking capabilities that are embedded within + system components represent a significant potential vulnerability + that can be exploited by adversaries. Disabling wireless capabilities + when not needed for essential organizational missions or functions + can reduce susceptibility to threats by adversaries involving + wireless technologies. + - id: ac-18.3_obj + name: assessment-objective + props: + - name: label + value: AC-18(03) + class: sp800-53a + prose: when not intended for use, wireless networking capabilities + embedded within system components are disabled prior to issuance + and deployment. + links: + - href: "#ac-18.3_smt" + rel: assessment-for + - id: ac-18.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-18.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing the disabling of wireless networking + capabilities internally embedded within system components + - id: ac-18.4 + class: SP800-53-enhancement + title: Restrict Configurations by Users + props: + - name: label + value: AC-18(4) + - name: label + value: AC-18(04) + class: sp800-53a + - name: sort-id + value: ac-18.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-18" + rel: required + - href: "#sc-7" + rel: related + - href: "#sc-15" + rel: related + parts: + - id: ac-18.4_smt + name: statement + prose: Identify and explicitly authorize users allowed to independently + configure wireless networking capabilities. + - id: ac-18.4_gdn + name: guidance + prose: Organizational authorizations to allow selected users to + configure wireless networking capabilities are enforced, in part, + by the access enforcement mechanisms employed within organizational + systems. + - id: ac-18.4_obj + name: assessment-objective + props: + - name: label + value: AC-18(04) + class: sp800-53a + parts: + - id: ac-18.4_obj-1 + name: assessment-objective + props: + - name: label + value: AC-18(04)[01] + class: sp800-53a + prose: users allowed to independently configure wireless networking + capabilities are identified; + links: + - href: "#ac-18.4_smt" + rel: assessment-for + - id: ac-18.4_obj-2 + name: assessment-objective + props: + - name: label + value: AC-18(04)[02] + class: sp800-53a + prose: users allowed to independently configure wireless networking + capabilities are explicitly authorized. + links: + - href: "#ac-18.4_smt" + rel: assessment-for + links: + - href: "#ac-18.4_smt" + rel: assessment-for + - id: ac-18.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-18.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms authorizing independent user configuration + of wireless networking capabilities + - id: ac-18.5 + class: SP800-53-enhancement + title: Antennas and Transmission Power Levels + props: + - name: label + value: AC-18(5) + - name: label + value: AC-18(05) + class: sp800-53a + - name: sort-id + value: ac-18.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-18" + rel: required + - href: "#pe-19" + rel: related + parts: + - id: ac-18.5_smt + name: statement + prose: Select radio antennas and calibrate transmission power levels + to reduce the probability that signals from wireless access points + can be received outside of organization-controlled boundaries. + - id: ac-18.5_gdn + name: guidance + prose: Actions that may be taken to limit unauthorized use of wireless + communications outside of organization-controlled boundaries include + reducing the power of wireless transmissions so that the transmissions + are less likely to emit a signal that can be captured outside + of the physical perimeters of the organization, employing measures + such as emissions security to control wireless emanations, and + using directional or beamforming antennas that reduce the likelihood + that unintended receivers will be able to intercept signals. Prior + to taking such mitigating actions, organizations can conduct periodic + wireless surveys to understand the radio frequency profile of + organizational systems as well as other systems that may be operating + in the area. + - id: ac-18.5_obj + name: assessment-objective + props: + - name: label + value: AC-18(05) + class: sp800-53a + parts: + - id: ac-18.5_obj-1 + name: assessment-objective + props: + - name: label + value: AC-18(05)[01] + class: sp800-53a + prose: radio antennas are selected to reduce the probability + that signals from wireless access points can be received outside + of organization-controlled boundaries; + links: + - href: "#ac-18.5_smt" + rel: assessment-for + - id: ac-18.5_obj-2 + name: assessment-objective + props: + - name: label + value: AC-18(05)[02] + class: sp800-53a + prose: transmission power levels are calibrated to reduce the + probability that signals from wireless access points can be + received outside of organization-controlled boundaries. + links: + - href: "#ac-18.5_smt" + rel: assessment-for + links: + - href: "#ac-18.5_smt" + rel: assessment-for + - id: ac-18.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-18.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Calibration of transmission power levels for wireless + access + + + radio antenna signals for wireless access + + + wireless access reception outside of organization-controlled + boundaries + - id: ac-19 + class: SP800-53 + title: Access Control for Mobile Devices + props: + - name: label + value: AC-19 + - name: label + value: AC-19 + class: sp800-53a + - name: sort-id + value: ac-19 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-11" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-19_smt + name: statement + parts: + - id: ac-19_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for organization-controlled mobile + devices, to include when such devices are outside of controlled + areas; and + - id: ac-19_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize the connection of mobile devices to organizational + systems. + - id: ac-19_gdn + name: guidance + prose: >- + A mobile device is a computing device that has a small form + factor such that it can easily be carried by a single + individual; is designed to operate without a physical + connection; possesses local, non-removable or removable data + storage; and includes a self-contained power source. Mobile + device functionality may also include voice communication + capabilities, on-board sensors that allow the device to capture + information, and/or built-in features for synchronizing local + data with remote locations. Examples include smart phones and + tablets. Mobile devices are typically associated with a single + individual. The processing, storage, and transmission capability + of the mobile device may be comparable to or merely a subset of + notebook/desktop systems, depending on the nature and intended + purpose of the device. Protection and control of mobile devices + is behavior or policy-based and requires users to take physical + action to protect and control such devices when outside of + controlled areas. Controlled areas are spaces for which + organizations provide physical or procedural controls to meet + the requirements established for protecting information and + systems. + + + Due to the large variety of mobile devices with different characteristics + and capabilities, organizational restrictions may vary for the different + classes or types of such devices. Usage restrictions and specific + implementation guidance for mobile devices include configuration management, + device identification and authentication, implementation of mandatory + protective software, scanning devices for malicious code, updating + virus protection software, scanning for critical software updates + and patches, conducting primary operating system (and possibly other + resident software) integrity checks, and disabling unnecessary hardware. + + + Usage restrictions and authorization to connect may vary among organizational + systems. For example, the organization may authorize the connection + of mobile devices to its network and impose a set of usage restrictions, + while a system owner may withhold authorization for mobile device + connection to specific applications or impose additional usage restrictions + before allowing mobile device connections to a system. Adequate security + for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) + . Many safeguards for mobile devices are reflected in other controls. + [AC-20](#ac-20) addresses mobile devices that are not organization-controlled. + - id: ac-19_obj + name: assessment-objective + props: + - name: label + value: AC-19 + class: sp800-53a + parts: + - id: ac-19_obj.a + name: assessment-objective + props: + - name: label + value: AC-19a. + class: sp800-53a + parts: + - id: ac-19_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-19a.[01] + class: sp800-53a + prose: configuration requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-19a.[02] + class: sp800-53a + prose: connection requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-19a.[03] + class: sp800-53a + prose: implementation guidance is established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.b + name: assessment-objective + props: + - name: label + value: AC-19b. + class: sp800-53a + prose: the connection of mobile devices to organizational systems + is authorized. + links: + - href: "#ac-19_smt.b" + rel: assessment-for + links: + - href: "#ac-19_smt" + rel: assessment-for + - id: ac-19_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-19-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing access control for mobile device usage (including + restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + authorizations for mobile device connections to organizational + systems + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-19_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-19-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel using mobile devices to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-19_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-19-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control capability for mobile device connections to + organizational systems + + + configurations of mobile devices + controls: + - id: ac-19.5 + class: SP800-53-enhancement + title: Full Device or Container-based Encryption + params: + - id: ac-19.05_odp.01 + select: + choice: + - full-device encryption + - container-based encryption + - id: ac-19.05_odp.02 + label: mobile devices + guidelines: + - prose: mobile devices on which to employ encryption are defined; + props: + - name: label + value: AC-19(5) + - name: label + value: AC-19(05) + class: sp800-53a + - name: sort-id + value: ac-19.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-19" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: ac-19.5_smt + name: statement + prose: "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the\ + \ confidentiality and integrity of information on {{ insert: param,\ + \ ac-19.05_odp.02 }}." + - id: ac-19.5_gdn + name: guidance + prose: Container-based encryption provides a more fine-grained approach + to data and information encryption on mobile devices, including + encrypting selected data structures such as files, records, or + fields. + - id: ac-19.5_obj + name: assessment-objective + props: + - name: label + value: AC-19(05) + class: sp800-53a + prose: " {{ insert: param, ac-19.05_odp.01 }} is employed to protect\ + \ the confidentiality and integrity of information on {{ insert:\ + \ param, ac-19.05_odp.02 }}." + links: + - href: "#ac-19.5_smt" + rel: assessment-for + - id: ac-19.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-19(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing access control for mobile devices + + + system design documentation + + + system configuration settings and associated documentation + + + encryption mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-19.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-19(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access control + responsibilities for mobile devices + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-19.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-19(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Encryption mechanisms protecting confidentiality and + integrity of information on mobile devices + - id: ac-20 + class: SP800-53 + title: Use of External Systems + params: + - id: ac-20_odp.01 + select: + how-many: one-or-more + choice: + - "establish {{ insert: param, ac-20_odp.02 }} " + - "identify {{ insert: param, ac-20_odp.03 }} " + - id: ac-20_odp.02 + label: terms and conditions + guidelines: + - prose: terms and conditions consistent with the trust relationships + established with other organizations owning, operating, and/or + maintaining external systems are defined (if selected); + - id: ac-20_odp.03 + label: controls asserted + guidelines: + - prose: controls asserted to be implemented on external systems consistent + with the trust relationships established with other organizations + owning, operating, and/or maintaining external systems are defined + (if selected); + - id: ac-20_odp.04 + label: prohibited types of external systems + guidelines: + - prose: types of external systems prohibited from use are defined; + props: + - name: label + value: AC-20 + - name: label + value: AC-20 + class: sp800-53a + - name: sort-id + value: ac-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: ac-20_smt + name: statement + parts: + - id: ac-20_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, ac-20_odp.01 }} , consistent with the\ + \ trust relationships established with other organizations owning,\ + \ operating, and/or maintaining external systems, allowing authorized\ + \ individuals to:" + parts: + - id: ac-20_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Access the system from external systems; and + - id: ac-20_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Process, store, or transmit organization-controlled information + using external systems; or + - id: ac-20_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + - id: ac-20_fr + name: item + title: AC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The interrelated controls of AC-20, CA-3, and SA-9 + should be differentiated as follows: + + + AC-20 describes system access to and from external systems. + + + CA-3 describes documentation of an agreement between the respective + system owners when data is exchanged between the CSO and an + external system. + + + SA-9 describes the responsibilities of external system owners. + These responsibilities would typically be captured in the + agreement required by CA-3. + - id: ac-20_gdn + name: guidance + prose: >- + External systems are systems that are used by but not part of + organizational systems, and for which the organization has no + direct control over the implementation of required controls or + the assessment of control effectiveness. External systems + include personally owned systems, components, or devices; + privately owned computing and communications devices in + commercial or public facilities; systems owned or controlled by + nonfederal organizations; systems managed by contractors; and + federal information systems that are not owned by, operated by, + or under the direct supervision or authority of the + organization. External systems also include systems owned or + operated by other components within the same organization and + systems within the organization with different authorization + boundaries. Organizations have the option to prohibit the use of + any type of external system or prohibit the use of specified + types of external systems, (e.g., prohibit the use of any + external system that is not organizationally owned or prohibit + the use of personally-owned systems). + + + For some external systems (i.e., systems operated by other organizations), + the trust relationships that have been established between those organizations + and the originating organization may be such that no explicit terms + and conditions are required. Systems within these organizations may + not be considered external. These situations occur when, for example, + there are pre-existing information exchange agreements (either implicit + or explicit) established between organizations or components or when + such agreements are specified by applicable laws, executive orders, + directives, regulations, policies, or standards. Authorized individuals + include organizational personnel, contractors, or other individuals + with authorized access to organizational systems and over which organizations + have the authority to impose specific rules of behavior regarding + system access. Restrictions that organizations impose on authorized + individuals need not be uniform, as the restrictions may vary depending + on trust relationships between organizations. Therefore, organizations + may choose to impose different security restrictions on contractors + than on state, local, or tribal governments. + + + External systems used to access public interfaces to organizational + systems are outside the scope of [AC-20](#ac-20) . Organizations establish + specific terms and conditions for the use of external systems in accordance + with organizational security policies and procedures. At a minimum, + terms and conditions address the specific types of applications that + can be accessed on organizational systems from external systems and + the highest security category of information that can be processed, + stored, or transmitted on external systems. If the terms and conditions + with the owners of the external systems cannot be established, organizations + may impose restrictions on organizational personnel using those external + systems. + - id: ac-20_obj + name: assessment-objective + props: + - name: label + value: AC-20 + class: sp800-53a + parts: + - id: ac-20_obj.a + name: assessment-objective + props: + - name: label + value: AC-20a. + class: sp800-53a + parts: + - id: ac-20_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-20a.01 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to access the system from\ + \ external systems (if applicable);" + links: + - href: "#ac-20_smt.a.1" + rel: assessment-for + - id: ac-20_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-20a.02 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to process, store, or transmit\ + \ organization-controlled information using external systems\ + \ (if applicable);" + links: + - href: "#ac-20_smt.a.2" + rel: assessment-for + links: + - href: "#ac-20_smt.a" + rel: assessment-for + - id: ac-20_obj.b + name: assessment-objective + props: + - name: label + value: AC-20b. + class: sp800-53a + prose: "the use of {{ insert: param, ac-20_odp.04 }} is prohibited\ + \ (if applicable)." + links: + - href: "#ac-20_smt.b" + rel: assessment-for + links: + - href: "#ac-20_smt" + rel: assessment-for + - id: ac-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing the use of external systems + + + external systems terms and conditions + + + list of types of applications accessible from external systems + + + maximum security categorization for information processed, stored, + or transmitted on external systems + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: ac-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + terms and conditions for use of external systems to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing terms and conditions on the use of + external systems + controls: + - id: ac-20.1 + class: SP800-53-enhancement + title: Limits on Authorized Use + props: + - name: label + value: AC-20(1) + - name: label + value: AC-20(01) + class: sp800-53a + - name: sort-id + value: ac-20.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-20" + rel: required + - href: "#ca-2" + rel: related + parts: + - id: ac-20.1_smt + name: statement + prose: "Permit authorized individuals to use an external system\ + \ to access the system or to process, store, or transmit organization-controlled\ + \ information only after:" + parts: + - id: ac-20.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Verification of the implementation of controls on the + external system as specified in the organization’s security + and privacy policies and security and privacy plans; or + - id: ac-20.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Retention of approved system connection or processing + agreements with the organizational entity hosting the external + system. + - id: ac-20.1_gdn + name: guidance + prose: Limiting authorized use recognizes circumstances where individuals + using external systems may need to access organizational systems. + Organizations need assurance that the external systems contain + the necessary controls so as not to compromise, damage, or otherwise + harm organizational systems. Verification that the required controls + have been implemented can be achieved by external, independent + assessments, attestations, or other means, depending on the confidence + level required by organizations. + - id: ac-20.1_obj + name: assessment-objective + props: + - name: label + value: AC-20(01) + class: sp800-53a + parts: + - id: ac-20.1_obj.a + name: assessment-objective + props: + - name: label + value: AC-20(01)(a) + class: sp800-53a + prose: authorized individuals are permitted to use an external + system to access the system or to process, store, or transmit + organization-controlled information only after verification + of the implementation of controls on the external system as + specified in the organization’s security and privacy policies + and security and privacy plans (if applicable); + links: + - href: "#ac-20.1_smt.a" + rel: assessment-for + - id: ac-20.1_obj.b + name: assessment-objective + props: + - name: label + value: AC-20(01)(b) + class: sp800-53a + prose: authorized individuals are permitted to use an external + system to access the system or to process, store, or transmit + organization-controlled information only after retention of + approved system connection or processing agreements with the + organizational entity hosting the external system (if applicable). + links: + - href: "#ac-20.1_smt.b" + rel: assessment-for + links: + - href: "#ac-20.1_smt" + rel: assessment-for + - id: ac-20.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing the use of external systems + + system connection or processing agreements + + account management documents + + system security plan + + other relevant documents or records + - id: ac-20.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing limits on use of external systems + - id: ac-20.2 + class: SP800-53-enhancement + title: Portable Storage Devices — Restricted Use + params: + - id: ac-20.02_odp + label: restrictions + guidelines: + - prose: restrictions on the use of organization-controlled portable + storage devices by authorized individuals on external systems + are defined; + props: + - name: label + value: AC-20(2) + - name: label + value: AC-20(02) + class: sp800-53a + - name: sort-id + value: ac-20.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-20" + rel: required + - href: "#mp-7" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: ac-20.2_smt + name: statement + prose: "Restrict the use of organization-controlled portable storage\ + \ devices by authorized individuals on external systems using\ + \ {{ insert: param, ac-20.02_odp }}." + - id: ac-20.2_gdn + name: guidance + prose: Limits on the use of organization-controlled portable storage + devices in external systems include restrictions on how the devices + may be used and under what conditions the devices may be used. + - id: ac-20.2_obj + name: assessment-objective + props: + - name: label + value: AC-20(02) + class: sp800-53a + prose: "the use of organization-controlled portable storage devices\ + \ by authorized individuals is restricted on external systems\ + \ using {{ insert: param, ac-20.02_odp }}." + links: + - href: "#ac-20.2_smt" + rel: assessment-for + - id: ac-20.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing the use of external systems + + + system configuration settings and associated documentation + + + system connection or processing agreements + + + account management documents + + + system security plan + + + other relevant documents or records + - id: ac-20.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + restricting or prohibiting the use of + organization-controlled storage devices on external + systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing restrictions on the use of portable + storage devices + - id: ac-21 + class: SP800-53 + title: Information Sharing + params: + - id: ac-21_odp.01 + label: information-sharing circumstances + guidelines: + - prose: information-sharing circumstances where user discretion is + required to determine whether access authorizations assigned to + a sharing partner match the information’s access and use restrictions + are defined; + - id: ac-21_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms or manual processes that assist users + in making information-sharing and collaboration decisions are + defined; + props: + - name: label + value: AC-21 + - name: label + value: AC-21 + class: sp800-53a + - name: sort-id + value: ac-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-16" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-15" + rel: related + parts: + - id: ac-21_smt + name: statement + parts: + - id: ac-21_smt.a + name: item + props: + - name: label + value: a. + prose: "Enable authorized users to determine whether access authorizations\ + \ assigned to a sharing partner match the information’s access\ + \ and use restrictions for {{ insert: param, ac-21_odp.01 }} ;\ + \ and" + - id: ac-21_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ {{ insert: param, ac-21_odp.02 }} to assist users\ + \ in making information sharing and collaboration decisions." + - id: ac-21_gdn + name: guidance + prose: Information sharing applies to information that may be restricted + in some manner based on some formal or administrative determination. + Examples of such information include, contract-sensitive information, + classified information related to special access programs or compartments, + privileged information, proprietary information, and personally identifiable + information. Security and privacy risk assessments as well as applicable + laws, regulations, and policies can provide useful inputs to these + determinations. Depending on the circumstances, sharing partners may + be defined at the individual, group, or organizational level. Information + may be defined by content, type, security category, or special access + program or compartment. Access restrictions may include non-disclosure + agreements (NDA). Information flow techniques and security attributes + may be used to provide automated assistance to users making sharing + and collaboration decisions. + - id: ac-21_obj + name: assessment-objective + props: + - name: label + value: AC-21 + class: sp800-53a + parts: + - id: ac-21_obj.a + name: assessment-objective + props: + - name: label + value: AC-21a. + class: sp800-53a + prose: "authorized users are enabled to determine whether access\ + \ authorizations assigned to a sharing partner match the information’s\ + \ access and use restrictions for {{ insert: param, ac-21_odp.01\ + \ }};" + links: + - href: "#ac-21_smt.a" + rel: assessment-for + - id: ac-21_obj.b + name: assessment-objective + props: + - name: label + value: AC-21b. + class: sp800-53a + prose: " {{ insert: param, ac-21_odp.02 }} are employed to assist\ + \ users in making information-sharing and collaboration decisions." + links: + - href: "#ac-21_smt.b" + rel: assessment-for + links: + - href: "#ac-21_smt" + rel: assessment-for + - id: ac-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing user-based collaboration and information + sharing (including restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + list of users authorized to make information-sharing/collaboration + decisions + + + list of information-sharing circumstances requiring user discretion + + + non-disclosure agreements + + + acquisitions/contractual agreements + + + system security plan + + + privacy plan + + + privacy impact assessment + + + security and privacy risk assessments + + + other relevant documents or records + - id: ac-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for + information-sharing/collaboration decisions + + + organizational personnel with responsibility for acquisitions/contractual + agreements + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + - id: ac-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms or manual process implementing access + authorizations supporting information-sharing/user collaboration + decisions + - id: ac-22 + class: SP800-53 + title: Publicly Accessible Content + params: + - id: ac-22_odp + label: frequency + constraints: + - description: at least quarterly + guidelines: + - prose: the frequency at which to review the content on the publicly + accessible system for non-public information is defined; + props: + - name: label + value: AC-22 + - name: label + value: AC-22 + class: sp800-53a + - name: sort-id + value: ac-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#ac-3" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-13" + rel: related + parts: + - id: ac-22_smt + name: statement + parts: + - id: ac-22_smt.a + name: item + props: + - name: label + value: a. + prose: Designate individuals authorized to make information publicly + accessible; + - id: ac-22_smt.b + name: item + props: + - name: label + value: b. + prose: Train authorized individuals to ensure that publicly accessible + information does not contain nonpublic information; + - id: ac-22_smt.c + name: item + props: + - name: label + value: c. + prose: Review the proposed content of information prior to posting + onto the publicly accessible system to ensure that nonpublic information + is not included; and + - id: ac-22_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the content on the publicly accessible system for\ + \ nonpublic information {{ insert: param, ac-22_odp }} and remove\ + \ such information, if discovered." + - id: ac-22_gdn + name: guidance + prose: In accordance with applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines, the public is not + authorized to have access to nonpublic information, including information + protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) + and proprietary information. Publicly accessible content addresses + systems that are controlled by the organization and accessible to + the public, typically without identification or authentication. Posting + information on non-organizational systems (e.g., non-organizational + public websites, forums, and social media) is covered by organizational + policy. While organizations may have individuals who are responsible + for developing and implementing policies about the information that + can be made publicly accessible, publicly accessible content addresses + the management of the individuals who make such information publicly + accessible. + - id: ac-22_obj + name: assessment-objective + props: + - name: label + value: AC-22 + class: sp800-53a + parts: + - id: ac-22_obj.a + name: assessment-objective + props: + - name: label + value: AC-22a. + class: sp800-53a + prose: designated individuals are authorized to make information + publicly accessible; + links: + - href: "#ac-22_smt.a" + rel: assessment-for + - id: ac-22_obj.b + name: assessment-objective + props: + - name: label + value: AC-22b. + class: sp800-53a + prose: authorized individuals are trained to ensure that publicly + accessible information does not contain non-public information; + links: + - href: "#ac-22_smt.b" + rel: assessment-for + - id: ac-22_obj.c + name: assessment-objective + props: + - name: label + value: AC-22c. + class: sp800-53a + prose: the proposed content of information is reviewed prior to + posting onto the publicly accessible system to ensure that non-public + information is not included; + links: + - href: "#ac-22_smt.c" + rel: assessment-for + - id: ac-22_obj.d + name: assessment-objective + props: + - name: label + value: AC-22d. + class: sp800-53a + parts: + - id: ac-22_obj.d-1 + name: assessment-objective + props: + - name: label + value: AC-22d.[01] + class: sp800-53a + prose: "the content on the publicly accessible system is reviewed\ + \ for non-public information {{ insert: param, ac-22_odp }};" + links: + - href: "#ac-22_smt.d" + rel: assessment-for + - id: ac-22_obj.d-2 + name: assessment-objective + props: + - name: label + value: AC-22d.[02] + class: sp800-53a + prose: non-public information is removed from the publicly accessible + system, if discovered. + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt" + rel: assessment-for + - id: ac-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing publicly accessible content + + + list of users authorized to post publicly accessible content on + organizational systems + + + training materials and/or records + + + records of publicly accessible information reviews + + + records of response to non-public information on public websites + + + system audit logs + + + security awareness training records + + + system security plan + + + other relevant documents or records + - id: ac-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + publicly accessible information posted on organizational + systems + + + organizational personnel with information security responsibilities + - id: ac-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of publicly accessible + content + - id: at + class: family + title: Awareness and Training + controls: + - id: at-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: at-1_prm_1 + label: organization-defined personnel or roles + - id: at-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training policy + is to be disseminated is/are defined; + - id: at-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training procedures + are to be disseminated is/are defined; + - id: at-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: at-01_odp.04 + label: official + guidelines: + - prose: an official to manage the awareness and training policy and + procedures is defined; + - id: at-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current awareness and training + policy is reviewed and updated is defined; + - id: at-01_odp.06 + label: events + guidelines: + - prose: events that would require the current awareness and training + policy to be reviewed and updated are defined; + - id: at-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current awareness and training + procedures are reviewed and updated is defined; + - id: at-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AT-1 + - name: label + value: AT-01 + class: sp800-53a + - name: sort-id + value: at-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-1_smt + name: statement + parts: + - id: at-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ at-1_prm_1 }}:" + parts: + - id: at-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, at-01_odp.03 }} awareness and training\ + \ policy that:" + parts: + - id: at-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: at-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: at-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the awareness + and training policy and the associated awareness and training + controls; + - id: at-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, at-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures; and" + - id: at-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current awareness and training:" + parts: + - id: at-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, at-01_odp.05 }} and following\ + \ {{ insert: param, at-01_odp.06 }} ; and" + - id: at-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, at-01_odp.07 }} and following\ + \ {{ insert: param, at-01_odp.08 }}." + - id: at-1_gdn + name: guidance + prose: Awareness and training policy and procedures address the controls + in the AT family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of awareness and + training policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to awareness and training policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: at-1_obj + name: assessment-objective + props: + - name: label + value: AT-01 + class: sp800-53a + parts: + - id: at-1_obj.a + name: assessment-objective + props: + - name: label + value: AT-01a. + class: sp800-53a + parts: + - id: at-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.[01] + class: sp800-53a + prose: "an awareness and training policy is developed and documented; " + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.[02] + class: sp800-53a + prose: "the awareness and training policy is disseminated to\ + \ {{ insert: param, at-01_odp.01 }};" + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.[03] + class: sp800-53a + prose: awareness and training procedures to facilitate the implementation + of the awareness and training policy and associated access + controls are developed and documented; + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.[04] + class: sp800-53a + prose: "the awareness and training procedures are disseminated\ + \ to {{ insert: param, at-01_odp.02 }}." + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-01a.01 + class: sp800-53a + parts: + - id: at-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AT-01a.01(a) + class: sp800-53a + parts: + - id: at-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses purpose;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses scope;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses roles;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses responsibilities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses management commitment;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses coordination among\ + \ organizational entities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses compliance; and" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AT-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines; and" + links: + - href: "#at-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#at-1_smt.a.1" + rel: assessment-for + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.b + name: assessment-objective + props: + - name: label + value: AT-01b. + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures;" + links: + - href: "#at-1_smt.b" + rel: assessment-for + - id: at-1_obj.c + name: assessment-objective + props: + - name: label + value: AT-01c. + class: sp800-53a + parts: + - id: at-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AT-01c.01 + class: sp800-53a + parts: + - id: at-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AT-01c.01[01] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated {{ insert: param, at-01_odp.05 }}; " + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AT-01c.01[02] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated following {{ insert: param, at-01_odp.06\ + \ }};" + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AT-01c.02 + class: sp800-53a + parts: + - id: at-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AT-01c.02[01] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated {{ insert: param, at-01_odp.07\ + \ }};" + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + - id: at-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AT-01c.02[02] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated following {{ insert: param, at-01_odp.08\ + \ }}." + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c" + rel: assessment-for + links: + - href: "#at-1_smt" + rel: assessment-for + - id: at-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System security plan + + privacy plan + + awareness and training policy and procedures + + other relevant documents or records + - id: at-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with awareness and training + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: at-2 + class: SP800-53 + title: Literacy Training and Awareness + params: + - id: at-2_prm_1 + label: organization-defined frequency + constraints: + - description: at least annually + - id: at-2_prm_2 + label: organization-defined events + - id: at-02_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to provide security literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to provide privacy literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.03 + label: events + guidelines: + - prose: events that require security literacy training for system + users are defined; + - id: at-02_odp.04 + label: events + guidelines: + - prose: events that require privacy literacy training for system + users are defined; + - id: at-02_odp.05 + label: awareness techniques + guidelines: + - prose: techniques to be employed to increase the security and privacy + awareness of system users are defined; + - id: at-02_odp.06 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update literacy training and awareness + content is defined; + - id: at-02_odp.07 + label: events + guidelines: + - prose: events that would require literacy training and awareness + content to be updated are defined; + props: + - name: label + value: AT-2 + - name: label + value: AT-02 + class: sp800-53a + - name: sort-id + value: at-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#89f2a08d-fc49-46d0-856e-bf974c9b1573" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-21" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-16" + rel: related + parts: + - id: at-2_smt + name: statement + parts: + - id: at-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide security and privacy literacy training to system\ + \ users (including managers, senior executives, and contractors):" + parts: + - id: at-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "As part of initial training for new users and {{ insert:\ + \ param, at-2_prm_1 }} thereafter; and" + - id: at-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "When required by system changes or following {{ insert:\ + \ param, at-2_prm_2 }};" + - id: at-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following techniques to increase the security\ + \ and privacy awareness of system users {{ insert: param, at-02_odp.05\ + \ }};" + - id: at-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Update literacy training and awareness content {{ insert:\ + \ param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07\ + \ }} ; and" + - id: at-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into literacy training and awareness techniques. + - id: at-2_gdn + name: guidance + prose: >- + Organizations provide basic and advanced levels of literacy + training to system users, including measures to test the + knowledge level of users. Organizations determine the content of + literacy training and awareness based on specific organizational + requirements, the systems to which personnel have authorized + access, and work environments (e.g., telework). The content + includes an understanding of the need for security and privacy + as well as actions by users to maintain security and personal + privacy and to respond to suspected incidents. The content + addresses the need for operations security and the handling of + personally identifiable information. + + + Awareness techniques include displaying posters, offering supplies + inscribed with security and privacy reminders, displaying logon screen + messages, generating email advisories or notices from organizational + officials, and conducting awareness events. Literacy training after + the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted + at a minimum frequency consistent with applicable laws, directives, + regulations, and policies. Subsequent literacy training may be satisfied + by one or more short ad hoc sessions and include topical information + on recent attack schemes, changes to organizational security and privacy + policies, revised security and privacy expectations, or a subset of + topics from the initial training. Updating literacy training and awareness + content on a regular basis helps to ensure that the content remains + relevant. Events that may precipitate an update to literacy training + and awareness content include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-2_obj + name: assessment-objective + props: + - name: label + value: AT-02 + class: sp800-53a + parts: + - id: at-2_obj.a + name: assessment-objective + props: + - name: label + value: AT-02a. + class: sp800-53a + parts: + - id: at-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-02a.01 + class: sp800-53a + parts: + - id: at-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-02a.01[01] + class: sp800-53a + prose: security literacy training is provided to system + users (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-02a.01[02] + class: sp800-53a + prose: privacy literacy training is provided to system users + (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-02a.01[03] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.01 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-02a.01[04] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.02 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-02a.02 + class: sp800-53a + parts: + - id: at-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-02a.02[01] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.03 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + - id: at-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-02a.02[02] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.04 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a" + rel: assessment-for + - id: at-2_obj.b + name: assessment-objective + props: + - name: label + value: AT-02b. + class: sp800-53a + prose: " {{ insert: param, at-02_odp.05 }} are employed to increase\ + \ the security and privacy awareness of system users;" + links: + - href: "#at-2_smt.b" + rel: assessment-for + - id: at-2_obj.c + name: assessment-objective + props: + - name: label + value: AT-02c. + class: sp800-53a + parts: + - id: at-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AT-02c.[01] + class: sp800-53a + prose: "literacy training and awareness content is updated {{\ + \ insert: param, at-02_odp.06 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AT-02c.[02] + class: sp800-53a + prose: "literacy training and awareness content is updated following\ + \ {{ insert: param, at-02_odp.07 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.d + name: assessment-objective + props: + - name: label + value: AT-02d. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into literacy training and awareness + techniques. + links: + - href: "#at-2_smt.d" + rel: assessment-for + links: + - href: "#at-2_smt" + rel: assessment-for + - id: at-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + appropriate codes of federal regulations + + + security and privacy literacy training curriculum + + + security and privacy literacy training materials + + + training records + + + other relevant documents or records + - id: at-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel comprising the general system user community + - id: at-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing information security and privacy literacy + training + controls: + - id: at-2.2 + class: SP800-53-enhancement + title: Insider Threat + props: + - name: label + value: AT-2(2) + - name: label + value: AT-02(02) + class: sp800-53a + - name: sort-id + value: at-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: required + - href: "#pm-12" + rel: related + parts: + - id: at-2.2_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + indicators of insider threat. + - id: at-2.2_gdn + name: guidance + prose: Potential indicators and possible precursors of insider threat + can include behaviors such as inordinate, long-term job dissatisfaction; + attempts to gain access to information not required for job performance; + unexplained access to financial resources; bullying or harassment + of fellow employees; workplace violence; and other serious violations + of policies, procedures, directives, regulations, rules, or practices. + Literacy training includes how to communicate the concerns of + employees and management regarding potential indicators of insider + threat through channels established by the organization and in + accordance with established policies and procedures. Organizations + may consider tailoring insider threat awareness topics to the + role. For example, training for managers may be focused on changes + in the behavior of team members, while training for employees + may be focused on more general observations. + - id: at-2.2_obj + name: assessment-objective + props: + - name: label + value: AT-02(02) + class: sp800-53a + parts: + - id: at-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: AT-02(02)[01] + class: sp800-53a + prose: literacy training on recognizing potential indicators + of insider threat is provided; + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: AT-02(02)[02] + class: sp800-53a + prose: literacy training on reporting potential indicators of + insider threat is provided. + links: + - href: "#at-2.2_smt" + rel: assessment-for + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + literacy training and awareness curriculum + + + literacy training and awareness materials + + + other relevant documents or records + - id: at-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel who receive literacy training + and awareness + + + organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + - id: at-2.3 + class: SP800-53-enhancement + title: Social Engineering and Mining + props: + - name: label + value: AT-2(3) + - name: label + value: AT-02(03) + class: sp800-53a + - name: sort-id + value: at-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: required + parts: + - id: at-2.3_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + and actual instances of social engineering and social mining. + - id: at-2.3_gdn + name: guidance + prose: Social engineering is an attempt to trick an individual into + revealing information or taking an action that can be used to + breach, compromise, or otherwise adversely impact a system. Social + engineering includes phishing, pretexting, impersonation, baiting, + quid pro quo, thread-jacking, social media exploitation, and tailgating. + Social mining is an attempt to gather information about the organization + that may be used to support future attacks. Literacy training + includes information on how to communicate the concerns of employees + and management regarding potential and actual instances of social + engineering and data mining through organizational channels based + on established policies and procedures. + - id: at-2.3_obj + name: assessment-objective + props: + - name: label + value: AT-02(03) + class: sp800-53a + parts: + - id: at-2.3_obj-1 + name: assessment-objective + props: + - name: label + value: AT-02(03)[01] + class: sp800-53a + prose: literacy training on recognizing potential and actual + instances of social engineering is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-2 + name: assessment-objective + props: + - name: label + value: AT-02(03)[02] + class: sp800-53a + prose: literacy training on reporting potential and actual instances + of social engineering is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-3 + name: assessment-objective + props: + - name: label + value: AT-02(03)[03] + class: sp800-53a + prose: literacy training on recognizing potential and actual + instances of social mining is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-4 + name: assessment-objective + props: + - name: label + value: AT-02(03)[04] + class: sp800-53a + prose: literacy training on reporting potential and actual instances + of social mining is provided. + links: + - href: "#at-2.3_smt" + rel: assessment-for + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + literacy training and awareness curriculum + + + literacy training and awareness materials + + + other relevant documents or records + - id: at-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel who receive literacy training + and awareness + + + organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + - id: at-3 + class: SP800-53 + title: Role-based Training + params: + - id: at-3_prm_1 + label: organization-defined roles and responsibilities + - id: at-03_odp.01 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based security training + are defined; + - id: at-03_odp.02 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based privacy training + are defined; + - id: at-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to provide role-based security and + privacy training to assigned personnel after initial training + is defined; + - id: at-03_odp.04 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update role-based training content + is defined; + - id: at-03_odp.05 + label: events + guidelines: + - prose: events that require role-based training content to be updated + are defined; + props: + - name: label + value: AT-3 + - name: label + value: AT-03 + class: sp800-53a + - name: sort-id + value: at-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-2" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-23" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-16" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: at-3_smt + name: statement + parts: + - id: at-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide role-based security and privacy training to personnel\ + \ with the following roles and responsibilities: {{ insert: param,\ + \ at-3_prm_1 }}:" + parts: + - id: at-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Before authorizing access to the system, information,\ + \ or performing assigned duties, and {{ insert: param, at-03_odp.03\ + \ }} thereafter; and" + - id: at-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; + - id: at-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Update role-based training content {{ insert: param, at-03_odp.04\ + \ }} and following {{ insert: param, at-03_odp.05 }} ; and" + - id: at-3_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into role-based training. + - id: at-3_gdn + name: guidance + prose: >- + Organizations determine the content of training based on the + assigned roles and responsibilities of individuals as well as + the security and privacy requirements of organizations and the + systems to which personnel have authorized access, including + technical training specifically tailored for assigned duties. + Roles that may require role-based training include senior + leaders or management officials (e.g., head of agency/chief + executive officer, chief information officer, senior accountable + official for risk management, senior agency information security + officer, senior agency official for privacy), system owners; + authorizing officials; system security officers; privacy + officers; acquisition and procurement officials; enterprise + architects; systems engineers; software developers; systems + security engineers; privacy engineers; system, network, and + database administrators; auditors; personnel conducting + configuration management activities; personnel performing + verification and validation activities; personnel with access to + system-level software; control assessors; personnel with + contingency planning and incident response duties; personnel + with privacy management responsibilities; and personnel with + access to personally identifiable information. + + + Comprehensive role-based training addresses management, operational, + and technical roles and responsibilities covering physical, personnel, + and technical controls. Role-based training also includes policies, + procedures, tools, methods, and artifacts for the security and privacy + roles defined. Organizations provide the training necessary for individuals + to fulfill their responsibilities related to operations and supply + chain risk management within the context of organizational security + and privacy programs. Role-based training also applies to contractors + who provide services to federal agencies. Types of training include + web-based and computer-based training, classroom-style training, and + hands-on training (including micro-training). Updating role-based + training on a regular basis helps to ensure that the content remains + relevant and effective. Events that may precipitate an update to role-based + training content include, but are not limited to, assessment or audit + findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-3_obj + name: assessment-objective + props: + - name: label + value: AT-03 + class: sp800-53a + parts: + - id: at-3_obj.a + name: assessment-objective + props: + - name: label + value: AT-03a. + class: sp800-53a + parts: + - id: at-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-03a.01 + class: sp800-53a + parts: + - id: at-3_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-03a.01[01] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-03a.01[02] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-03a.01[03] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-03a.01[04] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-03a.02 + class: sp800-53a + parts: + - id: at-3_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-03a.02[01] + class: sp800-53a + prose: role-based security training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + - id: at-3_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-03a.02[02] + class: sp800-53a + prose: role-based privacy training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a" + rel: assessment-for + - id: at-3_obj.b + name: assessment-objective + props: + - name: label + value: AT-03b. + class: sp800-53a + parts: + - id: at-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: AT-03b.[01] + class: sp800-53a + prose: "role-based training content is updated {{ insert: param,\ + \ at-03_odp.04 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: AT-03b.[02] + class: sp800-53a + prose: "role-based training content is updated following {{\ + \ insert: param, at-03_odp.05 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.c + name: assessment-objective + props: + - name: label + value: AT-03c. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into role-based training. + links: + - href: "#at-3_smt.c" + rel: assessment-for + links: + - href: "#at-3_smt" + rel: assessment-for + - id: at-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + security and privacy awareness and training policy + + + procedures addressing security and privacy training implementation + + + codes of federal regulations + + + security and privacy training curriculum + + + security and privacy training materials + + + training records + + + other relevant documents or records + - id: at-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + role-based security and privacy training + + + organizational personnel with assigned system security and privacy + roles and responsibilities + - id: at-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing role-based security and privacy training + - id: at-4 + class: SP800-53 + title: Training Records + params: + - id: at-04_odp + label: time period + constraints: + - description: five (5) years or 5 years after completion of a specific + training program + guidelines: + - prose: time period for retaining individual training records is + defined; + props: + - name: label + value: AT-4 + - name: label + value: AT-04 + class: sp800-53a + - name: sort-id + value: at-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-4_smt + name: statement + parts: + - id: at-4_smt.a + name: item + props: + - name: label + value: a. + prose: Document and monitor information security and privacy training + activities, including security and privacy awareness training + and specific role-based security and privacy training; and + - id: at-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Retain individual training records for {{ insert: param,\ + \ at-04_odp }}." + - id: at-4_gdn + name: guidance + prose: Documentation for specialized training may be maintained by individual + supervisors at the discretion of the organization. The National Archives + and Records Administration provides guidance on records retention + for federal agencies. + - id: at-4_obj + name: assessment-objective + props: + - name: label + value: AT-04 + class: sp800-53a + parts: + - id: at-4_obj.a + name: assessment-objective + props: + - name: label + value: AT-04a. + class: sp800-53a + parts: + - id: at-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-04a.[01] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are documented; + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-04a.[02] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are monitored; + links: + - href: "#at-4_smt.a" + rel: assessment-for + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.b + name: assessment-objective + props: + - name: label + value: AT-04b. + class: sp800-53a + prose: "individual training records are retained for {{ insert:\ + \ param, at-04_odp }}." + links: + - href: "#at-4_smt.b" + rel: assessment-for + links: + - href: "#at-4_smt" + rel: assessment-for + - id: at-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy awareness and training policy + + procedures addressing security and privacy training records + + security and privacy awareness and training records + + system security plan + + privacy plan + + other relevant documents or records + - id: at-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational personnel with information security and privacy + training record retention responsibilities + - id: at-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the management of security and privacy + training records + - id: au + class: family + title: Audit and Accountability + controls: + - id: au-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: au-1_prm_1 + label: organization-defined personnel or roles + - id: au-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability policy + is to be disseminated is/are defined; + - id: au-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability procedures + are to be disseminated is/are defined; + - id: au-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: au-01_odp.04 + label: official + guidelines: + - prose: an official to manage the audit and accountability policy + and procedures is defined; + - id: au-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current audit and accountability + policy is reviewed and updated is defined; + - id: au-01_odp.06 + label: events + guidelines: + - prose: events that would require the current audit and accountability + policy to be reviewed and updated are defined; + - id: au-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current audit and accountability + procedures are reviewed and updated is defined; + - id: au-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require audit and accountability procedures + to be reviewed and updated are defined; + props: + - name: label + value: AU-1 + - name: label + value: AU-01 + class: sp800-53a + - name: sort-id + value: au-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-1_smt + name: statement + parts: + - id: au-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ au-1_prm_1 }}:" + parts: + - id: au-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, au-01_odp.03 }} audit and accountability\ + \ policy that:" + parts: + - id: au-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: au-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: au-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the audit + and accountability policy and the associated audit and accountability + controls; + - id: au-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, au-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures; and" + - id: au-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current audit and accountability:" + parts: + - id: au-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, au-01_odp.05 }} and following\ + \ {{ insert: param, au-01_odp.06 }} ; and" + - id: au-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, au-01_odp.07 }} and following\ + \ {{ insert: param, au-01_odp.08 }}." + - id: au-1_gdn + name: guidance + prose: Audit and accountability policy and procedures address the controls + in the AU family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of audit and accountability + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to audit and accountability policy and procedures + include assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: au-1_obj + name: assessment-objective + props: + - name: label + value: AU-01 + class: sp800-53a + parts: + - id: au-1_obj.a + name: assessment-objective + props: + - name: label + value: AU-01a. + class: sp800-53a + parts: + - id: au-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.[01] + class: sp800-53a + prose: an audit and accountability policy is developed and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.[02] + class: sp800-53a + prose: "the audit and accountability policy is disseminated\ + \ to {{ insert: param, au-01_odp.01 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.[03] + class: sp800-53a + prose: audit and accountability procedures to facilitate the + implementation of the audit and accountability policy and + associated audit and accountability controls are developed + and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.[04] + class: sp800-53a + prose: "the audit and accountability procedures are disseminated\ + \ to {{ insert: param, au-01_odp.02 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AU-01a.01 + class: sp800-53a + parts: + - id: au-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AU-01a.01(a) + class: sp800-53a + parts: + - id: au-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses purpose;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses scope;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses roles;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses responsibilities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses management\ + \ commitment;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses compliance;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AU-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the audit\ + \ and accountability policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#au-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#au-1_smt.a.1" + rel: assessment-for + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.b + name: assessment-objective + props: + - name: label + value: AU-01b. + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures;" + links: + - href: "#au-1_smt.b" + rel: assessment-for + - id: au-1_obj.c + name: assessment-objective + props: + - name: label + value: AU-01c. + class: sp800-53a + parts: + - id: au-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AU-01c.01 + class: sp800-53a + parts: + - id: au-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AU-01c.01[01] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated {{ insert: param, au-01_odp.05 }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AU-01c.01[02] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated following {{ insert: param, au-01_odp.06\ + \ }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AU-01c.02 + class: sp800-53a + parts: + - id: au-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AU-01c.02[01] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated {{ insert: param, au-01_odp.07\ + \ }};" + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + - id: au-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AU-01c.02[02] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ au-01_odp.08 }}." + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c" + rel: assessment-for + links: + - href: "#au-1_smt" + rel: assessment-for + - id: au-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: au-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-2 + class: SP800-53 + title: Event Logging + params: + - id: au-2_prm_2 + label: organization-defined event types (subset of the event types defined + in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation + requiring) logging for each identified event type + constraints: + - description: organization-defined subset of the auditable events + defined in AU-2a to be audited continually for each identified + event. + - id: au-02_odp.01 + label: event types + constraints: + - description: "successful and unsuccessful account logon events,\ + \ account management events, object access, policy change, privilege\ + \ functions, process tracking, and system events. For Web applications:\ + \ all administrator activity, authentication checks, authorization\ + \ checks, data deletions, data access, data changes, and permission\ + \ changes" + guidelines: + - prose: the event types that the system is capable of logging in + support of the audit function are defined; + - id: au-02_odp.02 + label: event types (subset of AU-02_ODP[01]) + guidelines: + - prose: the event types (subset of AU-02_ODP[01]) for logging within + the system are defined; + - id: au-02_odp.03 + label: frequency or situation + guidelines: + - prose: the frequency or situation requiring logging for each specified + event type is defined; + - id: au-02_odp.04 + label: frequency + constraints: + - description: annually and whenever there is a change in the threat + environment + guidelines: + - prose: the frequency of event types selected for logging are reviewed + and updated; + props: + - name: label + value: AU-2 + - name: label + value: AU-02 + class: sp800-53a + - name: sort-id + value: au-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-13" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pm-21" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-2_smt + name: statement + parts: + - id: au-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify the types of events that the system is capable\ + \ of logging in support of the audit function: {{ insert: param,\ + \ au-02_odp.01 }};" + - id: au-2_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate the event logging function with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + - id: au-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Specify the following event types for logging within the\ + \ system: {{ insert: param, au-2_prm_2 }};" + - id: au-2_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a rationale for why the event types selected for + logging are deemed to be adequate to support after-the-fact investigations + of incidents; and + - id: au-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Review and update the event types selected for logging {{\ + \ insert: param, au-02_odp.04 }}." + - id: au-2_fr + name: item + title: AU-2 Additional FedRAMP Requirements and Guidance + parts: + - id: au-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. + - id: au-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Annually or whenever changes in the threat environment + are communicated to the service provider by the JAB/AO. + - id: au-2_gdn + name: guidance + prose: >- + An event is an observable occurrence in a system. The types of + events that require logging are those events that are + significant and relevant to the security of systems and the + privacy of individuals. Event logging also supports specific + monitoring and auditing needs. Event types include password + changes, failed logons or failed accesses related to systems, + security or privacy attribute changes, administrative privilege + usage, PIV credential usage, data action changes, query + parameters, or external credential usage. In determining the set + of event types that require logging, organizations consider the + monitoring and auditing appropriate for each of the controls to + be implemented. For completeness, event logging includes all + protocols that are operational and supported by the system. + + + To balance monitoring and auditing requirements with other system + needs, event logging requires identifying the subset of event types + that are logged at a given point in time. For example, organizations + may determine that systems need the capability to log every file access + successful and unsuccessful, but not activate that capability except + for specific circumstances due to the potential burden on system performance. + The types of events that organizations desire to be logged may change. + Reviewing and updating the set of logged events is necessary to help + ensure that the events remain relevant and continue to support the + needs of the organization. Organizations consider how the types of + logging events can reveal information about individuals that may give + rise to privacy risk and how best to mitigate such risks. For example, + there is the potential to reveal personally identifiable information + in the audit trail, especially if the logging event is based on patterns + or time of usage. + + + Event logging requirements, including the need to log specific event + types, may be referenced in other controls and control enhancements. + These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), + [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), + [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), + [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), + [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and + [SI-10(1)](#si-10.1) . Organizations include event types that are + required by applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Audit records can be generated + at various levels, including at the packet level as information traverses + the network. Selecting the appropriate level of event logging is an + important part of a monitoring and auditing capability and can identify + the root causes of problems. When defining event types, organizations + consider the logging necessary to cover related event types, such + as the steps in distributed, transaction-based processes and the actions + that occur in service-oriented architectures. + - id: au-2_obj + name: assessment-objective + props: + - name: label + value: AU-02 + class: sp800-53a + parts: + - id: au-2_obj.a + name: assessment-objective + props: + - name: label + value: AU-02a. + class: sp800-53a + prose: " {{ insert: param, au-02_odp.01 }} that the system is capable\ + \ of logging are identified in support of the audit logging function;" + links: + - href: "#au-2_smt.a" + rel: assessment-for + - id: au-2_obj.b + name: assessment-objective + props: + - name: label + value: AU-02b. + class: sp800-53a + prose: the event logging function is coordinated with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + links: + - href: "#au-2_smt.b" + rel: assessment-for + - id: au-2_obj.c + name: assessment-objective + props: + - name: label + value: AU-02c. + class: sp800-53a + parts: + - id: au-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AU-02c.[01] + class: sp800-53a + prose: " {{ insert: param, au-02_odp.02 }} are specified for\ + \ logging within the system;" + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AU-02c.[02] + class: sp800-53a + prose: "the specified event types are logged within the system\ + \ {{ insert: param, au-02_odp.03 }};" + links: + - href: "#au-2_smt.c" + rel: assessment-for + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.d + name: assessment-objective + props: + - name: label + value: AU-02d. + class: sp800-53a + prose: a rationale is provided for why the event types selected + for logging are deemed to be adequate to support after-the-fact + investigations of incidents; + links: + - href: "#au-2_smt.d" + rel: assessment-for + - id: au-2_obj.e + name: assessment-objective + props: + - name: label + value: AU-02e. + class: sp800-53a + prose: "the event types selected for logging are reviewed and updated\ + \ {{ insert: param, au-02_odp.04 }}." + links: + - href: "#au-2_smt.e" + rel: assessment-for + links: + - href: "#au-2_smt" + rel: assessment-for + - id: au-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing auditable events + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system auditable events + + other relevant documents or records + - id: au-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing + - id: au-3 + class: SP800-53 + title: Content of Audit Records + props: + - name: label + value: AU-3 + - name: label + value: AU-03 + class: sp800-53a + - name: sort-id + value: au-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-8" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-3_smt + name: statement + prose: "Ensure that audit records contain information that establishes\ + \ the following:" + parts: + - id: au-3_smt.a + name: item + props: + - name: label + value: a. + prose: What type of event occurred; + - id: au-3_smt.b + name: item + props: + - name: label + value: b. + prose: When the event occurred; + - id: au-3_smt.c + name: item + props: + - name: label + value: c. + prose: Where the event occurred; + - id: au-3_smt.d + name: item + props: + - name: label + value: d. + prose: Source of the event; + - id: au-3_smt.e + name: item + props: + - name: label + value: e. + prose: Outcome of the event; and + - id: au-3_smt.f + name: item + props: + - name: label + value: f. + prose: Identity of any individuals, subjects, or objects/entities + associated with the event. + - id: au-3_gdn + name: guidance + prose: Audit record content that may be necessary to support the auditing + function includes event descriptions (item a), time stamps (item b), + source and destination addresses (item c), user or process identifiers + (items d and f), success or fail indications (item e), and filenames + involved (items a, c, e, and f) . Event outcomes include indicators + of event success or failure and event-specific results, such as the + system security and privacy posture after the event occurred. Organizations + consider how audit records can reveal information about individuals + that may give rise to privacy risks and how best to mitigate such + risks. For example, there is the potential to reveal personally identifiable + information in the audit trail, especially if the trail records inputs + or is based on patterns or time of usage. + - id: au-3_obj + name: assessment-objective + props: + - name: label + value: AU-03 + class: sp800-53a + parts: + - id: au-3_obj.a + name: assessment-objective + props: + - name: label + value: AU-03a. + class: sp800-53a + prose: audit records contain information that establishes what type + of event occurred; + links: + - href: "#au-3_smt.a" + rel: assessment-for + - id: au-3_obj.b + name: assessment-objective + props: + - name: label + value: AU-03b. + class: sp800-53a + prose: audit records contain information that establishes when the + event occurred; + links: + - href: "#au-3_smt.b" + rel: assessment-for + - id: au-3_obj.c + name: assessment-objective + props: + - name: label + value: AU-03c. + class: sp800-53a + prose: audit records contain information that establishes where + the event occurred; + links: + - href: "#au-3_smt.c" + rel: assessment-for + - id: au-3_obj.d + name: assessment-objective + props: + - name: label + value: AU-03d. + class: sp800-53a + prose: audit records contain information that establishes the source + of the event; + links: + - href: "#au-3_smt.d" + rel: assessment-for + - id: au-3_obj.e + name: assessment-objective + props: + - name: label + value: AU-03e. + class: sp800-53a + prose: audit records contain information that establishes the outcome + of the event; + links: + - href: "#au-3_smt.e" + rel: assessment-for + - id: au-3_obj.f + name: assessment-objective + props: + - name: label + value: AU-03f. + class: sp800-53a + prose: audit records contain information that establishes the identity + of any individuals, subjects, or objects/entities associated with + the event. + links: + - href: "#au-3_smt.f" + rel: assessment-for + links: + - href: "#au-3_smt" + rel: assessment-for + - id: au-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing content of audit records + + system design documentation + + system configuration settings and associated documentation + + list of organization-defined auditable events + + system audit records + + system incident reports + + other relevant documents or records + - id: au-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing of auditable events + controls: + - id: au-3.1 + class: SP800-53-enhancement + title: Additional Audit Information + params: + - id: au-03.01_odp + label: additional information + constraints: + - description: session, connection, transaction, or activity duration; + for client-server transactions, the number of bytes received + and bytes sent; additional informational messages to diagnose + or identify the event; characteristics that describe or identify + the object or resource being acted upon; individual identities + of group account users; full-text of privileged commands + guidelines: + - prose: additional information to be included in audit records + is defined; + props: + - name: label + value: AU-3(1) + - name: label + value: AU-03(01) + class: sp800-53a + - name: sort-id + value: au-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-3" + rel: required + parts: + - id: au-3.1_smt + name: statement + prose: "Generate audit records containing the following additional\ + \ information: {{ insert: param, au-03.01_odp }}." + parts: + - id: au-3.1_fr + name: item + title: AU-3 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: au-3.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For client-server transactions, the number of bytes + sent and received gives bidirectional transfer information + that can be helpful during an investigation or inquiry. + - id: au-3.1_gdn + name: guidance + prose: The ability to add information generated in audit records + is dependent on system functionality to configure the audit record + content. Organizations may consider additional information in + audit records including, but not limited to, access control or + flow control rules invoked and individual identities of group + account users. Organizations may also consider limiting additional + audit record information to only information that is explicitly + needed for audit requirements. This facilitates the use of audit + trails and audit logs by not including information in audit records + that could potentially be misleading, make it more difficult to + locate information of interest, or increase the risk to individuals' + privacy. + - id: au-3.1_obj + name: assessment-objective + props: + - name: label + value: AU-03(01) + class: sp800-53a + prose: "generated audit records contain the following {{ insert:\ + \ param, au-03.01_odp }}." + links: + - href: "#au-3.1_smt" + rel: assessment-for + - id: au-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing content of audit records + + + system security plan + + + privacy plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of organization-defined auditable events + + + system audit records + + + other relevant documents or records + - id: au-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: system audit capability + - id: au-4 + class: SP800-53 + title: Audit Log Storage Capacity + params: + - id: au-04_odp + label: audit log retention requirements + guidelines: + - prose: audit log retention requirements are defined; + props: + - name: label + value: AU-4 + - name: label + value: AU-04 + class: sp800-53a + - name: sort-id + value: au-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-4_smt + name: statement + prose: "Allocate audit log storage capacity to accommodate {{ insert:\ + \ param, au-04_odp }}." + - id: au-4_gdn + name: guidance + prose: Organizations consider the types of audit logging to be performed + and the audit log processing requirements when allocating audit log + storage capacity. Allocating sufficient audit log storage capacity + reduces the likelihood of such capacity being exceeded and resulting + in the potential loss or reduction of audit logging capability. + - id: au-4_obj + name: assessment-objective + props: + - name: label + value: AU-04 + class: sp800-53a + prose: "audit log storage capacity is allocated to accommodate {{ insert:\ + \ param, au-04_odp }}." + links: + - href: "#au-4_smt" + rel: assessment-for + - id: au-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit storage capacity + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + audit record storage requirements + + audit record storage capability for system components + + system audit records + + other relevant documents or records + - id: au-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit record storage capacity and related configuration settings + - id: au-5 + class: SP800-53 + title: Response to Audit Logging Process Failures + params: + - id: au-05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles receiving audit logging process failure + alerts are defined; + - id: au-05_odp.02 + label: time period + guidelines: + - prose: time period for personnel or roles receiving audit logging + process failure alerts is defined; + - id: au-05_odp.03 + label: additional actions + constraints: + - description: overwrite oldest record + guidelines: + - prose: additional actions to be taken in the event of an audit logging + process failure are defined; + props: + - name: label + value: AU-5 + - name: label + value: AU-05 + class: sp800-53a + - name: sort-id + value: au-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-5_smt + name: statement + parts: + - id: au-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Alert {{ insert: param, au-05_odp.01 }} within {{ insert:\ + \ param, au-05_odp.02 }} in the event of an audit logging process\ + \ failure; and" + - id: au-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following additional actions: {{ insert: param,\ + \ au-05_odp.03 }}." + - id: au-5_gdn + name: guidance + prose: Audit logging process failures include software and hardware + errors, failures in audit log capturing mechanisms, and reaching or + exceeding audit log storage capacity. Organization-defined actions + include overwriting oldest audit records, shutting down the system, + and stopping the generation of audit records. Organizations may choose + to define additional actions for audit logging process failures based + on the type of failure, the location of the failure, the severity + of the failure, or a combination of such factors. When the audit logging + process failure is related to storage, the response is carried out + for the audit log storage repository (i.e., the distinct system component + where the audit logs are stored), the system on which the audit logs + reside, the total audit log storage capacity of the organization (i.e., + all audit log storage repositories combined), or all three. Organizations + may decide to take no additional actions after alerting designated + roles or personnel. + - id: au-5_obj + name: assessment-objective + props: + - name: label + value: AU-05 + class: sp800-53a + parts: + - id: au-5_obj.a + name: assessment-objective + props: + - name: label + value: AU-05a. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.01 }} are alerted in the event\ + \ of an audit logging process failure within {{ insert: param,\ + \ au-05_odp.02 }};" + links: + - href: "#au-5_smt.a" + rel: assessment-for + - id: au-5_obj.b + name: assessment-objective + props: + - name: label + value: AU-05b. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.03 }} are taken in the event\ + \ of an audit logging process failure." + links: + - href: "#au-5_smt.b" + rel: assessment-for + links: + - href: "#au-5_smt" + rel: assessment-for + - id: au-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy plan + + + system configuration settings and associated documentation + + + list of personnel to be notified in case of an audit processing + failure + + + system audit records + + + other relevant documents or records + - id: au-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system response to audit processing + failures + controls: + - id: au-5.1 + class: SP800-53-enhancement + title: Storage Capacity Warning + params: + - id: au-05.01_odp.01 + label: personnel, roles, and/or locations + guidelines: + - prose: personnel, roles, and/or locations to be warned when + allocated audit log storage volume reaches a percentage of + repository maximum audit log storage capacity. + - id: au-05.01_odp.02 + label: time period + guidelines: + - prose: time period for defined personnel, roles, and/or locations + to be warned when allocated audit log storage volume reaches + a percentage of repository maximum audit log storage capacity + is defined; + - id: au-05.01_odp.03 + label: percentage + constraints: + - description: 75%, or one month before expected negative impact + guidelines: + - prose: percentage of repository maximum audit log storage capacity + is defined; + props: + - name: label + value: AU-5(1) + - name: label + value: AU-05(01) + class: sp800-53a + - name: sort-id + value: au-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-5" + rel: required + parts: + - id: au-5.1_smt + name: statement + prose: "Provide a warning to {{ insert: param, au-05.01_odp.01 }}\ + \ within {{ insert: param, au-05.01_odp.02 }} when allocated audit\ + \ log storage volume reaches {{ insert: param, au-05.01_odp.03\ + \ }} of repository maximum audit log storage capacity." + - id: au-5.1_gdn + name: guidance + prose: Organizations may have multiple audit log storage repositories + distributed across multiple system components with each repository + having different storage volume capacities. + - id: au-5.1_obj + name: assessment-objective + props: + - name: label + value: AU-05(01) + class: sp800-53a + prose: "a warning is provided to {{ insert: param, au-05.01_odp.01\ + \ }} within {{ insert: param, au-05.01_odp.02 }} when allocated\ + \ audit log storage volume reaches {{ insert: param, au-05.01_odp.03\ + \ }} of repository maximum audit log storage capacity." + links: + - href: "#au-5.1_smt" + rel: assessment-for + - id: au-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: au-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit storage limit warnings + - id: au-5.2 + class: SP800-53-enhancement + title: Real-time Alerts + params: + - id: au-05.02_odp.01 + label: real-time period + constraints: + - description: real-time + guidelines: + - prose: real-time period requiring alerts when audit failure + events (defined in AU-05(02)_ODP[03]) occur is defined; + - id: au-05.02_odp.02 + label: personnel, roles, and/or locations + constraints: + - description: service provider personnel with authority to address + failed audit events + guidelines: + - prose: personnel, roles, and/or locations to be alerted in real + time when audit failure events (defined in AU-05(02)_ODP[03]) + occur is/are defined; + - id: au-05.02_odp.03 + label: audit logging failure events requiring real-time alerts + constraints: + - description: audit failure events requiring real-time alerts, + as defined by organization audit policy + guidelines: + - prose: audit logging failure events requiring real-time alerts + are defined; + props: + - name: label + value: AU-5(2) + - name: label + value: AU-05(02) + class: sp800-53a + - name: sort-id + value: au-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-5" + rel: required + parts: + - id: au-5.2_smt + name: statement + prose: "Provide an alert within {{ insert: param, au-05.02_odp.01\ + \ }} to {{ insert: param, au-05.02_odp.02 }} when the following\ + \ audit failure events occur: {{ insert: param, au-05.02_odp.03\ + \ }}." + - id: au-5.2_gdn + name: guidance + prose: Alerts provide organizations with urgent messages. Real-time + alerts provide these messages at information technology speed + (i.e., the time from event detection to alert occurs in seconds + or less). + - id: au-5.2_obj + name: assessment-objective + props: + - name: label + value: AU-05(02) + class: sp800-53a + prose: "an alert is provided within {{ insert: param, au-05.02_odp.01\ + \ }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param,\ + \ au-05.02_odp.03 }} occur." + links: + - href: "#au-5.2_smt" + rel: assessment-for + - id: au-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy plan + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: au-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-6 + class: SP800-53 + title: Audit Record Review, Analysis, and Reporting + params: + - id: au-06_odp.01 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: frequency at which system audit records are reviewed and + analyzed is defined; + - id: au-06_odp.02 + label: inappropriate or unusual activity + guidelines: + - prose: inappropriate or unusual activity is defined; + - id: au-06_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive findings from reviews and analyses + of system records is/are defined; + props: + - name: label + value: AU-6 + - name: label + value: AU-06 + class: sp800-53a + - name: sort-id + value: au-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-7" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: au-6_smt + name: statement + parts: + - id: au-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Review and analyze system audit records {{ insert: param,\ + \ au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02\ + \ }} and the potential impact of the inappropriate or unusual\ + \ activity;" + - id: au-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + - id: au-6_smt.c + name: item + props: + - name: label + value: c. + prose: Adjust the level of audit record review, analysis, and reporting + within the system when there is a change in risk based on law + enforcement information, intelligence information, or other credible + sources of information. + - id: au-6_fr + name: item + title: AU-6 Additional FedRAMP Requirements and Guidance + parts: + - id: au-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. In multi-tenant + environments, capability and means for providing review, analysis, + and reporting to consumer for data pertaining to consumer + shall be documented. + - id: au-6_gdn + name: guidance + prose: Audit record review, analysis, and reporting covers information + security- and privacy-related logging performed by organizations, + including logging that results from the monitoring of account usage, + remote access, wireless connectivity, mobile device connection, configuration + settings, system component inventory, use of maintenance tools and + non-local maintenance, physical access, temperature and humidity, + equipment delivery and removal, communications at system interfaces, + and use of mobile code or Voice over Internet Protocol (VoIP). Findings + can be reported to organizational entities that include the incident + response team, help desk, and security or privacy offices. If organizations + are prohibited from reviewing and analyzing audit records or unable + to conduct such activities, the review or analysis may be carried + out by other organizations granted such authority. The frequency, + scope, and/or depth of the audit record review, analysis, and reporting + may be adjusted to meet organizational needs based on new information + received. + - id: au-6_obj + name: assessment-objective + props: + - name: label + value: AU-06 + class: sp800-53a + parts: + - id: au-6_obj.a + name: assessment-objective + props: + - name: label + value: AU-06a. + class: sp800-53a + prose: "system audit records are reviewed and analyzed {{ insert:\ + \ param, au-06_odp.01 }} for indications of {{ insert: param,\ + \ au-06_odp.02 }} and the potential impact of the inappropriate\ + \ or unusual activity;" + links: + - href: "#au-6_smt.a" + rel: assessment-for + - id: au-6_obj.b + name: assessment-objective + props: + - name: label + value: AU-06b. + class: sp800-53a + prose: "findings are reported to {{ insert: param, au-06_odp.03\ + \ }};" + links: + - href: "#au-6_smt.b" + rel: assessment-for + - id: au-6_obj.c + name: assessment-objective + props: + - name: label + value: AU-06c. + class: sp800-53a + prose: the level of audit record review, analysis, and reporting + within the system is adjusted when there is a change in risk based + on law enforcement information, intelligence information, or other + credible sources of information. + links: + - href: "#au-6_smt.c" + rel: assessment-for + links: + - href: "#au-6_smt" + rel: assessment-for + - id: au-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + reports of audit findings + + + records of actions taken in response to reviews/analyses of audit + records + + + other relevant documents or records + - id: au-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, and + reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + controls: + - id: au-6.1 + class: SP800-53-enhancement + title: Automated Process Integration + params: + - id: au-06.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used for integrating audit record + review, analysis, and reporting processes are defined; + props: + - name: label + value: AU-6(1) + - name: label + value: AU-06(01) + class: sp800-53a + - name: sort-id + value: au-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#pm-7" + rel: related + parts: + - id: au-6.1_smt + name: statement + prose: "Integrate audit record review, analysis, and reporting processes\ + \ using {{ insert: param, au-06.01_odp }}." + - id: au-6.1_gdn + name: guidance + prose: Organizational processes that benefit from integrated audit + record review, analysis, and reporting include incident response, + continuous monitoring, contingency planning, investigation and + response to suspicious activities, and Inspector General audits. + - id: au-6.1_obj + name: assessment-objective + props: + - name: label + value: AU-06(01) + class: sp800-53a + prose: "audit record review, analysis, and reporting processes are\ + \ integrated using {{ insert: param, au-06.01_odp }}." + links: + - href: "#au-6.1_smt" + rel: assessment-for + - id: au-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + procedures addressing investigation and response to suspicious + activities + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: au-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms integrating audit review, analysis, + and reporting processes + - id: au-6.3 + class: SP800-53-enhancement + title: Correlate Audit Record Repositories + props: + - name: label + value: AU-6(3) + - name: label + value: AU-06(03) + class: sp800-53a + - name: sort-id + value: au-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#au-12" + rel: related + - href: "#ir-4" + rel: related + parts: + - id: au-6.3_smt + name: statement + prose: Analyze and correlate audit records across different repositories + to gain organization-wide situational awareness. + - id: au-6.3_gdn + name: guidance + prose: Organization-wide situational awareness includes awareness + across all three levels of risk management (i.e., organizational + level, mission/business process level, and information system + level) and supports cross-organization awareness. + - id: au-6.3_obj + name: assessment-objective + props: + - name: label + value: AU-06(03) + class: sp800-53a + prose: audit records across different repositories are analyzed + and correlated to gain organization-wide situational awareness. + links: + - href: "#au-6.3_smt" + rel: assessment-for + - id: au-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records across different repositories + + + other relevant documents or records + - id: au-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the analysis and correlation of + audit records + - id: au-6.4 + class: SP800-53-enhancement + title: Central Review and Analysis + props: + - name: label + value: AU-6(4) + - name: label + value: AU-06(04) + class: sp800-53a + - name: sort-id + value: au-06.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + parts: + - id: au-6.4_smt + name: statement + prose: Provide and implement the capability to centrally review + and analyze audit records from multiple components within the + system. + - id: au-6.4_gdn + name: guidance + prose: Automated mechanisms for centralized reviews and analyses + include Security Information and Event Management products. + - id: au-6.4_obj + name: assessment-objective + props: + - name: label + value: AU-06(04) + class: sp800-53a + parts: + - id: au-6.4_obj-1 + name: assessment-objective + props: + - name: label + value: AU-06(04)[01] + class: sp800-53a + prose: the capability to centrally review and analyze audit + records from multiple components within the system is provided; + links: + - href: "#au-6.4_smt" + rel: assessment-for + - id: au-6.4_obj-2 + name: assessment-objective + props: + - name: label + value: AU-06(04)[02] + class: sp800-53a + prose: the capability to centrally review and analyze audit + records from multiple components within the system is implemented. + links: + - href: "#au-6.4_smt" + rel: assessment-for + links: + - href: "#au-6.4_smt" + rel: assessment-for + - id: au-6.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing audit review, analysis, and reporting + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + system audit records + + + other relevant documents or records + - id: au-6.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: au-6.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: System capability to centralize review and analysis of + audit records + - id: au-6.5 + class: SP800-53-enhancement + title: Integrated Analysis of Audit Records + params: + - id: au-06.05_odp.01 + constraints: + - description: "vulnerability scanning information; performance\ + \ data; information system monitoring information; penetration\ + \ test data; {{ insert: param, au-06.05_odp.02 }} " + select: + how-many: one-or-more + choice: + - vulnerability scanning information + - performance data + - system monitoring information + - " {{ insert: param, au-06.05_odp.02 }} " + - id: au-06.05_odp.02 + label: data/information collected from other sources + guidelines: + - prose: data/information collected from other sources to be analyzed + is defined (if selected); + props: + - name: label + value: AU-6(5) + - name: label + value: AU-06(05) + class: sp800-53a + - name: sort-id + value: au-06.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#au-12" + rel: related + - href: "#ir-4" + rel: related + parts: + - id: au-6.5_smt + name: statement + prose: "Integrate analysis of audit records with analysis of {{\ + \ insert: param, au-06.05_odp.01 }} to further enhance the ability\ + \ to identify inappropriate or unusual activity." + - id: au-6.5_gdn + name: guidance + prose: Integrated analysis of audit records does not require vulnerability + scanning, the generation of performance data, or system monitoring. + Rather, integrated analysis requires that the analysis of information + generated by scanning, monitoring, or other data collection activities + is integrated with the analysis of audit record information. Security + Information and Event Management tools can facilitate audit record + aggregation or consolidation from multiple system components as + well as audit record correlation and analysis. The use of standardized + audit record analysis scripts developed by organizations (with + localized script adjustments, as necessary) provides more cost-effective + approaches for analyzing audit record information collected. The + correlation of audit record information with vulnerability scanning + information is important in determining the veracity of vulnerability + scans of the system and in correlating attack detection events + with scanning results. Correlation with performance data can uncover + denial-of-service attacks or other types of attacks that result + in the unauthorized use of resources. Correlation with system + monitoring information can assist in uncovering attacks and in + better relating audit information to operational situations. + - id: au-6.5_obj + name: assessment-objective + props: + - name: label + value: AU-06(05) + class: sp800-53a + prose: "analysis of audit records is integrated with analysis of\ + \ {{ insert: param, au-06.05_odp.01 }} to further enhance the\ + \ ability to identify inappropriate or unusual activity." + links: + - href: "#au-6.5_smt" + rel: assessment-for + - id: au-6.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + system design documentation + + + system configuration settings and associated documentation + + + integrated analysis of audit records, vulnerability scanning + information, performance data, network monitoring information, + and associated documentation + + + other relevant documents or records + - id: au-6.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing the capability to integrate analysis + of audit records with analysis of data/information sources + - id: au-6.6 + class: SP800-53-enhancement + title: Correlation with Physical Monitoring + props: + - name: label + value: AU-6(6) + - name: label + value: AU-06(06) + class: sp800-53a + - name: sort-id + value: au-06.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + parts: + - id: au-6.6_smt + name: statement + prose: Correlate information from audit records with information + obtained from monitoring physical access to further enhance the + ability to identify suspicious, inappropriate, unusual, or malevolent + activity. + parts: + - id: au-6.6_fr + name: item + title: AU-6 (6) Additional FedRAMP Requirements and Guidance + parts: + - id: au-6.6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer + shall be documented and accepted by the JAB/AO. + - id: au-6.6_gdn + name: guidance + prose: The correlation of physical audit record information and + the audit records from systems may assist organizations in identifying + suspicious behavior or supporting evidence of such behavior. For + example, the correlation of an individual’s identity for logical + access to certain systems with the additional physical security + information that the individual was present at the facility when + the logical access occurred may be useful in investigations. + - id: au-6.6_obj + name: assessment-objective + props: + - name: label + value: AU-06(06) + class: sp800-53a + prose: information from audit records is correlated with information + obtained from monitoring physical access to further enhance the + ability to identify suspicious, inappropriate, unusual, or malevolent + activity. + links: + - href: "#au-6.6_smt" + rel: assessment-for + - id: au-6.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing audit review, analysis, and reporting + + + procedures addressing physical access monitoring + + + system design documentation + + + system configuration settings and associated documentation + + + documentation providing evidence of correlated information + obtained from audit records and physical access monitoring + records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: au-6.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with physical access monitoring responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing the capability to correlate information + from audit records with information from monitoring physical + access + - id: au-6.7 + class: SP800-53-enhancement + title: Permitted Actions + params: + - id: au-06.07_odp + constraints: + - description: information system process; role; user + select: + how-many: one-or-more + choice: + - system process + - role + - user + props: + - name: label + value: AU-6(7) + - name: label + value: AU-06(07) + class: sp800-53a + - name: sort-id + value: au-06.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + parts: + - id: au-6.7_smt + name: statement + prose: "Specify the permitted actions for each {{ insert: param,\ + \ au-06.07_odp }} associated with the review, analysis, and reporting\ + \ of audit record information." + - id: au-6.7_gdn + name: guidance + prose: Organizations specify permitted actions for system processes, + roles, and users associated with the review, analysis, and reporting + of audit records through system account management activities. + Specifying permitted actions on audit record information is a + way to enforce the principle of least privilege. Permitted actions + are enforced by the system and include read, write, execute, append, + and delete. + - id: au-6.7_obj + name: assessment-objective + props: + - name: label + value: AU-06(07) + class: sp800-53a + prose: "the permitted actions for each {{ insert: param, au-06.07_odp\ + \ }} associated with the review, analysis, and reporting of audit\ + \ record information are specified." + links: + - href: "#au-6.7_smt" + rel: assessment-for + - id: au-6.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing process, role and/or user permitted + actions from audit review, analysis, and reporting + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: au-6.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting permitted actions for the review, + analysis, and reporting of audit information + - id: au-7 + class: SP800-53 + title: Audit Record Reduction and Report Generation + props: + - name: label + value: AU-7 + - name: label + value: AU-07 + class: sp800-53a + - name: sort-id + value: au-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-2" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-12" + rel: related + - href: "#au-16" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-7_smt + name: statement + prose: "Provide and implement an audit record reduction and report generation\ + \ capability that:" + parts: + - id: au-7_smt.a + name: item + props: + - name: label + value: a. + prose: Supports on-demand audit record review, analysis, and reporting + requirements and after-the-fact investigations of incidents; and + - id: au-7_smt.b + name: item + props: + - name: label + value: b. + prose: Does not alter the original content or time ordering of audit + records. + - id: au-7_gdn + name: guidance + prose: Audit record reduction is a process that manipulates collected + audit log information and organizes it into a summary format that + is more meaningful to analysts. Audit record reduction and report + generation capabilities do not always emanate from the same system + or from the same organizational entities that conduct audit logging + activities. The audit record reduction capability includes modern + data mining techniques with advanced data filters to identify anomalous + behavior in audit records. The report generation capability provided + by the system can generate customizable reports. Time ordering of + audit records can be an issue if the granularity of the timestamp + in the record is insufficient. + - id: au-7_obj + name: assessment-objective + props: + - name: label + value: AU-07 + class: sp800-53a + parts: + - id: au-7_obj.a + name: assessment-objective + props: + - name: label + value: AU-07a. + class: sp800-53a + parts: + - id: au-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: AU-07a.[01] + class: sp800-53a + prose: an audit record reduction and report generation capability + is provided that supports on-demand audit record review, analysis, + and reporting requirements and after-the-fact investigations + of incidents; + links: + - href: "#au-7_smt.a" + rel: assessment-for + - id: au-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: AU-07a.[02] + class: sp800-53a + prose: an audit record reduction and report generation capability + is implemented that supports on-demand audit record review, + analysis, and reporting requirements and after-the-fact investigations + of incidents; + links: + - href: "#au-7_smt.a" + rel: assessment-for + links: + - href: "#au-7_smt.a" + rel: assessment-for + - id: au-7_obj.b + name: assessment-objective + props: + - name: label + value: AU-07b. + class: sp800-53a + parts: + - id: au-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: AU-07b.[01] + class: sp800-53a + prose: an audit record reduction and report generation capability + is provided that does not alter the original content or time + ordering of audit records; + links: + - href: "#au-7_smt.b" + rel: assessment-for + - id: au-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: AU-07b.[02] + class: sp800-53a + prose: an audit record reduction and report generation capability + is implemented that does not alter the original content or + time ordering of audit records. + links: + - href: "#au-7_smt.b" + rel: assessment-for + links: + - href: "#au-7_smt.b" + rel: assessment-for + links: + - href: "#au-7_smt" + rel: assessment-for + - id: au-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing audit reduction and report generation + + system design documentation + + system configuration settings and associated documentation + + audit reduction, review, analysis, and reporting tools + + system audit records + + other relevant documents or records + - id: au-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit reduction and report + generation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit reduction and report generation capability + controls: + - id: au-7.1 + class: SP800-53-enhancement + title: Automatic Processing + params: + - id: au-07.01_odp + label: fields within audit records + guidelines: + - prose: fields within audit records that can be processed, sorted, + or searched are defined; + props: + - name: label + value: AU-7(1) + - name: label + value: AU-07(01) + class: sp800-53a + - name: sort-id + value: au-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-7" + rel: required + parts: + - id: au-7.1_smt + name: statement + prose: "Provide and implement the capability to process, sort, and\ + \ search audit records for events of interest based on the following\ + \ content: {{ insert: param, au-07.01_odp }}." + - id: au-7.1_gdn + name: guidance + prose: Events of interest can be identified by the content of audit + records, including system resources involved, information objects + accessed, identities of individuals, event types, event locations, + event dates and times, Internet Protocol addresses involved, or + event success or failure. Organizations may define event criteria + to any degree of granularity required, such as locations selectable + by a general networking location or by specific system component. + - id: au-7.1_obj + name: assessment-objective + props: + - name: label + value: AU-07(01) + class: sp800-53a + parts: + - id: au-7.1_obj-1 + name: assessment-objective + props: + - name: label + value: AU-07(01)[01] + class: sp800-53a + prose: "the capability to process, sort, and search audit records\ + \ for events of interest based on {{ insert: param, au-07.01_odp\ + \ }} are provided;" + links: + - href: "#au-7.1_smt" + rel: assessment-for + - id: au-7.1_obj-2 + name: assessment-objective + props: + - name: label + value: AU-07(01)[02] + class: sp800-53a + prose: "the capability to process, sort, and search audit records\ + \ for events of interest based on {{ insert: param, au-07.01_odp\ + \ }} are implemented." + links: + - href: "#au-7.1_smt" + rel: assessment-for + links: + - href: "#au-7.1_smt" + rel: assessment-for + - id: au-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit reduction and report generation + + + system design documentation + + + system configuration settings and associated documentation + + + audit reduction, review, analysis, and reporting tools + + + audit record criteria (fields) establishing events of interest + + + system audit records + + + other relevant documents or records + - id: au-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit reduction and report + generation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: au-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit reduction and report generation capability + - id: au-8 + class: SP800-53 + title: Time Stamps + params: + - id: au-08_odp + label: granularity of time measurement + constraints: + - description: one second granularity of time measurement + guidelines: + - prose: granularity of time measurement for audit record timestamps + is defined; + props: + - name: label + value: AU-8 + - name: label + value: AU-08 + class: sp800-53a + - name: sort-id + value: au-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#sc-45" + rel: related + parts: + - id: au-8_smt + name: statement + parts: + - id: au-8_smt.a + name: item + props: + - name: label + value: a. + prose: Use internal system clocks to generate time stamps for audit + records; and + - id: au-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Record time stamps for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or that include the local time offset as part of the time stamp." + - id: au-8_gdn + name: guidance + prose: Time stamps generated by the system include date and time. Time + is commonly expressed in Coordinated Universal Time (UTC), a modern + continuation of Greenwich Mean Time (GMT), or local time with an offset + from UTC. Granularity of time measurements refers to the degree of + synchronization between system clocks and reference clocks (e.g., + clocks synchronizing within hundreds of milliseconds or tens of milliseconds). + Organizations may define different time granularities for different + system components. Time service can be critical to other security + capabilities such as access control and identification and authentication, + depending on the nature of the mechanisms used to support those capabilities. + - id: au-8_obj + name: assessment-objective + props: + - name: label + value: AU-08 + class: sp800-53a + parts: + - id: au-8_obj.a + name: assessment-objective + props: + - name: label + value: AU-08a. + class: sp800-53a + prose: internal system clocks are used to generate timestamps for + audit records; + links: + - href: "#au-8_smt.a" + rel: assessment-for + - id: au-8_obj.b + name: assessment-objective + props: + - name: label + value: AU-08b. + class: sp800-53a + prose: "timestamps are recorded for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or include the local time offset as part of the timestamp." + links: + - href: "#au-8_smt.b" + rel: assessment-for + links: + - href: "#au-8_smt" + rel: assessment-for + - id: au-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing timestamp generation + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: au-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + system/network administrators + + + system developers + - id: au-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing timestamp generation + - id: au-9 + class: SP800-53 + title: Protection of Audit Information + params: + - id: au-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted upon detection of unauthorized + access, modification, or deletion of audit information is/are + defined; + props: + - name: label + value: AU-9 + - name: label + value: AU-09 + class: sp800-53a + - name: sort-id + value: au-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-6" + rel: related + - href: "#au-11" + rel: related + - href: "#au-14" + rel: related + - href: "#au-15" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-9_smt + name: statement + parts: + - id: au-9_smt.a + name: item + props: + - name: label + value: a. + prose: Protect audit information and audit logging tools from unauthorized + access, modification, and deletion; and + - id: au-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized\ + \ access, modification, or deletion of audit information." + - id: au-9_gdn + name: guidance + prose: Audit information includes all information needed to successfully + audit system activity, such as audit records, audit log settings, + audit reports, and personally identifiable information. Audit logging + tools are those programs and devices used to conduct system audit + and logging activities. Protection of audit information focuses on + technical protection and limits the ability to access and execute + audit logging tools to authorized individuals. Physical protection + of audit information is addressed by both media protection controls + and physical and environmental protection controls. + - id: au-9_obj + name: assessment-objective + props: + - name: label + value: AU-09 + class: sp800-53a + parts: + - id: au-9_obj.a + name: assessment-objective + props: + - name: label + value: AU-09a. + class: sp800-53a + prose: audit information and audit logging tools are protected from + unauthorized access, modification, and deletion; + links: + - href: "#au-9_smt.a" + rel: assessment-for + - id: au-9_obj.b + name: assessment-objective + props: + - name: label + value: AU-09b. + class: sp800-53a + prose: " {{ insert: param, au-09_odp }} are alerted upon detection\ + \ of unauthorized access, modification, or deletion of audit information." + links: + - href: "#au-9_smt.b" + rel: assessment-for + links: + - href: "#au-9_smt" + rel: assessment-for + - id: au-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + access control policy and procedures + + procedures addressing protection of audit information + + system design documentation + + system configuration settings and associated documentation + + system audit records + + audit tools + + other relevant documents or records + - id: au-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit information protection + controls: + - id: au-9.2 + class: SP800-53-enhancement + title: Store on Separate Physical Systems or Components + params: + - id: au-09.02_odp + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: the frequency of storing audit records in a repository + is defined; + props: + - name: label + value: AU-9(2) + - name: label + value: AU-09(02) + class: sp800-53a + - name: sort-id + value: au-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-9" + rel: required + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + parts: + - id: au-9.2_smt + name: statement + prose: "Store audit records {{ insert: param, au-09.02_odp }} in\ + \ a repository that is part of a physically different system or\ + \ system component than the system or component being audited." + - id: au-9.2_gdn + name: guidance + prose: Storing audit records in a repository separate from the audited + system or system component helps to ensure that a compromise of + the system being audited does not also result in a compromise + of the audit records. Storing audit records on separate physical + systems or components also preserves the confidentiality and integrity + of audit records and facilitates the management of audit records + as an organization-wide activity. Storing audit records on separate + systems or components applies to initial generation as well as + backup or long-term storage of audit records. + - id: au-9.2_obj + name: assessment-objective + props: + - name: label + value: AU-09(02) + class: sp800-53a + prose: "audit records are stored {{ insert: param, au-09.02_odp\ + \ }} in a repository that is part of a physically different system\ + \ or system component than the system or component being audited." + links: + - href: "#au-9.2_smt" + rel: assessment-for + - id: au-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing protection of audit information + + + system design documentation + + + system configuration settings and associated documentation + + + system or media storing backups of system audit records + + + system audit records + + + other relevant documents or records + - id: au-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-9.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing the backing up of audit records + - id: au-9.3 + class: SP800-53-enhancement + title: Cryptographic Protection + props: + - name: label + value: AU-9(3) + - name: label + value: AU-09(03) + class: sp800-53a + - name: sort-id + value: au-09.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-9" + rel: required + - href: "#au-10" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: au-9.3_smt + name: statement + prose: Implement cryptographic mechanisms to protect the integrity + of audit information and audit tools. + parts: + - id: au-9.3_fr + name: item + title: AU-9 (3) Additional FedRAMP Requirements and Guidance + parts: + - id: au-9.3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: au-9.3_gdn + name: guidance + prose: Cryptographic mechanisms used for protecting the integrity + of audit information include signed hash functions using asymmetric + cryptography. This enables the distribution of the public key + to verify the hash information while maintaining the confidentiality + of the secret key used to generate the hash. + - id: au-9.3_obj + name: assessment-objective + props: + - name: label + value: AU-09(03) + class: sp800-53a + prose: cryptographic mechanisms to protect the integrity of audit + information and audit tools are implemented. + links: + - href: "#au-9.3_smt" + rel: assessment-for + - id: au-9.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + access control policy and procedures + + + procedures addressing protection of audit information + + + system design documentation + + + system hardware settings + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: au-9.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-9.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms protecting the integrity of + audit information and tools + - id: au-9.4 + class: SP800-53-enhancement + title: Access by Subset of Privileged Users + params: + - id: au-09.04_odp + label: subset of privileged users or roles + guidelines: + - prose: a subset of privileged users or roles authorized to access + management of audit logging functionality is defined; + props: + - name: label + value: AU-9(4) + - name: label + value: AU-09(04) + class: sp800-53a + - name: sort-id + value: au-09.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#au-9" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: au-9.4_smt + name: statement + prose: "Authorize access to management of audit logging functionality\ + \ to only {{ insert: param, au-09.04_odp }}." + - id: au-9.4_gdn + name: guidance + prose: Individuals or roles with privileged access to a system and + who are also the subject of an audit by that system may affect + the reliability of the audit information by inhibiting audit activities + or modifying audit records. Requiring privileged access to be + further defined between audit-related privileges and other privileges + limits the number of users or roles with audit-related privileges. + - id: au-9.4_obj + name: assessment-objective + props: + - name: label + value: AU-09(04) + class: sp800-53a + prose: "access to management of audit logging functionality is authorized\ + \ only to {{ insert: param, au-09.04_odp }}." + links: + - href: "#au-9.4_smt" + rel: assessment-for + - id: au-9.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + access control policy and procedures + + + procedures addressing protection of audit information + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of privileged users with access to management + of audit functionality + + + access authorizations + + + access control list + + + system audit records + + + other relevant documents or records + - id: au-9.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-9.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing access to audit functionality + - id: au-10 + class: SP800-53 + title: Non-repudiation + params: + - id: au-10_odp + label: actions + constraints: + - description: minimum actions including the addition, modification, + deletion, approval, sending, or receiving of data + guidelines: + - prose: actions to be covered by non-repudiation are defined; + props: + - name: label + value: AU-10 + - name: label + value: AU-10 + class: sp800-53a + - name: sort-id + value: au-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#au-9" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-17" + rel: related + - href: "#sc-23" + rel: related + parts: + - id: au-10_smt + name: statement + prose: "Provide irrefutable evidence that an individual (or process\ + \ acting on behalf of an individual) has performed {{ insert: param,\ + \ au-10_odp }}." + - id: au-10_gdn + name: guidance + prose: Types of individual actions covered by non-repudiation include + creating information, sending and receiving messages, and approving + information. Non-repudiation protects against claims by authors of + not having authored certain documents, senders of not having transmitted + messages, receivers of not having received messages, and signatories + of not having signed documents. Non-repudiation services can be used + to determine if information originated from an individual or if an + individual took specific actions (e.g., sending an email, signing + a contract, approving a procurement request, or receiving specific + information). Organizations obtain non-repudiation services by employing + various techniques or mechanisms, including digital signatures and + digital message receipts. + - id: au-10_obj + name: assessment-objective + props: + - name: label + value: AU-10 + class: sp800-53a + prose: "irrefutable evidence is provided that an individual (or process\ + \ acting on behalf of an individual) has performed {{ insert: param,\ + \ au-10_odp }}." + links: + - href: "#au-10_smt" + rel: assessment-for + - id: au-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing non-repudiation + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: au-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + system/network administrators + + + system developers + - id: au-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing non-repudiation capability + - id: au-11 + class: SP800-53 + title: Audit Record Retention + params: + - id: au-11_odp + label: time period + constraints: + - description: a time period in compliance with M-21-31 + guidelines: + - prose: a time period to retain audit records that is consistent + with the records retention policy is defined; + props: + - name: label + value: AU-11 + - name: label + value: AU-11 + class: sp800-53a + - name: sort-id + value: au-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-14" + rel: related + - href: "#mp-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-11_smt + name: statement + prose: "Retain audit records for {{ insert: param, au-11_odp }} to provide\ + \ support for after-the-fact investigations of incidents and to meet\ + \ regulatory and organizational information retention requirements." + parts: + - id: au-11_fr + name: item + title: AU-11 Additional FedRAMP Requirements and Guidance + parts: + - id: au-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider retains audit records on-line for + at least ninety days and further preserves audit records off-line + for a period that is in accordance with NARA requirements. + - id: au-11_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must support Agency requirements + to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + - id: au-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The service provider is encouraged to align with M-21-31 + where possible + - id: au-11_gdn + name: guidance + prose: Organizations retain audit records until it is determined that + the records are no longer needed for administrative, legal, audit, + or other operational purposes. This includes the retention and availability + of audit records relative to Freedom of Information Act (FOIA) requests, + subpoenas, and law enforcement actions. Organizations develop standard + categories of audit records relative to such types of actions and + standard response processes for each type of action. The National + Archives and Records Administration (NARA) General Records Schedules + provide federal policy on records retention. + - id: au-11_obj + name: assessment-objective + props: + - name: label + value: AU-11 + class: sp800-53a + prose: "audit records are retained for {{ insert: param, au-11_odp }}\ + \ to provide support for after-the-fact investigations of incidents\ + \ and to meet regulatory and organizational information retention\ + \ requirements." + links: + - href: "#au-11_smt" + rel: assessment-for + - id: au-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + audit record retention policy and procedures + + security plan + + organization-defined retention period for audit records + + audit record archives + + audit logs + + audit records + + other relevant documents or records + - id: au-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record retention + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-12 + class: SP800-53 + title: Audit Record Generation + params: + - id: au-12_odp.01 + label: system components + constraints: + - description: all information system and network components where + audit capability is deployed/available + guidelines: + - prose: system components that provide an audit record generation + capability for the events types (defined in AU-02_ODP[02]) are + defined; + - id: au-12_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles allowed to select the event types that + are to be logged by specific components of the system is/are defined; + props: + - name: label + value: AU-12 + - name: label + value: AU-12 + class: sp800-53a + - name: sort-id + value: au-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-14" + rel: related + - href: "#cm-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + parts: + - id: au-12_smt + name: statement + parts: + - id: au-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide audit record generation capability for the event\ + \ types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a)\ + \ on {{ insert: param, au-12_odp.01 }};" + - id: au-12_smt.b + name: item + props: + - name: label + value: b. + prose: "Allow {{ insert: param, au-12_odp.02 }} to select the event\ + \ types that are to be logged by specific components of the system;\ + \ and" + - id: au-12_smt.c + name: item + props: + - name: label + value: c. + prose: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) + that include the audit record content defined in [AU-3](#au-3). + - id: au-12_gdn + name: guidance + prose: Audit records can be generated from many different system components. + The event types specified in [AU-2d](#au-2_smt.d) are the event types + for which audit logs are to be generated and are a subset of all event + types for which the system can generate audit records. + - id: au-12_obj + name: assessment-objective + props: + - name: label + value: AU-12 + class: sp800-53a + parts: + - id: au-12_obj.a + name: assessment-objective + props: + - name: label + value: AU-12a. + class: sp800-53a + prose: "audit record generation capability for the event types the\ + \ system is capable of auditing (defined in AU-02_ODP[01]) is\ + \ provided by {{ insert: param, au-12_odp.01 }};" + links: + - href: "#au-12_smt.a" + rel: assessment-for + - id: au-12_obj.b + name: assessment-objective + props: + - name: label + value: AU-12b. + class: sp800-53a + prose: " {{ insert: param, au-12_odp.02 }} is/are allowed to select\ + \ the event types that are to be logged by specific components\ + \ of the system;" + links: + - href: "#au-12_smt.b" + rel: assessment-for + - id: au-12_obj.c + name: assessment-objective + props: + - name: label + value: AU-12c. + class: sp800-53a + prose: audit records for the event types defined in AU-02_ODP[02] + that include the audit record content defined in AU-03 are generated. + links: + - href: "#au-12_smt.c" + rel: assessment-for + links: + - href: "#au-12_smt" + rel: assessment-for + - id: au-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit record generation + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + list of auditable events + + system audit records + + other relevant documents or records + - id: au-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record generation + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit record generation capability + controls: + - id: au-12.1 + class: SP800-53-enhancement + title: System-wide and Time-correlated Audit Trail + params: + - id: au-12.01_odp.01 + label: system components + constraints: + - description: all network, data storage, and computing devices + guidelines: + - prose: system components from which audit records are to be + compiled into a system-wide (logical or physical) audit trail + are defined; + - id: au-12.01_odp.02 + label: level of tolerance + guidelines: + - prose: level of tolerance for the relationship between timestamps + of individual records in the audit trail is defined; + props: + - name: label + value: AU-12(1) + - name: label + value: AU-12(01) + class: sp800-53a + - name: sort-id + value: au-12.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-12" + rel: required + - href: "#au-8" + rel: related + - href: "#sc-45" + rel: related + parts: + - id: au-12.1_smt + name: statement + prose: "Compile audit records from {{ insert: param, au-12.01_odp.01\ + \ }} into a system-wide (logical or physical) audit trail that\ + \ is time-correlated to within {{ insert: param, au-12.01_odp.02\ + \ }}." + - id: au-12.1_gdn + name: guidance + prose: Audit trails are time-correlated if the time stamps in the + individual audit records can be reliably related to the time stamps + in other audit records to achieve a time ordering of the records + within organizational tolerances. + - id: au-12.1_obj + name: assessment-objective + props: + - name: label + value: AU-12(01) + class: sp800-53a + prose: "audit records from {{ insert: param, au-12.01_odp.01 }}\ + \ are compiled into a system-wide (logical or physical) audit\ + \ trail that is time-correlated to within {{ insert: param, au-12.01_odp.02\ + \ }}." + links: + - href: "#au-12.1_smt" + rel: assessment-for + - id: au-12.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-12(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit record generation + + + system design documentation + + + system configuration settings and associated documentation + + + system-wide audit trail (logical or physical) + + + system audit records + + + other relevant documents or records + - id: au-12.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-12(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record generation + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-12.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-12(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit record generation capability + - id: au-12.3 + class: SP800-53-enhancement + title: Changes by Authorized Individuals + params: + - id: au-12.03_odp.01 + label: individuals or roles + constraints: + - description: service provider-defined individuals or roles with + audit configuration responsibilities + guidelines: + - prose: individuals or roles authorized to change the logging + on system components are defined; + - id: au-12.03_odp.02 + label: system components + constraints: + - description: all network, data storage, and computing devices + guidelines: + - prose: system components on which logging is to be performed + are defined; + - id: au-12.03_odp.03 + label: selectable event criteria + guidelines: + - prose: selectable event criteria with which change logging is + to be performed are defined; + - id: au-12.03_odp.04 + label: time thresholds + guidelines: + - prose: time thresholds in which logging actions are to change + is defined; + props: + - name: label + value: AU-12(3) + - name: label + value: AU-12(03) + class: sp800-53a + - name: sort-id + value: au-12.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-12" + rel: required + - href: "#ac-3" + rel: related + parts: + - id: au-12.3_smt + name: statement + prose: "Provide and implement the capability for {{ insert: param,\ + \ au-12.03_odp.01 }} to change the logging to be performed on\ + \ {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param,\ + \ au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04\ + \ }}." + - id: au-12.3_gdn + name: guidance + prose: Permitting authorized individuals to make changes to system + logging enables organizations to extend or limit logging as necessary + to meet organizational requirements. Logging that is limited to + conserve system resources may be extended (either temporarily + or permanently) to address certain threat situations. In addition, + logging may be limited to a specific set of event types to facilitate + audit reduction, analysis, and reporting. Organizations can establish + time thresholds in which logging actions are changed (e.g., near + real-time, within minutes, or within hours). + - id: au-12.3_obj + name: assessment-objective + props: + - name: label + value: AU-12(03) + class: sp800-53a + parts: + - id: au-12.3_obj-1 + name: assessment-objective + props: + - name: label + value: AU-12(03)[01] + class: sp800-53a + prose: "the capability for {{ insert: param, au-12.03_odp.01\ + \ }} to change the logging to be performed on {{ insert: param,\ + \ au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03\ + \ }} within {{ insert: param, au-12.03_odp.04 }} is provided;" + links: + - href: "#au-12.3_smt" + rel: assessment-for + - id: au-12.3_obj-2 + name: assessment-objective + props: + - name: label + value: AU-12(03)[02] + class: sp800-53a + prose: "the capability for {{ insert: param, au-12.03_odp.01\ + \ }} to change the logging to be performed on {{ insert: param,\ + \ au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03\ + \ }} within {{ insert: param, au-12.03_odp.04 }} is implemented." + links: + - href: "#au-12.3_smt" + rel: assessment-for + links: + - href: "#au-12.3_smt" + rel: assessment-for + - id: au-12.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-12(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit record generation + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of individuals or roles authorized to + change auditing to be performed + + + system audit records + + + other relevant documents or records + - id: au-12.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-12(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record generation + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-12.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-12(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit record generation capability + - id: ca + class: family + title: Assessment, Authorization, and Monitoring + controls: + - id: ca-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ca-1_prm_1 + label: organization-defined personnel or roles + - id: ca-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring policy is to be disseminated is/are defined; + - id: ca-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring procedures are to be disseminated is/are defined; + - id: ca-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ca-01_odp.04 + label: official + guidelines: + - prose: an official to manage the assessment, authorization, and + monitoring policy and procedures is defined; + - id: ca-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring policy is reviewed and updated is defined; + - id: ca-01_odp.06 + label: events + guidelines: + - prose: events that would require the current assessment, authorization, + and monitoring policy to be reviewed and updated are defined; + - id: ca-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring procedures are reviewed and updated is defined; + - id: ca-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require assessment, authorization, and + monitoring procedures to be reviewed and updated are defined; + props: + - name: label + value: CA-1 + - name: label + value: CA-01 + class: sp800-53a + - name: sort-id + value: ca-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#62ea77ca-e450-4323-b210-e0d75390e785" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-1_smt + name: statement + parts: + - id: ca-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ca-1_prm_1 }}:" + parts: + - id: ca-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ca-01_odp.03 }} assessment, authorization,\ + \ and monitoring policy that:" + parts: + - id: ca-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ca-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ca-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the assessment, + authorization, and monitoring policy and the associated assessment, + authorization, and monitoring controls; + - id: ca-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ca-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures; and" + - id: ca-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current assessment, authorization,\ + \ and monitoring:" + parts: + - id: ca-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ca-01_odp.05 }} and following\ + \ {{ insert: param, ca-01_odp.06 }} ; and" + - id: ca-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ca-01_odp.07 }} and following\ + \ {{ insert: param, ca-01_odp.08 }}." + - id: ca-1_gdn + name: guidance + prose: Assessment, authorization, and monitoring policy and procedures + address the controls in the CA family that are implemented within + systems and organizations. The risk management strategy is an important + factor in establishing such policies and procedures. Policies and + procedures contribute to security and privacy assurance. Therefore, + it is important that security and privacy programs collaborate on + the development of assessment, authorization, and monitoring policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to assessment, authorization, and monitoring + policy and procedures include assessment or audit findings, security + incidents or breaches, or changes in applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Simply + restating controls does not constitute an organizational policy or + procedure. + - id: ca-1_obj + name: assessment-objective + props: + - name: label + value: CA-01 + class: sp800-53a + parts: + - id: ca-1_obj.a + name: assessment-objective + props: + - name: label + value: CA-01a. + class: sp800-53a + parts: + - id: ca-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.[01] + class: sp800-53a + prose: an assessment, authorization, and monitoring policy is + developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.[02] + class: sp800-53a + prose: "the assessment, authorization, and monitoring policy\ + \ is disseminated to {{ insert: param, ca-01_odp.01 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.[03] + class: sp800-53a + prose: assessment, authorization, and monitoring procedures + to facilitate the implementation of the assessment, authorization, + and monitoring policy and associated assessment, authorization, + and monitoring controls are developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.[04] + class: sp800-53a + prose: "the assessment, authorization, and monitoring procedures\ + \ are disseminated to {{ insert: param, ca-01_odp.02 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CA-01a.01 + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CA-01a.01(a) + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses purpose;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses scope;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses roles;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses responsibilities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses management\ + \ commitment;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses compliance;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy is consistent with\ + \ applicable laws, executive orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#ca-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1" + rel: assessment-for + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.b + name: assessment-objective + props: + - name: label + value: CA-01b. + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures;" + links: + - href: "#ca-1_smt.b" + rel: assessment-for + - id: ca-1_obj.c + name: assessment-objective + props: + - name: label + value: CA-01c. + class: sp800-53a + parts: + - id: ca-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-01c.01 + class: sp800-53a + parts: + - id: ca-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CA-01c.01[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated {{ insert: param, ca-01_odp.05\ + \ }}; " + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CA-01c.01[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated following {{ insert:\ + \ param, ca-01_odp.06 }};" + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-01c.02 + class: sp800-53a + parts: + - id: ca-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CA-01c.02[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated {{ insert: param,\ + \ ca-01_odp.07 }}; " + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + - id: ca-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CA-01c.02[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, ca-01_odp.08 }}." + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c" + rel: assessment-for + links: + - href: "#ca-1_smt" + rel: assessment-for + - id: ca-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy and + procedures + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment, authorization, and + monitoring policy responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2 + class: SP800-53 + title: Control Assessments + params: + - id: ca-02_odp.01 + label: assessment frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess controls in the system and + its environment of operation is defined; + - id: ca-02_odp.02 + label: individuals or roles + constraints: + - description: individuals or roles to include FedRAMP PMO + guidelines: + - prose: individuals or roles to whom control assessment results are + to be provided are defined; + props: + - name: label + value: CA-2 + - name: label + value: CA-02 + class: sp800-53a + - name: sort-id + value: ca-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: ca-2_smt + name: statement + parts: + - id: ca-2_smt.a + name: item + props: + - name: label + value: a. + prose: Select the appropriate assessor or assessment team for the + type of assessment to be conducted; + - id: ca-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Develop a control assessment plan that describes the scope\ + \ of the assessment including:" + parts: + - id: ca-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Controls and control enhancements under assessment; + - id: ca-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Assessment procedures to be used to determine control + effectiveness; and + - id: ca-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Assessment environment, assessment team, and assessment + roles and responsibilities; + - id: ca-2_smt.c + name: item + props: + - name: label + value: c. + prose: Ensure the control assessment plan is reviewed and approved + by the authorizing official or designated representative prior + to conducting the assessment; + - id: ca-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Assess the controls in the system and its environment of\ + \ operation {{ insert: param, ca-02_odp.01 }} to determine the\ + \ extent to which the controls are implemented correctly, operating\ + \ as intended, and producing the desired outcome with respect\ + \ to meeting established security and privacy requirements;" + - id: ca-2_smt.e + name: item + props: + - name: label + value: e. + prose: Produce a control assessment report that document the results + of the assessment; and + - id: ca-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Provide the results of the control assessment to {{ insert:\ + \ param, ca-02_odp.02 }}." + - id: ca-2_fr + name: item + title: CA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP Annual Assessment Guidance. + - id: ca-2_gdn + name: guidance + prose: >- + Organizations ensure that control assessors possess the required + skills and technical expertise to develop effective assessment + plans and to conduct assessments of system-specific, hybrid, + common, and program management controls, as appropriate. The + required skills include general knowledge of risk management + concepts and approaches as well as comprehensive knowledge of + and experience with the hardware, software, and firmware system + components implemented. + + + Organizations assess controls in systems and the environments in which + those systems operate as part of initial and ongoing authorizations, + continuous monitoring, FISMA annual assessments, system design and + development, systems security engineering, privacy engineering, and + the system development life cycle. Assessments help to ensure that + organizations meet information security and privacy requirements, + identify weaknesses and deficiencies in the system design and development + process, provide essential information needed to make risk-based decisions + as part of authorization processes, and comply with vulnerability + mitigation procedures. Organizations conduct assessments on the implemented + controls as documented in security and privacy plans. Assessments + can also be conducted throughout the system development life cycle + as part of systems engineering and systems security engineering processes. + The design for controls can be assessed as RFPs are developed, responses + assessed, and design reviews conducted. If a design to implement controls + and subsequent implementation in accordance with the design are assessed + during development, the final control testing can be a simple confirmation + utilizing previously completed control assessment and aggregating + the outcomes. + + + Organizations may develop a single, consolidated security and privacy + assessment plan for the system or maintain separate plans. A consolidated + assessment plan clearly delineates the roles and responsibilities + for control assessment. If multiple organizations participate in assessing + a system, a coordinated approach can reduce redundancies and associated + costs. + + + Organizations can use other types of assessment activities, such as + vulnerability scanning and system monitoring, to maintain the security + and privacy posture of systems during the system life cycle. Assessment + reports document assessment results in sufficient detail, as deemed + necessary by organizations, to determine the accuracy and completeness + of the reports and whether the controls are implemented correctly, + operating as intended, and producing the desired outcome with respect + to meeting requirements. Assessment results are provided to the individuals + or roles appropriate for the types of assessments being conducted. + For example, assessments conducted in support of authorization decisions + are provided to authorizing officials, senior agency officials for + privacy, senior agency information security officers, and authorizing + official designated representatives. + + + To satisfy annual assessment requirements, organizations can use assessment + results from the following sources: initial or ongoing system authorizations, + continuous monitoring, systems engineering processes, or system development + life cycle activities. Organizations ensure that assessment results + are current, relevant to the determination of control effectiveness, + and obtained with the appropriate level of assessor independence. + Existing control assessment results can be reused to the extent that + the results are still valid and can also be supplemented with additional + assessments as needed. After the initial authorizations, organizations + assess controls during continuous monitoring. Organizations also establish + the frequency for ongoing assessments in accordance with organizational + continuous monitoring strategies. External audits, including audits + by external entities such as regulatory agencies, are outside of the + scope of [CA-2](#ca-2). + - id: ca-2_obj + name: assessment-objective + props: + - name: label + value: CA-02 + class: sp800-53a + parts: + - id: ca-2_obj.a + name: assessment-objective + props: + - name: label + value: CA-02a. + class: sp800-53a + prose: an appropriate assessor or assessment team is selected for + the type of assessment to be conducted; + links: + - href: "#ca-2_smt.a" + rel: assessment-for + - id: ca-2_obj.b + name: assessment-objective + props: + - name: label + value: CA-02b. + class: sp800-53a + parts: + - id: ca-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CA-02b.01 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including controls and control + enhancements under assessment; + links: + - href: "#ca-2_smt.b.1" + rel: assessment-for + - id: ca-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CA-02b.02 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment procedures + to be used to determine control effectiveness; + links: + - href: "#ca-2_smt.b.2" + rel: assessment-for + - id: ca-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CA-02b.03 + class: sp800-53a + parts: + - id: ca-2_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: CA-02b.03[01] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + environment; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: CA-02b.03[02] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + team; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-3 + name: assessment-objective + props: + - name: label + value: CA-02b.03[03] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment roles + and responsibilities; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b" + rel: assessment-for + - id: ca-2_obj.c + name: assessment-objective + props: + - name: label + value: CA-02c. + class: sp800-53a + prose: the control assessment plan is reviewed and approved by the + authorizing official or designated representative prior to conducting + the assessment; + links: + - href: "#ca-2_smt.c" + rel: assessment-for + - id: ca-2_obj.d + name: assessment-objective + props: + - name: label + value: CA-02d. + class: sp800-53a + parts: + - id: ca-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: CA-02d.[01] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established security requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: CA-02d.[02] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established privacy requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.e + name: assessment-objective + props: + - name: label + value: CA-02e. + class: sp800-53a + prose: a control assessment report is produced that documents the + results of the assessment; + links: + - href: "#ca-2_smt.e" + rel: assessment-for + - id: ca-2_obj.f + name: assessment-objective + props: + - name: label + value: CA-02f. + class: sp800-53a + prose: "the results of the control assessment are provided to {{\ + \ insert: param, ca-02_odp.02 }}." + links: + - href: "#ca-2_smt.f" + rel: assessment-for + links: + - href: "#ca-2_smt" + rel: assessment-for + - id: ca-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing assessment planning + + procedures addressing control assessments + + control assessment plan + + control assessment report + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting control assessment, control assessment + plan development, and/or control assessment reporting + controls: + - id: ca-2.1 + class: SP800-53-enhancement + title: Independent Assessors + props: + - name: label + value: CA-2(1) + - name: label + value: CA-02(01) + class: sp800-53a + - name: sort-id + value: ca-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + parts: + - id: ca-2.1_smt + name: statement + prose: Employ independent assessors or assessment teams to conduct + control assessments. + parts: + - id: ca-2.1_fr + name: item + title: CA-2 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For JAB Authorization, must use an accredited 3PAO. + - id: ca-2.1_gdn + name: guidance + prose: >- + Independent assessors or assessment teams are individuals or + groups who conduct impartial assessments of systems. + Impartiality means that assessors are free from any + perceived or actual conflicts of interest regarding the + development, operation, sustainment, or management of the + systems under assessment or the determination of control + effectiveness. To achieve impartiality, assessors do not + create a mutual or conflicting interest with the + organizations where the assessments are being conducted, + assess their own work, act as management or employees of the + organizations they are serving, or place themselves in + positions of advocacy for the organizations acquiring their + services. + + + Independent assessments can be obtained from elements within organizations + or be contracted to public or private sector entities outside + of organizations. Authorizing officials determine the required + level of independence based on the security categories of systems + and/or the risk to organizational operations, organizational assets, + or individuals. Authorizing officials also determine if the level + of assessor independence provides sufficient assurance that the + results are sound and can be used to make credible, risk-based + decisions. Assessor independence determination includes whether + contracted assessment services have sufficient independence, such + as when system owners are not directly involved in contracting + processes or cannot influence the impartiality of the assessors + conducting the assessments. During the system design and development + phase, having independent assessors is analogous to having independent + SMEs involved in design reviews. + + + When organizations that own the systems are small or the structures + of the organizations require that assessments be conducted by + individuals that are in the developmental, operational, or management + chain of the system owners, independence in assessment processes + can be achieved by ensuring that assessment results are carefully + reviewed and analyzed by independent teams of experts to validate + the completeness, accuracy, integrity, and reliability of the + results. Assessments performed for purposes other than to support + authorization decisions are more likely to be useable for such + decisions when performed by assessors with sufficient independence, + thereby reducing the need to repeat assessments. + - id: ca-2.1_obj + name: assessment-objective + props: + - name: label + value: CA-02(01) + class: sp800-53a + prose: independent assessors or assessment teams are employed to + conduct control assessments. + links: + - href: "#ca-2.1_smt" + rel: assessment-for + - id: ca-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + previous control assessment plan + + previous control assessment report + + plan of action and milestones + + existing authorization statement + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2.2 + class: SP800-53-enhancement + title: Specialized Assessments + params: + - id: ca-02.02_odp.01 + label: specialized assessment frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to include specialized assessments + as part of the control assessment is defined; + - id: ca-02.02_odp.02 + select: + choice: + - announced + - unannounced + - id: ca-02.02_odp.03 + select: + how-many: one-or-more + choice: + - in-depth monitoring + - security instrumentation + - automated security test cases + - vulnerability scanning + - malicious user testing + - insider threat assessment + - performance and load testing + - data leakage or data loss assessment + - " {{ insert: param, ca-02.02_odp.04 }} " + - id: ca-02.02_odp.04 + label: other forms of assessment + guidelines: + - prose: other forms of assessment are defined (if selected); + props: + - name: label + value: CA-2(2) + - name: label + value: CA-02(02) + class: sp800-53a + - name: sort-id + value: ca-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + - href: "#pe-3" + rel: related + - href: "#si-2" + rel: related + parts: + - id: ca-2.2_smt + name: statement + prose: "Include as part of control assessments, {{ insert: param,\ + \ ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{\ + \ insert: param, ca-02.02_odp.03 }}." + parts: + - id: ca-2.2_fr + name: item + title: CA-2 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2.2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: To include 'announced', 'vulnerability scanning' + - id: ca-2.2_gdn + name: guidance + prose: Organizations can conduct specialized assessments, including + verification and validation, system monitoring, insider threat + assessments, malicious user testing, and other forms of testing. + These assessments can improve readiness by exercising organizational + capabilities and indicating current levels of performance as a + means of focusing actions to improve security and privacy. Organizations + conduct specialized assessments in accordance with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Authorizing officials approve the assessment methods + in coordination with the organizational risk executive function. + Organizations can include vulnerabilities uncovered during assessments + into vulnerability remediation processes. Specialized assessments + can also be conducted early in the system development life cycle + (e.g., during initial design, development, and unit testing). + - id: ca-2.2_obj + name: assessment-objective + props: + - name: label + value: CA-02(02) + class: sp800-53a + prose: " {{ insert: param, ca-02.02_odp.01 }} {{ insert: param,\ + \ ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are\ + \ included as part of control assessments." + links: + - href: "#ca-2.2_smt" + rel: assessment-for + - id: ca-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + control assessment plan + + control assessment report + + control assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting control assessment + - id: ca-2.3 + class: SP800-53-enhancement + title: Leveraging Results from External Organizations + params: + - id: ca-02.03_odp.01 + label: external organization(s) + constraints: + - description: any FedRAMP Accredited 3PAO + guidelines: + - prose: external organization(s) from which the results of control + assessments are leveraged are defined; + - id: ca-02.03_odp.02 + label: system + guidelines: + - prose: system on which a control assessment was performed by + an external organization is defined; + - id: ca-02.03_odp.03 + label: requirements + constraints: + - description: the conditions of the JAB/AO in the FedRAMP Repository + guidelines: + - prose: requirements to be met by the control assessment performed + by an external organization on the system are defined; + props: + - name: label + value: CA-2(3) + - name: label + value: CA-02(03) + class: sp800-53a + - name: sort-id + value: ca-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + - href: "#sa-4" + rel: related + parts: + - id: ca-2.3_smt + name: statement + prose: "Leverage the results of control assessments performed by\ + \ {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02\ + \ }} when the assessment meets {{ insert: param, ca-02.03_odp.03\ + \ }}." + - id: ca-2.3_gdn + name: guidance + prose: Organizations may rely on control assessments of organizational + systems by other (external) organizations. Using such assessments + and reusing existing assessment evidence can decrease the time + and resources required for assessments by limiting the independent + assessment activities that organizations need to perform. The + factors that organizations consider in determining whether to + accept assessment results from external organizations can vary. + Such factors include the organization’s past experience with the + organization that conducted the assessment, the reputation of + the assessment organization, the level of detail of supporting + assessment evidence provided, and mandates imposed by applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Accredited testing laboratories that support the + Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) + , the NIST Cryptographic Module Validation Program (CMVP), or + the NIST Cryptographic Algorithm Validation Program (CAVP) can + provide independent assessment results that organizations can + leverage. + - id: ca-2.3_obj + name: assessment-objective + props: + - name: label + value: CA-02(03) + class: sp800-53a + prose: "the results of control assessments performed by {{ insert:\ + \ param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02\ + \ }} are leveraged when the assessment meets {{ insert: param,\ + \ ca-02.03_odp.03 }}." + links: + - href: "#ca-2.3_smt" + rel: assessment-for + - id: ca-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + control assessment requirements + + control assessment plan + + control assessment report + + control assessment evidence + + plan of action and milestones + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel performing control assessments for the specified + external organization + - id: ca-3 + class: SP800-53 + title: Information Exchange + params: + - id: ca-03_odp.01 + select: + how-many: one-or-more + choice: + - interconnection security agreements + - information exchange security agreements + - memoranda of understanding or agreement + - service level agreements + - user agreements + - non-disclosure agreements + - " {{ insert: param, ca-03_odp.02 }} " + - id: ca-03_odp.02 + label: type of agreement + guidelines: + - prose: the type of agreement used to approve and manage the exchange + of information is defined (if selected); + - id: ca-03_odp.03 + label: frequency + constraints: + - description: at least annually and on input from JAB/AO + guidelines: + - prose: the frequency at which to review and update agreements is + defined; + props: + - name: label + value: CA-3 + - name: label + value: CA-03 + class: sp800-53a + - name: sort-id + value: ca-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#c3a76872-e160-4267-99e8-6952de967d04" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-6" + rel: related + - href: "#ia-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-3_smt + name: statement + parts: + - id: ca-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Approve and manage the exchange of information between the\ + \ system and other systems using {{ insert: param, ca-03_odp.01\ + \ }};" + - id: ca-3_smt.b + name: item + props: + - name: label + value: b. + prose: Document, as part of each exchange agreement, the interface + characteristics, security and privacy requirements, controls, + and responsibilities for each system, and the impact level of + the information communicated; and + - id: ca-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the agreements {{ insert: param, ca-03_odp.03\ + \ }}." + - id: ca-3_gdn + name: guidance + prose: >- + System information exchange requirements apply to information + exchanges between two or more systems. System information + exchanges include connections via leased lines or virtual + private networks, connections to internet service providers, + database sharing or exchanges of database transaction + information, connections and exchanges with cloud services, + exchanges via web-based services, or exchanges of files via file + transfer protocols, network protocols (e.g., IPv4, IPv6), email, + or other organization-to-organization communications. + Organizations consider the risk related to new or increased + threats that may be introduced when systems exchange information + with other systems that may have different security and privacy + requirements and controls. This includes systems within the same + organization and systems that are external to the organization. + A joint authorization of the systems exchanging information, as + described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help + to communicate and reduce risk. + + + Authorizing officials determine the risk associated with system information + exchange and the controls needed for appropriate risk mitigation. + The types of agreements selected are based on factors such as the + impact level of the information being exchanged, the relationship + between the organizations exchanging information (e.g., government + to government, government to business, business to business, government + or business to service provider, government or business to individual), + or the level of access to the organizational system by users of the + other system. If systems that exchange information have the same authorizing + official, organizations need not develop agreements. Instead, the + interface characteristics between the systems (e.g., how the information + is being exchanged. how the information is protected) are described + in the respective security and privacy plans. If the systems that + exchange information have different authorizing officials within the + same organization, the organizations can develop agreements or provide + the same information that would be provided in the appropriate agreement + type from [CA-3a](#ca-3_smt.a) in the respective security and privacy + plans for the systems. Organizations may incorporate agreement information + into formal contracts, especially for information exchanges established + between federal agencies and nonfederal organizations (including service + providers, contractors, system developers, and system integrators). + Risk considerations include systems that share the same networks. + - id: ca-3_obj + name: assessment-objective + props: + - name: label + value: CA-03 + class: sp800-53a + parts: + - id: ca-3_obj.a + name: assessment-objective + props: + - name: label + value: CA-03a. + class: sp800-53a + prose: "the exchange of information between the system and other\ + \ systems is approved and managed using {{ insert: param, ca-03_odp.01\ + \ }};" + links: + - href: "#ca-3_smt.a" + rel: assessment-for + - id: ca-3_obj.b + name: assessment-objective + props: + - name: label + value: CA-03b. + class: sp800-53a + parts: + - id: ca-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-03b.[01] + class: sp800-53a + prose: the interface characteristics are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-03b.[02] + class: sp800-53a + prose: security requirements are documented as part of each + exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-03b.[03] + class: sp800-53a + prose: privacy requirements are documented as part of each exchange + agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-03b.[04] + class: sp800-53a + prose: controls are documented as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-5 + name: assessment-objective + props: + - name: label + value: CA-03b.[05] + class: sp800-53a + prose: responsibilities for each system are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-6 + name: assessment-objective + props: + - name: label + value: CA-03b.[06] + class: sp800-53a + prose: the impact level of the information communicated is documented + as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.c + name: assessment-objective + props: + - name: label + value: CA-03c. + class: sp800-53a + prose: "agreements are reviewed and updated {{ insert: param, ca-03_odp.03\ + \ }}." + links: + - href: "#ca-3_smt.c" + rel: assessment-for + links: + - href: "#ca-3_smt" + rel: assessment-for + - id: ca-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing system connections + + system and communications protection policy + + system interconnection security agreements + + information exchange security agreements + + memoranda of understanding or agreements + + service level agreements + + non-disclosure agreements + + system design documentation + + enterprise architecture + + system architecture + + system configuration settings and associated documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or approving system + interconnection agreements + + + organizational personnel with information security and privacy + responsibilities + + + personnel managing the system(s) to which the interconnection + security agreement applies + controls: + - id: ca-3.6 + class: SP800-53-enhancement + title: Transfer Authorizations + props: + - name: label + value: CA-3(6) + - name: label + value: CA-03(06) + class: sp800-53a + - name: sort-id + value: ca-03.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-3" + rel: required + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + parts: + - id: ca-3.6_smt + name: statement + prose: Verify that individuals or systems transferring data between + interconnecting systems have the requisite authorizations (i.e., + write permissions or privileges) prior to accepting such data. + - id: ca-3.6_gdn + name: guidance + prose: To prevent unauthorized individuals and systems from making + information transfers to protected systems, the protected system + verifies—via independent means— whether the individual or system + attempting to transfer information is authorized to do so. Verification + of the authorization to transfer information also applies to control + plane traffic (e.g., routing and DNS) and services (e.g., authenticated + SMTP relays). + - id: ca-3.6_obj + name: assessment-objective + props: + - name: label + value: CA-03(06) + class: sp800-53a + prose: individuals or systems transferring data between interconnecting + systems have the requisite authorizations (i.e., write permissions + or privileges) prior to accepting such data. + links: + - href: "#ca-3.6_smt" + rel: assessment-for + - id: ca-3.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-03(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing system connections + + + system and communications protection policy + + + system interconnection agreements + + + information exchange security agreements + + + memoranda of understanding or agreements + + + service level agreements + + + non-disclosure agreements + + + system design documentation + + + system configuration settings and associated documentation + + + control assessment report + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-3.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-03(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + managing connections to external systems + + + network administrators + + + organizational personnel with information security and privacy + responsibilities + - id: ca-3.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-03(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing restrictions on external system + connections + - id: ca-5 + class: SP800-53 + title: Plan of Action and Milestones + params: + - id: ca-05_odp + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to update an existing plan of action + and milestones based on the findings from control assessments, + independent audits or reviews, and continuous monitoring activities + is defined; + props: + - name: label + value: CA-5 + - name: label + value: CA-05 + class: sp800-53a + - name: sort-id + value: ca-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-7" + rel: related + - href: "#si-2" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-5_smt + name: statement + parts: + - id: ca-5_smt.a + name: item + props: + - name: label + value: a. + prose: Develop a plan of action and milestones for the system to + document the planned remediation actions of the organization to + correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; and + - id: ca-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Update existing plan of action and milestones {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + - id: ca-5_fr + name: item + title: CA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-5_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: POA&Ms must be provided at least monthly. + - id: ca-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP-POAM-Template + - id: ca-5_gdn + name: guidance + prose: Plans of action and milestones are useful for any type of organization + to track planned remedial actions. Plans of action and milestones + are required in authorization packages and subject to federal reporting + requirements established by OMB. + - id: ca-5_obj + name: assessment-objective + props: + - name: label + value: CA-05 + class: sp800-53a + parts: + - id: ca-5_obj.a + name: assessment-objective + props: + - name: label + value: CA-05a. + class: sp800-53a + prose: a plan of action and milestones for the system is developed + to document the planned remediation actions of the organization + to correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; + links: + - href: "#ca-5_smt.a" + rel: assessment-for + - id: ca-5_obj.b + name: assessment-objective + props: + - name: label + value: CA-05b. + class: sp800-53a + prose: "existing plan of action and milestones are updated {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + links: + - href: "#ca-5_smt.b" + rel: assessment-for + links: + - href: "#ca-5_smt" + rel: assessment-for + - id: ca-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing plan of action and milestones + + control assessment plan + + control assessment report + + control assessment evidence + + plan of action and milestones + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with plan of action and milestones + development and implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms for developing, implementing, and maintaining + plan of action and milestones + - id: ca-6 + class: SP800-53 + title: Authorization + params: + - id: ca-06_odp + label: frequency + constraints: + - description: in accordance with OMB A-130 requirements or when a + significant change occurs + guidelines: + - prose: frequency at which to update the authorizations is defined; + props: + - name: label + value: CA-6 + - name: label + value: CA-06 + class: sp800-53a + - name: sort-id + value: ca-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-6_smt + name: statement + parts: + - id: ca-6_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a senior official as the authorizing official for + the system; + - id: ca-6_smt.b + name: item + props: + - name: label + value: b. + prose: Assign a senior official as the authorizing official for + common controls available for inheritance by organizational systems; + - id: ca-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Ensure that the authorizing official for the system, before\ + \ commencing operations:" + parts: + - id: ca-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Accepts the use of common controls inherited by the system; + and + - id: ca-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Authorizes the system to operate; + - id: ca-6_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure that the authorizing official for common controls + authorizes the use of those controls for inheritance by organizational + systems; + - id: ca-6_smt.e + name: item + props: + - name: label + value: e. + prose: "Update the authorizations {{ insert: param, ca-06_odp }}." + - id: ca-6_fr + name: item + title: CA-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F and according to FedRAMP Significant + Change Policies and Procedures. The service provider describes + the types of changes to the information system or the environment + of operations that would impact the risk posture. The types + of changes are approved and accepted by the JAB/AO. + - id: ca-6_gdn + name: guidance + prose: >- + Authorizations are official management decisions by senior + officials to authorize operation of systems, authorize the use + of common controls for inheritance by organizational systems, + and explicitly accept the risk to organizational operations and + assets, individuals, other organizations, and the Nation based + on the implementation of agreed-upon controls. Authorizing + officials provide budgetary oversight for organizational systems + and common controls or assume responsibility for the mission and + business functions supported by those systems or common + controls. The authorization process is a federal responsibility, + and therefore, authorizing officials must be federal employees. + Authorizing officials are both responsible and accountable for + security and privacy risks associated with the operation and use + of organizational systems. Nonfederal organizations may have + similar processes to authorize systems and senior officials that + assume the authorization role and associated responsibilities. + + + Authorizing officials issue ongoing authorizations of systems based + on evidence produced from implemented continuous monitoring programs. + Robust continuous monitoring programs reduce the need for separate + reauthorization processes. Through the employment of comprehensive + continuous monitoring processes, the information contained in authorization + packages (i.e., security and privacy plans, assessment reports, and + plans of action and milestones) is updated on an ongoing basis. This + provides authorizing officials, common control providers, and system + owners with an up-to-date status of the security and privacy posture + of their systems, controls, and operating environments. To reduce + the cost of reauthorization, authorizing officials can leverage the + results of continuous monitoring processes to the maximum extent possible + as the basis for rendering reauthorization decisions. + - id: ca-6_obj + name: assessment-objective + props: + - name: label + value: CA-06 + class: sp800-53a + parts: + - id: ca-6_obj.a + name: assessment-objective + props: + - name: label + value: CA-06a. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for the system; + links: + - href: "#ca-6_smt.a" + rel: assessment-for + - id: ca-6_obj.b + name: assessment-objective + props: + - name: label + value: CA-06b. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for common controls available for inheritance by organizational + systems; + links: + - href: "#ca-6_smt.b" + rel: assessment-for + - id: ca-6_obj.c + name: assessment-objective + props: + - name: label + value: CA-06c. + class: sp800-53a + parts: + - id: ca-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-06c.01 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system accepts the use of common controls inherited + by the system; + links: + - href: "#ca-6_smt.c.1" + rel: assessment-for + - id: ca-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-06c.02 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system authorizes the system to operate; + links: + - href: "#ca-6_smt.c.2" + rel: assessment-for + links: + - href: "#ca-6_smt.c" + rel: assessment-for + - id: ca-6_obj.d + name: assessment-objective + props: + - name: label + value: CA-06d. + class: sp800-53a + prose: the authorizing official for common controls authorizes the + use of those controls for inheritance by organizational systems; + links: + - href: "#ca-6_smt.d" + rel: assessment-for + - id: ca-6_obj.e + name: assessment-objective + props: + - name: label + value: CA-06e. + class: sp800-53a + prose: "the authorizations are updated {{ insert: param, ca-06_odp\ + \ }}." + links: + - href: "#ca-6_smt.e" + rel: assessment-for + links: + - href: "#ca-6_smt" + rel: assessment-for + - id: ca-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + procedures addressing authorization + + + system security plan, privacy plan, assessment report, plan of + action and milestones + + + authorization statement + + + other relevant documents or records + - id: ca-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authorization responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that facilitate authorizations and updates + - id: ca-7 + class: SP800-53 + title: Continuous Monitoring + params: + - id: ca-7_prm_4 + label: organization-defined personnel or roles + constraints: + - description: to include JAB/AO + - id: ca-7_prm_5 + label: organization-defined frequency + - id: ca-07_odp.01 + label: system-level metrics + guidelines: + - prose: system-level metrics to be monitored are defined; + - id: ca-07_odp.02 + label: frequencies + guidelines: + - prose: frequencies at which to monitor control effectiveness are + defined; + - id: ca-07_odp.03 + label: frequencies + guidelines: + - prose: frequencies at which to assess control effectiveness are + defined; + - id: ca-07_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the security status of the system + is reported are defined; + - id: ca-07_odp.05 + label: frequency + guidelines: + - prose: frequency at which the security status of the system is reported + is defined; + - id: ca-07_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the privacy status of the system + is reported are defined; + - id: ca-07_odp.07 + label: frequency + guidelines: + - prose: frequency at which the privacy status of the system is reported + is defined; + props: + - name: label + value: CA-7 + - name: label + value: CA-07 + class: sp800-53a + - name: sort-id + value: ca-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#at-4" + rel: related + - href: "#au-6" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#pe-14" + rel: related + - href: "#pe-16" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-6" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-12" + rel: related + - href: "#pm-14" + rel: related + - href: "#pm-23" + rel: related + - href: "#pm-28" + rel: related + - href: "#pm-31" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-38" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-7_smt + name: statement + prose: "Develop a system-level continuous monitoring strategy and implement\ + \ continuous monitoring in accordance with the organization-level\ + \ continuous monitoring strategy that includes:" + parts: + - id: ca-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establishing the following system-level metrics to be monitored:\ + \ {{ insert: param, ca-07_odp.01 }};" + - id: ca-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring\ + \ and {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + - id: ca-7_smt.c + name: item + props: + - name: label + value: c. + prose: Ongoing control assessments in accordance with the continuous + monitoring strategy; + - id: ca-7_smt.d + name: item + props: + - name: label + value: d. + prose: Ongoing monitoring of system and organization-defined metrics + in accordance with the continuous monitoring strategy; + - id: ca-7_smt.e + name: item + props: + - name: label + value: e. + prose: Correlation and analysis of information generated by control + assessments and monitoring; + - id: ca-7_smt.f + name: item + props: + - name: label + value: f. + prose: Response actions to address results of the analysis of control + assessment and monitoring information; and + - id: ca-7_smt.g + name: item + props: + - name: label + value: g. + prose: "Reporting the security and privacy status of the system\ + \ to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5\ + \ }}." + - id: ca-7_fr + name: item + title: CA-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: "Operating System, Database, Web Application, Container,\ + \ and Service Configuration Scans: at least monthly. All scans\ + \ performed by Independent Assessor: at least annually." + - id: ca-7_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs with more than one agency ATO must implement a collaborative + Continuous Monitoring (ConMon) approach described in the FedRAMP + Guide for Multi-Agency Continuous Monitoring. This requirement + applies to CSOs authorized via the Agency path as each agency + customer is responsible for performing ConMon oversight. It + does not apply to CSOs authorized via the JAB path because + the JAB performs ConMon oversight. + - id: ca-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: FedRAMP does not provide a template for the Continuous + Monitoring Plan. CSPs should reference the FedRAMP Continuous + Monitoring Strategy Guide when developing the Continuous Monitoring + Plan. + - id: ca-7_gdn + name: guidance + prose: >- + Continuous monitoring at the system level facilitates ongoing + awareness of the system security and privacy posture to support + organizational risk management decisions. The terms "continuous" + and "ongoing" imply that organizations assess and monitor their + controls and risks at a frequency sufficient to support + risk-based decisions. Different types of controls may require + different monitoring frequencies. The results of continuous + monitoring generate risk response actions by organizations. When + monitoring the effectiveness of multiple controls that have been + grouped into capabilities, a root-cause analysis may be needed + to determine the specific control that has failed. Continuous + monitoring programs allow organizations to maintain the + authorizations of systems and common controls in highly dynamic + environments of operation with changing mission and business + needs, threats, vulnerabilities, and technologies. Having access + to security and privacy information on a continuing basis + through reports and dashboards gives organizational officials + the ability to make effective and timely risk management + decisions, including ongoing authorization decisions. + + + Automation supports more frequent updates to hardware, software, and + firmware inventories, authorization packages, and other system information. + Effectiveness is further enhanced when continuous monitoring outputs + are formatted to provide information that is specific, measurable, + actionable, relevant, and timely. Continuous monitoring activities + are scaled in accordance with the security categories of systems. + Monitoring requirements, including the need for specific monitoring, + may be referenced in other controls and control enhancements, such + as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), + [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), + [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), + [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), + [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), + [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), + [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), + [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4). + - id: ca-7_obj + name: assessment-objective + props: + - name: label + value: CA-07 + class: sp800-53a + parts: + - id: ca-7_obj-1 + name: assessment-objective + props: + - name: label + value: CA-07[01] + class: sp800-53a + prose: a system-level continuous monitoring strategy is developed; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj-2 + name: assessment-objective + props: + - name: label + value: CA-07[02] + class: sp800-53a + prose: system-level continuous monitoring is implemented in accordance + with the organization-level continuous monitoring strategy; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj.a + name: assessment-objective + props: + - name: label + value: CA-07a. + class: sp800-53a + prose: "system-level continuous monitoring includes establishment\ + \ of the following system-level metrics to be monitored: {{ insert:\ + \ param, ca-07_odp.01 }};" + links: + - href: "#ca-7_smt.a" + rel: assessment-for + - id: ca-7_obj.b + name: assessment-objective + props: + - name: label + value: CA-07b. + class: sp800-53a + parts: + - id: ca-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-07b.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.02 }} for monitoring;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-07b.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.c + name: assessment-objective + props: + - name: label + value: CA-07c. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing control + assessments in accordance with the continuous monitoring strategy; + links: + - href: "#ca-7_smt.c" + rel: assessment-for + - id: ca-7_obj.d + name: assessment-objective + props: + - name: label + value: CA-07d. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing monitoring + of system and organization-defined metrics in accordance with + the continuous monitoring strategy; + links: + - href: "#ca-7_smt.d" + rel: assessment-for + - id: ca-7_obj.e + name: assessment-objective + props: + - name: label + value: CA-07e. + class: sp800-53a + prose: system-level continuous monitoring includes correlation and + analysis of information generated by control assessments and monitoring; + links: + - href: "#ca-7_smt.e" + rel: assessment-for + - id: ca-7_obj.f + name: assessment-objective + props: + - name: label + value: CA-07f. + class: sp800-53a + prose: system-level continuous monitoring includes response actions + to address the results of the analysis of control assessment and + monitoring information; + links: + - href: "#ca-7_smt.f" + rel: assessment-for + - id: ca-7_obj.g + name: assessment-objective + props: + - name: label + value: CA-07g. + class: sp800-53a + parts: + - id: ca-7_obj.g-1 + name: assessment-objective + props: + - name: label + value: CA-07g.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the security status of the system to {{ insert: param, ca-07_odp.04\ + \ }} {{ insert: param, ca-07_odp.05 }};" + links: + - href: "#ca-7_smt.g" + rel: assessment-for + - id: ca-7_obj.g-2 + name: assessment-objective + props: + - name: label + value: CA-07g.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the privacy status of the system to {{ insert: param, ca-07_odp.06\ + \ }} {{ insert: param, ca-07_odp.07 }}." + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + procedures addressing configuration management + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + configuration management records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing continuous monitoring + + + mechanisms supporting response actions to address assessment and + monitoring results + + + mechanisms supporting security and privacy status reporting + controls: + - id: ca-7.1 + class: SP800-53-enhancement + title: Independent Assessment + props: + - name: label + value: CA-7(1) + - name: label + value: CA-07(01) + class: sp800-53a + - name: sort-id + value: ca-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.1_smt + name: statement + prose: Employ independent assessors or assessment teams to monitor + the controls in the system on an ongoing basis. + - id: ca-7.1_gdn + name: guidance + prose: Organizations maximize the value of control assessments by + requiring that assessments be conducted by assessors with appropriate + levels of independence. The level of required independence is + based on organizational continuous monitoring strategies. Assessor + independence provides a degree of impartiality to the monitoring + process. To achieve such impartiality, assessors do not create + a mutual or conflicting interest with the organizations where + the assessments are being conducted, assess their own work, act + as management or employees of the organizations they are serving, + or place themselves in advocacy positions for the organizations + acquiring their services. + - id: ca-7.1_obj + name: assessment-objective + props: + - name: label + value: CA-07(01) + class: sp800-53a + prose: independent assessors or assessment teams are employed to + monitor the controls in the system on an ongoing basis. + links: + - href: "#ca-7.1_smt" + rel: assessment-for + - id: ca-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4 + class: SP800-53-enhancement + title: Risk Monitoring + props: + - name: label + value: CA-7(4) + - name: label + value: CA-07(04) + class: sp800-53a + - name: sort-id + value: ca-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.4_smt + name: statement + prose: "Ensure risk monitoring is an integral part of the continuous\ + \ monitoring strategy that includes the following:" + parts: + - id: ca-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Effectiveness monitoring; + - id: ca-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Compliance monitoring; and + - id: ca-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Change monitoring. + - id: ca-7.4_gdn + name: guidance + prose: Risk monitoring is informed by the established organizational + risk tolerance. Effectiveness monitoring determines the ongoing + effectiveness of the implemented risk response measures. Compliance + monitoring verifies that required risk response measures are implemented. + It also verifies that security and privacy requirements are satisfied. + Change monitoring identifies changes to organizational systems + and environments of operation that may affect security and privacy + risk. + - id: ca-7.4_obj + name: assessment-objective + props: + - name: label + value: CA-07(04) + class: sp800-53a + prose: risk monitoring is an integral part of the continuous monitoring + strategy; + parts: + - id: ca-7.4_obj.a + name: assessment-objective + props: + - name: label + value: CA-07(04)(a) + class: sp800-53a + prose: effectiveness monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.a" + rel: assessment-for + - id: ca-7.4_obj.b + name: assessment-objective + props: + - name: label + value: CA-07(04)(b) + class: sp800-53a + prose: compliance monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.b" + rel: assessment-for + - id: ca-7.4_obj.c + name: assessment-objective + props: + - name: label + value: CA-07(04)(c) + class: sp800-53a + prose: change monitoring is included in risk monitoring. + links: + - href: "#ca-7.4_smt.c" + rel: assessment-for + links: + - href: "#ca-7.4_smt" + rel: assessment-for + - id: ca-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting risk monitoring + - id: ca-8 + class: SP800-53 + title: Penetration Testing + params: + - id: ca-08_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to conduct penetration testing on systems + or system components is defined; + - id: ca-08_odp.02 + label: system(s) or system components + guidelines: + - prose: systems or system components on which penetration testing + is to be conducted are defined; + props: + - name: label + value: CA-8 + - name: label + value: CA-08 + class: sp800-53a + - name: sort-id + value: ca-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-8_smt + name: statement + prose: "Conduct penetration testing {{ insert: param, ca-08_odp.01 }}\ + \ on {{ insert: param, ca-08_odp.02 }}." + parts: + - id: ca-8_fr + name: item + title: CA-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference the FedRAMP Penetration Test Guidance. + - id: ca-8_gdn + name: guidance + prose: >- + Penetration testing is a specialized type of assessment + conducted on systems or individual system components to identify + vulnerabilities that could be exploited by adversaries. + Penetration testing goes beyond automated vulnerability scanning + and is conducted by agents and teams with demonstrable skills + and experience that include technical expertise in network, + operating system, and/or application level security. Penetration + testing can be used to validate vulnerabilities or determine the + degree of penetration resistance of systems to adversaries + within specified constraints. Such constraints include time, + resources, and skills. Penetration testing attempts to duplicate + the actions of adversaries and provides a more in-depth analysis + of security- and privacy-related weaknesses or deficiencies. + Penetration testing is especially important when organizations + are transitioning from older technologies to newer technologies + (e.g., transitioning from IPv4 to IPv6 network protocols). + + + Organizations can use the results of vulnerability analyses to support + penetration testing activities. Penetration testing can be conducted + internally or externally on the hardware, software, or firmware components + of a system and can exercise both physical and technical controls. + A standard method for penetration testing includes a pretest analysis + based on full knowledge of the system, pretest identification of potential + vulnerabilities based on the pretest analysis, and testing designed + to determine the exploitability of vulnerabilities. All parties agree + to the rules of engagement before commencing penetration testing scenarios. + Organizations correlate the rules of engagement for the penetration + tests with the tools, techniques, and procedures that are anticipated + to be employed by adversaries. Penetration testing may result in the + exposure of information that is protected by laws or regulations, + to individuals conducting the testing. Rules of engagement, contracts, + or other appropriate mechanisms can be used to communicate expectations + for how to protect this information. Risk assessments guide the decisions + on the level of independence required for the personnel conducting + penetration testing. + - id: ca-8_obj + name: assessment-objective + props: + - name: label + value: CA-08 + class: sp800-53a + prose: "penetration testing is conducted {{ insert: param, ca-08_odp.01\ + \ }} on {{ insert: param, ca-08_odp.02 }}." + links: + - href: "#ca-8_smt" + rel: assessment-for + - id: ca-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting penetration testing + controls: + - id: ca-8.1 + class: SP800-53-enhancement + title: Independent Penetration Testing Agent or Team + props: + - name: label + value: CA-8(1) + - name: label + value: CA-08(01) + class: sp800-53a + - name: sort-id + value: ca-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-8" + rel: required + - href: "#ca-2" + rel: related + parts: + - id: ca-8.1_smt + name: statement + prose: Employ an independent penetration testing agent or team to + perform penetration testing on the system or system components. + - id: ca-8.1_gdn + name: guidance + prose: Independent penetration testing agents or teams are individuals + or groups who conduct impartial penetration testing of organizational + systems. Impartiality implies that penetration testing agents + or teams are free from perceived or actual conflicts of interest + with respect to the development, operation, or management of the + systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) + provides additional information on independent assessments that + can be applied to penetration testing. + - id: ca-8.1_obj + name: assessment-objective + props: + - name: label + value: CA-08(01) + class: sp800-53a + prose: an independent penetration testing agent or team is employed + to perform penetration testing on the system or system components. + links: + - href: "#ca-8.1_smt" + rel: assessment-for + - id: ca-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + security assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-8.2 + class: SP800-53-enhancement + title: Red Team Exercises + params: + - id: ca-08.02_odp + label: red team exercises + guidelines: + - prose: red team exercises to simulate attempts by adversaries + to compromise organizational systems are defined; + props: + - name: label + value: CA-8(2) + - name: label + value: CA-08(02) + class: sp800-53a + - name: sort-id + value: ca-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-8" + rel: required + parts: + - id: ca-8.2_smt + name: statement + prose: "Employ the following red-team exercises to simulate attempts\ + \ by adversaries to compromise organizational systems in accordance\ + \ with applicable rules of engagement: {{ insert: param, ca-08.02_odp\ + \ }}." + parts: + - id: ca-8.2_fr + name: item + title: CM-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-8.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + See the FedRAMP Documents page> Penetration Test + Guidance + + + https://www.FedRAMP.gov/documents/ + - id: ca-8.2_gdn + name: guidance + prose: Red team exercises extend the objectives of penetration testing + by examining the security and privacy posture of organizations + and the capability to implement effective cyber defenses. Red + team exercises simulate attempts by adversaries to compromise + mission and business functions and provide a comprehensive assessment + of the security and privacy posture of systems and organizations. + Such attempts may include technology-based attacks and social + engineering-based attacks. Technology-based attacks include interactions + with hardware, software, or firmware components and/or mission + and business processes. Social engineering-based attacks include + interactions via email, telephone, shoulder surfing, or personal + conversations. Red team exercises are most effective when conducted + by penetration testing agents and teams with knowledge of and + experience with current adversarial tactics, techniques, procedures, + and tools. While penetration testing may be primarily laboratory-based + testing, organizations can use red team exercises to provide more + comprehensive assessments that reflect real-world conditions. + The results from red team exercises can be used by organizations + to improve security and privacy awareness and training and to + assess control effectiveness. + - id: ca-8.2_obj + name: assessment-objective + props: + - name: label + value: CA-08(02) + class: sp800-53a + prose: " {{ insert: param, ca-08.02_odp }} are employed to simulate\ + \ attempts by adversaries to compromise organizational systems\ + \ in accordance with applicable rules of engagement." + links: + - href: "#ca-8.2_smt" + rel: assessment-for + - id: ca-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + procedures addressing red team exercises + + assessment plan + + results of red team exercises + + penetration test report + + assessment report + + rules of engagement + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the employment of red team exercises + - id: ca-9 + class: SP800-53 + title: Internal System Connections + params: + - id: ca-09_odp.01 + label: system components + guidelines: + - prose: system components or classes of components requiring internal + connections to the system are defined; + - id: ca-09_odp.02 + label: conditions + guidelines: + - prose: conditions requiring termination of internal connections + are defined; + - id: ca-09_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review the continued need for each + internal connection is defined; + props: + - name: label + value: CA-9 + - name: label + value: CA-09 + class: sp800-53a + - name: sort-id + value: ca-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-9_smt + name: statement + parts: + - id: ca-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize internal connections of {{ insert: param, ca-09_odp.01\ + \ }} to the system;" + - id: ca-9_smt.b + name: item + props: + - name: label + value: b. + prose: Document, for each internal connection, the interface characteristics, + security and privacy requirements, and the nature of the information + communicated; + - id: ca-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Terminate internal system connections after {{ insert: param,\ + \ ca-09_odp.02 }} ; and" + - id: ca-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Review {{ insert: param, ca-09_odp.03 }} the continued need\ + \ for each internal connection." + - id: ca-9_gdn + name: guidance + prose: Internal system connections are connections between organizational + systems and separate constituent system components (i.e., connections + between components that are part of the same system) including components + used for system development. Intra-system connections include connections + with mobile devices, notebook and desktop computers, tablets, printers, + copiers, facsimile machines, scanners, sensors, and servers. Instead + of authorizing each internal system connection individually, organizations + can authorize internal connections for a class of system components + with common characteristics and/or configurations, including printers, + scanners, and copiers with a specified processing, transmission, and + storage capability or smart phones and tablets with a specific baseline + configuration. The continued need for an internal system connection + is reviewed from the perspective of whether it provides support for + organizational missions or business functions. + - id: ca-9_obj + name: assessment-objective + props: + - name: label + value: CA-09 + class: sp800-53a + parts: + - id: ca-9_obj.a + name: assessment-objective + props: + - name: label + value: CA-09a. + class: sp800-53a + prose: "internal connections of {{ insert: param, ca-09_odp.01 }}\ + \ to the system are authorized;" + links: + - href: "#ca-9_smt.a" + rel: assessment-for + - id: ca-9_obj.b + name: assessment-objective + props: + - name: label + value: CA-09b. + class: sp800-53a + parts: + - id: ca-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-09b.[01] + class: sp800-53a + prose: for each internal connection, the interface characteristics + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-09b.[02] + class: sp800-53a + prose: for each internal connection, the security requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-09b.[03] + class: sp800-53a + prose: for each internal connection, the privacy requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-09b.[04] + class: sp800-53a + prose: for each internal connection, the nature of the information + communicated is documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.c + name: assessment-objective + props: + - name: label + value: CA-09c. + class: sp800-53a + prose: "internal system connections are terminated after {{ insert:\ + \ param, ca-09_odp.02 }};" + links: + - href: "#ca-9_smt.c" + rel: assessment-for + - id: ca-9_obj.d + name: assessment-objective + props: + - name: label + value: CA-09d. + class: sp800-53a + prose: "the continued need for each internal connection is reviewed\ + \ {{ insert: param, ca-09_odp.03 }}." + links: + - href: "#ca-9_smt.d" + rel: assessment-for + links: + - href: "#ca-9_smt" + rel: assessment-for + - id: ca-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + access control policy + + + procedures addressing system connections + + + system and communications protection policy + + + system design documentation + + + system configuration settings and associated documentation + + + list of components or classes of components authorized as internal + system connections + + + assessment report + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or authorizing internal system + connections + + + organizational personnel with information security and privacy + responsibilities + - id: ca-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting internal system connections + - id: cm + class: family + title: Configuration Management + controls: + - id: cm-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cm-1_prm_1 + label: organization-defined personnel or roles + - id: cm-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management policy + is to be disseminated is/are defined; + - id: cm-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management procedures + are to be disseminated is/are defined; + - id: cm-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cm-01_odp.04 + label: official + guidelines: + - prose: an official to manage the configuration management policy + and procedures is defined; + - id: cm-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current configuration management + policy is reviewed and updated is defined; + - id: cm-01_odp.06 + label: events + guidelines: + - prose: events that would require the current configuration management + policy to be reviewed and updated are defined; + - id: cm-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current configuration management + procedures are reviewed and updated is defined; + - id: cm-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require configuration management procedures + to be reviewed and updated are defined; + props: + - name: label + value: CM-1 + - name: label + value: CM-01 + class: sp800-53a + - name: sort-id + value: cm-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-1_smt + name: statement + parts: + - id: cm-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cm-1_prm_1 }}:" + parts: + - id: cm-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-01_odp.03 }} configuration management\ + \ policy that:" + parts: + - id: cm-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cm-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cm-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the configuration + management policy and the associated configuration management + controls; + - id: cm-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cm-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures; and" + - id: cm-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current configuration management:" + parts: + - id: cm-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cm-01_odp.05 }} and following\ + \ {{ insert: param, cm-01_odp.06 }} ; and" + - id: cm-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cm-01_odp.07 }} and following\ + \ {{ insert: param, cm-01_odp.08 }}." + - id: cm-1_gdn + name: guidance + prose: Configuration management policy and procedures address the controls + in the CM family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of configuration + management policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to configuration management + policy and procedures include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: cm-1_obj + name: assessment-objective + props: + - name: label + value: CM-01 + class: sp800-53a + parts: + - id: cm-1_obj.a + name: assessment-objective + props: + - name: label + value: CM-01a. + class: sp800-53a + parts: + - id: cm-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.[01] + class: sp800-53a + prose: a configuration management policy is developed and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.[02] + class: sp800-53a + prose: "the configuration management policy is disseminated\ + \ to {{ insert: param, cm-01_odp.01 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.[03] + class: sp800-53a + prose: configuration management procedures to facilitate the + implementation of the configuration management policy and + associated configuration management controls are developed + and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.[04] + class: sp800-53a + prose: "the configuration management procedures are disseminated\ + \ to {{ insert: param, cm-01_odp.02 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-01a.01 + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CM-01a.01(a) + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses purpose;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses scope;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses roles;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses responsibilities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses management\ + \ commitment;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses compliance;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CM-01a.01(b) + class: sp800-53a + prose: the configuration management policy is consistent + with applicable laws, Executive Orders, directives, regulations, + policies, standards, and guidelines; + links: + - href: "#cm-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1" + rel: assessment-for + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.b + name: assessment-objective + props: + - name: label + value: CM-01b. + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures;" + links: + - href: "#cm-1_smt.b" + rel: assessment-for + - id: cm-1_obj.c + name: assessment-objective + props: + - name: label + value: CM-01c. + class: sp800-53a + parts: + - id: cm-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CM-01c.01 + class: sp800-53a + parts: + - id: cm-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CM-01c.01[01] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated {{ insert: param, cm-01_odp.05 }}; " + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CM-01c.01[02] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated following {{ insert: param, cm-01_odp.06\ + \ }};" + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CM-01c.02 + class: sp800-53a + parts: + - id: cm-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CM-01c.02[01] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated {{ insert: param, cm-01_odp.07\ + \ }}; " + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + - id: cm-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CM-01c.02[02] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ cm-01_odp.08 }}." + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c" + rel: assessment-for + links: + - href: "#cm-1_smt" + rel: assessment-for + - id: cm-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy and procedures + + security and privacy program policies and procedures + + assessment or audit findings + + documentation of security incidents or breaches + + system security plan + + privacy plan + + risk management strategy + + other relevant artifacts, documents, or records + - id: cm-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cm-2 + class: SP800-53 + title: Baseline Configuration + params: + - id: cm-02_odp.01 + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: the frequency of baseline configuration review and update + is defined; + - id: cm-02_odp.02 + label: circumstances + constraints: + - description: to include when directed by the JAB + guidelines: + - prose: the circumstances requiring baseline configuration review + and update are defined; + props: + - name: label + value: CM-2 + - name: label + value: CM-02 + class: sp800-53a + - name: sort-id + value: cm-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-1" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-12" + rel: related + - href: "#ma-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-18" + rel: related + parts: + - id: cm-2_smt + name: statement + parts: + - id: cm-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, document, and maintain under configuration control, + a current baseline configuration of the system; and + - id: cm-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the baseline configuration of the system:" + parts: + - id: cm-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-02_odp.01 }};" + - id: cm-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: "When required due to {{ insert: param, cm-02_odp.02\ + \ }} ; and" + - id: cm-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: When system components are installed or upgraded. + - id: cm-2_fr + name: item + title: CM-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b)(1) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: cm-2_gdn + name: guidance + prose: Baseline configurations for systems and system components include + connectivity, operational, and communications aspects of systems. + Baseline configurations are documented, formally reviewed, and agreed-upon + specifications for systems or configuration items within those systems. + Baseline configurations serve as a basis for future builds, releases, + or changes to systems and include security and privacy control implementations, + operational procedures, information about system components, network + topology, and logical placement of components in the system architecture. + Maintaining baseline configurations requires creating new baselines + as organizational systems change over time. Baseline configurations + of systems reflect the current enterprise architecture. + - id: cm-2_obj + name: assessment-objective + props: + - name: label + value: CM-02 + class: sp800-53a + parts: + - id: cm-2_obj.a + name: assessment-objective + props: + - name: label + value: CM-02a. + class: sp800-53a + parts: + - id: cm-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-02a.[01] + class: sp800-53a + prose: a current baseline configuration of the system is developed + and documented; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-02a.[02] + class: sp800-53a + prose: a current baseline configuration of the system is maintained + under configuration control; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.b + name: assessment-objective + props: + - name: label + value: CM-02b. + class: sp800-53a + parts: + - id: cm-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CM-02b.01 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated {{ insert: param, cm-02_odp.01 }};" + links: + - href: "#cm-2_smt.b.1" + rel: assessment-for + - id: cm-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CM-02b.02 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated when required due to {{ insert: param, cm-02_odp.02\ + \ }};" + links: + - href: "#cm-2_smt.b.2" + rel: assessment-for + - id: cm-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CM-02b.03 + class: sp800-53a + prose: the baseline configuration of the system is reviewed + and updated when system components are installed or upgraded. + links: + - href: "#cm-2_smt.b.3" + rel: assessment-for + links: + - href: "#cm-2_smt.b" + rel: assessment-for + links: + - href: "#cm-2_smt" + rel: assessment-for + - id: cm-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + enterprise architecture documentation + + + system design documentation + + + system security plan + + + privacy plan + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + change control records + + + other relevant documents or records + - id: cm-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing baseline + configurations + + + mechanisms supporting configuration control of the baseline configuration + controls: + - id: cm-2.2 + class: SP800-53-enhancement + title: Automation Support for Accuracy and Currency + params: + - id: cm-02.02_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms for maintaining baseline configuration + of the system are defined; + props: + - name: label + value: CM-2(2) + - name: label + value: CM-02(02) + class: sp800-53a + - name: sort-id + value: cm-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + - href: "#cm-7" + rel: related + - href: "#ia-3" + rel: related + - href: "#ra-5" + rel: related + parts: + - id: cm-2.2_smt + name: statement + prose: "Maintain the currency, completeness, accuracy, and availability\ + \ of the baseline configuration of the system using {{ insert:\ + \ param, cm-02.02_odp }}." + - id: cm-2.2_gdn + name: guidance + prose: Automated mechanisms that help organizations maintain consistent + baseline configurations for systems include configuration management + tools, hardware, software, firmware inventory tools, and network + management tools. Automated tools can be used at the organization + level, mission and business process level, or system level on + workstations, servers, notebook computers, network components, + or mobile devices. Tools can be used to track version numbers + on operating systems, applications, types of software installed, + and current patch levels. Automation support for accuracy and + currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) + for organizations that combine system component inventory and + baseline configuration activities. + - id: cm-2.2_obj + name: assessment-objective + props: + - name: label + value: CM-02(02) + class: sp800-53a + parts: + - id: cm-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-02(02)[01] + class: sp800-53a + prose: "the currency of the baseline configuration of the system\ + \ is maintained using {{ insert: param, cm-02.02_odp }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-02(02)[02] + class: sp800-53a + prose: "the completeness of the baseline configuration of the\ + \ system is maintained using {{ insert: param, cm-02.02_odp\ + \ }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-02(02)[03] + class: sp800-53a + prose: "the accuracy of the baseline configuration of the system\ + \ is maintained using {{ insert: param, cm-02.02_odp }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-4 + name: assessment-objective + props: + - name: label + value: CM-02(02)[04] + class: sp800-53a + prose: "the availability of the baseline configuration of the\ + \ system is maintained using {{ insert: param, cm-02.02_odp\ + \ }}." + links: + - href: "#cm-2.2_smt" + rel: assessment-for + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + configuration change control records + + + system security plan + + + other relevant documents or records + - id: cm-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing baseline + configurations + + + automated mechanisms implementing baseline configuration maintenance + - id: cm-2.3 + class: SP800-53-enhancement + title: Retention of Previous Configurations + params: + - id: cm-02.03_odp + label: number + constraints: + - description: organization-defined number of previous versions + of baseline configurations of the previously approved baseline + configuration of IS components + guidelines: + - prose: the number of previous baseline configuration versions + to be retained is defined; + props: + - name: label + value: CM-2(3) + - name: label + value: CM-02(03) + class: sp800-53a + - name: sort-id + value: cm-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + parts: + - id: cm-2.3_smt + name: statement + prose: "Retain {{ insert: param, cm-02.03_odp }} of previous versions\ + \ of baseline configurations of the system to support rollback." + - id: cm-2.3_gdn + name: guidance + prose: Retaining previous versions of baseline configurations to + support rollback include hardware, software, firmware, configuration + files, configuration records, and associated documentation. + - id: cm-2.3_obj + name: assessment-objective + props: + - name: label + value: CM-02(03) + class: sp800-53a + prose: " {{ insert: param, cm-02.03_odp }} of previous baseline\ + \ configuration version(s) of the system is/are retained to support\ + \ rollback." + links: + - href: "#cm-2.3_smt" + rel: assessment-for + - id: cm-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + copies of previous baseline configuration versions + + + system security plan + + + other relevant documents or records + - id: cm-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing baseline configurations + - id: cm-2.7 + class: SP800-53-enhancement + title: Configure Systems and Components for High-risk Areas + params: + - id: cm-02.07_odp.01 + label: systems or system components + guidelines: + - prose: the systems or system components to be issued when individuals + travel to high-risk areas are defined; + - id: cm-02.07_odp.02 + label: configurations + guidelines: + - prose: configurations for systems or system components to be + issued when individuals travel to high-risk areas are defined; + - id: cm-02.07_odp.03 + label: controls + guidelines: + - prose: the controls to be applied when the individuals return + from travel are defined; + props: + - name: label + value: CM-2(7) + - name: label + value: CM-02(07) + class: sp800-53a + - name: sort-id + value: cm-02.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + parts: + - id: cm-2.7_smt + name: statement + parts: + - id: cm-2.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert:\ + \ param, cm-02.07_odp.02 }} to individuals traveling to locations\ + \ that the organization deems to be of significant risk; and" + - id: cm-2.7_smt.b + name: item + props: + - name: label + value: (b) + prose: "Apply the following controls to the systems or components\ + \ when the individuals return from travel: {{ insert: param,\ + \ cm-02.07_odp.03 }}." + - id: cm-2.7_gdn + name: guidance + prose: When it is known that systems or system components will be + in high-risk areas external to the organization, additional controls + may be implemented to counter the increased threat in such areas. + For example, organizations can take actions for notebook computers + used by individuals departing on and returning from travel. Actions + include determining the locations that are of concern, defining + the required configurations for the components, ensuring that + components are configured as intended before travel is initiated, + and applying controls to the components after travel is completed. + Specially configured notebook computers include computers with + sanitized hard drives, limited applications, and more stringent + configuration settings. Controls applied to mobile devices upon + return from travel include examining the mobile device for signs + of physical tampering and purging and reimaging disk drives. Protecting + information that resides on mobile devices is addressed in the + [MP](#mp) (Media Protection) family. + - id: cm-2.7_obj + name: assessment-objective + props: + - name: label + value: CM-02(07) + class: sp800-53a + parts: + - id: cm-2.7_obj.a + name: assessment-objective + props: + - name: label + value: CM-02(07)(a) + class: sp800-53a + prose: " {{ insert: param, cm-02.07_odp.01 }} with {{ insert:\ + \ param, cm-02.07_odp.02 }} are issued to individuals traveling\ + \ to locations that the organization deems to be of significant\ + \ risk;" + links: + - href: "#cm-2.7_smt.a" + rel: assessment-for + - id: cm-2.7_obj.b + name: assessment-objective + props: + - name: label + value: CM-02(07)(b) + class: sp800-53a + prose: " {{ insert: param, cm-02.07_odp.03 }} are applied to\ + \ the systems or system components when the individuals return\ + \ from travel." + links: + - href: "#cm-2.7_smt.b" + rel: assessment-for + links: + - href: "#cm-2.7_smt" + rel: assessment-for + - id: cm-2.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + configuration management plan + + + procedures addressing the baseline configuration of the system + + + procedures addressing system component installations and upgrades + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + records of system baseline configuration reviews and updates + + + system component installations/upgrades and associated records + + + change control records + + + system security plan + + + other relevant documents or records + - id: cm-2.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing baseline configurations + - id: cm-3 + class: SP800-53 + title: Configuration Change Control + params: + - id: cm-03_odp.01 + label: time period + guidelines: + - prose: the time period to retain records of configuration-controlled + changes is defined; + - id: cm-03_odp.02 + label: configuration change control element + guidelines: + - prose: the configuration change control element responsible for + coordinating and overseeing change control activities is defined; + - id: cm-03_odp.03 + select: + how-many: one-or-more + choice: + - " {{ insert: param, cm-03_odp.04 }} " + - "when {{ insert: param, cm-03_odp.05 }} " + - id: cm-03_odp.04 + label: frequency + guidelines: + - prose: the frequency at which the configuration control element + convenes is defined (if selected); + - id: cm-03_odp.05 + label: configuration change conditions + guidelines: + - prose: configuration change conditions that prompt the configuration + control element to convene are defined (if selected); + props: + - name: label + value: CM-3 + - name: label + value: CM-03 + class: sp800-53a + - name: sort-id + value: cm-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#pe-16" + rel: related + - href: "#pt-6" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: cm-3_smt + name: statement + parts: + - id: cm-3_smt.a + name: item + props: + - name: label + value: a. + prose: Determine and document the types of changes to the system + that are configuration-controlled; + - id: cm-3_smt.b + name: item + props: + - name: label + value: b. + prose: Review proposed configuration-controlled changes to the system + and approve or disapprove such changes with explicit consideration + for security and privacy impact analyses; + - id: cm-3_smt.c + name: item + props: + - name: label + value: c. + prose: Document configuration change decisions associated with the + system; + - id: cm-3_smt.d + name: item + props: + - name: label + value: d. + prose: Implement approved configuration-controlled changes to the + system; + - id: cm-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Retain records of configuration-controlled changes to the\ + \ system for {{ insert: param, cm-03_odp.01 }};" + - id: cm-3_smt.f + name: item + props: + - name: label + value: f. + prose: Monitor and review activities associated with configuration-controlled + changes to the system; and + - id: cm-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Coordinate and provide oversight for configuration change\ + \ control activities through {{ insert: param, cm-03_odp.02 }}\ + \ that convenes {{ insert: param, cm-03_odp.03 }}." + - id: cm-3_fr + name: item + title: CM-3 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider establishes a central means of communicating + major changes to or developments in the information system + or environment of operations that may affect its services + to the federal government and associated service consumers + (e.g., electronic bulletin board, web status page). The means + of communication are approved and accepted by the JAB/AO. + - id: cm-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: In accordance with record retention policies and procedures. + - id: cm-3_gdn + name: guidance + prose: Configuration change control for organizational systems involves + the systematic proposal, justification, implementation, testing, review, + and disposition of system changes, including system upgrades and modifications. + Configuration change control includes changes to baseline configurations, + configuration items of systems, operational procedures, configuration + settings for system components, remediate vulnerabilities, and unscheduled + or unauthorized changes. Processes for managing configuration changes + to systems include Configuration Control Boards or Change Advisory + Boards that review and approve proposed changes. For changes that + impact privacy risk, the senior agency official for privacy updates + privacy impact assessments and system of records notices. For new + systems or major upgrades, organizations consider including representatives + from the development organizations on the Configuration Control Boards + or Change Advisory Boards. Auditing of changes includes activities + before and after changes are made to systems and the auditing activities + required to implement such changes. See also [SA-10](#sa-10). + - id: cm-3_obj + name: assessment-objective + props: + - name: label + value: CM-03 + class: sp800-53a + parts: + - id: cm-3_obj.a + name: assessment-objective + props: + - name: label + value: CM-03a. + class: sp800-53a + prose: the types of changes to the system that are configuration-controlled + are determined and documented; + links: + - href: "#cm-3_smt.a" + rel: assessment-for + - id: cm-3_obj.b + name: assessment-objective + props: + - name: label + value: CM-03b. + class: sp800-53a + parts: + - id: cm-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-03b.[01] + class: sp800-53a + prose: proposed configuration-controlled changes to the system + are reviewed; + links: + - href: "#cm-3_smt.b" + rel: assessment-for + - id: cm-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-03b.[02] + class: sp800-53a + prose: proposed configuration-controlled changes to the system + are approved or disapproved with explicit consideration for + security and privacy impact analyses; + links: + - href: "#cm-3_smt.b" + rel: assessment-for + links: + - href: "#cm-3_smt.b" + rel: assessment-for + - id: cm-3_obj.c + name: assessment-objective + props: + - name: label + value: CM-03c. + class: sp800-53a + prose: configuration change decisions associated with the system + are documented; + links: + - href: "#cm-3_smt.c" + rel: assessment-for + - id: cm-3_obj.d + name: assessment-objective + props: + - name: label + value: CM-03d. + class: sp800-53a + prose: approved configuration-controlled changes to the system are + implemented; + links: + - href: "#cm-3_smt.d" + rel: assessment-for + - id: cm-3_obj.e + name: assessment-objective + props: + - name: label + value: CM-03e. + class: sp800-53a + prose: "records of configuration-controlled changes to the system\ + \ are retained for {{ insert: param, cm-03_odp.01 }};" + links: + - href: "#cm-3_smt.e" + rel: assessment-for + - id: cm-3_obj.f + name: assessment-objective + props: + - name: label + value: CM-03f. + class: sp800-53a + parts: + - id: cm-3_obj.f-1 + name: assessment-objective + props: + - name: label + value: CM-03f.[01] + class: sp800-53a + prose: activities associated with configuration-controlled changes + to the system are monitored; + links: + - href: "#cm-3_smt.f" + rel: assessment-for + - id: cm-3_obj.f-2 + name: assessment-objective + props: + - name: label + value: CM-03f.[02] + class: sp800-53a + prose: activities associated with configuration-controlled changes + to the system are reviewed; + links: + - href: "#cm-3_smt.f" + rel: assessment-for + links: + - href: "#cm-3_smt.f" + rel: assessment-for + - id: cm-3_obj.g + name: assessment-objective + props: + - name: label + value: CM-03g. + class: sp800-53a + parts: + - id: cm-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: CM-03g.[01] + class: sp800-53a + prose: "configuration change control activities are coordinated\ + \ and overseen by {{ insert: param, cm-03_odp.02 }};" + links: + - href: "#cm-3_smt.g" + rel: assessment-for + - id: cm-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: CM-03g.[02] + class: sp800-53a + prose: "the configuration control element convenes {{ insert:\ + \ param, cm-03_odp.03 }}." + links: + - href: "#cm-3_smt.g" + rel: assessment-for + links: + - href: "#cm-3_smt.g" + rel: assessment-for + links: + - href: "#cm-3_smt" + rel: assessment-for + - id: cm-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system architecture and configuration documentation + + + change control records + + + system audit records + + + change control audit and review reports + + + agenda/minutes/documentation from configuration change control + oversight meetings + + + system security plan + + + privacy plan + + + privacy impact assessments + + + system of records notices + + + other relevant documents or records + - id: cm-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change control + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + members of change control board or similar + - id: cm-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for configuration change control + + mechanisms that implement configuration change control + controls: + - id: cm-3.1 + class: SP800-53-enhancement + title: Automated Documentation, Notification, and Prohibition of Changes + params: + - id: cm-03.01_odp.01 + label: automated mechanisms + guidelines: + - prose: mechanisms used to automate configuration change control + are defined; + - id: cm-03.01_odp.02 + label: approval authorities + guidelines: + - prose: approval authorities to be notified of and request approval + for proposed changes to the system are defined; + - id: cm-03.01_odp.03 + label: time period + constraints: + - description: organization agreed upon time period + guidelines: + - prose: the time period after which to highlight changes that + have not been approved or disapproved is defined; + - id: cm-03.01_odp.04 + label: personnel + constraints: + - description: organization defined configuration management approval + authorities + guidelines: + - prose: personnel to be notified when approved changes are complete + is/are defined; + props: + - name: label + value: CM-3(1) + - name: label + value: CM-03(01) + class: sp800-53a + - name: sort-id + value: cm-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-3" + rel: required + parts: + - id: cm-3.1_smt + name: statement + prose: "Use {{ insert: param, cm-03.01_odp.01 }} to:" + parts: + - id: cm-3.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Document proposed changes to the system; + - id: cm-3.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Notify {{ insert: param, cm-03.01_odp.02 }} of proposed\ + \ changes to the system and request change approval;" + - id: cm-3.1_smt.c + name: item + props: + - name: label + value: (c) + prose: "Highlight proposed changes to the system that have not\ + \ been approved or disapproved within {{ insert: param, cm-03.01_odp.03\ + \ }};" + - id: cm-3.1_smt.d + name: item + props: + - name: label + value: (d) + prose: Prohibit changes to the system until designated approvals + are received; + - id: cm-3.1_smt.e + name: item + props: + - name: label + value: (e) + prose: Document all changes to the system; and + - id: cm-3.1_smt.f + name: item + props: + - name: label + value: (f) + prose: "Notify {{ insert: param, cm-03.01_odp.04 }} when approved\ + \ changes to the system are completed." + - id: cm-3.1_gdn + name: guidance + prose: None. + - id: cm-3.1_obj + name: assessment-objective + props: + - name: label + value: CM-03(01) + class: sp800-53a + parts: + - id: cm-3.1_obj.a + name: assessment-objective + props: + - name: label + value: CM-03(01)(a) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to document\ + \ proposed changes to the system;" + links: + - href: "#cm-3.1_smt.a" + rel: assessment-for + - id: cm-3.1_obj.b + name: assessment-objective + props: + - name: label + value: CM-03(01)(b) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to notify\ + \ {{ insert: param, cm-03.01_odp.02 }} of proposed changes\ + \ to the system and request change approval;" + links: + - href: "#cm-3.1_smt.b" + rel: assessment-for + - id: cm-3.1_obj.c + name: assessment-objective + props: + - name: label + value: CM-03(01)(c) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to highlight\ + \ proposed changes to the system that have not been approved\ + \ or disapproved within {{ insert: param, cm-03.01_odp.03\ + \ }};" + links: + - href: "#cm-3.1_smt.c" + rel: assessment-for + - id: cm-3.1_obj.d + name: assessment-objective + props: + - name: label + value: CM-03(01)(d) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to prohibit\ + \ changes to the system until designated approvals are received;" + links: + - href: "#cm-3.1_smt.d" + rel: assessment-for + - id: cm-3.1_obj.e + name: assessment-objective + props: + - name: label + value: CM-03(01)(e) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to document\ + \ all changes to the system;" + links: + - href: "#cm-3.1_smt.e" + rel: assessment-for + - id: cm-3.1_obj.f + name: assessment-objective + props: + - name: label + value: CM-03(01)(f) + class: sp800-53a + prose: " {{ insert: param, cm-03.01_odp.01 }} are used to notify\ + \ {{ insert: param, cm-03.01_odp.04 }} when approved changes\ + \ to the system are completed." + links: + - href: "#cm-3.1_smt.f" + rel: assessment-for + links: + - href: "#cm-3.1_smt" + rel: assessment-for + - id: cm-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + automated configuration control mechanisms + + + system configuration settings and associated documentation + + + change control records + + + system audit records + + + change approval requests + + + change approvals + + + system security plan + + + other relevant documents or records + - id: cm-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + members of change control board or similar + - id: cm-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for configuration change + control + + + automated mechanisms implementing configuration change control + activities + - id: cm-3.2 + class: SP800-53-enhancement + title: Testing, Validation, and Documentation of Changes + props: + - name: label + value: CM-3(2) + - name: label + value: CM-03(02) + class: sp800-53a + - name: sort-id + value: cm-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-3" + rel: required + parts: + - id: cm-3.2_smt + name: statement + prose: Test, validate, and document changes to the system before + finalizing the implementation of the changes. + - id: cm-3.2_gdn + name: guidance + prose: Changes to systems include modifications to hardware, software, + or firmware components and configuration settings defined in [CM-6](#cm-6) + . Organizations ensure that testing does not interfere with system + operations that support organizational mission and business functions. + Individuals or groups conducting tests understand security and + privacy policies and procedures, system security and privacy policies + and procedures, and the health, safety, and environmental risks + associated with specific facilities or processes. Operational + systems may need to be taken offline, or replicated to the extent + feasible, before testing can be conducted. If systems must be + taken offline for testing, the tests are scheduled to occur during + planned system outages whenever possible. If the testing cannot + be conducted on operational systems, organizations employ compensating + controls. + - id: cm-3.2_obj + name: assessment-objective + props: + - name: label + value: CM-03(02) + class: sp800-53a + parts: + - id: cm-3.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-03(02)[01] + class: sp800-53a + prose: changes to the system are tested before finalizing the + implementation of the changes; + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-03(02)[02] + class: sp800-53a + prose: changes to the system are validated before finalizing + the implementation of the changes; + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-03(02)[03] + class: sp800-53a + prose: changes to the system are documented before finalizing + the implementation of the changes. + links: + - href: "#cm-3.2_smt" + rel: assessment-for + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + configuration management plan + + + procedures addressing system configuration change control + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + test records + + + validation records + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + members of change control board or similar + - id: cm-3.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for configuration change + control + + + mechanisms supporting and/or implementing, testing, validating, + and documenting system changes + - id: cm-3.4 + class: SP800-53-enhancement + title: Security and Privacy Representatives + params: + - id: cm-3.4_prm_1 + label: organization-defined security and privacy representatives + - id: cm-03.04_odp.01 + label: security representatives + guidelines: + - prose: security representatives required to be members of the + change control element are defined; + - id: cm-03.04_odp.02 + label: privacy representatives + guidelines: + - prose: privacy representatives required to be members of the + change control element are defined; + - id: cm-03.04_odp.03 + label: configuration change control element + constraints: + - description: Configuration control board (CCB) or similar (as + defined in CM-3) + guidelines: + - prose: the configuration change control element of which the + security and privacy representatives are to be members is + defined; + props: + - name: label + value: CM-3(4) + - name: label + value: CM-03(04) + class: sp800-53a + - name: sort-id + value: cm-03.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: required + parts: + - id: cm-3.4_smt + name: statement + prose: "Require {{ insert: param, cm-3.4_prm_1 }} to be members\ + \ of the {{ insert: param, cm-03.04_odp.03 }}." + - id: cm-3.4_gdn + name: guidance + prose: Information security and privacy representatives include + system security officers, senior agency information security officers, + senior agency officials for privacy, or system privacy officers. + Representation by personnel with information security and privacy + expertise is important because changes to system configurations + can have unintended side effects, some of which may be security- + or privacy-relevant. Detecting such changes early in the process + can help avoid unintended, negative consequences that could ultimately + affect the security and privacy posture of systems. The configuration + change control element referred to in the second organization-defined + parameter reflects the change control elements defined by organizations + in [CM-3g](#cm-3_smt.g). + - id: cm-3.4_obj + name: assessment-objective + props: + - name: label + value: CM-03(04) + class: sp800-53a + parts: + - id: cm-3.4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-03(04)[01] + class: sp800-53a + prose: " {{ insert: param, cm-03.04_odp.01 }} are required to\ + \ be members of the {{ insert: param, cm-03.04_odp.03 }};" + links: + - href: "#cm-3.4_smt" + rel: assessment-for + - id: cm-3.4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-03(04)[02] + class: sp800-53a + prose: " {{ insert: param, cm-03.04_odp.02 }} are required to\ + \ be members of the {{ insert: param, cm-03.04_odp.03 }}." + links: + - href: "#cm-3.4_smt" + rel: assessment-for + links: + - href: "#cm-3.4_smt" + rel: assessment-for + - id: cm-3.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-3.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + members of change control board or similar + - id: cm-3.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for configuration change control + - id: cm-3.6 + class: SP800-53-enhancement + title: Cryptography Management + params: + - id: cm-03.06_odp + label: controls + constraints: + - description: All security safeguards that rely on cryptography + guidelines: + - prose: controls provided by cryptographic mechanisms that are + to be under configuration management are defined; + props: + - name: label + value: CM-3(6) + - name: label + value: CM-03(06) + class: sp800-53a + - name: sort-id + value: cm-03.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: required + - href: "#sc-12" + rel: related + parts: + - id: cm-3.6_smt + name: statement + prose: "Ensure that cryptographic mechanisms used to provide the\ + \ following controls are under configuration management: {{ insert:\ + \ param, cm-03.06_odp }}." + - id: cm-3.6_gdn + name: guidance + prose: The controls referenced in the control enhancement refer + to security and privacy controls from the control catalog. Regardless + of the cryptographic mechanisms employed, processes and procedures + are in place to manage those mechanisms. For example, if system + components use certificates for identification and authentication, + a process is implemented to address the expiration of those certificates. + - id: cm-3.6_obj + name: assessment-objective + props: + - name: label + value: CM-03(06) + class: sp800-53a + prose: "cryptographic mechanisms used to provide {{ insert: param,\ + \ cm-03.06_odp }} are under configuration management." + links: + - href: "#cm-3.6_smt" + rel: assessment-for + - id: cm-3.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: cm-3.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + members of change control board or similar + - id: cm-3.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for configuration change + control + + + cryptographic mechanisms implementing organizational security + safeguards (controls) + - id: cm-4 + class: SP800-53 + title: Impact Analyses + props: + - name: label + value: CM-4 + - name: label + value: CM-04 + class: sp800-53a + - name: sort-id + value: cm-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-2" + rel: related + parts: + - id: cm-4_smt + name: statement + prose: Analyze changes to the system to determine potential security + and privacy impacts prior to change implementation. + - id: cm-4_gdn + name: guidance + prose: Organizational personnel with security or privacy responsibilities + conduct impact analyses. Individuals conducting impact analyses possess + the necessary skills and technical expertise to analyze the changes + to systems as well as the security or privacy ramifications. Impact + analyses include reviewing security and privacy plans, policies, and + procedures to understand control requirements; reviewing system design + documentation and operational procedures to understand control implementation + and how specific system changes might affect the controls; reviewing + the impact of changes on organizational supply chain partners with + stakeholders; and determining how potential changes to a system create + new risks to the privacy of individuals and the ability of implemented + controls to mitigate those risks. Impact analyses also include risk + assessments to understand the impact of the changes and determine + if additional controls are required. + - id: cm-4_obj + name: assessment-objective + props: + - name: label + value: CM-04 + class: sp800-53a + parts: + - id: cm-4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04[01] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + security impacts prior to change implementation; + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04[02] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + privacy impacts prior to change implementation. + links: + - href: "#cm-4_smt" + rel: assessment-for + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes to + the system + + + procedures addressing privacy impact analyses for changes to the + system + + + configuration management plan + + + security impact analysis documentation + + + privacy impact analysis documentation + + + privacy impact assessment + + + privacy risk assessment documentation, system design documentation + + + analysis tools and associated outputs + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for conducting + security impact analyses + + + organizational personnel with responsibility for conducting privacy + impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system developer + + + system/network administrators + + + members of change control board or similar + - id: cm-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for security impact analyses + + organizational processes for privacy impact analyses + controls: + - id: cm-4.1 + class: SP800-53-enhancement + title: Separate Test Environments + props: + - name: label + value: CM-4(1) + - name: label + value: CM-04(01) + class: sp800-53a + - name: sort-id + value: cm-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-4" + rel: required + - href: "#sa-11" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cm-4.1_smt + name: statement + prose: Analyze changes to the system in a separate test environment + before implementation in an operational environment, looking for + security and privacy impacts due to flaws, weaknesses, incompatibility, + or intentional malice. + - id: cm-4.1_gdn + name: guidance + prose: A separate test environment requires an environment that + is physically or logically separate and distinct from the operational + environment. The separation is sufficient to ensure that activities + in the test environment do not impact activities in the operational + environment and that information in the operational environment + is not inadvertently transmitted to the test environment. Separate + environments can be achieved by physical or logical means. If + physically separate test environments are not implemented, organizations + determine the strength of mechanism required when implementing + logical separation. + - id: cm-4.1_obj + name: assessment-objective + props: + - name: label + value: CM-04(01) + class: sp800-53a + parts: + - id: cm-4.1_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04(01)[01] + class: sp800-53a + prose: changes to the system are analyzed in a separate test + environment before implementation in an operational environment; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04(01)[02] + class: sp800-53a + prose: changes to the system are analyzed for security impacts + due to flaws; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-3 + name: assessment-objective + props: + - name: label + value: CM-04(01)[03] + class: sp800-53a + prose: changes to the system are analyzed for privacy impacts + due to flaws; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-4 + name: assessment-objective + props: + - name: label + value: CM-04(01)[04] + class: sp800-53a + prose: changes to the system are analyzed for security impacts + due to weaknesses; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-5 + name: assessment-objective + props: + - name: label + value: CM-04(01)[05] + class: sp800-53a + prose: changes to the system are analyzed for privacy impacts + due to weaknesses; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-6 + name: assessment-objective + props: + - name: label + value: CM-04(01)[06] + class: sp800-53a + prose: changes to the system are analyzed for security impacts + due to incompatibility; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-7 + name: assessment-objective + props: + - name: label + value: CM-04(01)[07] + class: sp800-53a + prose: changes to the system are analyzed for privacy impacts + due to incompatibility; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-8 + name: assessment-objective + props: + - name: label + value: CM-04(01)[08] + class: sp800-53a + prose: changes to the system are analyzed for security impacts + due to intentional malice; + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_obj-9 + name: assessment-objective + props: + - name: label + value: CM-04(01)[09] + class: sp800-53a + prose: changes to the system are analyzed for privacy impacts + due to intentional malice. + links: + - href: "#cm-4.1_smt" + rel: assessment-for + links: + - href: "#cm-4.1_smt" + rel: assessment-for + - id: cm-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes + to the system + + + procedures addressing privacy impact analyses for changes + to the system + + + configuration management plan + + + security impact analysis documentation + + + privacy impact analysis documentation + + + privacy impact assessment + + + privacy risk assessment documentation + + + analysis tools and associated outputs system design documentation + + + system architecture and configuration documentation + + + change control records + + + procedures addressing the authority to test with PII + + + system audit records + + + documentation of separate test and operational environments + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + conducting security and privacy impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + members of change control board or similar + - id: cm-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy impact + analyses + + + mechanisms supporting and/or implementing security and privacy + impact analyses of changes + - id: cm-4.2 + class: SP800-53-enhancement + title: Verification of Controls + props: + - name: label + value: CM-4(2) + - name: label + value: CM-04(02) + class: sp800-53a + - name: sort-id + value: cm-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-4" + rel: required + - href: "#sa-11" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-4.2_smt + name: statement + prose: After system changes, verify that the impacted controls are + implemented correctly, operating as intended, and producing the + desired outcome with regard to meeting the security and privacy + requirements for the system. + - id: cm-4.2_gdn + name: guidance + prose: Implementation in this context refers to installing changed + code in the operational system that may have an impact on security + or privacy controls. + - id: cm-4.2_obj + name: assessment-objective + props: + - name: label + value: CM-04(02) + class: sp800-53a + parts: + - id: cm-4.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04(02)[01] + class: sp800-53a + prose: the impacted controls are implemented correctly with + regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04(02)[02] + class: sp800-53a + prose: the impacted controls are implemented correctly with + regard to meeting the privacy requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-04(02)[03] + class: sp800-53a + prose: the impacted controls are operating as intended with + regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-4 + name: assessment-objective + props: + - name: label + value: CM-04(02)[04] + class: sp800-53a + prose: the impacted controls are operating as intended with + regard to meeting the privacy requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-5 + name: assessment-objective + props: + - name: label + value: CM-04(02)[05] + class: sp800-53a + prose: the impacted controls are producing the desired outcome + with regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-6 + name: assessment-objective + props: + - name: label + value: CM-04(02)[06] + class: sp800-53a + prose: the impacted controls are producing the desired outcome + with regard to meeting the privacy requirements for the system + after system changes. + links: + - href: "#cm-4.2_smt" + rel: assessment-for + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes + to the system + + + procedures addressing privacy impact analyses for changes + to the system + + + privacy risk assessment documentation + + + configuration management plan + + + security and privacy impact analysis documentation + + + privacy impact assessment + + + analysis tools and associated outputs + + + change control records + + + control assessment results + + + system audit records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + conducting security and privacy impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + security and privacy assessors + - id: cm-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy impact + analyses + + + mechanisms supporting and/or implementing security and privacy + impact analyses of changes + - id: cm-5 + class: SP800-53 + title: Access Restrictions for Change + props: + - name: label + value: CM-5 + - name: label + value: CM-05 + class: sp800-53a + - name: sort-id + value: cm-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-10" + rel: related + parts: + - id: cm-5_smt + name: statement + prose: Define, document, approve, and enforce physical and logical access + restrictions associated with changes to the system. + - id: cm-5_gdn + name: guidance + prose: Changes to the hardware, software, or firmware components of + systems or the operational procedures related to the system can potentially + have significant effects on the security of the systems or individuals’ + privacy. Therefore, organizations permit only qualified and authorized + individuals to access systems for purposes of initiating changes. + Access restrictions include physical and logical access controls (see + [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, + media libraries, abstract layers (i.e., changes implemented into external + interfaces rather than directly into systems), and change windows + (i.e., changes occur only during specified times). + - id: cm-5_obj + name: assessment-objective + props: + - name: label + value: CM-05 + class: sp800-53a + parts: + - id: cm-5_obj-1 + name: assessment-objective + props: + - name: label + value: CM-05[01] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-2 + name: assessment-objective + props: + - name: label + value: CM-05[02] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-3 + name: assessment-objective + props: + - name: label + value: CM-05[03] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are enforced; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-4 + name: assessment-objective + props: + - name: label + value: CM-05[04] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-5 + name: assessment-objective + props: + - name: label + value: CM-05[05] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-6 + name: assessment-objective + props: + - name: label + value: CM-05[06] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are enforced. + links: + - href: "#cm-5_smt" + rel: assessment-for + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + logical access approvals + + + physical access approvals + + + access credentials + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access restrictions to + change + + + mechanisms supporting, implementing, or enforcing access restrictions + associated with changes to the system + controls: + - id: cm-5.1 + class: SP800-53-enhancement + title: Automated Access Enforcement and Audit Records + params: + - id: cm-05.01_odp + label: automated mechanisms + guidelines: + - prose: mechanisms used to automate the enforcement of access + restrictions are defined; + props: + - name: label + value: CM-5(1) + - name: label + value: CM-05(01) + class: sp800-53a + - name: sort-id + value: cm-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-5" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-5.1_smt + name: statement + parts: + - id: cm-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Enforce access restrictions using {{ insert: param,\ + \ cm-05.01_odp }} ; and" + - id: cm-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Automatically generate audit records of the enforcement + actions. + - id: cm-5.1_gdn + name: guidance + prose: Organizations log system accesses associated with applying + configuration changes to ensure that configuration change control + is implemented and to support after-the-fact actions should organizations + discover any unauthorized changes. + - id: cm-5.1_obj + name: assessment-objective + props: + - name: label + value: CM-05(01) + class: sp800-53a + parts: + - id: cm-5.1_obj.a + name: assessment-objective + props: + - name: label + value: CM-05(01)(a) + class: sp800-53a + prose: "access restrictions for change are enforced using {{\ + \ insert: param, cm-05.01_odp }};" + links: + - href: "#cm-5.1_smt.a" + rel: assessment-for + - id: cm-5.1_obj.b + name: assessment-objective + props: + - name: label + value: CM-05(01)(b) + class: sp800-53a + prose: audit records of enforcement actions are automatically + generated. + links: + - href: "#cm-5.1_smt.b" + rel: assessment-for + links: + - href: "#cm-5.1_smt" + rel: assessment-for + - id: cm-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the + system + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access + restrictions to change + + + automated mechanisms implementing the enforcement of access + restrictions for changes to the system + + + automated mechanisms supporting auditing of enforcement actions + - id: cm-5.5 + class: SP800-53-enhancement + title: Privilege Limitation for Production and Operation + params: + - id: cm-5.5_prm_1 + label: organization-defined frequency + constraints: + - description: at least quarterly + - id: cm-05.05_odp.01 + label: frequency + guidelines: + - prose: frequency at which to review privileges is defined; + - id: cm-05.05_odp.02 + label: frequency + guidelines: + - prose: frequency at which to reevaluate privileges is defined; + props: + - name: label + value: CM-5(5) + - name: label + value: CM-05(05) + class: sp800-53a + - name: sort-id + value: cm-05.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-5" + rel: required + - href: "#ac-2" + rel: related + parts: + - id: cm-5.5_smt + name: statement + parts: + - id: cm-5.5_smt.a + name: item + props: + - name: label + value: (a) + prose: Limit privileges to change system components and system-related + information within a production or operational environment; + and + - id: cm-5.5_smt.b + name: item + props: + - name: label + value: (b) + prose: "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1\ + \ }}." + - id: cm-5.5_gdn + name: guidance + prose: In many organizations, systems support multiple mission and + business functions. Limiting privileges to change system components + with respect to operational systems is necessary because changes + to a system component may have far-reaching effects on mission + and business processes supported by the system. The relationships + between systems and mission/business processes are, in some cases, + unknown to developers. System-related information includes operational + procedures. + - id: cm-5.5_obj + name: assessment-objective + props: + - name: label + value: CM-05(05) + class: sp800-53a + parts: + - id: cm-5.5_obj.a + name: assessment-objective + props: + - name: label + value: CM-05(05)(a) + class: sp800-53a + parts: + - id: cm-5.5_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-05(05)(a)[01] + class: sp800-53a + prose: privileges to change system components within a production + or operational environment are limited; + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + - id: cm-5.5_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-05(05)(a)[02] + class: sp800-53a + prose: privileges to change system-related information within + a production or operational environment are limited; + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + - id: cm-5.5_obj.b + name: assessment-objective + props: + - name: label + value: CM-05(05)(b) + class: sp800-53a + parts: + - id: cm-5.5_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-05(05)(b)[01] + class: sp800-53a + prose: "privileges are reviewed {{ insert: param, cm-05.05_odp.01\ + \ }};" + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + - id: cm-5.5_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-05(05)(b)[02] + class: sp800-53a + prose: "privileges are reevaluated {{ insert: param, cm-05.05_odp.02\ + \ }}." + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + links: + - href: "#cm-5.5_smt" + rel: assessment-for + - id: cm-5.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the + system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + user privilege reviews + + + user privilege recertifications + + + system component inventory + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + - id: cm-5.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access + restrictions to change + + + mechanisms supporting and/or implementing access restrictions + for change + - id: cm-6 + class: SP800-53 + title: Configuration Settings + params: + - id: cm-06_odp.01 + label: common secure configurations + guidelines: + - prose: common secure configurations to establish and document configuration + settings for components employed within the system are defined; + - id: cm-06_odp.02 + label: system components + guidelines: + - prose: system components for which approval of deviations is needed + are defined; + - id: cm-06_odp.03 + label: operational requirements + guidelines: + - prose: operational requirements necessitating approval of deviations + are defined; + props: + - name: label + value: CM-6 + - name: label + value: CM-06 + class: sp800-53a + - name: sort-id + value: cm-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98498928-3ca3-44b3-8b1e-f48685373087" + rel: reference + - href: "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e" + rel: reference + - href: "#aa66e14f-e7cb-4a37-99d2-07578dfd4608" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-6_smt + name: statement + parts: + - id: cm-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish and document configuration settings for components\ + \ employed within the system that reflect the most restrictive\ + \ mode consistent with operational requirements using {{ insert:\ + \ param, cm-06_odp.01 }};" + - id: cm-6_smt.b + name: item + props: + - name: label + value: b. + prose: Implement the configuration settings; + - id: cm-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Identify, document, and approve any deviations from established\ + \ configuration settings for {{ insert: param, cm-06_odp.02 }}\ + \ based on {{ insert: param, cm-06_odp.03 }} ; and" + - id: cm-6_smt.d + name: item + props: + - name: label + value: d. + prose: Monitor and control changes to the configuration settings + in accordance with organizational policies and procedures. + - id: cm-6_fr + name: item + title: CM-6 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-6_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement 1:" + prose: The service provider shall use the DoD STIGs to establish + configuration settings; Center for Internet Security up to + Level 2 (CIS Level 2) guidelines shall be used if STIGs are + not available; Custom baselines shall be used if CIS is not + available. + - id: cm-6_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement 2:" + prose: The service provider shall ensure that checklists for + configuration settings are Security Content Automation Protocol + (SCAP) validated or SCAP compatible (if validated checklists + are not available). + - id: cm-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Compliance checks are used to evaluate configuration + settings and provide general insight into the overall + effectiveness of configuration management activities. + CSPs and 3PAOs typically combine compliance check + findings into a single CM-6 finding, which is + acceptable. However, for initial assessments, annual + assessments, and significant change requests, FedRAMP + requires a clear understanding, on a per-control basis, + where risks exist. Therefore, 3PAOs must also analyze + compliance check findings as part of the controls + assessment. Where a direct mapping exists, the 3PAO must + document additional findings per control in the + corresponding SAR Risk Exposure Table (RET), which are + then documented in the CSP’s Plan of Action and + Milestones (POA&M). This will likely result in the + details of individual control findings overlapping with + those in the combined CM-6 finding, which is acceptable. + + + During monthly continuous monitoring, new findings from CSP + compliance checks may be combined into a single CM-6 POA&M + item. CSPs are not required to map the findings to specific + controls because controls are only assessed during initial + assessments, annual assessments, and significant change requests. + - id: cm-6_gdn + name: guidance + prose: >- + Configuration settings are the parameters that can be changed in + the hardware, software, or firmware components of the system + that affect the security and privacy posture or functionality of + the system. Information technology products for which + configuration settings can be defined include mainframe + computers, servers, workstations, operating systems, mobile + devices, input/output devices, protocols, and applications. + Parameters that impact the security posture of systems include + registry settings; account, file, or directory permission + settings; and settings for functions, protocols, ports, + services, and remote connections. Privacy parameters are + parameters impacting the privacy posture of systems, including + the parameters required to satisfy other privacy controls. + Privacy parameters include settings for access controls, data + processing preferences, and processing and retention + permissions. Organizations establish organization-wide + configuration settings and subsequently derive specific + configuration settings for systems. The established settings + become part of the configuration baseline for the system. + + + Common secure configurations (also known as security configuration + checklists, lockdown and hardening guides, and security reference + guides) provide recognized, standardized, and established benchmarks + that stipulate secure configuration settings for information technology + products and platforms as well as instructions for configuring those + products or platforms to meet operational requirements. Common secure + configurations can be developed by a variety of organizations, including + information technology product developers, manufacturers, vendors, + federal agencies, consortia, academia, industry, and other organizations + in the public and private sectors. + + + Implementation of a common secure configuration may be mandated at + the organization level, mission and business process level, system + level, or at a higher level, including by a regulatory agency. Common + secure configurations include the United States Government Configuration + Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security + technical implementation guides (STIGs), which affect the implementation + of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) + . The Security Content Automation Protocol (SCAP) and the defined + standards within the protocol provide an effective method to uniquely + identify, track, and control configuration settings. + - id: cm-6_obj + name: assessment-objective + props: + - name: label + value: CM-06 + class: sp800-53a + parts: + - id: cm-6_obj.a + name: assessment-objective + props: + - name: label + value: CM-06a. + class: sp800-53a + prose: "configuration settings that reflect the most restrictive\ + \ mode consistent with operational requirements are established\ + \ and documented for components employed within the system using\ + \ {{ insert: param, cm-06_odp.01 }};" + links: + - href: "#cm-6_smt.a" + rel: assessment-for + - id: cm-6_obj.b + name: assessment-objective + props: + - name: label + value: CM-06b. + class: sp800-53a + prose: the configuration settings documented in CM-06a are implemented; + links: + - href: "#cm-6_smt.b" + rel: assessment-for + - id: cm-6_obj.c + name: assessment-objective + props: + - name: label + value: CM-06c. + class: sp800-53a + parts: + - id: cm-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-06c.[01] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are identified and\ + \ documented based on {{ insert: param, cm-06_odp.03 }};" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-06c.[02] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are approved;" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.d + name: assessment-objective + props: + - name: label + value: CM-06d. + class: sp800-53a + parts: + - id: cm-6_obj.d-1 + name: assessment-objective + props: + - name: label + value: CM-06d.[01] + class: sp800-53a + prose: changes to the configuration settings are monitored in + accordance with organizational policies and procedures; + links: + - href: "#cm-6_smt.d" + rel: assessment-for + - id: cm-6_obj.d-2 + name: assessment-objective + props: + - name: label + value: CM-06d.[02] + class: sp800-53a + prose: changes to the configuration settings are controlled + in accordance with organizational policies and procedures. + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt" + rel: assessment-for + - id: cm-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + system component inventory + + + evidence supporting approved deviations from established configuration + settings + + + change control records + + + system data processing and retention permissions + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with privacy configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration settings + + + mechanisms that implement, monitor, and/or control system configuration + settings + + + mechanisms that identify and/or document deviations from established + configuration settings + controls: + - id: cm-6.1 + class: SP800-53-enhancement + title: Automated Management, Application, and Verification + params: + - id: cm-6.1_prm_2 + label: organization-defined automated mechanisms + - id: cm-06.01_odp.01 + label: system components + guidelines: + - prose: system components for which to manage, apply, and verify + configuration settings are defined; + - id: cm-06.01_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to manage configuration settings + are defined; + - id: cm-06.01_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to apply configuration settings + are defined; + - id: cm-06.01_odp.04 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to verify configuration settings + are defined; + props: + - name: label + value: CM-6(1) + - name: label + value: CM-06(01) + class: sp800-53a + - name: sort-id + value: cm-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-6" + rel: required + - href: "#ca-7" + rel: related + parts: + - id: cm-6.1_smt + name: statement + prose: "Manage, apply, and verify configuration settings for {{\ + \ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2\ + \ }}." + - id: cm-6.1_gdn + name: guidance + prose: Automated tools (e.g., hardening tools, baseline configuration + tools) can improve the accuracy, consistency, and availability + of configuration settings information. Automation can also provide + data aggregation and data correlation capabilities, alerting mechanisms, + and dashboards to support risk-based decision-making within the + organization. + - id: cm-6.1_obj + name: assessment-objective + props: + - name: label + value: CM-06(01) + class: sp800-53a + parts: + - id: cm-6.1_obj-1 + name: assessment-objective + props: + - name: label + value: CM-06(01)[01] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are managed using {{ insert: param, cm-06.01_odp.02 }};" + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_obj-2 + name: assessment-objective + props: + - name: label + value: CM-06(01)[02] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are applied using {{ insert: param, cm-06.01_odp.03 }};" + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_obj-3 + name: assessment-objective + props: + - name: label + value: CM-06(01)[03] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are verified using {{ insert: param, cm-06.01_odp.04\ + \ }}." + links: + - href: "#cm-6.1_smt" + rel: assessment-for + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + system component inventory + + + common secure configuration checklists + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: cm-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration + settings + + + automated mechanisms implemented to manage, apply, and verify + system configuration settings + - id: cm-6.2 + class: SP800-53-enhancement + title: Respond to Unauthorized Changes + params: + - id: cm-06.02_odp.01 + label: actions + guidelines: + - prose: actions to be taken upon an unauthorized change are defined; + - id: cm-06.02_odp.02 + label: configuration settings + guidelines: + - prose: configuration settings requiring action upon an unauthorized + change are defined; + props: + - name: label + value: CM-6(2) + - name: label + value: CM-06(02) + class: sp800-53a + - name: sort-id + value: cm-06.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-6" + rel: required + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-6.2_smt + name: statement + prose: "Take the following actions in response to unauthorized changes\ + \ to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01\ + \ }}." + - id: cm-6.2_gdn + name: guidance + prose: Responses to unauthorized changes to configuration settings + include alerting designated organizational personnel, restoring + established configuration settings, or—in extreme cases—halting + affected system processing. + - id: cm-6.2_obj + name: assessment-objective + props: + - name: label + value: CM-06(02) + class: sp800-53a + prose: " {{ insert: param, cm-06.02_odp.01 }} are taken in response\ + \ to unauthorized changes to {{ insert: param, cm-06.02_odp.02\ + \ }}." + links: + - href: "#cm-6.2_smt" + rel: assessment-for + - id: cm-6.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + alerts/notifications of unauthorized changes to system configuration + settings + + + system component inventory + + + documented responses to unauthorized changes to system configuration + settings + + + change control records + + + system audit records + + + other relevant documents or records + - id: cm-6.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with security and privacy responsibilities + + + system/network administrators + - id: cm-6.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for responding to unauthorized + changes to system configuration settings + + + mechanisms supporting and/or implementing actions in response + to unauthorized changes + - id: cm-7 + class: SP800-53 + title: Least Functionality + params: + - id: cm-7_prm_2 + label: organization-defined prohibited or restricted functions, system + ports, protocols, software, and/or services + - id: cm-07_odp.01 + label: mission-essential capabilities + guidelines: + - prose: mission-essential capabilities for the system are defined; + - id: cm-07_odp.02 + label: functions + guidelines: + - prose: functions to be prohibited or restricted are defined; + - id: cm-07_odp.03 + label: ports + guidelines: + - prose: ports to be prohibited or restricted are defined; + - id: cm-07_odp.04 + label: protocols + guidelines: + - prose: protocols to be prohibited or restricted are defined; + - id: cm-07_odp.05 + label: software + guidelines: + - prose: software to be prohibited or restricted is defined; + - id: cm-07_odp.06 + label: services + guidelines: + - prose: services to be prohibited or restricted are defined; + props: + - name: label + value: CM-7 + - name: label + value: CM-07 + class: sp800-53a + - name: sort-id + value: cm-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#38f39739-1ebd-43b1-8b8c-00f591d89ebd" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-4" + rel: related + parts: + - id: cm-7_smt + name: statement + parts: + - id: cm-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Configure the system to provide only {{ insert: param, cm-07_odp.01\ + \ }} ; and" + - id: cm-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit or restrict the use of the following functions,\ + \ ports, protocols, software, and/or services: {{ insert: param,\ + \ cm-7_prm_2 }}." + - id: cm-7_fr + name: item + title: CM-7 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-7_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider shall use Security guidelines (See + CM-6) to establish list of prohibited or restricted functions, + ports, protocols, and/or services or establishes its own list + of prohibited or restricted functions, ports, protocols, and/or + services if STIGs or CIS is not available. + - id: cm-7_gdn + name: guidance + prose: Systems provide a wide variety of functions and services. Some + of the functions and services routinely provided by default may not + be necessary to support essential organizational missions, functions, + or operations. Additionally, it is sometimes convenient to provide + multiple services from a single system component, but doing so increases + risk over limiting the services provided by that single component. + Where feasible, organizations limit component functionality to a single + function per component. Organizations consider removing unused or + unnecessary software and disabling unused or unnecessary physical + and logical ports and protocols to prevent unauthorized connection + of components, transfer of information, and tunneling. Organizations + employ network scanning tools, intrusion detection and prevention + systems, and end-point protection technologies, such as firewalls + and host-based intrusion detection systems, to identify and prevent + the use of prohibited functions, protocols, ports, and services. Least + functionality can also be achieved as part of the fundamental design + and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , + and [SC-3](#sc-3)). + - id: cm-7_obj + name: assessment-objective + props: + - name: label + value: CM-07 + class: sp800-53a + parts: + - id: cm-7_obj.a + name: assessment-objective + props: + - name: label + value: CM-07a. + class: sp800-53a + prose: "the system is configured to provide only {{ insert: param,\ + \ cm-07_odp.01 }};" + links: + - href: "#cm-7_smt.a" + rel: assessment-for + - id: cm-7_obj.b + name: assessment-objective + props: + - name: label + value: CM-07b. + class: sp800-53a + parts: + - id: cm-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-07b.[01] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.02 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-07b.[02] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.03 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-07b.[03] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.04 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-4 + name: assessment-objective + props: + - name: label + value: CM-07b.[04] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.05 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-5 + name: assessment-objective + props: + - name: label + value: CM-07b.[05] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.06 }} is prohibited\ + \ or restricted." + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt" + rel: assessment-for + - id: cm-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing least functionality in the system + + configuration management plan + + system design documentation + + system configuration settings and associated documentation + + system component inventory + + common secure configuration checklists + + system security plan + + other relevant documents or records + - id: cm-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes prohibiting or restricting + functions, ports, protocols, software, and/or services + + + mechanisms implementing restrictions or prohibition of functions, + ports, protocols, software, and/or services + controls: + - id: cm-7.1 + class: SP800-53-enhancement + title: Periodic Review + params: + - id: cm-7.1_prm_2 + label: organization-defined functions, ports, protocols, software, + and services within the system deemed to be unnecessary and/or + nonsecure + - id: cm-07.01_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review the system to identify + unnecessary and/or non-secure functions, ports, protocols, + software, and/or services is defined; + - id: cm-07.01_odp.02 + label: functions + guidelines: + - prose: functions to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.03 + label: ports + guidelines: + - prose: ports to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.04 + label: protocols + guidelines: + - prose: protocols to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.05 + label: software + guidelines: + - prose: software to be disabled or removed when deemed unnecessary + or non-secure is defined; + - id: cm-07.01_odp.06 + label: services + guidelines: + - prose: services to be disabled or removed when deemed unnecessary + or non-secure are defined; + props: + - name: label + value: CM-7(1) + - name: label + value: CM-07(01) + class: sp800-53a + - name: sort-id + value: cm-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#ac-18" + rel: related + parts: + - id: cm-7.1_smt + name: statement + parts: + - id: cm-7.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Review the system {{ insert: param, cm-07.01_odp.01\ + \ }} to identify unnecessary and/or nonsecure functions, ports,\ + \ protocols, software, and services; and" + - id: cm-7.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + - id: cm-7.1_gdn + name: guidance + prose: Organizations review functions, ports, protocols, and services + provided by systems or system components to determine the functions + and services that are candidates for elimination. Such reviews + are especially important during transition periods from older + technologies to newer technologies (e.g., transition from IPv4 + to IPv6). These technology transitions may require implementing + the older and newer technologies simultaneously during the transition + period and returning to minimum essential functions, ports, protocols, + and services at the earliest opportunity. Organizations can either + decide the relative security of the function, port, protocol, + and/or service or base the security decision on the assessment + of other entities. Unsecure protocols include Bluetooth, FTP, + and peer-to-peer networking. + - id: cm-7.1_obj + name: assessment-objective + props: + - name: label + value: CM-07(01) + class: sp800-53a + parts: + - id: cm-7.1_obj.a + name: assessment-objective + props: + - name: label + value: CM-07(01)(a) + class: sp800-53a + prose: "the system is reviewed {{ insert: param, cm-07.01_odp.01\ + \ }} to identify unnecessary and/or non-secure functions,\ + \ ports, protocols, software, and services:" + links: + - href: "#cm-7.1_smt.a" + rel: assessment-for + - id: cm-7.1_obj.b + name: assessment-objective + props: + - name: label + value: CM-07(01)(b) + class: sp800-53a + parts: + - id: cm-7.1_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[01] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.02 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[02] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.03 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[03] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.04 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-4 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[04] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.05 }} deemed to\ + \ be unnecessary and/or non-secure is disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-5 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[05] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.06 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed." + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + links: + - href: "#cm-7.1_smt" + rel: assessment-for + - id: cm-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + documented reviews of functions, ports, protocols, and/or + services + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing functions, ports, protocols, and services on + the system + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for reviewing or disabling + functions, ports, protocols, and services on the system + + + mechanisms implementing review and disabling of functions, + ports, protocols, and/or services + - id: cm-7.2 + class: SP800-53-enhancement + title: Prevent Program Execution + params: + - id: cm-07.02_odp.01 + select: + how-many: one-or-more + choice: + - " {{ insert: param, cm-07.02_odp.02 }} " + - rules authorizing the terms and conditions of software program + usage + - id: cm-07.02_odp.02 + label: policies, rules of behavior, and/or access agreements regarding + software program usage and restrictions + guidelines: + - prose: policies, rules of behavior, and/or access agreements + regarding software program usage and restrictions are defined + (if selected); + props: + - name: label + value: CM-7(2) + - name: label + value: CM-07(02) + class: sp800-53a + - name: sort-id + value: cm-07.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: cm-7.2_smt + name: statement + prose: "Prevent program execution in accordance with {{ insert:\ + \ param, cm-07.02_odp.01 }}." + parts: + - id: cm-7.2_fr + name: item + title: CM-7 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: cm-7.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: This control refers to software deployment by CSP + personnel into the production environment. The control + requires a policy that states conditions for deploying + software. This control shall be implemented in a technical + manner on the information system to only allow programs + to run that adhere to the policy (i.e. allow-listing). + This control is not to be based off of strictly written + policy on what is allowed or not allowed to run. + - id: cm-7.2_gdn + name: guidance + prose: Prevention of program execution addresses organizational + policies, rules of behavior, and/or access agreements that restrict + software usage and the terms and conditions imposed by the developer + or manufacturer, including software licensing and copyrights. + Restrictions include prohibiting auto-execute features, restricting + roles allowed to approve program execution, permitting or prohibiting + specific software programs, or restricting the number of program + instances executed at the same time. + - id: cm-7.2_obj + name: assessment-objective + props: + - name: label + value: CM-07(02) + class: sp800-53a + prose: "program execution is prevented in accordance with {{ insert:\ + \ param, cm-07.02_odp.01 }}." + links: + - href: "#cm-7.2_smt" + rel: assessment-for + - id: cm-7.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + system component inventory + + + common secure configuration checklists + + + specifications for preventing software program execution + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: cm-7.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes preventing program execution on + the system + + + organizational processes for software program usage and restrictions + + + mechanisms preventing program execution on the system + + + mechanisms supporting and/or implementing software program + usage and restrictions + - id: cm-7.5 + class: SP800-53-enhancement + title: Authorized Software — Allow-by-exception + params: + - id: cm-07.05_odp.01 + label: software programs + guidelines: + - prose: software programs authorized to execute on the system + are defined; + - id: cm-07.05_odp.02 + label: frequency + constraints: + - description: at least quarterly or when there is a change + guidelines: + - prose: frequency at which to review and update the list of authorized + software programs is defined; + props: + - name: label + value: CM-7(5) + - name: label + value: CM-07(05) + class: sp800-53a + - name: sort-id + value: cm-07.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-10" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-7.5_smt + name: statement + parts: + - id: cm-7.5_smt.a + name: item + props: + - name: label + value: (a) + prose: "Identify {{ insert: param, cm-07.05_odp.01 }};" + - id: cm-7.5_smt.b + name: item + props: + - name: label + value: (b) + prose: Employ a deny-all, permit-by-exception policy to allow + the execution of authorized software programs on the system; + and + - id: cm-7.5_smt.c + name: item + props: + - name: label + value: (c) + prose: "Review and update the list of authorized software programs\ + \ {{ insert: param, cm-07.05_odp.02 }}." + - id: cm-7.5_gdn + name: guidance + prose: Authorized software programs can be limited to specific versions + or from a specific source. To facilitate a comprehensive authorized + software process and increase the strength of protection for attacks + that bypass application level authorized software, software programs + may be decomposed into and monitored at different levels of detail. + These levels include applications, application programming interfaces, + application modules, scripts, system processes, system services, + kernel functions, registries, drivers, and dynamic link libraries. + The concept of permitting the execution of authorized software + may also be applied to user actions, system ports and protocols, + IP addresses/ranges, websites, and MAC addresses. Organizations + consider verifying the integrity of authorized software programs + using digital signatures, cryptographic checksums, or hash functions. + Verification of authorized software can occur either prior to + execution or at system startup. The identification of authorized + URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7). + - id: cm-7.5_obj + name: assessment-objective + props: + - name: label + value: CM-07(05) + class: sp800-53a + parts: + - id: cm-7.5_obj.a + name: assessment-objective + props: + - name: label + value: CM-07(05)(a) + class: sp800-53a + prose: " {{ insert: param, cm-07.05_odp.01 }} are identified;" + links: + - href: "#cm-7.5_smt.a" + rel: assessment-for + - id: cm-7.5_obj.b + name: assessment-objective + props: + - name: label + value: CM-07(05)(b) + class: sp800-53a + prose: a deny-all, permit-by-exception policy to allow the execution + of authorized software programs on the system is employed; + links: + - href: "#cm-7.5_smt.b" + rel: assessment-for + - id: cm-7.5_obj.c + name: assessment-objective + props: + - name: label + value: CM-07(05)(c) + class: sp800-53a + prose: "the list of authorized software programs is reviewed\ + \ and updated {{ insert: param, cm-07.05_odp.02 }}." + links: + - href: "#cm-7.5_smt.c" + rel: assessment-for + links: + - href: "#cm-7.5_smt" + rel: assessment-for + - id: cm-7.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of software programs authorized to execute on the system + + + system component inventory + + + common secure configuration checklists + + + review and update records associated with list of authorized + software programs + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + identifying software authorized to execute on the system + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-7.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for identifying, reviewing, and + updating programs authorized to execute on the system + + + organizational process for implementing authorized software + policy + + + mechanisms supporting and/or implementing authorized software + policy + - id: cm-8 + class: SP800-53 + title: System Component Inventory + params: + - id: cm-08_odp.01 + label: information + guidelines: + - prose: information deemed necessary to achieve effective system + component accountability is defined; + - id: cm-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to review and update the system component + inventory is defined; + props: + - name: label + value: CM-8 + - name: label + value: CM-08 + class: sp800-53a + - name: sort-id + value: cm-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#70402863-5078-43af-9a6c-e11b0f3ec370" + rel: reference + - href: "#996241f8-f692-42d5-91f1-ce8b752e39e6" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: cm-8_smt + name: statement + parts: + - id: cm-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop and document an inventory of system components that:" + parts: + - id: cm-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Accurately reflects the system; + - id: cm-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Includes all components within the system; + - id: cm-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Does not include duplicate accounting of components or + components assigned to any other system; + - id: cm-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Is at the level of granularity deemed necessary for tracking + and reporting; and + - id: cm-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: "Includes the following information to achieve system\ + \ component accountability: {{ insert: param, cm-08_odp.01\ + \ }} ; and" + - id: cm-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the system component inventory {{ insert:\ + \ param, cm-08_odp.02 }}." + - id: cm-8_fr + name: item + title: CM-8 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: must be provided at least monthly or when there is a + change. + - id: cm-8_gdn + name: guidance + prose: >- + System components are discrete, identifiable information + technology assets that include hardware, software, and firmware. + Organizations may choose to implement centralized system + component inventories that include components from all + organizational systems. In such situations, organizations ensure + that the inventories include system-specific information + required for component accountability. The information necessary + for effective accountability of system components includes the + system name, software owners, software version numbers, hardware + inventory specifications, software license information, and for + networked components, the machine names and network addresses + across all implemented protocols (e.g., IPv4, IPv6). Inventory + specifications include date of receipt, cost, model, serial + number, manufacturer, supplier information, component type, and + physical location. + + + Preventing duplicate accounting of system components addresses the + lack of accountability that occurs when component ownership and system + association is not known, especially in large or complex connected + systems. Effective prevention of duplicate accounting of system components + necessitates use of a unique identifier for each component. For software + inventory, centrally managed software that is accessed via other systems + is addressed as a component of the system on which it is installed + and managed. Software installed on multiple organizational systems + and managed at the system level is addressed for each individual system + and may appear more than once in a centralized component inventory, + necessitating a system association for each software instance in the + centralized inventory to avoid duplicate accounting of components. + Scanning systems implementing multiple network protocols (e.g., IPv4 + and IPv6) can result in duplicate components being identified in different + address spaces. The implementation of [CM-8(7)](#cm-8.7) can help + to eliminate duplicate accounting of components. + - id: cm-8_obj + name: assessment-objective + props: + - name: label + value: CM-08 + class: sp800-53a + parts: + - id: cm-8_obj.a + name: assessment-objective + props: + - name: label + value: CM-08a. + class: sp800-53a + parts: + - id: cm-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-08a.01 + class: sp800-53a + prose: an inventory of system components that accurately reflects + the system is developed and documented; + links: + - href: "#cm-8_smt.a.1" + rel: assessment-for + - id: cm-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: CM-08a.02 + class: sp800-53a + prose: an inventory of system components that includes all components + within the system is developed and documented; + links: + - href: "#cm-8_smt.a.2" + rel: assessment-for + - id: cm-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: CM-08a.03 + class: sp800-53a + prose: an inventory of system components that does not include + duplicate accounting of components or components assigned + to any other system is developed and documented; + links: + - href: "#cm-8_smt.a.3" + rel: assessment-for + - id: cm-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: CM-08a.04 + class: sp800-53a + prose: an inventory of system components that is at the level + of granularity deemed necessary for tracking and reporting + is developed and documented; + links: + - href: "#cm-8_smt.a.4" + rel: assessment-for + - id: cm-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: CM-08a.05 + class: sp800-53a + prose: "an inventory of system components that includes {{ insert:\ + \ param, cm-08_odp.01 }} is developed and documented;" + links: + - href: "#cm-8_smt.a.5" + rel: assessment-for + links: + - href: "#cm-8_smt.a" + rel: assessment-for + - id: cm-8_obj.b + name: assessment-objective + props: + - name: label + value: CM-08b. + class: sp800-53a + prose: "the system component inventory is reviewed and updated {{\ + \ insert: param, cm-08_odp.02 }}." + links: + - href: "#cm-8_smt.b" + rel: assessment-for + links: + - href: "#cm-8_smt" + rel: assessment-for + - id: cm-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system design documentation + + system component inventory + + inventory reviews and update records + + system security plan + + other relevant documents or records + - id: cm-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing the system component + inventory + + + mechanisms supporting and/or implementing system component inventory + controls: + - id: cm-8.1 + class: SP800-53-enhancement + title: Updates During Installation and Removal + props: + - name: label + value: CM-8(1) + - name: label + value: CM-08(01) + class: sp800-53a + - name: sort-id + value: cm-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + - href: "#pm-16" + rel: related + parts: + - id: cm-8.1_smt + name: statement + prose: Update the inventory of system components as part of component + installations, removals, and system updates. + - id: cm-8.1_gdn + name: guidance + prose: Organizations can improve the accuracy, completeness, and + consistency of system component inventories if the inventories + are updated as part of component installations or removals or + during general system updates. If inventories are not updated + at these key times, there is a greater likelihood that the information + will not be appropriately captured and documented. System updates + include hardware, software, and firmware components. + - id: cm-8.1_obj + name: assessment-objective + props: + - name: label + value: CM-08(01) + class: sp800-53a + parts: + - id: cm-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: CM-08(01)[01] + class: sp800-53a + prose: the inventory of system components is updated as part + of component installations; + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: CM-08(01)[02] + class: sp800-53a + prose: the inventory of system components is updated as part + of component removals; + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_obj-3 + name: assessment-objective + props: + - name: label + value: CM-08(01)[03] + class: sp800-53a + prose: the inventory of system components is updated as part + of system updates. + links: + - href: "#cm-8.1_smt" + rel: assessment-for + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system component inventory + + inventory reviews and update records + + change control records + + component installation records + + component removal records + + system security plan + + other relevant documents or records + - id: cm-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + updating responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for updating the system + component inventory + + + mechanisms supporting and/or implementing system component + inventory updates + - id: cm-8.2 + class: SP800-53-enhancement + title: Automated Maintenance + params: + - id: cm-8.2_prm_1 + label: organization-defined automated mechanisms + - id: cm-08.02_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to maintain the currency of + the system component inventory are defined; + - id: cm-08.02_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to maintain the completeness + of the system component inventory are defined; + - id: cm-08.02_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to maintain the accuracy of + the system component inventory are defined; + - id: cm-08.02_odp.04 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to maintain the availability + of the system component inventory are defined; + props: + - name: label + value: CM-8(2) + - name: label + value: CM-08(02) + class: sp800-53a + - name: sort-id + value: cm-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + parts: + - id: cm-8.2_smt + name: statement + prose: "Maintain the currency, completeness, accuracy, and availability\ + \ of the inventory of system components using {{ insert: param,\ + \ cm-8.2_prm_1 }}." + - id: cm-8.2_gdn + name: guidance + prose: Organizations maintain system inventories to the extent feasible. + For example, virtual machines can be difficult to monitor because + such machines are not visible to the network when not in use. + In such cases, organizations maintain as up-to-date, complete, + and accurate an inventory as is deemed reasonable. Automated maintenance + can be achieved by the implementation of [CM-2(2)](#cm-2.2) for + organizations that combine system component inventory and baseline + configuration activities. + - id: cm-8.2_obj + name: assessment-objective + props: + - name: label + value: CM-08(02) + class: sp800-53a + parts: + - id: cm-8.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-08(02)[01] + class: sp800-53a + prose: " {{ insert: param, cm-08.02_odp.01 }} are used to maintain\ + \ the currency of the system component inventory;" + links: + - href: "#cm-8.2_smt" + rel: assessment-for + - id: cm-8.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-08(02)[02] + class: sp800-53a + prose: " {{ insert: param, cm-08.02_odp.02 }} are used to maintain\ + \ the completeness of the system component inventory;" + links: + - href: "#cm-8.2_smt" + rel: assessment-for + - id: cm-8.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-08(02)[03] + class: sp800-53a + prose: " {{ insert: param, cm-08.02_odp.03 }} are used to maintain\ + \ the accuracy of the system component inventory;" + links: + - href: "#cm-8.2_smt" + rel: assessment-for + - id: cm-8.2_obj-4 + name: assessment-objective + props: + - name: label + value: CM-08(02)[04] + class: sp800-53a + prose: " {{ insert: param, cm-08.02_odp.04 }} are used to maintain\ + \ the availability of the system component inventory." + links: + - href: "#cm-8.2_smt" + rel: assessment-for + links: + - href: "#cm-8.2_smt" + rel: assessment-for + - id: cm-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system design documentation + + system security plan + + system component inventory + + change control records + + system maintenance records + + system audit records + + system security plan + + other relevant documents or records + - id: cm-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining the system + component inventory + + + automated mechanisms supporting and/or implementing the system + component inventory + - id: cm-8.3 + class: SP800-53-enhancement + title: Automated Unauthorized Component Detection + params: + - id: cm-8.3_prm_1 + label: organization-defined automated mechanisms + constraints: + - description: automated mechanisms with a maximum five-minute + delay in detection + - id: cm-08.03_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + hardware within the system are defined; + - id: cm-08.03_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + software within the system are defined; + - id: cm-08.03_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + firmware within the system are defined; + - id: cm-08.03_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which automated mechanisms are used to detect + the presence of unauthorized system components within the + system is defined; + - id: cm-08.03_odp.05 + select: + how-many: one-or-more + choice: + - disable network access by unauthorized components + - isolate unauthorized components + - "notify {{ insert: param, cm-08.03_odp.06 }} " + - id: cm-08.03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified when unauthorized components + are detected is/are defined (if selected); + props: + - name: label + value: CM-8(3) + - name: label + value: CM-08(03) + class: sp800-53a + - name: sort-id + value: cm-08.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-39" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-8.3_smt + name: statement + parts: + - id: cm-8.3_smt.a + name: item + props: + - name: label + value: (a) + prose: "Detect the presence of unauthorized hardware, software,\ + \ and firmware components within the system using {{ insert:\ + \ param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04\ + \ }} ; and" + - id: cm-8.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Take the following actions when unauthorized components\ + \ are detected: {{ insert: param, cm-08.03_odp.05 }}." + - id: cm-8.3_gdn + name: guidance + prose: 'Automated unauthorized component detection is applied in + addition to the monitoring for unauthorized remote connections + and mobile devices. Monitoring for unauthorized system components + may be accomplished on an ongoing basis or by the periodic scanning + of systems for that purpose. Automated mechanisms may also be + used to prevent the connection of unauthorized components (see + [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented + in systems or in separate system components. When acquiring and + implementing automated mechanisms, organizations consider whether + such mechanisms depend on the ability of the system component + to support an agent or supplicant in order to be detected since + some types of components do not have or cannot support agents + (e.g., IoT devices, sensors). Isolation can be achieved , for + example, by placing unauthorized system components in separate + domains or subnets or quarantining such components. This type + of component isolation is commonly referred to as "sandboxing." ' + - id: cm-8.3_obj + name: assessment-objective + props: + - name: label + value: CM-08(03) + class: sp800-53a + parts: + - id: cm-8.3_obj.a + name: assessment-objective + props: + - name: label + value: CM-08(03)(a) + class: sp800-53a + parts: + - id: cm-8.3_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[01] + class: sp800-53a + prose: "the presence of unauthorized hardware within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.01\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[02] + class: sp800-53a + prose: "the presence of unauthorized software within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.02\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[03] + class: sp800-53a + prose: "the presence of unauthorized firmware within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.03\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.b + name: assessment-objective + props: + - name: label + value: CM-08(03)(b) + class: sp800-53a + parts: + - id: cm-8.3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[01] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized hardware is detected;" + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + - id: cm-8.3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[02] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized software is detected;" + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + - id: cm-8.3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[03] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized firmware is detected." + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + links: + - href: "#cm-8.3_smt" + rel: assessment-for + - id: cm-8.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system component inventory + + + configuration management plan + + + system design documentation + + + system security plan + + + system component inventory + + + change control records + + + alerts/notifications of unauthorized components within the + system + + + system monitoring records + + + system maintenance records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-8.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + management responsibilities + + + organizational personnel with responsibilities for managing + the automated mechanisms implementing unauthorized system + component detection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-8.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for detection of unauthorized + system components + + + organizational processes for taking action when unauthorized + system components are detected + + + automated mechanisms supporting and/or implementing the detection + of unauthorized system components + + + automated mechanisms supporting and/or implementing actions + taken when unauthorized system components are detected + - id: cm-8.4 + class: SP800-53-enhancement + title: Accountability Information + params: + - id: cm-08.04_odp + constraints: + - description: position and role + select: + how-many: one-or-more + choice: + - name + - position + - role + props: + - name: label + value: CM-8(4) + - name: label + value: CM-08(04) + class: sp800-53a + - name: sort-id + value: cm-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + - href: "#ac-3" + rel: related + parts: + - id: cm-8.4_smt + name: statement + prose: "Include in the system component inventory information, a\ + \ means for identifying by {{ insert: param, cm-08.04_odp }} ,\ + \ individuals responsible and accountable for administering those\ + \ components." + - id: cm-8.4_gdn + name: guidance + prose: Identifying individuals who are responsible and accountable + for administering system components ensures that the assigned + components are properly administered and that organizations can + contact those individuals if some action is required (e.g., when + the component is determined to be the source of a breach, needs + to be recalled or replaced, or needs to be relocated). + - id: cm-8.4_obj + name: assessment-objective + props: + - name: label + value: CM-08(04) + class: sp800-53a + prose: "individuals responsible and accountable for administering\ + \ system components are identified by {{ insert: param, cm-08.04_odp\ + \ }} in the system component inventory." + links: + - href: "#cm-8.4_smt" + rel: assessment-for + - id: cm-8.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system component inventory + + system security plan + + other relevant documents or records + - id: cm-8.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing the system + component inventory + + + mechanisms supporting and/or implementing the system component + inventory + - id: cm-9 + class: SP800-53 + title: Configuration Management Plan + params: + - id: cm-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to review and approve the configuration + management plan is/are defined; + props: + - name: label + value: CM-9 + - name: label + value: CM-09 + class: sp800-53a + - name: sort-id + value: cm-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-9_smt + name: statement + prose: "Develop, document, and implement a configuration management\ + \ plan for the system that:" + parts: + - id: cm-9_smt.a + name: item + props: + - name: label + value: a. + prose: Addresses roles, responsibilities, and configuration management + processes and procedures; + - id: cm-9_smt.b + name: item + props: + - name: label + value: b. + prose: Establishes a process for identifying configuration items + throughout the system development life cycle and for managing + the configuration of the configuration items; + - id: cm-9_smt.c + name: item + props: + - name: label + value: c. + prose: Defines the configuration items for the system and places + the configuration items under configuration management; + - id: cm-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Is reviewed and approved by {{ insert: param, cm-09_odp\ + \ }} ; and" + - id: cm-9_smt.e + name: item + props: + - name: label + value: e. + prose: Protects the configuration management plan from unauthorized + disclosure and modification. + - id: cm-9_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: FedRAMP does not provide a template for the Configuration + Management Plan. However, NIST SP 800-128, Guide for Security-Focused + Configuration Management of Information Systems, provides guidelines + for the implementation of CM controls as well as a sample CMP + outline in Appendix D of the Guide + - id: cm-9_gdn + name: guidance + prose: >- + Configuration management activities occur throughout the system + development life cycle. As such, there are developmental + configuration management activities (e.g., the control of code + and software libraries) and operational configuration management + activities (e.g., control of installed components and how the + components are configured). Configuration management plans + satisfy the requirements in configuration management policies + while being tailored to individual systems. Configuration + management plans define processes and procedures for how + configuration management is used to support system development + life cycle activities. + + + Configuration management plans are generated during the development + and acquisition stage of the system development life cycle. The plans + describe how to advance changes through change management processes; + update configuration settings and baselines; maintain component inventories; + control development, test, and operational environments; and develop, + release, and update key documents. + + + Organizations can employ templates to help ensure the consistent and + timely development and implementation of configuration management + plans. Templates can represent a configuration management plan for + the organization with subsets of the plan implemented on a system + by system basis. Configuration management approval processes include + the designation of key stakeholders responsible for reviewing and + approving proposed changes to systems, and personnel who conduct security + and privacy impact analyses prior to the implementation of changes + to the systems. Configuration items are the system components, such + as the hardware, software, firmware, and documentation to be configuration-managed. + As systems continue through the system development life cycle, new + configuration items may be identified, and some existing configuration + items may no longer need to be under configuration control. + - id: cm-9_obj + name: assessment-objective + props: + - name: label + value: CM-09 + class: sp800-53a + parts: + - id: cm-9_obj-1 + name: assessment-objective + props: + - name: label + value: CM-09[01] + class: sp800-53a + prose: a configuration management plan for the system is developed + and documented; + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_obj-2 + name: assessment-objective + props: + - name: label + value: CM-09[02] + class: sp800-53a + prose: a configuration management plan for the system is implemented; + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_obj.a + name: assessment-objective + props: + - name: label + value: CM-09a. + class: sp800-53a + parts: + - id: cm-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-09a.[01] + class: sp800-53a + prose: the configuration management plan addresses roles; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-09a.[02] + class: sp800-53a + prose: the configuration management plan addresses responsibilities; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-09a.[03] + class: sp800-53a + prose: the configuration management plan addresses configuration + management processes and procedures; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.b + name: assessment-objective + props: + - name: label + value: CM-09b. + class: sp800-53a + parts: + - id: cm-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-09b.[01] + class: sp800-53a + prose: the configuration management plan establishes a process + for identifying configuration items throughout the system + development life cycle; + links: + - href: "#cm-9_smt.b" + rel: assessment-for + - id: cm-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-09b.[02] + class: sp800-53a + prose: the configuration management plan establishes a process + for managing the configuration of the configuration items; + links: + - href: "#cm-9_smt.b" + rel: assessment-for + links: + - href: "#cm-9_smt.b" + rel: assessment-for + - id: cm-9_obj.c + name: assessment-objective + props: + - name: label + value: CM-09c. + class: sp800-53a + parts: + - id: cm-9_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-09c.[01] + class: sp800-53a + prose: the configuration management plan defines the configuration + items for the system; + links: + - href: "#cm-9_smt.c" + rel: assessment-for + - id: cm-9_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-09c.[02] + class: sp800-53a + prose: the configuration management plan places the configuration + items under configuration management; + links: + - href: "#cm-9_smt.c" + rel: assessment-for + links: + - href: "#cm-9_smt.c" + rel: assessment-for + - id: cm-9_obj.d + name: assessment-objective + props: + - name: label + value: CM-09d. + class: sp800-53a + prose: "the configuration management plan is reviewed and approved\ + \ by {{ insert: param, cm-09_odp }};" + links: + - href: "#cm-9_smt.d" + rel: assessment-for + - id: cm-9_obj.e + name: assessment-objective + props: + - name: label + value: CM-09e. + class: sp800-53a + parts: + - id: cm-9_obj.e-1 + name: assessment-objective + props: + - name: label + value: CM-09e.[01] + class: sp800-53a + prose: the configuration management plan is protected from unauthorized + disclosure; + links: + - href: "#cm-9_smt.e" + rel: assessment-for + - id: cm-9_obj.e-2 + name: assessment-objective + props: + - name: label + value: CM-09e.[02] + class: sp800-53a + prose: the configuration management plan is protected from unauthorized + modification. + links: + - href: "#cm-9_smt.e" + rel: assessment-for + links: + - href: "#cm-9_smt.e" + rel: assessment-for + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing configuration management planning + + configuration management plan + + system design documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: cm-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing the configuration management plan + + + organizational personnel with responsibilities for implementing + and managing processes defined in the configuration management + plan + + + organizational personnel with responsibilities for protecting + the configuration management plan + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing and documenting the + configuration management plan + + + organizational processes for identifying and managing configuration + items + + + organizational processes for protecting the configuration management + plan + + + mechanisms implementing the configuration management plan + + + mechanisms for managing configuration items + + + mechanisms for protecting the configuration management plan + - id: cm-10 + class: SP800-53 + title: Software Usage Restrictions + props: + - name: label + value: CM-10 + - name: label + value: CM-10 + class: sp800-53a + - name: sort-id + value: cm-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-17" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cm-10_smt + name: statement + parts: + - id: cm-10_smt.a + name: item + props: + - name: label + value: a. + prose: Use software and associated documentation in accordance with + contract agreements and copyright laws; + - id: cm-10_smt.b + name: item + props: + - name: label + value: b. + prose: Track the use of software and associated documentation protected + by quantity licenses to control copying and distribution; and + - id: cm-10_smt.c + name: item + props: + - name: label + value: c. + prose: Control and document the use of peer-to-peer file sharing + technology to ensure that this capability is not used for the + unauthorized distribution, display, performance, or reproduction + of copyrighted work. + - id: cm-10_gdn + name: guidance + prose: Software license tracking can be accomplished by manual or automated + methods, depending on organizational needs. Examples of contract agreements + include software license agreements and non-disclosure agreements. + - id: cm-10_obj + name: assessment-objective + props: + - name: label + value: CM-10 + class: sp800-53a + parts: + - id: cm-10_obj.a + name: assessment-objective + props: + - name: label + value: CM-10a. + class: sp800-53a + prose: software and associated documentation are used in accordance + with contract agreements and copyright laws; + links: + - href: "#cm-10_smt.a" + rel: assessment-for + - id: cm-10_obj.b + name: assessment-objective + props: + - name: label + value: CM-10b. + class: sp800-53a + prose: the use of software and associated documentation protected + by quantity licenses is tracked to control copying and distribution; + links: + - href: "#cm-10_smt.b" + rel: assessment-for + - id: cm-10_obj.c + name: assessment-objective + props: + - name: label + value: CM-10c. + class: sp800-53a + prose: the use of peer-to-peer file sharing technology is controlled + and documented to ensure that peer-to-peer file sharing is not + used for the unauthorized distribution, display, performance, + or reproduction of copyrighted work. + links: + - href: "#cm-10_smt.c" + rel: assessment-for + links: + - href: "#cm-10_smt" + rel: assessment-for + - id: cm-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + software usage restrictions + + software contract agreements and copyright laws + + site license documentation + + list of software usage restrictions + + software license tracking reports + + configuration management plan + + system security plan + + system security plan + + other relevant documents or records + - id: cm-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel operating, using, and/or + maintaining the system + + + organizational personnel with software license management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for tracking the use of software + protected by quantity licenses + + + organizational processes for controlling/documenting the use of + peer-to-peer file sharing technology + + + mechanisms implementing software license tracking + + + mechanisms implementing and controlling the use of peer-to-peer + files sharing technology + - id: cm-11 + class: SP800-53 + title: User-installed Software + params: + - id: cm-11_odp.01 + label: policies + guidelines: + - prose: policies governing the installation of software by users + are defined; + - id: cm-11_odp.02 + label: methods + guidelines: + - prose: methods used to enforce software installation policies are + defined; + - id: cm-11_odp.03 + label: frequency + constraints: + - description: Continuously (via CM-7 (5)) + guidelines: + - prose: frequency with which to monitor compliance is defined; + props: + - name: label + value: CM-11 + - name: label + value: CM-11 + class: sp800-53a + - name: sort-id + value: cm-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-3" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-11_smt + name: statement + parts: + - id: cm-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish {{ insert: param, cm-11_odp.01 }} governing the\ + \ installation of software by users;" + - id: cm-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Enforce software installation policies through the following\ + \ methods: {{ insert: param, cm-11_odp.02 }} ; and" + - id: cm-11_smt.c + name: item + props: + - name: label + value: c. + prose: "Monitor policy compliance {{ insert: param, cm-11_odp.03\ + \ }}." + - id: cm-11_gdn + name: guidance + prose: If provided the necessary privileges, users can install software + in organizational systems. To maintain control over the software installed, + organizations identify permitted and prohibited actions regarding + software installation. Permitted software installations include updates + and security patches to existing software and downloading new applications + from organization-approved "app stores." Prohibited software installations + include software with unknown or suspect pedigrees or software that + organizations consider potentially malicious. Policies selected for + governing user-installed software are organization-developed or provided + by some external entity. Policy enforcement methods can include procedural + methods and automated methods. + - id: cm-11_obj + name: assessment-objective + props: + - name: label + value: CM-11 + class: sp800-53a + parts: + - id: cm-11_obj.a + name: assessment-objective + props: + - name: label + value: CM-11a. + class: sp800-53a + prose: " {{ insert: param, cm-11_odp.01 }} governing the installation\ + \ of software by users are established;" + links: + - href: "#cm-11_smt.a" + rel: assessment-for + - id: cm-11_obj.b + name: assessment-objective + props: + - name: label + value: CM-11b. + class: sp800-53a + prose: "software installation policies are enforced through {{ insert:\ + \ param, cm-11_odp.02 }};" + links: + - href: "#cm-11_smt.b" + rel: assessment-for + - id: cm-11_obj.c + name: assessment-objective + props: + - name: label + value: CM-11c. + class: sp800-53a + prose: "compliance with {{ insert: param, cm-11_odp.01 }} is monitored\ + \ {{ insert: param, cm-11_odp.03 }}." + links: + - href: "#cm-11_smt.c" + rel: assessment-for + links: + - href: "#cm-11_smt" + rel: assessment-for + - id: cm-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing user-installed software + + configuration management plan + + system security plan + + system design documentation + + system configuration settings and associated documentation + + list of rules governing user installed software + + system monitoring records + + system audit records + + continuous monitoring strategy + + system security plan + + other relevant documents or records + - id: cm-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for governing + user-installed software + + + organizational personnel operating, using, and/or maintaining + the system + + + organizational personnel monitoring compliance with user-installed + software policy + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing user-installed software + on the system + + + mechanisms enforcing policies and methods for governing the installation + of software by users + + + mechanisms monitoring policy compliance + - id: cm-12 + class: SP800-53 + title: Information Location + params: + - id: cm-12_odp + label: information + guidelines: + - prose: information for which the location is to be identified and + documented is defined; + props: + - name: label + value: CM-12 + - name: label + value: CM-12 + class: sp800-53a + - name: sort-id + value: cm-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-23" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#ra-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-12_smt + name: statement + parts: + - id: cm-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify and document the location of {{ insert: param,\ + \ cm-12_odp }} and the specific system components on which the\ + \ information is processed and stored;" + - id: cm-12_smt.b + name: item + props: + - name: label + value: b. + prose: Identify and document the users who have access to the system + and system components where the information is processed and stored; + and + - id: cm-12_smt.c + name: item + props: + - name: label + value: c. + prose: Document changes to the location (i.e., system or system + components) where the information is processed and stored. + - id: cm-12_fr + name: item + title: CM-12 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-12_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to FedRAMP Authorization Boundary Guidance + - id: cm-12_gdn + name: guidance + prose: Information location addresses the need to understand where information + is being processed and stored. Information location includes identifying + where specific information types and information reside in system + components and how information is being processed so that information + flow can be understood and adequate protection and policy management + provided for such information and system components. The security + category of the information is also a factor in determining the controls + necessary to protect the information and the system component where + the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) + ). The location of the information and system components is also a + factor in the architecture and design of the system (see [SA-4](#sa-4), + [SA-8](#sa-8), [SA-17](#sa-17)). + - id: cm-12_obj + name: assessment-objective + props: + - name: label + value: CM-12 + class: sp800-53a + parts: + - id: cm-12_obj.a + name: assessment-objective + props: + - name: label + value: CM-12a. + class: sp800-53a + parts: + - id: cm-12_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-12a.[01] + class: sp800-53a + prose: "the location of {{ insert: param, cm-12_odp }} is identified\ + \ and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-12a.[02] + class: sp800-53a + prose: "the specific system components on which {{ insert: param,\ + \ cm-12_odp }} is processed are identified and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-12a.[03] + class: sp800-53a + prose: "the specific system components on which {{ insert: param,\ + \ cm-12_odp }} is stored are identified and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.b + name: assessment-objective + props: + - name: label + value: CM-12b. + class: sp800-53a + parts: + - id: cm-12_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-12b.[01] + class: sp800-53a + prose: "the users who have access to the system and system components\ + \ where {{ insert: param, cm-12_odp }} is processed are identified\ + \ and documented;" + links: + - href: "#cm-12_smt.b" + rel: assessment-for + - id: cm-12_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-12b.[02] + class: sp800-53a + prose: "the users who have access to the system and system components\ + \ where {{ insert: param, cm-12_odp }} is stored are identified\ + \ and documented;" + links: + - href: "#cm-12_smt.b" + rel: assessment-for + links: + - href: "#cm-12_smt.b" + rel: assessment-for + - id: cm-12_obj.c + name: assessment-objective + props: + - name: label + value: CM-12c. + class: sp800-53a + parts: + - id: cm-12_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-12c.[01] + class: sp800-53a + prose: "changes to the location (i.e., system or system components)\ + \ where {{ insert: param, cm-12_odp }} is processed are documented;" + links: + - href: "#cm-12_smt.c" + rel: assessment-for + - id: cm-12_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-12c.[02] + class: sp800-53a + prose: "changes to the location (i.e., system or system components)\ + \ where {{ insert: param, cm-12_odp }} is stored are documented." + links: + - href: "#cm-12_smt.c" + rel: assessment-for + links: + - href: "#cm-12_smt.c" + rel: assessment-for + links: + - href: "#cm-12_smt" + rel: assessment-for + - id: cm-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing identification and documentation of information + location + + + configuration management plan + + + system design documentation + + + system architecture documentation + + + PII inventory documentation + + + data mapping documentation + + + audit records + + + list of users with system and system component access + + + change control records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + information location and user access to information + + + organizational personnel with responsibilities for operating, + using, and/or maintaining the system + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: cm-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing information location + + + mechanisms enforcing policies and methods for governing information + location + controls: + - id: cm-12.1 + class: SP800-53-enhancement + title: Automated Tools to Support Information Location + params: + - id: cm-12.01_odp.01 + label: information by information type + constraints: + - description: Federal data and system data that must be protected + at the High or Moderate impact levels + guidelines: + - prose: information to be protected is defined by information + type; + - id: cm-12.01_odp.02 + label: system components + guidelines: + - prose: system components where the information is located are + defined; + props: + - name: label + value: CM-12(1) + - name: label + value: CM-12(01) + class: sp800-53a + - name: sort-id + value: cm-12.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-12" + rel: required + parts: + - id: cm-12.1_smt + name: statement + prose: "Use automated tools to identify {{ insert: param, cm-12.01_odp.01\ + \ }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls\ + \ are in place to protect organizational information and individual\ + \ privacy." + parts: + - id: cm-12.1_fr + name: item + title: CM-12 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: cm-12.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to FedRAMP Authorization Boundary Guidance. + - id: cm-12.1_gdn + name: guidance + prose: The use of automated tools helps to increase the effectiveness + and efficiency of the information location capability implemented + within the system. Automation also helps organizations manage + the data produced during information location activities and share + such information across the organization. The output of automated + information location tools can be used to guide and inform system + architecture and design decisions. + - id: cm-12.1_obj + name: assessment-objective + props: + - name: label + value: CM-12(01) + class: sp800-53a + prose: "automated tools are used to identify {{ insert: param, cm-12.01_odp.01\ + \ }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls\ + \ are in place to protect organizational information and individual\ + \ privacy." + links: + - href: "#cm-12.1_smt" + rel: assessment-for + - id: cm-12.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-12(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing identification and documentation of + information location + + + configuration management plan + + + system design documentation + + + PII inventory documentation + + + data mapping documentation + + + change control records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-12.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-12(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + managing information location + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-12.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-12(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing information location + + + automated mechanisms enforcing policies and methods for governing + information location + + + automated tools used to identify information on system components + - id: cm-14 + class: SP800-53 + title: Signed Components + params: + - id: cm-14_prm_1 + label: organization-defined software and firmware components + - id: cm-14_odp.01 + label: software components + guidelines: + - prose: software components requiring verification of a digitally + signed certificate before installation are defined; + - id: cm-14_odp.02 + label: firmware components + guidelines: + - prose: firmware components requiring verification of a digitally + signed certificate before installation are defined; + props: + - name: label + value: CM-14 + - name: label + value: CM-14 + class: sp800-53a + - name: sort-id + value: cm-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#cm-7" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-14_smt + name: statement + prose: "Prevent the installation of {{ insert: param, cm-14_prm_1 }}\ + \ without verification that the component has been digitally signed\ + \ using a certificate that is recognized and approved by the organization." + parts: + - id: cm-14_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: If digital signatures/certificates are unavailable, alternative + cryptographic integrity checks (hashes, self-signed certs, etc.) + can be utilized. + - id: cm-14_gdn + name: guidance + prose: Software and firmware components prevented from installation + unless signed with recognized and approved certificates include software + and firmware version updates, patches, service packs, device drivers, + and basic input/output system updates. Organizations can identify + applicable software and firmware components by type, by specific items, + or a combination of both. Digital signatures and organizational verification + of such signatures is a method of code authentication. + - id: cm-14_obj + name: assessment-objective + props: + - name: label + value: CM-14 + class: sp800-53a + parts: + - id: cm-14_obj-1 + name: assessment-objective + props: + - name: label + value: CM-14[01] + class: sp800-53a + prose: "the installation of {{ insert: param, cm-14_odp.01 }} is\ + \ prevented unless it is verified that the software has been digitally\ + \ signed using a certificate recognized and approved by the organization;" + links: + - href: "#cm-14_smt" + rel: assessment-for + - id: cm-14_obj-2 + name: assessment-objective + props: + - name: label + value: CM-14[02] + class: sp800-53a + prose: "the installation of {{ insert: param, cm-14_odp.02 }} is\ + \ prevented unless it is verified that the firmware has been digitally\ + \ signed using a certificate recognized and approved by the organization." + links: + - href: "#cm-14_smt" + rel: assessment-for + links: + - href: "#cm-14_smt" + rel: assessment-for + - id: cm-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing digitally signed certificates for software + and firmware components + + + configuration management plan + + + system security plan + + + system design documentation + + + change control records + + + system component inventory + + + system security plan + + + other relevant documents or records + - id: cm-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for verifying + digitally signed certificates for software and firmware + component installation + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-14-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing information location + + + mechanisms enforcing policies and methods for governing information + location + + + automated tools supporting or implementing digitally signatures + for software and firmware components + + + automated tools supporting or implementing verification of digital + signatures for software and firmware component installation + - id: cp + class: family + title: Contingency Planning + controls: + - id: cp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cp-1_prm_1 + label: organization-defined personnel or roles + - id: cp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning policy + is to be disseminated is/are defined; + - id: cp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning procedures + are to be disseminated is/are defined; + - id: cp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the contingency planning policy and + procedures is defined; + - id: cp-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current contingency planning policy + is reviewed and updated is defined; + - id: cp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current contingency planning + policy to be reviewed and updated are defined; + - id: cp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current contingency planning procedures + are reviewed and updated is defined; + - id: cp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: CP-1 + - name: label + value: CP-01 + class: sp800-53a + - name: sort-id + value: cp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-1_smt + name: statement + parts: + - id: cp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cp-1_prm_1 }}:" + parts: + - id: cp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cp-01_odp.03 }} contingency planning\ + \ policy that:" + parts: + - id: cp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the contingency + planning policy and the associated contingency planning controls; + - id: cp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures; and" + - id: cp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current contingency planning:" + parts: + - id: cp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cp-01_odp.05 }} and following\ + \ {{ insert: param, cp-01_odp.06 }} ; and" + - id: cp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cp-01_odp.07 }} and following\ + \ {{ insert: param, cp-01_odp.08 }}." + - id: cp-1_gdn + name: guidance + prose: Contingency planning policy and procedures address the controls + in the CP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of contingency + planning policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to contingency planning policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: cp-1_obj + name: assessment-objective + props: + - name: label + value: CP-01 + class: sp800-53a + parts: + - id: cp-1_obj.a + name: assessment-objective + props: + - name: label + value: CP-01a. + class: sp800-53a + parts: + - id: cp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.[01] + class: sp800-53a + prose: a contingency planning policy is developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.[02] + class: sp800-53a + prose: "the contingency planning policy is disseminated to {{\ + \ insert: param, cp-01_odp.01 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.[03] + class: sp800-53a + prose: contingency planning procedures to facilitate the implementation + of the contingency planning policy and associated contingency + planning controls are developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.[04] + class: sp800-53a + prose: "the contingency planning procedures are disseminated\ + \ to {{ insert: param, cp-01_odp.02 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-01a.01 + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CP-01a.01(a) + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses purpose;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses scope;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses roles;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses responsibilities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses management commitment;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses compliance;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CP-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#cp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1" + rel: assessment-for + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.b + name: assessment-objective + props: + - name: label + value: CP-01b. + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures;" + links: + - href: "#cp-1_smt.b" + rel: assessment-for + - id: cp-1_obj.c + name: assessment-objective + props: + - name: label + value: CP-01c. + class: sp800-53a + parts: + - id: cp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CP-01c.01 + class: sp800-53a + parts: + - id: cp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CP-01c.01[01] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated {{ insert: param, cp-01_odp.05 }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CP-01c.01[02] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated following {{ insert: param, cp-01_odp.06\ + \ }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CP-01c.02 + class: sp800-53a + parts: + - id: cp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CP-01c.02[01] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated {{ insert: param, cp-01_odp.07\ + \ }};" + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + - id: cp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CP-01c.02[02] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated following {{ insert: param, cp-01_odp.08\ + \ }}." + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c" + rel: assessment-for + links: + - href: "#cp-1_smt" + rel: assessment-for + - id: cp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-2 + class: SP800-53 + title: Contingency Plan + params: + - id: cp-2_prm_1 + label: organization-defined personnel or roles + - id: cp-2_prm_2 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-2_prm_4 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to review a contingency plan is/are defined; + - id: cp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to approve a contingency plan is/are defined; + - id: cp-02_odp.03 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to whom copies of the contingency plan are distributed are defined; + - id: cp-02_odp.04 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to which copies of + the contingency plan are distributed are defined; + - id: cp-02_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of contingency plan review is defined; + - id: cp-02_odp.06 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to communicate changes to are defined; + - id: cp-02_odp.07 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to communicate changes + to are defined; + props: + - name: label + value: CP-2 + - name: label + value: CP-02 + class: sp800-53a + - name: sort-id + value: cp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-11" + rel: related + - href: "#cp-13" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + - href: "#ma-6" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-2_smt + name: statement + parts: + - id: cp-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a contingency plan for the system that:" + parts: + - id: cp-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifies essential mission and business functions and + associated contingency requirements; + - id: cp-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Provides recovery objectives, restoration priorities, + and metrics; + - id: cp-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Addresses contingency roles, responsibilities, assigned + individuals with contact information; + - id: cp-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Addresses maintaining essential mission and business + functions despite a system disruption, compromise, or failure; + - id: cp-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Addresses eventual, full system restoration without deterioration + of the controls originally planned and implemented; + - id: cp-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Addresses the sharing of contingency information; and + - id: cp-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: "Is reviewed and approved by {{ insert: param, cp-2_prm_1\ + \ }};" + - id: cp-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the contingency plan to {{ insert:\ + \ param, cp-2_prm_2 }};" + - id: cp-2_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate contingency planning activities with incident + handling activities; + - id: cp-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the contingency plan for the system {{ insert: param,\ + \ cp-02_odp.05 }};" + - id: cp-2_smt.e + name: item + props: + - name: label + value: e. + prose: Update the contingency plan to address changes to the organization, + system, or environment of operation and problems encountered during + contingency plan implementation, execution, or testing; + - id: cp-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Communicate contingency plan changes to {{ insert: param,\ + \ cp-2_prm_4 }};" + - id: cp-2_smt.g + name: item + props: + - name: label + value: g. + prose: Incorporate lessons learned from contingency plan testing, + training, or actual contingency activities into contingency testing + and training; and + - id: cp-2_smt.h + name: item + props: + - name: label + value: h. + prose: Protect the contingency plan from unauthorized disclosure + and modification. + - id: cp-2_fr + name: item + title: CP-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For JAB authorizations the contingency lists include + designated FedRAMP personnel. + - id: cp-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: "CSPs must use the FedRAMP Information System Contingency\ + \ Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + - id: cp-2_gdn + name: guidance + prose: >- + Contingency planning for systems is part of an overall program + for achieving continuity of operations for organizational + mission and business functions. Contingency planning addresses + system restoration and implementation of alternative mission or + business processes when systems are compromised or breached. + Contingency planning is considered throughout the system + development life cycle and is a fundamental part of the system + design. Systems can be designed for redundancy, to provide + backup capabilities, and for resilience. Contingency plans + reflect the degree of restoration required for organizational + systems since not all systems need to fully recover to achieve + the level of continuity of operations desired. System recovery + objectives reflect applicable laws, executive orders, + directives, regulations, policies, standards, guidelines, + organizational risk tolerance, and system impact level. + + + Actions addressed in contingency plans include orderly system degradation, + system shutdown, fallback to a manual mode, alternate information + flows, and operating in modes reserved for when systems are under + attack. By coordinating contingency planning with incident handling + activities, organizations ensure that the necessary planning activities + are in place and activated in the event of an incident. Organizations + consider whether continuity of operations during an incident conflicts + with the capability to automatically disable the system, as specified + in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency + planning for organizations and is addressed in the [IR](#ir) (Incident + Response) family. + - id: cp-2_obj + name: assessment-objective + props: + - name: label + value: CP-02 + class: sp800-53a + parts: + - id: cp-2_obj.a + name: assessment-objective + props: + - name: label + value: CP-02a. + class: sp800-53a + parts: + - id: cp-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-02a.01 + class: sp800-53a + prose: a contingency plan for the system is developed that identifies + essential mission and business functions and associated contingency + requirements; + links: + - href: "#cp-2_smt.a.1" + rel: assessment-for + - id: cp-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-02a.02 + class: sp800-53a + parts: + - id: cp-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: CP-02a.02[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides recovery objectives; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: CP-02a.02[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides restoration priorities; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: CP-02a.02[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides metrics; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-02a.03 + class: sp800-53a + parts: + - id: cp-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: CP-02a.03[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency roles; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: CP-02a.03[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency responsibilities; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-3 + name: assessment-objective + props: + - name: label + value: CP-02a.03[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses assigned individuals with contact information; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: CP-02a.04 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + maintaining essential mission and business functions despite + a system disruption, compromise, or failure; + links: + - href: "#cp-2_smt.a.4" + rel: assessment-for + - id: cp-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: CP-02a.05 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + eventual, full-system restoration without deterioration of + the controls originally planned and implemented; + links: + - href: "#cp-2_smt.a.5" + rel: assessment-for + - id: cp-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: CP-02a.06 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + the sharing of contingency information; + links: + - href: "#cp-2_smt.a.6" + rel: assessment-for + - id: cp-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: CP-02a.07 + class: sp800-53a + parts: + - id: cp-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: CP-02a.07[01] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is reviewed by {{ insert: param, cp-02_odp.01 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + - id: cp-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: CP-02a.07[02] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is approved by {{ insert: param, cp-02_odp.02 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a" + rel: assessment-for + - id: cp-2_obj.b + name: assessment-objective + props: + - name: label + value: CP-02b. + class: sp800-53a + parts: + - id: cp-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-02b.[01] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.03 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-02b.[02] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.04 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.c + name: assessment-objective + props: + - name: label + value: CP-02c. + class: sp800-53a + prose: contingency planning activities are coordinated with incident + handling activities; + links: + - href: "#cp-2_smt.c" + rel: assessment-for + - id: cp-2_obj.d + name: assessment-objective + props: + - name: label + value: CP-02d. + class: sp800-53a + prose: "the contingency plan for the system is reviewed {{ insert:\ + \ param, cp-02_odp.05 }};" + links: + - href: "#cp-2_smt.d" + rel: assessment-for + - id: cp-2_obj.e + name: assessment-objective + props: + - name: label + value: CP-02e. + class: sp800-53a + parts: + - id: cp-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: CP-02e.[01] + class: sp800-53a + prose: the contingency plan is updated to address changes to + the organization, system, or environment of operation; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: CP-02e.[02] + class: sp800-53a + prose: the contingency plan is updated to address problems encountered + during contingency plan implementation, execution, or testing; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.f + name: assessment-objective + props: + - name: label + value: CP-02f. + class: sp800-53a + parts: + - id: cp-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: CP-02f.[01] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.06 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: CP-02f.[02] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.07 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.g + name: assessment-objective + props: + - name: label + value: CP-02g. + class: sp800-53a + parts: + - id: cp-2_obj.g-1 + name: assessment-objective + props: + - name: label + value: CP-02g.[01] + class: sp800-53a + prose: lessons learned from contingency plan testing or actual + contingency activities are incorporated into contingency testing; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.g-2 + name: assessment-objective + props: + - name: label + value: CP-02g.[02] + class: sp800-53a + prose: lessons learned from contingency plan training or actual + contingency activities are incorporated into contingency testing + and training; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.h + name: assessment-objective + props: + - name: label + value: CP-02h. + class: sp800-53a + parts: + - id: cp-2_obj.h-1 + name: assessment-objective + props: + - name: label + value: CP-02h.[01] + class: sp800-53a + prose: the contingency plan is protected from unauthorized disclosure; + links: + - href: "#cp-2_smt.h" + rel: assessment-for + - id: cp-2_obj.h-2 + name: assessment-objective + props: + - name: label + value: CP-02h.[02] + class: sp800-53a + prose: the contingency plan is protected from unauthorized modification. + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt" + rel: assessment-for + - id: cp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency operations for the system + + contingency plan + + evidence of contingency plan reviews and updates + + system security plan + + other relevant documents or records + - id: cp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and plan + implementation responsibilities + + + organizational personnel with incident handling responsibilities + + + organizational personnel with knowledge of requirements for mission + and business functions + + + organizational personnel with information security responsibilities + - id: cp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan development, + review, update, and protection + + + mechanisms for developing, reviewing, updating, and/or protecting + the contingency plan + controls: + - id: cp-2.1 + class: SP800-53-enhancement + title: Coordinate with Related Plans + props: + - name: label + value: CP-2(1) + - name: label + value: CP-02(01) + class: sp800-53a + - name: sort-id + value: cp-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + parts: + - id: cp-2.1_smt + name: statement + prose: Coordinate contingency plan development with organizational + elements responsible for related plans. + - id: cp-2.1_gdn + name: guidance + prose: Plans that are related to contingency plans include Business + Continuity Plans, Disaster Recovery Plans, Critical Infrastructure + Plans, Continuity of Operations Plans, Crisis Communications Plans, + Insider Threat Implementation Plans, Data Breach Response Plans, + Cyber Incident Response Plans, Breach Response Plans, and Occupant + Emergency Plans. + - id: cp-2.1_obj + name: assessment-objective + props: + - name: label + value: CP-02(01) + class: sp800-53a + prose: contingency plan development is coordinated with organizational + elements responsible for related plans. + links: + - href: "#cp-2.1_smt" + rel: assessment-for + - id: cp-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business contingency plans + + + disaster recovery plans + + + continuity of operations plans + + + crisis communications plans + + + critical infrastructure plans + + + cyber incident response plan + + + insider threat implementation plans + + + occupant emergency plans + + + system security plan + + + other relevant documents or records + - id: cp-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with information security responsibilities + + + personnel with responsibility for related plans + - id: cp-2.2 + class: SP800-53-enhancement + title: Capacity Planning + props: + - name: label + value: CP-2(2) + - name: label + value: CP-02(02) + class: sp800-53a + - name: sort-id + value: cp-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + - href: "#pe-11" + rel: related + - href: "#pe-12" + rel: related + - href: "#pe-13" + rel: related + - href: "#pe-14" + rel: related + - href: "#pe-18" + rel: related + - href: "#sc-5" + rel: related + parts: + - id: cp-2.2_smt + name: statement + prose: Conduct capacity planning so that necessary capacity for + information processing, telecommunications, and environmental + support exists during contingency operations. + - id: cp-2.2_gdn + name: guidance + prose: Capacity planning is needed because different threats can + result in a reduction of the available processing, telecommunications, + and support services intended to support essential mission and + business functions. Organizations anticipate degraded operations + during contingency operations and factor the degradation into + capacity planning. For capacity planning, environmental support + refers to any environmental factor for which the organization + determines that it needs to provide support in a contingency situation, + even if in a degraded state. Such determinations are based on + an organizational assessment of risk, system categorization (impact + level), and organizational risk tolerance. + - id: cp-2.2_obj + name: assessment-objective + props: + - name: label + value: CP-02(02) + class: sp800-53a + parts: + - id: cp-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: CP-02(02)[01] + class: sp800-53a + prose: capacity planning is conducted so that the necessary + capacity exists during contingency operations for information + processing; + links: + - href: "#cp-2.2_smt" + rel: assessment-for + - id: cp-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: CP-02(02)[02] + class: sp800-53a + prose: capacity planning is conducted so that the necessary + capacity exists during contingency operations for telecommunications; + links: + - href: "#cp-2.2_smt" + rel: assessment-for + - id: cp-2.2_obj-3 + name: assessment-objective + props: + - name: label + value: CP-02(02)[03] + class: sp800-53a + prose: capacity planning is conducted so that the necessary + capacity exists during contingency operations for environmental + support. + links: + - href: "#cp-2.2_smt" + rel: assessment-for + links: + - href: "#cp-2.2_smt" + rel: assessment-for + - id: cp-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + capacity planning documents + + + system security plan + + + other relevant documents or records + - id: cp-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel responsible for capacity planning + + + organizational personnel with information security responsibilities + - id: cp-2.3 + class: SP800-53-enhancement + title: Resume Mission and Business Functions + params: + - id: cp-02.03_odp.01 + constraints: + - description: all + select: + choice: + - all + - essential + - id: cp-02.03_odp.02 + label: time period + constraints: + - description: time period defined in service provider and organization + SLA + guidelines: + - prose: the contingency plan activation time period within which + to resume mission and business functions is defined; + props: + - name: label + value: CP-2(3) + - name: label + value: CP-02(03) + class: sp800-53a + - name: sort-id + value: cp-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + parts: + - id: cp-2.3_smt + name: statement + prose: "Plan for the resumption of {{ insert: param, cp-02.03_odp.01\ + \ }} mission and business functions within {{ insert: param, cp-02.03_odp.02\ + \ }} of contingency plan activation." + - id: cp-2.3_gdn + name: guidance + prose: Organizations may choose to conduct contingency planning + activities to resume mission and business functions as part of + business continuity planning or as part of business impact analyses. + Organizations prioritize the resumption of mission and business + functions. The time period for resuming mission and business functions + may be dependent on the severity and extent of the disruptions + to the system and its supporting infrastructure. + - id: cp-2.3_obj + name: assessment-objective + props: + - name: label + value: CP-02(03) + class: sp800-53a + prose: "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission\ + \ and business functions are planned for within {{ insert: param,\ + \ cp-02.03_odp.02 }} of contingency plan activation." + links: + - href: "#cp-2.3_smt" + rel: assessment-for + - id: cp-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business impact assessment + + + system security plan + + + privacy plan + + + other related plans + + + system security plan + + + other relevant documents or records + - id: cp-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with knowledge of requirements for + mission and business functions + - id: cp-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for resumption of missions and + business functions + - id: cp-2.5 + class: SP800-53-enhancement + title: Continue Mission and Business Functions + params: + - id: cp-02.05_odp + constraints: + - description: essential + select: + choice: + - all + - essential + props: + - name: label + value: CP-2(5) + - name: label + value: CP-02(05) + class: sp800-53a + - name: sort-id + value: cp-02.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + parts: + - id: cp-2.5_smt + name: statement + prose: "Plan for the continuance of {{ insert: param, cp-02.05_odp\ + \ }} mission and business functions with minimal or no loss of\ + \ operational continuity and sustains that continuity until full\ + \ system restoration at primary processing and/or storage sites." + - id: cp-2.5_gdn + name: guidance + prose: Organizations may choose to conduct the contingency planning + activities to continue mission and business functions as part + of business continuity planning or business impact analyses. Primary + processing and/or storage sites defined by organizations as part + of contingency planning may change depending on the circumstances + associated with the contingency. + - id: cp-2.5_obj + name: assessment-objective + props: + - name: label + value: CP-02(05) + class: sp800-53a + parts: + - id: cp-2.5_obj-1 + name: assessment-objective + props: + - name: label + value: CP-02(05)[01] + class: sp800-53a + prose: "the continuance of {{ insert: param, cp-02.05_odp }}\ + \ mission and business functions with minimal or no loss of\ + \ operational continuity is planned for;" + links: + - href: "#cp-2.5_smt" + rel: assessment-for + - id: cp-2.5_obj-2 + name: assessment-objective + props: + - name: label + value: CP-02(05)[02] + class: sp800-53a + prose: continuity is sustained until full system restoration + at primary processing and/or storage sites. + links: + - href: "#cp-2.5_smt" + rel: assessment-for + links: + - href: "#cp-2.5_smt" + rel: assessment-for + - id: cp-2.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business impact assessment + + + primary processing site agreements + + + primary storage site agreements + + + alternate processing site agreements + + + alternate storage site agreements + + + contingency plan test documentation + + + contingency plan test results + + + system security plan + + + other relevant documents or records + - id: cp-2.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with knowledge of requirements for + mission and business functions + + + organizational personnel with information security responsibilities + - id: cp-2.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for continuing missions and + business functions + - id: cp-2.8 + class: SP800-53-enhancement + title: Identify Critical Assets + params: + - id: cp-02.08_odp + select: + choice: + - all + - essential + props: + - name: label + value: CP-2(8) + - name: label + value: CP-02(08) + class: sp800-53a + - name: sort-id + value: cp-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + - href: "#cm-8" + rel: related + - href: "#ra-9" + rel: related + parts: + - id: cp-2.8_smt + name: statement + prose: "Identify critical system assets supporting {{ insert: param,\ + \ cp-02.08_odp }} mission and business functions." + - id: cp-2.8_gdn + name: guidance + prose: Organizations may choose to identify critical assets as part + of criticality analysis, business continuity planning, or business + impact analyses. Organizations identify critical system assets + so that additional controls can be employed (beyond the controls + routinely implemented) to help ensure that organizational mission + and business functions can continue to be conducted during contingency + operations. The identification of critical information assets + also facilitates the prioritization of organizational resources. + Critical system assets include technical and operational aspects. + Technical aspects include system components, information technology + services, information technology products, and mechanisms. Operational + aspects include procedures (i.e., manually executed operations) + and personnel (i.e., individuals operating technical controls + and/or executing manual procedures). Organizational program protection + plans can assist in identifying critical assets. If critical assets + are resident within or supported by external service providers, + organizations consider implementing [CP-2(7)](#cp-2.7) as a control + enhancement. + - id: cp-2.8_obj + name: assessment-objective + props: + - name: label + value: CP-02(08) + class: sp800-53a + prose: "critical system assets supporting {{ insert: param, cp-02.08_odp\ + \ }} mission and business functions are identified." + links: + - href: "#cp-2.8_smt" + rel: assessment-for + - id: cp-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business impact assessment + + + system security plan + + + other relevant documents or records + - id: cp-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with knowledge of requirements for + mission and business functions + + + organizational personnel with information security responsibilities + - id: cp-3 + class: SP800-53 + title: Contingency Training + params: + - id: cp-03_odp.01 + label: time period + constraints: + - description: \*See Additional Requirements + guidelines: + - prose: the time period within which to provide contingency training + after assuming a contingency role or responsibility is defined; + - id: cp-03_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide training to system users with + a contingency role or responsibility is defined; + - id: cp-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update contingency training + content is defined; + - id: cp-03_odp.04 + label: events + guidelines: + - prose: events necessitating review and update of contingency training + are defined; + props: + - name: label + value: CP-3 + - name: label + value: CP-03 + class: sp800-53a + - name: sort-id + value: cp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-8" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: cp-3_smt + name: statement + parts: + - id: cp-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: cp-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, cp-03_odp.01 }} of assuming\ + \ a contingency role or responsibility;" + - id: cp-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: cp-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, cp-03_odp.02 }} thereafter; and" + - id: cp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update contingency training content {{ insert:\ + \ param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04\ + \ }}." + - id: cp-3_fr + name: item + title: CP-3 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-3_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: Privileged admins and engineers must take the basic contingency + training within 10 days. Consideration must be given for those + privileged admins and engineers with critical contingency-related + roles, to gain enough system context and situational awareness + to understand the full impact of contingency training as it + applies to their respective level. Newly hired critical contingency + personnel must take this more in-depth training within 60 + days of hire date when the training will have more impact. + - id: cp-3_gdn + name: guidance + prose: Contingency training provided by organizations is linked to the + assigned roles and responsibilities of organizational personnel to + ensure that the appropriate content and level of detail is included + in such training. For example, some individuals may only need to know + when and where to report for duty during contingency operations and + if normal duties are affected; system administrators may require additional + training on how to establish systems at alternate processing and storage + sites; and organizational officials may receive more specific training + on how to conduct mission-essential functions in designated off-site + locations and how to establish communications with other governmental + entities for purposes of coordination on contingency-related activities. + Training for contingency roles or responsibilities reflects the specific + continuity requirements in the contingency plan. Events that may precipitate + an update to contingency training content include, but are not limited + to, contingency plan testing or an actual contingency (lessons learned), + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. At the discretion of the organization, participation + in a contingency plan test or exercise, including lessons learned + sessions subsequent to the test or exercise, may satisfy contingency + plan training requirements. + - id: cp-3_obj + name: assessment-objective + props: + - name: label + value: CP-03 + class: sp800-53a + parts: + - id: cp-3_obj.a + name: assessment-objective + props: + - name: label + value: CP-03a. + class: sp800-53a + parts: + - id: cp-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-03a.01 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities within {{ insert:\ + \ param, cp-03_odp.01 }} of assuming a contingency role or\ + \ responsibility;" + links: + - href: "#cp-3_smt.a.1" + rel: assessment-for + - id: cp-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-03a.02 + class: sp800-53a + prose: contingency training is provided to system users consistent + with assigned roles and responsibilities when required by + system changes; + links: + - href: "#cp-3_smt.a.2" + rel: assessment-for + - id: cp-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-03a.03 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities {{ insert: param,\ + \ cp-03_odp.02 }} thereafter;" + links: + - href: "#cp-3_smt.a.3" + rel: assessment-for + links: + - href: "#cp-3_smt.a" + rel: assessment-for + - id: cp-3_obj.b + name: assessment-objective + props: + - name: label + value: CP-03b. + class: sp800-53a + parts: + - id: cp-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-03b.[01] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated {{ insert: param, cp-03_odp.03 }};" + links: + - href: "#cp-3_smt.b" + rel: assessment-for + - id: cp-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-03b.[02] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated following {{ insert: param, cp-03_odp.04 }}." + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt" + rel: assessment-for + - id: cp-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency training + + contingency plan + + contingency training curriculum + + contingency training material + + contingency training records + + system security plan + + other relevant documents or records + - id: cp-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, plan + implementation, and training responsibilities + + + organizational personnel with information security responsibilities + - id: cp-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for contingency training + controls: + - id: cp-3.1 + class: SP800-53-enhancement + title: Simulated Events + props: + - name: label + value: CP-3(1) + - name: label + value: CP-03(01) + class: sp800-53a + - name: sort-id + value: cp-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cp-3" + rel: required + parts: + - id: cp-3.1_smt + name: statement + prose: Incorporate simulated events into contingency training to + facilitate effective response by personnel in crisis situations. + - id: cp-3.1_gdn + name: guidance + prose: The use of simulated events creates an environment for personnel + to experience actual threat events, including cyber-attacks that + disable websites, ransomware attacks that encrypt organizational + data on servers, hurricanes that damage or destroy organizational + facilities, or hardware or software failures. + - id: cp-3.1_obj + name: assessment-objective + props: + - name: label + value: CP-03(01) + class: sp800-53a + prose: simulated events are incorporated into contingency training + to facilitate effective response by personnel in crisis situations. + links: + - href: "#cp-3.1_smt" + rel: assessment-for + - id: cp-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency training + + contingency plan + + contingency training curriculum + + contingency training material + + system security plan + + other relevant documents or records + - id: cp-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, plan + implementation, and training responsibilities + + + organizational personnel with information security responsibilities + - id: cp-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for contingency training + + mechanisms for simulating contingency events + - id: cp-4 + class: SP800-53 + title: Contingency Plan Testing + params: + - id: cp-4_prm_2 + label: organization-defined tests + constraints: + - description: functional exercises + - id: cp-04_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of testing the contingency plan for the system + is defined; + - id: cp-04_odp.02 + label: tests + guidelines: + - prose: tests for determining the effectiveness of the contingency + plan are defined; + - id: cp-04_odp.03 + label: tests + guidelines: + - prose: tests for determining readiness to execute the contingency + plan are defined; + props: + - name: label + value: CP-4 + - name: label + value: CP-04 + class: sp800-53a + - name: sort-id + value: cp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: cp-4_smt + name: statement + parts: + - id: cp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Test the contingency plan for the system {{ insert: param,\ + \ cp-04_odp.01 }} using the following tests to determine the effectiveness\ + \ of the plan and the readiness to execute the plan: {{ insert:\ + \ param, cp-4_prm_2 }}." + - id: cp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Review the contingency plan test results; and + - id: cp-4_smt.c + name: item + props: + - name: label + value: c. + prose: Initiate corrective actions, if needed. + - id: cp-4_fr + name: item + title: CP-4 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-4_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider develops test plans in accordance + with NIST Special Publication 800-34 (as amended); plans are + approved by the JAB/AO prior to initiating testing. + - id: cp-4_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider must include the Contingency Plan + test results with the security package within the Contingency + Plan-designated appendix (Appendix G, Contingency Plan Test + Report). + - id: cp-4_gdn + name: guidance + prose: Methods for testing contingency plans to determine the effectiveness + of the plans and identify potential weaknesses include checklists, + walk-through and tabletop exercises, simulations (parallel or full + interrupt), and comprehensive exercises. Organizations conduct testing + based on the requirements in contingency plans and include a determination + of the effects on organizational operations, assets, and individuals + due to contingency operations. Organizations have flexibility and + discretion in the breadth, depth, and timelines of corrective actions. + - id: cp-4_obj + name: assessment-objective + props: + - name: label + value: CP-04 + class: sp800-53a + parts: + - id: cp-4_obj.a + name: assessment-objective + props: + - name: label + value: CP-04a. + class: sp800-53a + parts: + - id: cp-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-04a.[01] + class: sp800-53a + prose: "the contingency plan for the system is tested {{ insert:\ + \ param, cp-04_odp.01 }};" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-04a.[02] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.02 }} are used to determine\ + \ the effectiveness of the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-04a.[03] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.03 }} are used to determine\ + \ the readiness to execute the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.b + name: assessment-objective + props: + - name: label + value: CP-04b. + class: sp800-53a + prose: the contingency plan test results are reviewed; + links: + - href: "#cp-4_smt.b" + rel: assessment-for + - id: cp-4_obj.c + name: assessment-objective + props: + - name: label + value: CP-04c. + class: sp800-53a + prose: corrective actions are initiated, if needed. + links: + - href: "#cp-4_smt.c" + rel: assessment-for + links: + - href: "#cp-4_smt" + rel: assessment-for + - id: cp-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency plan testing + + contingency plan + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + contingency plan testing, reviewing, or responding to + contingency plan tests + + + organizational personnel with information security responsibilities + - id: cp-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan testing + + + mechanisms supporting the contingency plan and/or contingency + plan testing + controls: + - id: cp-4.1 + class: SP800-53-enhancement + title: Coordinate with Related Plans + props: + - name: label + value: CP-4(1) + - name: label + value: CP-04(01) + class: sp800-53a + - name: sort-id + value: cp-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cp-4" + rel: required + - href: "#ir-8" + rel: related + - href: "#pm-8" + rel: related + parts: + - id: cp-4.1_smt + name: statement + prose: Coordinate contingency plan testing with organizational elements + responsible for related plans. + - id: cp-4.1_gdn + name: guidance + prose: Plans related to contingency planning for organizational + systems include Business Continuity Plans, Disaster Recovery Plans, + Continuity of Operations Plans, Crisis Communications Plans, Critical + Infrastructure Plans, Cyber Incident Response Plans, and Occupant + Emergency Plans. Coordination of contingency plan testing does + not require organizations to create organizational elements to + handle related plans or to align such elements with specific plans. + However, it does require that if such organizational elements + are responsible for related plans, organizations coordinate with + those elements. + - id: cp-4.1_obj + name: assessment-objective + props: + - name: label + value: CP-04(01) + class: sp800-53a + prose: contingency plan testing is coordinated with organizational + elements responsible for related plans. + links: + - href: "#cp-4.1_smt" + rel: assessment-for + - id: cp-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + incident response policy + + procedures addressing contingency plan testing + + contingency plan testing documentation + + contingency plan + + business continuity plans + + disaster recovery plans + + continuity of operations plans + + crisis communications plans + + critical infrastructure plans + + cyber incident response plans + + occupant emergency plans + + system security plan + + other relevant documents or records + - id: cp-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan testing + responsibilities + + + personnel with responsibilities for related plans + + + organizational personnel with information security responsibilities + - id: cp-4.2 + class: SP800-53-enhancement + title: Alternate Processing Site + props: + - name: label + value: CP-4(2) + - name: label + value: CP-04(02) + class: sp800-53a + - name: sort-id + value: cp-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cp-4" + rel: required + - href: "#cp-7" + rel: related + parts: + - id: cp-4.2_smt + name: statement + prose: "Test the contingency plan at the alternate processing site:" + parts: + - id: cp-4.2_smt.a + name: item + props: + - name: label + value: (a) + prose: To familiarize contingency personnel with the facility + and available resources; and + - id: cp-4.2_smt.b + name: item + props: + - name: label + value: (b) + prose: To evaluate the capabilities of the alternate processing + site to support contingency operations. + - id: cp-4.2_gdn + name: guidance + prose: Conditions at the alternate processing site may be significantly + different than the conditions at the primary site. Having the + opportunity to visit the alternate site and experience the actual + capabilities available at the site can provide valuable information + on potential vulnerabilities that could affect essential organizational + mission and business functions. The on-site visit can also provide + an opportunity to refine the contingency plan to address the vulnerabilities + discovered during testing. + - id: cp-4.2_obj + name: assessment-objective + props: + - name: label + value: CP-04(02) + class: sp800-53a + parts: + - id: cp-4.2_obj.a + name: assessment-objective + props: + - name: label + value: CP-04(02)(a) + class: sp800-53a + prose: the contingency plan is tested at the alternate processing + site to familiarize contingency personnel with the facility + and available resources; + links: + - href: "#cp-4.2_smt.a" + rel: assessment-for + - id: cp-4.2_obj.b + name: assessment-objective + props: + - name: label + value: CP-04(02)(b) + class: sp800-53a + prose: the contingency plan is tested at the alternate processing + site to evaluate the capabilities of the alternate processing + site to support contingency operations. + links: + - href: "#cp-4.2_smt.b" + rel: assessment-for + links: + - href: "#cp-4.2_smt" + rel: assessment-for + - id: cp-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency plan testing + + contingency plan + + contingency plan test documentation + + contingency plan test results + + alternate processing site agreements + + service-level agreements + + system security plan + + other relevant documents or records + - id: cp-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with information security responsibilities + - id: cp-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan testing + + + mechanisms supporting the contingency plan and/or contingency + plan testing + - id: cp-6 + class: SP800-53 + title: Alternate Storage Site + props: + - name: label + value: CP-6 + - name: label + value: CP-06 + class: sp800-53a + - name: sort-id + value: cp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-36" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-6_smt + name: statement + parts: + - id: cp-6_smt.a + name: item + props: + - name: label + value: a. + prose: Establish an alternate storage site, including necessary + agreements to permit the storage and retrieval of system backup + information; and + - id: cp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Ensure that the alternate storage site provides controls + equivalent to that of the primary site. + - id: cp-6_gdn + name: guidance + prose: Alternate storage sites are geographically distinct from primary + storage sites and maintain duplicate copies of information and data + if the primary storage site is not available. Similarly, alternate + processing sites provide processing capability if the primary processing + site is not available. Geographically distributed architectures that + support contingency requirements may be considered alternate storage + sites. Items covered by alternate storage site agreements include + environmental conditions at the alternate sites, access rules for + systems and facilities, physical and environmental protection requirements, + and coordination of delivery and retrieval of backup media. Alternate + storage sites reflect the requirements in contingency plans so that + organizations can maintain essential mission and business functions + despite compromise, failure, or disruption in organizational systems. + - id: cp-6_obj + name: assessment-objective + props: + - name: label + value: CP-06 + class: sp800-53a + parts: + - id: cp-6_obj.a + name: assessment-objective + props: + - name: label + value: CP-06a. + class: sp800-53a + parts: + - id: cp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-06a.[01] + class: sp800-53a + prose: an alternate storage site is established; + links: + - href: "#cp-6_smt.a" + rel: assessment-for + - id: cp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-06a.[02] + class: sp800-53a + prose: establishment of the alternate storage site includes + necessary agreements to permit the storage and retrieval of + system backup information; + links: + - href: "#cp-6_smt.a" + rel: assessment-for + links: + - href: "#cp-6_smt.a" + rel: assessment-for + - id: cp-6_obj.b + name: assessment-objective + props: + - name: label + value: CP-06b. + class: sp800-53a + prose: the alternate storage site provides controls equivalent to + that of the primary site. + links: + - href: "#cp-6_smt.b" + rel: assessment-for + links: + - href: "#cp-6_smt" + rel: assessment-for + - id: cp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate storage sites + + contingency plan + + alternate storage site agreements + + primary storage site agreements + + system security plan + + other relevant documents or records + - id: cp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing and retrieving system + backup information at the alternate storage site + + + mechanisms supporting and/or implementing the storage and retrieval + of system backup information at the alternate storage site + controls: + - id: cp-6.1 + class: SP800-53-enhancement + title: Separation from Primary Site + props: + - name: label + value: CP-6(1) + - name: label + value: CP-06(01) + class: sp800-53a + - name: sort-id + value: cp-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-6" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-6.1_smt + name: statement + prose: Identify an alternate storage site that is sufficiently separated + from the primary storage site to reduce susceptibility to the + same threats. + - id: cp-6.1_gdn + name: guidance + prose: Threats that affect alternate storage sites are defined in + organizational risk assessments and include natural disasters, + structural failures, hostile attacks, and errors of omission or + commission. Organizations determine what is considered a sufficient + degree of separation between primary and alternate storage sites + based on the types of threats that are of concern. For threats + such as hostile attacks, the degree of separation between sites + is less relevant. + - id: cp-6.1_obj + name: assessment-objective + props: + - name: label + value: CP-06(01) + class: sp800-53a + prose: an alternate storage site that is sufficiently separated + from the primary storage site is identified to reduce susceptibility + to the same threats. + links: + - href: "#cp-6.1_smt" + rel: assessment-for + - id: cp-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate storage sites + + contingency plan + + alternate storage site + + alternate storage site agreements + + primary storage site agreements + + system security plan + + other relevant documents or records + - id: cp-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-6.2 + class: SP800-53-enhancement + title: Recovery Time and Recovery Point Objectives + props: + - name: label + value: CP-6(2) + - name: label + value: CP-06(02) + class: sp800-53a + - name: sort-id + value: cp-06.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-6" + rel: required + parts: + - id: cp-6.2_smt + name: statement + prose: Configure the alternate storage site to facilitate recovery + operations in accordance with recovery time and recovery point + objectives. + - id: cp-6.2_gdn + name: guidance + prose: Organizations establish recovery time and recovery point + objectives as part of contingency planning. Configuration of the + alternate storage site includes physical facilities and the systems + supporting recovery operations that ensure accessibility and correct + execution. + - id: cp-6.2_obj + name: assessment-objective + props: + - name: label + value: CP-06(02) + class: sp800-53a + parts: + - id: cp-6.2_obj-1 + name: assessment-objective + props: + - name: label + value: CP-06(02)[01] + class: sp800-53a + prose: the alternate storage site is configured to facilitate + recovery operations in accordance with recovery time objectives; + links: + - href: "#cp-6.2_smt" + rel: assessment-for + - id: cp-6.2_obj-2 + name: assessment-objective + props: + - name: label + value: CP-06(02)[02] + class: sp800-53a + prose: the alternate storage site is configured to facilitate + recovery operations in accordance with recovery point objectives. + links: + - href: "#cp-6.2_smt" + rel: assessment-for + links: + - href: "#cp-6.2_smt" + rel: assessment-for + - id: cp-6.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate storage sites + + contingency plan + + alternate storage site + + alternate storage site agreements + + alternate storage site configurations + + system security plan + + other relevant documents or records + - id: cp-6.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan testing + responsibilities + + + organizational personnel with responsibilities for testing + related plans + + + organizational personnel with information security responsibilities + - id: cp-6.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-06(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for contingency plan testing + + mechanisms supporting recovery time and point objectives + - id: cp-6.3 + class: SP800-53-enhancement + title: Accessibility + props: + - name: label + value: CP-6(3) + - name: label + value: CP-06(03) + class: sp800-53a + - name: sort-id + value: cp-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-6" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-6.3_smt + name: statement + prose: Identify potential accessibility problems to the alternate + storage site in the event of an area-wide disruption or disaster + and outline explicit mitigation actions. + - id: cp-6.3_gdn + name: guidance + prose: Area-wide disruptions refer to those types of disruptions + that are broad in geographic scope with such determinations made + by organizations based on organizational assessments of risk. + Explicit mitigation actions include duplicating backup information + at other alternate storage sites if access problems occur at originally + designated alternate sites or planning for physical access to + retrieve backup information if electronic accessibility to the + alternate site is disrupted. + - id: cp-6.3_obj + name: assessment-objective + props: + - name: label + value: CP-06(03) + class: sp800-53a + parts: + - id: cp-6.3_obj-1 + name: assessment-objective + props: + - name: label + value: CP-06(03)[01] + class: sp800-53a + prose: potential accessibility problems to the alternate storage + site in the event of an area-wide disruption or disaster are + identified; + links: + - href: "#cp-6.3_smt" + rel: assessment-for + - id: cp-6.3_obj-2 + name: assessment-objective + props: + - name: label + value: CP-06(03)[02] + class: sp800-53a + prose: explicit mitigation actions to address identified accessibility + problems are outlined. + links: + - href: "#cp-6.3_smt" + rel: assessment-for + links: + - href: "#cp-6.3_smt" + rel: assessment-for + - id: cp-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing alternate storage sites + + + contingency plan + + + alternate storage site + + + list of potential accessibility problems to alternate storage + site + + + mitigation actions for accessibility problems to alternate + storage site + + + organizational risk assessments + + + system security plan + + + other relevant documents or records + - id: cp-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7 + class: SP800-53 + title: Alternate Processing Site + params: + - id: cp-07_odp.01 + label: system operations + guidelines: + - prose: system operations for essential mission and business functions + are defined; + - id: cp-07_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives is defined; + props: + - name: label + value: CP-7 + - name: label + value: CP-07 + class: sp800-53a + - name: sort-id + value: cp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-11" + rel: related + - href: "#pe-12" + rel: related + - href: "#pe-17" + rel: related + - href: "#sc-36" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-7_smt + name: statement + parts: + - id: cp-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish an alternate processing site, including necessary\ + \ agreements to permit the transfer and resumption of {{ insert:\ + \ param, cp-07_odp.01 }} for essential mission and business functions\ + \ within {{ insert: param, cp-07_odp.02 }} when the primary processing\ + \ capabilities are unavailable;" + - id: cp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Make available at the alternate processing site, the equipment + and supplies required to transfer and resume operations or put + contracts in place to support delivery to the site within the + organization-defined time period for transfer and resumption; + and + - id: cp-7_smt.c + name: item + props: + - name: label + value: c. + prose: Provide controls at the alternate processing site that are + equivalent to those at the primary site. + - id: cp-7_fr + name: item + title: CP-7 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-7_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines a time period consistent + with the recovery time objectives and business impact analysis. + - id: cp-7_gdn + name: guidance + prose: Alternate processing sites are geographically distinct from primary + processing sites and provide processing capability if the primary + processing site is not available. The alternate processing capability + may be addressed using a physical processing site or other alternatives, + such as failover to a cloud-based service provider or other internally + or externally provided processing service. Geographically distributed + architectures that support contingency requirements may also be considered + alternate processing sites. Controls that are covered by alternate + processing site agreements include the environmental conditions at + alternate sites, access rules, physical and environmental protection + requirements, and the coordination for the transfer and assignment + of personnel. Requirements are allocated to alternate processing sites + that reflect the requirements in contingency plans to maintain essential + mission and business functions despite disruption, compromise, or + failure in organizational systems. + - id: cp-7_obj + name: assessment-objective + props: + - name: label + value: CP-07 + class: sp800-53a + parts: + - id: cp-7_obj.a + name: assessment-objective + props: + - name: label + value: CP-07a. + class: sp800-53a + prose: "an alternate processing site, including necessary agreements\ + \ to permit the transfer and resumption of {{ insert: param, cp-07_odp.01\ + \ }} for essential mission and business functions, is established\ + \ within {{ insert: param, cp-07_odp.02 }} when the primary processing\ + \ capabilities are unavailable;" + links: + - href: "#cp-7_smt.a" + rel: assessment-for + - id: cp-7_obj.b + name: assessment-objective + props: + - name: label + value: CP-07b. + class: sp800-53a + parts: + - id: cp-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-07b.[01] + class: sp800-53a + prose: "the equipment and supplies required to transfer operations\ + \ are made available at the alternate processing site or if\ + \ contracts are in place to support delivery to the site within\ + \ {{ insert: param, cp-07_odp.02 }} for transfer;" + links: + - href: "#cp-7_smt.b" + rel: assessment-for + - id: cp-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-07b.[02] + class: sp800-53a + prose: "the equipment and supplies required to resume operations\ + \ are made available at the alternate processing site or if\ + \ contracts are in place to support delivery to the site within\ + \ {{ insert: param, cp-07_odp.02 }} for resumption;" + links: + - href: "#cp-7_smt.b" + rel: assessment-for + links: + - href: "#cp-7_smt.b" + rel: assessment-for + - id: cp-7_obj.c + name: assessment-objective + props: + - name: label + value: CP-07c. + class: sp800-53a + prose: controls provided at the alternate processing site are equivalent + to those at the primary site. + links: + - href: "#cp-7_smt.c" + rel: assessment-for + links: + - href: "#cp-7_smt" + rel: assessment-for + - id: cp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing alternate processing sites + + + contingency plan + + + alternate processing site agreements + + + primary processing site agreements + + + spare equipment and supplies inventory at alternate processing + site + + + equipment and supply contracts + + + service-level agreements + + + system security plan + + + other relevant documents or records + - id: cp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + contingency planning and/or alternate site arrangements + + + organizational personnel with information security responsibilities + - id: cp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for recovery at the alternate site + + + mechanisms supporting and/or implementing recovery at the alternate + processing site + controls: + - id: cp-7.1 + class: SP800-53-enhancement + title: Separation from Primary Site + props: + - name: label + value: CP-7(1) + - name: label + value: CP-07(01) + class: sp800-53a + - name: sort-id + value: cp-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-7.1_smt + name: statement + prose: Identify an alternate processing site that is sufficiently + separated from the primary processing site to reduce susceptibility + to the same threats. + parts: + - id: cp-7.1_fr + name: item + title: CP-7 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: cp-7.1_fr_smt.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The service provider may determine what is considered + a sufficient degree of separation between the primary + and alternate processing sites, based on the types of + threats that are of concern. For one particular type of + threat (i.e., hostile cyber attack), the degree of separation + between sites will be less relevant. + - id: cp-7.1_gdn + name: guidance + prose: Threats that affect alternate processing sites are defined + in organizational assessments of risk and include natural disasters, + structural failures, hostile attacks, and errors of omission or + commission. Organizations determine what is considered a sufficient + degree of separation between primary and alternate processing + sites based on the types of threats that are of concern. For threats + such as hostile attacks, the degree of separation between sites + is less relevant. + - id: cp-7.1_obj + name: assessment-objective + props: + - name: label + value: CP-07(01) + class: sp800-53a + prose: an alternate processing site that is sufficiently separated + from the primary processing site to reduce susceptibility to the + same threats is identified. + links: + - href: "#cp-7.1_smt" + rel: assessment-for + - id: cp-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site + + alternate processing site agreements + + primary processing site agreements + + system security plan + + other relevant documents or records + - id: cp-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7.2 + class: SP800-53-enhancement + title: Accessibility + props: + - name: label + value: CP-7(2) + - name: label + value: CP-07(02) + class: sp800-53a + - name: sort-id + value: cp-07.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-7.2_smt + name: statement + prose: Identify potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster and + outlines explicit mitigation actions. + - id: cp-7.2_gdn + name: guidance + prose: Area-wide disruptions refer to those types of disruptions + that are broad in geographic scope with such determinations made + by organizations based on organizational assessments of risk. + - id: cp-7.2_obj + name: assessment-objective + props: + - name: label + value: CP-07(02) + class: sp800-53a + parts: + - id: cp-7.2_obj-1 + name: assessment-objective + props: + - name: label + value: CP-07(02)[01] + class: sp800-53a + prose: potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster + are identified; + links: + - href: "#cp-7.2_smt" + rel: assessment-for + - id: cp-7.2_obj-2 + name: assessment-objective + props: + - name: label + value: CP-07(02)[02] + class: sp800-53a + prose: explicit mitigation actions to address identified accessibility + problems are outlined. + links: + - href: "#cp-7.2_smt" + rel: assessment-for + links: + - href: "#cp-7.2_smt" + rel: assessment-for + - id: cp-7.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site + + alternate processing site agreements + + primary processing site agreements + + system security plan + + other relevant documents or records + - id: cp-7.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7.3 + class: SP800-53-enhancement + title: Priority of Service + props: + - name: label + value: CP-7(3) + - name: label + value: CP-07(03) + class: sp800-53a + - name: sort-id + value: cp-07.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + parts: + - id: cp-7.3_smt + name: statement + prose: Develop alternate processing site agreements that contain + priority-of-service provisions in accordance with availability + requirements (including recovery time objectives). + - id: cp-7.3_gdn + name: guidance + prose: Priority of service agreements refer to negotiated agreements + with service providers that ensure that organizations receive + priority treatment consistent with their availability requirements + and the availability of information resources for logical alternate + processing and/or at the physical alternate processing site. Organizations + establish recovery time objectives as part of contingency planning. + - id: cp-7.3_obj + name: assessment-objective + props: + - name: label + value: CP-07(03) + class: sp800-53a + prose: alternate processing site agreements that contain priority-of-service + provisions in accordance with availability requirements (including + recovery time objectives) are developed. + links: + - href: "#cp-7.3_smt" + rel: assessment-for + - id: cp-7.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site agreements + + service-level agreements + + system security plan + + other relevant documents or records + - id: cp-7.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-7.4 + class: SP800-53-enhancement + title: Preparation for Use + props: + - name: label + value: CP-7(4) + - name: label + value: CP-07(04) + class: sp800-53a + - name: sort-id + value: cp-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-4" + rel: related + parts: + - id: cp-7.4_smt + name: statement + prose: Prepare the alternate processing site so that the site can + serve as the operational site supporting essential mission and + business functions. + - id: cp-7.4_gdn + name: guidance + prose: Site preparation includes establishing configuration settings + for systems at the alternate processing site consistent with the + requirements for such settings at the primary site and ensuring + that essential supplies and logistical considerations are in place. + - id: cp-7.4_obj + name: assessment-objective + props: + - name: label + value: CP-07(04) + class: sp800-53a + prose: the alternate processing site is prepared so that the site + can serve as the operational site supporting essential mission + and business functions. + links: + - href: "#cp-7.4_smt" + rel: assessment-for + - id: cp-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site + + alternate processing site agreements + + alternate processing site configurations + + system security plan + + other relevant documents or records + - id: cp-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing recovery at + the alternate processing site + - id: cp-8 + class: SP800-53 + title: Telecommunications Services + params: + - id: cp-08_odp.01 + label: system operations + guidelines: + - prose: system operations to be resumed for essential mission and + business functions are defined; + - id: cp-08_odp.02 + label: time period + guidelines: + - prose: time period within which to resume essential mission and + business functions when the primary telecommunications capabilities + are unavailable is defined; + props: + - name: label + value: CP-8 + - name: label + value: CP-08 + class: sp800-53a + - name: sort-id + value: cp-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-11" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cp-8_smt + name: statement + prose: "Establish alternate telecommunications services, including necessary\ + \ agreements to permit the resumption of {{ insert: param, cp-08_odp.01\ + \ }} for essential mission and business functions within {{ insert:\ + \ param, cp-08_odp.02 }} when the primary telecommunications capabilities\ + \ are unavailable at either the primary or alternate processing or\ + \ storage sites." + parts: + - id: cp-8_fr + name: item + title: CP-8 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-8_fr_gdn.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines a time period consistent + with the recovery time objectives and business impact analysis. + - id: cp-8_gdn + name: guidance + prose: Telecommunications services (for data and voice) for primary + and alternate processing and storage sites are in scope for [CP-8](#cp-8) + . Alternate telecommunications services reflect the continuity requirements + in contingency plans to maintain essential mission and business functions + despite the loss of primary telecommunications services. Organizations + may specify different time periods for primary or alternate sites. + Alternate telecommunications services include additional organizational + or commercial ground-based circuits or lines, network-based approaches + to telecommunications, or the use of satellites. Organizations consider + factors such as availability, quality of service, and access when + entering into alternate telecommunications agreements. + - id: cp-8_obj + name: assessment-objective + props: + - name: label + value: CP-08 + class: sp800-53a + prose: "alternate telecommunications services, including necessary agreements\ + \ to permit the resumption of {{ insert: param, cp-08_odp.01 }} ,\ + \ are established for essential mission and business functions within\ + \ {{ insert: param, cp-08_odp.02 }} when the primary telecommunications\ + \ capabilities are unavailable at either the primary or alternate\ + \ processing or storage sites." + links: + - href: "#cp-8_smt" + rel: assessment-for + - id: cp-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate telecommunications services + + contingency plan + + primary and alternate telecommunications service agreements + + system security plan + + other relevant documents or records + - id: cp-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with knowledge of requirements for mission + and business functions + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting telecommunications + controls: + - id: cp-8.1 + class: SP800-53-enhancement + title: Priority of Service Provisions + props: + - name: label + value: CP-8(1) + - name: label + value: CP-08(01) + class: sp800-53a + - name: sort-id + value: cp-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + parts: + - id: cp-8.1_smt + name: statement + parts: + - id: cp-8.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Develop primary and alternate telecommunications service + agreements that contain priority-of-service provisions in + accordance with availability requirements (including recovery + time objectives); and + - id: cp-8.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Request Telecommunications Service Priority for all telecommunications + services used for national security emergency preparedness + if the primary and/or alternate telecommunications services + are provided by a common carrier. + - id: cp-8.1_gdn + name: guidance + prose: Organizations consider the potential mission or business + impact in situations where telecommunications service providers + are servicing other organizations with similar priority of service + provisions. Telecommunications Service Priority (TSP) is a Federal + Communications Commission (FCC) program that directs telecommunications + service providers (e.g., wireline and wireless phone companies) + to give preferential treatment to users enrolled in the program + when they need to add new lines or have their lines restored following + a disruption of service, regardless of the cause. The FCC sets + the rules and policies for the TSP program, and the Department + of Homeland Security manages the TSP program. The TSP program + is always in effect and not contingent on a major disaster or + attack taking place. Federal sponsorship is required to enroll + in the TSP program. + - id: cp-8.1_obj + name: assessment-objective + props: + - name: label + value: CP-08(01) + class: sp800-53a + parts: + - id: cp-8.1_obj.a + name: assessment-objective + props: + - name: label + value: CP-08(01)(a) + class: sp800-53a + parts: + - id: cp-8.1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-08(01)(a)[01] + class: sp800-53a + prose: primary telecommunications service agreements that + contain priority-of-service provisions in accordance with + availability requirements (including recovery time objectives) + are developed; + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + - id: cp-8.1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-08(01)(a)[02] + class: sp800-53a + prose: alternate telecommunications service agreements that + contain priority-of-service provisions in accordance with + availability requirements (including recovery time objectives) + are developed; + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + - id: cp-8.1_obj.b + name: assessment-objective + props: + - name: label + value: CP-08(01)(b) + class: sp800-53a + prose: Telecommunications Service Priority is requested for + all telecommunications services used for national security + emergency preparedness if the primary and/or alternate telecommunications + services are provided by a common carrier. + links: + - href: "#cp-8.1_smt.b" + rel: assessment-for + links: + - href: "#cp-8.1_smt" + rel: assessment-for + - id: cp-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + primary and alternate telecommunications service agreements + + + Telecommunications Service Priority documentation + + + system security plan + + + other relevant documents or records + - id: cp-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting telecommunications + - id: cp-8.2 + class: SP800-53-enhancement + title: Single Points of Failure + props: + - name: label + value: CP-8(2) + - name: label + value: CP-08(02) + class: sp800-53a + - name: sort-id + value: cp-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + parts: + - id: cp-8.2_smt + name: statement + prose: Obtain alternate telecommunications services to reduce the + likelihood of sharing a single point of failure with primary telecommunications + services. + - id: cp-8.2_gdn + name: guidance + prose: In certain circumstances, telecommunications service providers + or services may share the same physical lines, which increases + the vulnerability of a single failure point. It is important to + have provider transparency for the actual physical transmission + capability for telecommunication services. + - id: cp-8.2_obj + name: assessment-objective + props: + - name: label + value: CP-08(02) + class: sp800-53a + prose: alternate telecommunications services to reduce the likelihood + of sharing a single point of failure with primary telecommunications + services are obtained. + links: + - href: "#cp-8.2_smt" + rel: assessment-for + - id: cp-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + primary and alternate telecommunications service agreements + + + system security plan + + + other relevant documents or records + - id: cp-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + primary and alternate telecommunications service providers + + + organizational personnel with information security responsibilities + - id: cp-8.3 + class: SP800-53-enhancement + title: Separation of Primary and Alternate Providers + props: + - name: label + value: CP-8(3) + - name: label + value: CP-08(03) + class: sp800-53a + - name: sort-id + value: cp-08.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + parts: + - id: cp-8.3_smt + name: statement + prose: Obtain alternate telecommunications services from providers + that are separated from primary service providers to reduce susceptibility + to the same threats. + - id: cp-8.3_gdn + name: guidance + prose: Threats that affect telecommunications services are defined + in organizational assessments of risk and include natural disasters, + structural failures, cyber or physical attacks, and errors of + omission or commission. Organizations can reduce common susceptibilities + by minimizing shared infrastructure among telecommunications service + providers and achieving sufficient geographic separation between + services. Organizations may consider using a single service provider + in situations where the service provider can provide alternate + telecommunications services that meet the separation needs addressed + in the risk assessment. + - id: cp-8.3_obj + name: assessment-objective + props: + - name: label + value: CP-08(03) + class: sp800-53a + prose: alternate telecommunications services from providers that + are separated from primary service providers are obtained to reduce + susceptibility to the same threats. + links: + - href: "#cp-8.3_smt" + rel: assessment-for + - id: cp-8.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + primary and alternate telecommunications service agreements + + + alternate telecommunications service provider site + + + primary telecommunications service provider site + + + other relevant documents or records + - id: cp-8.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + primary and alternate telecommunications service providers + + + organizational personnel with information security responsibilities + - id: cp-8.4 + class: SP800-53-enhancement + title: Provider Contingency Plan + params: + - id: cp-8.4_prm_1 + label: organization-defined frequency + constraints: + - description: annually + - id: cp-08.04_odp.01 + label: frequency + guidelines: + - prose: frequency at which to obtain evidence of contingency + testing by providers is defined; + - id: cp-08.04_odp.02 + label: frequency + guidelines: + - prose: frequency at which to obtain evidence of contingency + training by providers is defined; + props: + - name: label + value: CP-8(4) + - name: label + value: CP-08(04) + class: sp800-53a + - name: sort-id + value: cp-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + parts: + - id: cp-8.4_smt + name: statement + parts: + - id: cp-8.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Require primary and alternate telecommunications service + providers to have contingency plans; + - id: cp-8.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Review provider contingency plans to ensure that the + plans meet organizational contingency requirements; and + - id: cp-8.4_smt.c + name: item + props: + - name: label + value: (c) + prose: "Obtain evidence of contingency testing and training\ + \ by providers {{ insert: param, cp-8.4_prm_1 }}." + - id: cp-8.4_gdn + name: guidance + prose: Reviews of provider contingency plans consider the proprietary + nature of such plans. In some situations, a summary of provider + contingency plans may be sufficient evidence for organizations + to satisfy the review requirement. Telecommunications service + providers may also participate in ongoing disaster recovery exercises + in coordination with the Department of Homeland Security and state + and local governments. Organizations may use these types of activities + to satisfy evidentiary requirements related to service provider + contingency plan reviews, testing, and training. + - id: cp-8.4_obj + name: assessment-objective + props: + - name: label + value: CP-08(04) + class: sp800-53a + parts: + - id: cp-8.4_obj.a + name: assessment-objective + props: + - name: label + value: CP-08(04)(a) + class: sp800-53a + parts: + - id: cp-8.4_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-08(04)(a)[01] + class: sp800-53a + prose: primary telecommunications service providers are + required to have contingency plans; + links: + - href: "#cp-8.4_smt.a" + rel: assessment-for + - id: cp-8.4_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-08(04)(a)[02] + class: sp800-53a + prose: alternate telecommunications service providers are + required to have contingency plans; + links: + - href: "#cp-8.4_smt.a" + rel: assessment-for + links: + - href: "#cp-8.4_smt.a" + rel: assessment-for + - id: cp-8.4_obj.b + name: assessment-objective + props: + - name: label + value: CP-08(04)(b) + class: sp800-53a + prose: provider contingency plans are reviewed to ensure that + the plans meet organizational contingency requirements; + links: + - href: "#cp-8.4_smt.b" + rel: assessment-for + - id: cp-8.4_obj.c + name: assessment-objective + props: + - name: label + value: CP-08(04)(c) + class: sp800-53a + parts: + - id: cp-8.4_obj.c-1 + name: assessment-objective + props: + - name: label + value: CP-08(04)(c)[01] + class: sp800-53a + prose: "evidence of contingency testing by providers is\ + \ obtained {{ insert: param, cp-08.04_odp.01 }}." + links: + - href: "#cp-8.4_smt.c" + rel: assessment-for + - id: cp-8.4_obj.c-2 + name: assessment-objective + props: + - name: label + value: CP-08(04)(c)[02] + class: sp800-53a + prose: "evidence of contingency training by providers is\ + \ obtained {{ insert: param, cp-08.04_odp.02 }}." + links: + - href: "#cp-8.4_smt.c" + rel: assessment-for + links: + - href: "#cp-8.4_smt.c" + rel: assessment-for + links: + - href: "#cp-8.4_smt" + rel: assessment-for + - id: cp-8.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + provider contingency plans + + + evidence of contingency testing/training by providers + + + primary and alternate telecommunications service agreements + + + system security plan + + + other relevant documents or records + - id: cp-8.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, plan + implementation, and testing responsibilities + + + primary and alternate telecommunications service providers + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-9 + class: SP800-53 + title: System Backup + params: + - id: cp-09_odp.01 + label: system components + guidelines: + - prose: system components for which to conduct backups of user-level + information is defined; + - id: cp-09_odp.02 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of user-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.03 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.04 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system documentation + consistent with recovery time and recovery point objectives is + defined; + props: + - name: label + value: CP-9 + - name: label + value: CP-09 + class: sp800-53a + - name: sort-id + value: cp-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#3653e316-8923-430e-8943-b3b2b2562fc6" + rel: reference + - href: "#2494df28-9049-4196-b233-540e7440993f" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-9_smt + name: statement + parts: + - id: cp-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct backups of user-level information contained in {{\ + \ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02\ + \ }};" + - id: cp-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Conduct backups of system-level information contained in\ + \ the system {{ insert: param, cp-09_odp.03 }};" + - id: cp-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct backups of system documentation, including security-\ + \ and privacy-related documentation {{ insert: param, cp-09_odp.04\ + \ }} ; and" + - id: cp-9_smt.d + name: item + props: + - name: label + value: d. + prose: Protect the confidentiality, integrity, and availability + of backup information. + - id: cp-9_fr + name: item + title: CP-9 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine what elements of + the cloud environment require the Information System Backup + control. The service provider shall determine how Information + System Backup is going to be verified and appropriate periodicity + of the check. + - id: cp-9_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider maintains at least three backup + copies of user-level information (at least one of which is + available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.3 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider maintains at least three backup + copies of system-level information (at least one of which + is available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.4 + name: item + props: + - name: label + value: "(c) Requirement:" + prose: The service provider maintains at least three backup + copies of information system documentation including security + information (at least one of which is available online) or + provides an equivalent alternative. + - id: cp-9_gdn + name: guidance + prose: System-level information includes system state information, operating + system software, middleware, application software, and licenses. User-level + information includes information other than system-level information. + Mechanisms employed to protect the integrity of system backups include + digital signatures and cryptographic hashes. Protection of system + backup information while in transit is addressed by [MP-5](#mp-5) + and [SC-8](#sc-8) . System backups reflect the requirements in contingency + plans as well as other organizational requirements for backing up + information. Organizations may be subject to laws, executive orders, + directives, regulations, or policies with requirements regarding specific + categories of information (e.g., personal health information). Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: cp-9_obj + name: assessment-objective + props: + - name: label + value: CP-09 + class: sp800-53a + parts: + - id: cp-9_obj.a + name: assessment-objective + props: + - name: label + value: CP-09a. + class: sp800-53a + prose: "backups of user-level information contained in {{ insert:\ + \ param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02\ + \ }};" + links: + - href: "#cp-9_smt.a" + rel: assessment-for + - id: cp-9_obj.b + name: assessment-objective + props: + - name: label + value: CP-09b. + class: sp800-53a + prose: "backups of system-level information contained in the system\ + \ are conducted {{ insert: param, cp-09_odp.03 }};" + links: + - href: "#cp-9_smt.b" + rel: assessment-for + - id: cp-9_obj.c + name: assessment-objective + props: + - name: label + value: CP-09c. + class: sp800-53a + prose: "backups of system documentation, including security- and\ + \ privacy-related documentation are conducted {{ insert: param,\ + \ cp-09_odp.04 }};" + links: + - href: "#cp-9_smt.c" + rel: assessment-for + - id: cp-9_obj.d + name: assessment-objective + props: + - name: label + value: CP-09d. + class: sp800-53a + parts: + - id: cp-9_obj.d-1 + name: assessment-objective + props: + - name: label + value: CP-09d.[01] + class: sp800-53a + prose: the confidentiality of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-2 + name: assessment-objective + props: + - name: label + value: CP-09d.[02] + class: sp800-53a + prose: the integrity of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-3 + name: assessment-objective + props: + - name: label + value: CP-09d.[03] + class: sp800-53a + prose: the availability of backup information is protected. + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt" + rel: assessment-for + - id: cp-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + backup storage location(s) + + system backup logs or records + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + controls: + - id: cp-9.1 + class: SP800-53-enhancement + title: Testing for Reliability and Integrity + params: + - id: cp-9.1_prm_1 + label: organization-defined frequency + constraints: + - description: at least monthly + - id: cp-09.01_odp.01 + label: frequency + guidelines: + - prose: frequency at which to test backup information for media + reliability is defined; + - id: cp-09.01_odp.02 + label: frequency + guidelines: + - prose: frequency at which to test backup information for information + integrity is defined; + props: + - name: label + value: CP-9(1) + - name: label + value: CP-09(01) + class: sp800-53a + - name: sort-id + value: cp-09.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#cp-4" + rel: related + parts: + - id: cp-9.1_smt + name: statement + prose: "Test backup information {{ insert: param, cp-9.1_prm_1 }}\ + \ to verify media reliability and information integrity." + - id: cp-9.1_gdn + name: guidance + prose: Organizations need assurance that backup information can + be reliably retrieved. Reliability pertains to the systems and + system components where the backup information is stored, the + operations used to retrieve the information, and the integrity + of the information being retrieved. Independent and specialized + tests can be used for each of the aspects of reliability. For + example, decrypting and transporting (or transmitting) a random + sample of backup files from the alternate storage or backup site + and comparing the information to the same information at the primary + processing site can provide such assurance. + - id: cp-9.1_obj + name: assessment-objective + props: + - name: label + value: CP-09(01) + class: sp800-53a + parts: + - id: cp-9.1_obj-1 + name: assessment-objective + props: + - name: label + value: CP-09(01)[01] + class: sp800-53a + prose: "backup information is tested {{ insert: param, cp-09.01_odp.01\ + \ }} to verify media reliability;" + links: + - href: "#cp-9.1_smt" + rel: assessment-for + - id: cp-9.1_obj-2 + name: assessment-objective + props: + - name: label + value: CP-09(01)[02] + class: sp800-53a + prose: "backup information is tested {{ insert: param, cp-09.01_odp.02\ + \ }} to verify information integrity." + links: + - href: "#cp-9.1_smt" + rel: assessment-for + links: + - href: "#cp-9.1_smt" + rel: assessment-for + - id: cp-9.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-9.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + - id: cp-9.2 + class: SP800-53-enhancement + title: Test Restoration Using Sampling + props: + - name: label + value: CP-9(2) + - name: label + value: CP-09(02) + class: sp800-53a + - name: sort-id + value: cp-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#cp-4" + rel: related + parts: + - id: cp-9.2_smt + name: statement + prose: Use a sample of backup information in the restoration of + selected system functions as part of contingency plan testing. + - id: cp-9.2_gdn + name: guidance + prose: Organizations need assurance that system functions can be + restored correctly and can support established organizational + missions. To ensure that the selected system functions are thoroughly + exercised during contingency plan testing, a sample of backup + information is retrieved to determine whether the functions are + operating as intended. Organizations can determine the sample + size for the functions and backup information based on the level + of assurance needed. + - id: cp-9.2_obj + name: assessment-objective + props: + - name: label + value: CP-09(02) + class: sp800-53a + prose: a sample of backup information in the restoration of selected + system functions is used as part of contingency plan testing. + links: + - href: "#cp-9.2_smt" + rel: assessment-for + - id: cp-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with contingency planning/contingency + plan testing responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + - id: cp-9.3 + class: SP800-53-enhancement + title: Separate Storage for Critical Information + params: + - id: cp-09.03_odp + label: critical system software and other security-related information + guidelines: + - prose: critical system software and other security-related information + backups to be stored in a separate facility are defined; + props: + - name: label + value: CP-9(3) + - name: label + value: CP-09(03) + class: sp800-53a + - name: sort-id + value: cp-09.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + parts: + - id: cp-9.3_smt + name: statement + prose: "Store backup copies of {{ insert: param, cp-09.03_odp }}\ + \ in a separate facility or in a fire rated container that is\ + \ not collocated with the operational system." + - id: cp-9.3_gdn + name: guidance + prose: Separate storage for critical information applies to all + critical information regardless of the type of backup storage + media. Critical system software includes operating systems, middleware, + cryptographic key management systems, and intrusion detection + systems. Security-related information includes inventories of + system hardware, software, and firmware components. Alternate + storage sites, including geographically distributed architectures, + serve as separate storage facilities for organizations. Organizations + may provide separate storage by implementing automated backup + processes at alternative storage sites (e.g., data centers). The + General Services Administration (GSA) establishes standards and + specifications for security and fire rated containers. + - id: cp-9.3_obj + name: assessment-objective + props: + - name: label + value: CP-09(03) + class: sp800-53a + prose: "backup copies of {{ insert: param, cp-09.03_odp }} are stored\ + \ in a separate facility or in a fire rated container that is\ + \ not collocated with the operational system." + links: + - href: "#cp-9.3_smt" + rel: assessment-for + - id: cp-9.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system backup + + + contingency plan + + + backup storage location(s) + + + system backup configurations and associated documentation + + + system backup logs or records + + + system security plan + + + other relevant documents or records + - id: cp-9.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with system backup responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.5 + class: SP800-53-enhancement + title: Transfer to Alternate Storage Site + params: + - id: cp-9.5_prm_1 + label: organization-defined time period and transfer rate consistent + with the recovery time and recovery point objectives + constraints: + - description: time period and transfer rate consistent with the + recovery time and recovery point objectives defined in the + service provider and organization SLA. + - id: cp-09.05_odp.01 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery + point objectives is defined; + - id: cp-09.05_odp.02 + label: transfer rate + guidelines: + - prose: transfer rate consistent with recovery time and recovery + point objectives is defined; + props: + - name: label + value: CP-9(5) + - name: label + value: CP-09(05) + class: sp800-53a + - name: sort-id + value: cp-09.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#cp-7" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + parts: + - id: cp-9.5_smt + name: statement + prose: "Transfer system backup information to the alternate storage\ + \ site {{ insert: param, cp-9.5_prm_1 }}." + - id: cp-9.5_gdn + name: guidance + prose: System backup information can be transferred to alternate + storage sites either electronically or by the physical shipment + of storage media. + - id: cp-9.5_obj + name: assessment-objective + props: + - name: label + value: CP-09(05) + class: sp800-53a + parts: + - id: cp-9.5_obj-1 + name: assessment-objective + props: + - name: label + value: CP-09(05)[01] + class: sp800-53a + prose: "system backup information is transferred to the alternate\ + \ storage site for {{ insert: param, cp-09.05_odp.01 }};" + links: + - href: "#cp-9.5_smt" + rel: assessment-for + - id: cp-9.5_obj-2 + name: assessment-objective + props: + - name: label + value: CP-09(05)[02] + class: sp800-53a + prose: "system backup information is transferred to the alternate\ + \ storage site {{ insert: param, cp-09.05_odp.02 }}." + links: + - href: "#cp-9.5_smt" + rel: assessment-for + links: + - href: "#cp-9.5_smt" + rel: assessment-for + - id: cp-9.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system backup + + + contingency plan + + + system backup logs or records + + + evidence of system backup information transferred to alternate + storage site + + + alternate storage site agreements + + + system security plan + + + other relevant documents or records + - id: cp-9.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for transferring system backups + to the alternate storage site + + + mechanisms supporting and/or implementing system backups + + + mechanisms supporting and/or implementing information transfer + to the alternate storage site + - id: cp-9.8 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: cp-09.08_odp + label: backup information + constraints: + - description: all backup files + guidelines: + - prose: backup information to protect against unauthorized disclosure + and modification is defined; + props: + - name: label + value: CP-9(8) + - name: label + value: CP-09(08) + class: sp800-53a + - name: sort-id + value: cp-09.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: cp-9.8_smt + name: statement + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of {{ insert: param, cp-09.08_odp\ + \ }}." + parts: + - id: cp-9.8_fr + name: item + title: CP-9 (8) Additional FedRAMP Requirements and Guidance + parts: + - id: cp-9.8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: cp-9.8_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of backup information. + The strength of mechanisms selected is commensurate with the security + category or classification of the information. Cryptographic protection + applies to system backup information in storage at both primary + and alternate locations. Organizations that implement cryptographic + mechanisms to protect information at rest also consider cryptographic + key management solutions. + - id: cp-9.8_obj + name: assessment-objective + props: + - name: label + value: CP-09(08) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent unauthorized\ + \ disclosure and modification of {{ insert: param, cp-09.08_odp\ + \ }}." + links: + - href: "#cp-9.8_smt" + rel: assessment-for + - id: cp-9.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system backup + + + contingency plan + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: cp-9.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic + protection of backup information + - id: cp-10 + class: SP800-53 + title: System Recovery and Reconstitution + params: + - id: cp-10_prm_1 + label: organization-defined time period consistent with recovery time + and recovery point objectives + - id: cp-10_odp.01 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the recovery of the system is determined; + - id: cp-10_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the reconstitution of the system is determined; + props: + - name: label + value: CP-10 + - name: label + value: CP-10 + class: sp800-53a + - name: sort-id + value: cp-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-24" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-10_smt + name: statement + prose: "Provide for the recovery and reconstitution of the system to\ + \ a known state within {{ insert: param, cp-10_prm_1 }} after a disruption,\ + \ compromise, or failure." + - id: cp-10_gdn + name: guidance + prose: Recovery is executing contingency plan activities to restore + organizational mission and business functions. Reconstitution takes + place following recovery and includes activities for returning systems + to fully operational states. Recovery and reconstitution operations + reflect mission and business priorities; recovery point, recovery + time, and reconstitution objectives; and organizational metrics consistent + with contingency plan requirements. Reconstitution includes the deactivation + of interim system capabilities that may have been needed during recovery + operations. Reconstitution also includes assessments of fully restored + system capabilities, reestablishment of continuous monitoring activities, + system reauthorization (if required), and activities to prepare the + system and organization for future disruptions, breaches, compromises, + or failures. Recovery and reconstitution capabilities can include + automated mechanisms and manual procedures. Organizations establish + recovery time and recovery point objectives as part of contingency + planning. + - id: cp-10_obj + name: assessment-objective + props: + - name: label + value: CP-10 + class: sp800-53a + parts: + - id: cp-10_obj-1 + name: assessment-objective + props: + - name: label + value: CP-10[01] + class: sp800-53a + prose: "the recovery of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.01 }} after a disruption,\ + \ compromise, or failure;" + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_obj-2 + name: assessment-objective + props: + - name: label + value: CP-10[02] + class: sp800-53a + prose: "a reconstitution of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.02 }} after a disruption,\ + \ compromise, or failure." + links: + - href: "#cp-10_smt" + rel: assessment-for + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test results + + contingency plan test documentation + + redundant secondary system for system backups + + location(s) of redundant secondary backup system(s) + + system security plan + + other relevant documents or records + - id: cp-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, + recovery, and/or reconstitution responsibilities + + + organizational personnel with information security responsibilities + - id: cp-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes implementing system recovery and + reconstitution operations + + + mechanisms supporting and/or implementing system recovery and + reconstitution operations + controls: + - id: cp-10.2 + class: SP800-53-enhancement + title: Transaction Recovery + props: + - name: label + value: CP-10(2) + - name: label + value: CP-10(02) + class: sp800-53a + - name: sort-id + value: cp-10.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-10" + rel: required + parts: + - id: cp-10.2_smt + name: statement + prose: Implement transaction recovery for systems that are transaction-based. + - id: cp-10.2_gdn + name: guidance + prose: Transaction-based systems include database management systems + and transaction processing systems. Mechanisms supporting transaction + recovery include transaction rollback and transaction journaling. + - id: cp-10.2_obj + name: assessment-objective + props: + - name: label + value: CP-10(02) + class: sp800-53a + prose: transaction recovery is implemented for systems that are + transaction-based. + links: + - href: "#cp-10.2_smt" + rel: assessment-for + - id: cp-10.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system recovery and reconstitution + + + contingency plan + + + system design documentation + + + system configuration settings and associated documentation + + + contingency plan test documentation + + + contingency plan test results + + + system transaction recovery records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cp-10.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + transaction recovery + + + organizational personnel with information security responsibilities + - id: cp-10.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transaction + recovery capability + - id: cp-10.4 + class: SP800-53-enhancement + title: Restore Within Time Period + params: + - id: cp-10.04_odp + label: restoration time periods + constraints: + - description: time period consistent with the restoration time-periods + defined in the service provider and organization SLA + guidelines: + - prose: restoration time period within which to restore system + components to a known, operational state is defined; + props: + - name: label + value: CP-10(4) + - name: label + value: CP-10(04) + class: sp800-53a + - name: sort-id + value: cp-10.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-10" + rel: required + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + parts: + - id: cp-10.4_smt + name: statement + prose: "Provide the capability to restore system components within\ + \ {{ insert: param, cp-10.04_odp }} from configuration-controlled\ + \ and integrity-protected information representing a known, operational\ + \ state for the components." + - id: cp-10.4_gdn + name: guidance + prose: Restoration of system components includes reimaging, which + restores the components to known, operational states. + - id: cp-10.4_obj + name: assessment-objective + props: + - name: label + value: CP-10(04) + class: sp800-53a + prose: "the capability to restore system components within {{ insert:\ + \ param, cp-10.04_odp }} from configuration-controlled and integrity-protected\ + \ information representing a known, operational state for the\ + \ components is provided." + links: + - href: "#cp-10.4_smt" + rel: assessment-for + - id: cp-10.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system recovery and reconstitution + + + contingency plan + + + system design documentation + + + system configuration settings and associated documentation + + + contingency plan test documentation + + + contingency plan test results + + + evidence of system recovery and reconstitution operations + + + system security plan + + + other relevant documents or records + - id: cp-10.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system recovery and + reconstitution responsibilities + + + organizational personnel with information security responsibilities + - id: cp-10.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the recovery/reconstitution + of system information + - id: ia + class: family + title: Identification and Authentication + controls: + - id: ia-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ia-1_prm_1 + label: organization-defined personnel or roles + - id: ia-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + policy is to be disseminated are defined; + - id: ia-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + procedures are to be disseminated is/are defined; + - id: ia-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ia-01_odp.04 + label: official + guidelines: + - prose: an official to manage the identification and authentication + policy and procedures is defined; + - id: ia-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current identification and authentication + policy is reviewed and updated is defined; + - id: ia-01_odp.06 + label: events + guidelines: + - prose: events that would require the current identification and + authentication policy to be reviewed and updated are defined; + - id: ia-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current identification and authentication + procedures are reviewed and updated is defined; + - id: ia-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require identification and authentication + procedures to be reviewed and updated are defined; + props: + - name: label + value: IA-1 + - name: label + value: IA-01 + class: sp800-53a + - name: sort-id + value: ia-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ia-1_smt + name: statement + parts: + - id: ia-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ia-1_prm_1 }}:" + parts: + - id: ia-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ia-01_odp.03 }} identification and\ + \ authentication policy that:" + parts: + - id: ia-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ia-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ia-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification + and authentication controls; + - id: ia-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ia-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures; and" + - id: ia-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current identification and authentication:" + parts: + - id: ia-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ia-01_odp.05 }} and following\ + \ {{ insert: param, ia-01_odp.06 }} ; and" + - id: ia-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ia-01_odp.07 }} and following\ + \ {{ insert: param, ia-01_odp.08 }}." + - id: ia-1_gdn + name: guidance + prose: Identification and authentication policy and procedures address + the controls in the IA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of identification and authentication policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + identification and authentication policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ia-1_obj + name: assessment-objective + props: + - name: label + value: IA-01 + class: sp800-53a + parts: + - id: ia-1_obj.a + name: assessment-objective + props: + - name: label + value: IA-01a. + class: sp800-53a + parts: + - id: ia-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.[01] + class: sp800-53a + prose: an identification and authentication policy is developed + and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.[02] + class: sp800-53a + prose: "the identification and authentication policy is disseminated\ + \ to {{ insert: param, ia-01_odp.01 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.[03] + class: sp800-53a + prose: identification and authentication procedures to facilitate + the implementation of the identification and authentication + policy and associated identification and authentication controls + are developed and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.[04] + class: sp800-53a + prose: "the identification and authentication procedures are\ + \ disseminated to {{ insert: param, ia-01_odp.02 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IA-01a.01 + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IA-01a.01(a) + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses purpose;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses scope;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses roles;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses responsibilities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses management commitment;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses compliance;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ia-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1" + rel: assessment-for + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.b + name: assessment-objective + props: + - name: label + value: IA-01b. + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures;" + links: + - href: "#ia-1_smt.b" + rel: assessment-for + - id: ia-1_obj.c + name: assessment-objective + props: + - name: label + value: IA-01c. + class: sp800-53a + parts: + - id: ia-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IA-01c.01 + class: sp800-53a + parts: + - id: ia-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IA-01c.01[01] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated {{ insert: param, ia-01_odp.05\ + \ }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IA-01c.01[02] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated following {{ insert: param,\ + \ ia-01_odp.06 }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IA-01c.02 + class: sp800-53a + parts: + - id: ia-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IA-01c.02[01] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated {{ insert: param, ia-01_odp.07\ + \ }};" + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + - id: ia-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IA-01c.02[02] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ ia-01_odp.08 }}." + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c" + rel: assessment-for + links: + - href: "#ia-1_smt" + rel: assessment-for + - id: ia-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy and procedures + + + system security plan + + + privacy plan + + + risk management strategy documentation + + + list of events requiring identification and authentication procedures + to be reviewed and updated (e.g., audit findings) + + + other relevant documents or records + - id: ia-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identification and + authentication responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ia-2 + class: SP800-53 + title: Identification and Authentication (Organizational Users) + props: + - name: label + value: IA-2 + - name: label + value: IA-02 + class: sp800-53a + - name: sort-id + value: ia-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4" + rel: reference + - href: "#e8552d48-cf41-40aa-8b06-f45f7fb4706c" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-1" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: ia-2_smt + name: statement + prose: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those + users. + parts: + - id: ia-2_fr + name: item + title: IA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For all control enhancements that specify multifactor + authentication, the implementation must adhere to the Digital + Identity Guidelines specified in NIST Special Publication + 800-63B. + - id: ia-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2_fr_smt.3 + name: item + props: + - name: label + value: "Requirement:" + prose: All uses of encrypted virtual private networks must meet + all applicable Federal requirements and architecture, dataflow, + and security and privacy controls must be documented, assessed, + and authorized to operate. + - id: ia-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: \"Phishing-resistant\" authentication refers to authentication + processes designed to detect and prevent disclosure of authentication + secrets and outputs to a website or application masquerading + as a legitimate system. + - id: ia-2_gdn + name: guidance + prose: >- + Organizations can satisfy the identification and authentication + requirements by complying with the requirements in [HSPD + 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational + users include employees or individuals who organizations + consider to have an equivalent status to employees (e.g., + contractors and guest researchers). Unique identification and + authentication of users applies to all accesses other than those + that are explicitly identified in [AC-14](#ac-14) and that occur + through the authorized use of group authenticators without + individual authentication. Since processes execute on behalf of + groups and roles, organizations may require unique + identification of individuals in group accounts or for detailed + accountability of individual activity. + + + Organizations employ passwords, physical authenticators, or biometrics + to authenticate user identities or, in the case of multi-factor authentication, + some combination thereof. Access to organizational systems is defined + as either local access or network access. Local access is any access + to organizational systems by users or processes acting on behalf of + users, where access is obtained through direct connections without + the use of networks. Network access is access to organizational systems + by users (or processes acting on behalf of users) where access is + obtained through network connections (i.e., nonlocal accesses). Remote + access is a type of network access that involves communication through + external networks. Internal networks include local area networks and + wide area networks. + + + The use of encrypted virtual private networks for network connections + between organization-controlled endpoints and non-organization-controlled + endpoints may be treated as internal networks with respect to protecting + the confidentiality and integrity of information traversing the network. + Identification and authentication requirements for non-organizational + users are described in [IA-8](#ia-8). + - id: ia-2_obj + name: assessment-objective + props: + - name: label + value: IA-02 + class: sp800-53a + parts: + - id: ia-2_obj-1 + name: assessment-objective + props: + - name: label + value: IA-02[01] + class: sp800-53a + prose: organizational users are uniquely identified and authenticated; + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_obj-2 + name: assessment-objective + props: + - name: label + value: IA-02[02] + class: sp800-53a + prose: the unique identification of authenticated organizational + users is associated with processes acting on behalf of those users. + links: + - href: "#ia-2_smt" + rel: assessment-for + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing user identification and authentication + + system security plan, system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + + + system developers + - id: ia-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for uniquely identifying and + authenticating users + + + mechanisms supporting and/or implementing identification and authentication + capabilities + controls: + - id: ia-2.1 + class: SP800-53-enhancement + title: Multi-factor Authentication to Privileged Accounts + props: + - name: label + value: IA-2(1) + - name: label + value: IA-02(01) + class: sp800-53a + - name: sort-id + value: ia-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + parts: + - id: ia-2.1_smt + name: statement + prose: Implement multi-factor authentication for access to privileged + accounts. + parts: + - id: ia-2.1_fr + name: item + title: IA-2 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.1_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.1_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification (PIV) card or the Department of Defense\ + \ (DoD) Common Access Card (CAC). In addition to authenticating\ + \ users at the system level (i.e., at logon), organizations may\ + \ employ authentication mechanisms at the application level, at\ + \ their discretion, to provide increased security. Regardless\ + \ of the type of access (i.e., local, network, remote), privileged\ + \ accounts are authenticated using multi-factor options appropriate\ + \ for the level of risk. Organizations can add additional security\ + \ measures, such as additional or more rigorous authentication\ + \ mechanisms, for specific types of access." + - id: ia-2.1_obj + name: assessment-objective + props: + - name: label + value: IA-02(01) + class: sp800-53a + prose: multi-factor authentication is implemented for access to + privileged accounts. + links: + - href: "#ia-2.1_smt" + rel: assessment-for + - id: ia-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user identification and authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.2 + class: SP800-53-enhancement + title: Multi-factor Authentication to Non-privileged Accounts + props: + - name: label + value: IA-2(2) + - name: label + value: IA-02(02) + class: sp800-53a + - name: sort-id + value: ia-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: ia-2.2_smt + name: statement + prose: Implement multi-factor authentication for access to non-privileged + accounts. + parts: + - id: ia-2.2_fr + name: item + title: IA-2 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.2_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification card or the DoD Common Access Card. In\ + \ addition to authenticating users at the system level, organizations\ + \ may also employ authentication mechanisms at the application\ + \ level, at their discretion, to provide increased information\ + \ security. Regardless of the type of access (i.e., local, network,\ + \ remote), non-privileged accounts are authenticated using multi-factor\ + \ options appropriate for the level of risk. Organizations can\ + \ provide additional security measures, such as additional or\ + \ more rigorous authentication mechanisms, for specific types\ + \ of access." + - id: ia-2.2_obj + name: assessment-objective + props: + - name: label + value: IA-02(02) + class: sp800-53a + prose: multi-factor authentication for access to non-privileged + accounts is implemented. + links: + - href: "#ia-2.2_smt" + rel: assessment-for + - id: ia-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.5 + class: SP800-53-enhancement + title: Individual Authentication with Group Authentication + props: + - name: label + value: IA-2(5) + - name: label + value: IA-02(05) + class: sp800-53a + - name: sort-id + value: ia-02.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.5_smt + name: statement + prose: When shared accounts or authenticators are employed, require + users to be individually authenticated before granting access + to the shared accounts or resources. + - id: ia-2.5_gdn + name: guidance + prose: Individual authentication prior to shared group authentication + mitigates the risk of using group accounts or authenticators. + - id: ia-2.5_obj + name: assessment-objective + props: + - name: label + value: IA-02(05) + class: sp800-53a + prose: users are required to be individually authenticated before + granting access to the shared accounts or resources when shared + accounts or authenticators are employed. + links: + - href: "#ia-2.5_smt" + rel: assessment-for + - id: ia-2.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an authentication + capability for group accounts + - id: ia-2.6 + class: SP800-53-enhancement + title: Access to Accounts —separate Device + params: + - id: ia-02.06_odp.01 + constraints: + - description: local, network and remote + select: + how-many: one-or-more + choice: + - local + - network + - remote + - id: ia-02.06_odp.02 + constraints: + - description: privileged accounts; non-privileged accounts + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + - id: ia-02.06_odp.03 + label: strength of mechanism requirements + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: the strength of mechanism requirements to be enforced + by a device separate from the system gaining access to accounts + is defined; + props: + - name: label + value: IA-2(6) + - name: label + value: IA-02(06) + class: sp800-53a + - name: sort-id + value: ia-02.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-6" + rel: related + parts: + - id: ia-2.6_smt + name: statement + prose: "Implement multi-factor authentication for {{ insert: param,\ + \ ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that:" + parts: + - id: ia-2.6_smt.a + name: item + props: + - name: label + value: (a) + prose: One of the factors is provided by a device separate from + the system gaining access; and + - id: ia-2.6_smt.b + name: item + props: + - name: label + value: (b) + prose: "The device meets {{ insert: param, ia-02.06_odp.03 }}." + - id: ia-2.6_fr + name: item + title: IA-2 (6) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: PIV=separate device. Please refer to NIST SP 800-157 + Guidelines for Derived Personal Identity Verification + (PIV) Credentials. + - id: ia-2.6_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See SC-13 Guidance for more information on FIPS-validated + or NSA-approved cryptography. + - id: ia-2.6_gdn + name: guidance + prose: The purpose of requiring a device that is separate from the + system to which the user is attempting to gain access for one + of the factors during multi-factor authentication is to reduce + the likelihood of compromising authenticators or credentials stored + on the system. Adversaries may be able to compromise such authenticators + or credentials and subsequently impersonate authorized users. + Implementing one of the factors on a separate device (e.g., a + hardware token), provides a greater strength of mechanism and + an increased level of assurance in the authentication process. + - id: ia-2.6_obj + name: assessment-objective + props: + - name: label + value: IA-02(06) + class: sp800-53a + parts: + - id: ia-2.6_obj.a + name: assessment-objective + props: + - name: label + value: IA-02(06)(a) + class: sp800-53a + prose: "multi-factor authentication is implemented for {{ insert:\ + \ param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that one of the factors is provided by a device\ + \ separate from the system gaining access;" + links: + - href: "#ia-2.6_smt.a" + rel: assessment-for + - id: ia-2.6_obj.b + name: assessment-objective + props: + - name: label + value: IA-02(06)(b) + class: sp800-53a + prose: "multi-factor authentication is implemented for {{ insert:\ + \ param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that the device meets {{ insert: param, ia-02.06_odp.03\ + \ }}." + links: + - href: "#ia-2.6_smt.b" + rel: assessment-for + links: + - href: "#ia-2.6_smt" + rel: assessment-for + - id: ia-2.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing multi-factor + authentication capability + - id: ia-2.8 + class: SP800-53-enhancement + title: Access to Accounts — Replay Resistant + params: + - id: ia-02.08_odp + constraints: + - description: privileged accounts; non-privileged accounts + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + props: + - name: label + value: IA-2(8) + - name: label + value: IA-02(08) + class: sp800-53a + - name: sort-id + value: ia-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.8_smt + name: statement + prose: "Implement replay-resistant authentication mechanisms for\ + \ access to {{ insert: param, ia-02.08_odp }}." + - id: ia-2.8_gdn + name: guidance + prose: Authentication processes resist replay attacks if it is impractical + to achieve successful authentications by replaying previous authentication + messages. Replay-resistant techniques include protocols that use + nonces or challenges such as time synchronous or cryptographic + authenticators. + - id: ia-2.8_obj + name: assessment-objective + props: + - name: label + value: IA-02(08) + class: sp800-53a + prose: "replay-resistant authentication mechanisms for access to\ + \ {{ insert: param, ia-02.08_odp }} are implemented." + links: + - href: "#ia-2.8_smt" + rel: assessment-for + - id: ia-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of privileged system accounts + + + other relevant documents or records + - id: ia-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + Mechanisms supporting and/or implementing replay-resistant + authentication mechanisms + - id: ia-2.12 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials + props: + - name: label + value: IA-2(12) + - name: label + value: IA-02(12) + class: sp800-53a + - name: sort-id + value: ia-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.12_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials. + parts: + - id: ia-2.12_fr + name: item + title: IA-2 (12) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Include Common Access Card (CAC), i.e., the DoD technical + implementation of PIV/FIPS 201/HSPD-12. + - id: ia-2.12_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV)-compliant + credentials applies to organizations implementing logical access + control and physical access control systems. PIV-compliant credentials + are those credentials issued by federal agencies that conform + to FIPS Publication 201 and supporting guidance documents. The + adequacy and reliability of PIV card issuers are authorized using + [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance + of PIV-compliant credentials includes derived PIV credentials, + the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) + . The DOD Common Access Card (CAC) is an example of a PIV credential. + - id: ia-2.12_obj + name: assessment-objective + props: + - name: label + value: IA-02(12) + class: sp800-53a + prose: Personal Identity Verification-compliant credentials are + accepted and electronically verified. + links: + - href: "#ia-2.12_smt" + rel: assessment-for + - id: ia-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing acceptance + and verification of PIV credentials + - id: ia-3 + class: SP800-53 + title: Device Identification and Authentication + params: + - id: ia-03_odp.01 + label: devices and/or types of devices + guidelines: + - prose: devices and/or types of devices to be uniquely identified + and authenticated before establishing a connection are defined; + - id: ia-03_odp.02 + select: + how-many: one-or-more + choice: + - local + - remote + - network + props: + - name: label + value: IA-3 + - name: label + value: IA-03 + class: sp800-53a + - name: sort-id + value: ia-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ia-3_smt + name: statement + prose: "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01\ + \ }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + - id: ia-3_gdn + name: guidance + prose: Devices that require unique device-to-device identification and + authentication are defined by type, device, or a combination of type + and device. Organization-defined device types include devices that + are not owned by the organization. Systems use shared known information + (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet + Protocol [TCP/IP] addresses) for device identification or organizational + authentication solutions (e.g., Institute of Electrical and Electronics + Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], + RADIUS server with EAP-Transport Layer Security [TLS] authentication, + Kerberos) to identify and authenticate devices on local and wide area + networks. Organizations determine the required strength of authentication + mechanisms based on the security categories of systems and mission + or business requirements. Because of the challenges of implementing + device authentication on a large scale, organizations can restrict + the application of the control to a limited number/type of devices + based on mission or business needs. + - id: ia-3_obj + name: assessment-objective + props: + - name: label + value: IA-03 + class: sp800-53a + prose: " {{ insert: param, ia-03_odp.01 }} are uniquely identified and\ + \ authenticated before establishing a {{ insert: param, ia-03_odp.02\ + \ }} connection." + links: + - href: "#ia-3_smt" + rel: assessment-for + - id: ia-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing device identification and authentication + + + system design documentation + + + list of devices requiring unique identification and authentication + + + device connection reports + + + system configuration settings and associated documentation + + + other relevant documents or records + - id: ia-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with operational responsibilities + for device identification and authentication + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing device identification + and authentication capabilities + - id: ia-4 + class: SP800-53 + title: Identifier Management + params: + - id: ia-04_odp.01 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles from whom authorization must be received + to assign an identifier are defined; + - id: ia-04_odp.02 + label: time period + constraints: + - description: at least two (2) years + guidelines: + - prose: a time period for preventing reuse of identifiers is defined; + props: + - name: label + value: IA-4 + - name: label + value: IA-04 + class: sp800-53a + - name: sort-id + value: ia-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ia-4_smt + name: statement + prose: "Manage system identifiers by:" + parts: + - id: ia-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Receiving authorization from {{ insert: param, ia-04_odp.01\ + \ }} to assign an individual, group, role, service, or device\ + \ identifier;" + - id: ia-4_smt.b + name: item + props: + - name: label + value: b. + prose: Selecting an identifier that identifies an individual, group, + role, service, or device; + - id: ia-4_smt.c + name: item + props: + - name: label + value: c. + prose: Assigning the identifier to the intended individual, group, + role, service, or device; and + - id: ia-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02\ + \ }}." + - id: ia-4_gdn + name: guidance + prose: Common device identifiers include Media Access Control (MAC) + addresses, Internet Protocol (IP) addresses, or device-unique token + identifiers. The management of individual identifiers is not applicable + to shared system accounts. Typically, individual identifiers are the + usernames of the system accounts assigned to those individuals. In + such instances, the account management activities of [AC-2](#ac-2) + use account names provided by [IA-4](#ia-4) . Identifier management + also addresses individual identifiers not necessarily associated with + system accounts. Preventing the reuse of identifiers implies preventing + the assignment of previously used individual, group, role, service, + or device identifiers to different individuals, groups, roles, services, + or devices. + - id: ia-4_obj + name: assessment-objective + props: + - name: label + value: IA-04 + class: sp800-53a + parts: + - id: ia-4_obj.a + name: assessment-objective + props: + - name: label + value: IA-04a. + class: sp800-53a + prose: "system identifiers are managed by receiving authorization\ + \ from {{ insert: param, ia-04_odp.01 }} to assign to an individual,\ + \ group, role, or device identifier;" + links: + - href: "#ia-4_smt.a" + rel: assessment-for + - id: ia-4_obj.b + name: assessment-objective + props: + - name: label + value: IA-04b. + class: sp800-53a + prose: system identifiers are managed by selecting an identifier + that identifies an individual, group, role, service, or device; + links: + - href: "#ia-4_smt.b" + rel: assessment-for + - id: ia-4_obj.c + name: assessment-objective + props: + - name: label + value: IA-04c. + class: sp800-53a + prose: system identifiers are managed by assigning the identifier + to the intended individual, group, role, service, or device; + links: + - href: "#ia-4_smt.c" + rel: assessment-for + - id: ia-4_obj.d + name: assessment-objective + props: + - name: label + value: IA-04d. + class: sp800-53a + prose: "system identifiers are managed by preventing reuse of identifiers\ + \ for {{ insert: param, ia-04_odp.02 }}." + links: + - href: "#ia-4_smt.d" + rel: assessment-for + links: + - href: "#ia-4_smt" + rel: assessment-for + - id: ia-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing identifier management + + + procedures addressing account management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of system accounts + + + list of identifiers generated from physical access control devices + + + other relevant documents or records + - id: ia-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identifier management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identifier management + controls: + - id: ia-4.4 + class: SP800-53-enhancement + title: Identify User Status + params: + - id: ia-04.04_odp + label: characteristics + constraints: + - description: contractors; foreign nationals + guidelines: + - prose: characteristics used to identify individual status is + defined; + props: + - name: label + value: IA-4(4) + - name: label + value: IA-04(04) + class: sp800-53a + - name: sort-id + value: ia-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-4" + rel: required + parts: + - id: ia-4.4_smt + name: statement + prose: "Manage individual identifiers by uniquely identifying each\ + \ individual as {{ insert: param, ia-04.04_odp }}." + - id: ia-4.4_gdn + name: guidance + prose: Characteristics that identify the status of individuals include + contractors, foreign nationals, and non-organizational users. + Identifying the status of individuals by these characteristics + provides additional information about the people with whom organizational + personnel are communicating. For example, it might be useful for + a government employee to know that one of the individuals on an + email message is a contractor. + - id: ia-4.4_obj + name: assessment-objective + props: + - name: label + value: IA-04(04) + class: sp800-53a + prose: "individual identifiers are managed by uniquely identifying\ + \ each individual as {{ insert: param, ia-04.04_odp }}." + links: + - href: "#ia-4.4_smt" + rel: assessment-for + - id: ia-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing identifier management + + procedures addressing account management + + list of characteristics identifying individual status + + other relevant documents or records + - id: ia-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identifier management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identifier + management + - id: ia-5 + class: SP800-53 + title: Authenticator Management + params: + - id: ia-05_odp.01 + label: time period by authenticator type + guidelines: + - prose: a time period for changing or refreshing authenticators by + authenticator type is defined; + - id: ia-05_odp.02 + label: events + guidelines: + - prose: events that trigger the change or refreshment of authenticators + are defined; + props: + - name: label + value: IA-5 + - name: label + value: IA-05 + class: sp800-53a + - name: sort-id + value: ia-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-5_smt + name: statement + prose: "Manage system authenticators by:" + parts: + - id: ia-5_smt.a + name: item + props: + - name: label + value: a. + prose: Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device + receiving the authenticator; + - id: ia-5_smt.b + name: item + props: + - name: label + value: b. + prose: Establishing initial authenticator content for any authenticators + issued by the organization; + - id: ia-5_smt.c + name: item + props: + - name: label + value: c. + prose: Ensuring that authenticators have sufficient strength of + mechanism for their intended use; + - id: ia-5_smt.d + name: item + props: + - name: label + value: d. + prose: Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or + damaged authenticators, and for revoking authenticators; + - id: ia-5_smt.e + name: item + props: + - name: label + value: e. + prose: Changing default authenticators prior to first use; + - id: ia-5_smt.f + name: item + props: + - name: label + value: f. + prose: "Changing or refreshing authenticators {{ insert: param,\ + \ ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + - id: ia-5_smt.g + name: item + props: + - name: label + value: g. + prose: Protecting authenticator content from unauthorized disclosure + and modification; + - id: ia-5_smt.h + name: item + props: + - name: label + value: h. + prose: Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and + - id: ia-5_smt.i + name: item + props: + - name: label + value: i. + prose: Changing authenticators for group or role accounts when membership + to those accounts changes. + - id: ia-5_fr + name: item + title: IA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Authenticators must be compliant with NIST SP 800-63-3 + Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3 + - id: ia-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SP 800-63C Section 6.2.3 Encrypted Assertion requires + that authentication assertions be encrypted when passed through + third parties, such as a browser. For example, a SAML assertion + can be encrypted using XML-Encryption, or an OpenID Connect + ID Token can be encrypted using JSON Web Encryption (JWE). + - id: ia-5_gdn + name: guidance + prose: >- + Authenticators include passwords, cryptographic devices, + biometrics, certificates, one-time password devices, and ID + badges. Device authenticators include certificates and + passwords. Initial authenticator content is the actual content + of the authenticator (e.g., the initial password). In contrast, + the requirements for authenticator content contain specific + criteria or characteristics (e.g., minimum password length). + Developers may deliver system components with factory default + authentication credentials (i.e., passwords) to allow for + initial installation and configuration. Default authentication + credentials are often well known, easily discoverable, and + present a significant risk. The requirement to protect + individual authenticators may be implemented via control + [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the + possession of individuals and by controls [AC-3](#ac-3), + [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in + organizational systems, including passwords stored in hashed or + encrypted formats or files containing encrypted or hashed + passwords accessible with administrator privileges. + + + Systems support authenticator management by organization-defined settings + and restrictions for various authenticator characteristics (e.g., + minimum password length, validation time window for time synchronous + one-time tokens, and number of allowed rejections during the verification + stage of biometric authentication). Actions can be taken to safeguard + individual authenticators, including maintaining possession of authenticators, + not sharing authenticators with others, and immediately reporting + lost, stolen, or compromised authenticators. Authenticator management + includes issuing and revoking authenticators for temporary access + when no longer needed. + - id: ia-5_obj + name: assessment-objective + props: + - name: label + value: IA-05 + class: sp800-53a + parts: + - id: ia-5_obj.a + name: assessment-objective + props: + - name: label + value: IA-05a. + class: sp800-53a + prose: system authenticators are managed through the verification + of the identity of the individual, group, role, service, or device + receiving the authenticator as part of the initial authenticator + distribution; + links: + - href: "#ia-5_smt.a" + rel: assessment-for + - id: ia-5_obj.b + name: assessment-objective + props: + - name: label + value: IA-05b. + class: sp800-53a + prose: system authenticators are managed through the establishment + of initial authenticator content for any authenticators issued + by the organization; + links: + - href: "#ia-5_smt.b" + rel: assessment-for + - id: ia-5_obj.c + name: assessment-objective + props: + - name: label + value: IA-05c. + class: sp800-53a + prose: system authenticators are managed to ensure that authenticators + have sufficient strength of mechanism for their intended use; + links: + - href: "#ia-5_smt.c" + rel: assessment-for + - id: ia-5_obj.d + name: assessment-objective + props: + - name: label + value: IA-05d. + class: sp800-53a + prose: system authenticators are managed through the establishment + and implementation of administrative procedures for initial authenticator + distribution; lost, compromised, or damaged authenticators; and + the revocation of authenticators; + links: + - href: "#ia-5_smt.d" + rel: assessment-for + - id: ia-5_obj.e + name: assessment-objective + props: + - name: label + value: IA-05e. + class: sp800-53a + prose: system authenticators are managed through the change of default + authenticators prior to first use; + links: + - href: "#ia-5_smt.e" + rel: assessment-for + - id: ia-5_obj.f + name: assessment-objective + props: + - name: label + value: IA-05f. + class: sp800-53a + prose: "system authenticators are managed through the change or\ + \ refreshment of authenticators {{ insert: param, ia-05_odp.01\ + \ }} or when {{ insert: param, ia-05_odp.02 }} occur;" + links: + - href: "#ia-5_smt.f" + rel: assessment-for + - id: ia-5_obj.g + name: assessment-objective + props: + - name: label + value: IA-05g. + class: sp800-53a + prose: system authenticators are managed through the protection + of authenticator content from unauthorized disclosure and modification; + links: + - href: "#ia-5_smt.g" + rel: assessment-for + - id: ia-5_obj.h + name: assessment-objective + props: + - name: label + value: IA-05h. + class: sp800-53a + parts: + - id: ia-5_obj.h-1 + name: assessment-objective + props: + - name: label + value: IA-05h.[01] + class: sp800-53a + prose: system authenticators are managed through the requirement + for individuals to take specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.h-2 + name: assessment-objective + props: + - name: label + value: IA-05h.[02] + class: sp800-53a + prose: system authenticators are managed through the requirement + for devices to implement specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.i + name: assessment-objective + props: + - name: label + value: IA-05i. + class: sp800-53a + prose: system authenticators are managed through the change of authenticators + for group or role accounts when membership to those accounts changes. + links: + - href: "#ia-5_smt.i" + rel: assessment-for + links: + - href: "#ia-5_smt" + rel: assessment-for + - id: ia-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + addressing authenticator management + + + system design documentation + + + system configuration settings and associated documentation + + + list of system authenticator types + + + change control records associated with managing system authenticators + + + system audit records + + + other relevant documents or records + - id: ia-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing authenticator management + capability + controls: + - id: ia-5.1 + class: SP800-53-enhancement + title: Password-based Authentication + params: + - id: ia-05.01_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to update the list of commonly + used, expected, or compromised passwords is defined; + - id: ia-05.01_odp.02 + label: composition and complexity rules + guidelines: + - prose: authenticator composition and complexity rules are defined; + props: + - name: label + value: IA-5(1) + - name: label + value: IA-05(01) + class: sp800-53a + - name: sort-id + value: ia-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + - href: "#ia-6" + rel: related + parts: + - id: ia-5.1_smt + name: statement + prose: "For password-based authentication:" + parts: + - id: ia-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Maintain a list of commonly-used, expected, or compromised\ + \ passwords and update the list {{ insert: param, ia-05.01_odp.01\ + \ }} and when organizational passwords are suspected to have\ + \ been compromised directly or indirectly;" + - id: ia-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Verify, when users create or update passwords, that the + passwords are not found on the list of commonly-used, expected, + or compromised passwords in IA-5(1)(a); + - id: ia-5.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Transmit passwords only over cryptographically-protected + channels; + - id: ia-5.1_smt.d + name: item + props: + - name: label + value: (d) + prose: Store passwords using an approved salted key derivation + function, preferably using a keyed hash; + - id: ia-5.1_smt.e + name: item + props: + - name: label + value: (e) + prose: Require immediate selection of a new password upon account + recovery; + - id: ia-5.1_smt.f + name: item + props: + - name: label + value: (f) + prose: Allow user selection of long passwords and passphrases, + including spaces and all printable characters; + - id: ia-5.1_smt.g + name: item + props: + - name: label + value: (g) + prose: Employ automated tools to assist the user in selecting + strong password authenticators; and + - id: ia-5.1_smt.h + name: item + props: + - name: label + value: (h) + prose: "Enforce the following composition and complexity rules:\ + \ {{ insert: param, ia-05.01_odp.02 }}." + - id: ia-5.1_fr + name: item + title: IA-5 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Password policies must be compliant with NIST SP + 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords + (OTP). Password policies shall not enforce special character + or minimum password rotation requirements for memorized + secrets of users. + - id: ia-5.1_fr_smt.2 + name: item + props: + - name: label + value: "(h) Requirement:" + prose: >- + For cases where technology doesn’t allow + multi-factor authentication, these rules should be + enforced: must have a minimum length of 14 + characters and must support all printable ASCII + characters. + + + For emergency use accounts, these rules should be enforced: + must have a minimum length of 14 characters, must support + all printable ASCII characters, and passwords must be + changed if used. + - id: ia-5.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that (c) and (d) require the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13). + - id: ia-5.1_gdn + name: guidance + prose: Password-based authentication applies to passwords regardless + of whether they are used in single-factor or multi-factor authentication. + Long passwords or passphrases are preferable over shorter passwords. + Enforced composition rules provide marginal security benefits + while decreasing usability. However, organizations may choose + to establish certain rules for password generation (e.g., minimum + character length for long passwords) under certain circumstances + and can enforce this requirement in IA-5(1)(h). Account recovery + can occur, for example, in situations when a password is forgotten. + Cryptographically protected passwords include salted one-way cryptographic + hashes of passwords. The list of commonly used, compromised, or + expected passwords includes passwords obtained from previous breach + corpuses, dictionary words, and repetitive or sequential characters. + The list includes context-specific words, such as the name of + the service, username, and derivatives thereof. + - id: ia-5.1_obj + name: assessment-objective + props: + - name: label + value: IA-05(01) + class: sp800-53a + parts: + - id: ia-5.1_obj.a + name: assessment-objective + props: + - name: label + value: IA-05(01)(a) + class: sp800-53a + prose: "for password-based authentication, a list of commonly\ + \ used, expected, or compromised passwords is maintained and\ + \ updated {{ insert: param, ia-05.01_odp.01 }} and when organizational\ + \ passwords are suspected to have been compromised directly\ + \ or indirectly;" + links: + - href: "#ia-5.1_smt.a" + rel: assessment-for + - id: ia-5.1_obj.b + name: assessment-objective + props: + - name: label + value: IA-05(01)(b) + class: sp800-53a + prose: for password-based authentication when passwords are + created or updated by users, the passwords are verified not + to be found on the list of commonly used, expected, or compromised + passwords in IA-05(01)(a); + links: + - href: "#ia-5.1_smt.b" + rel: assessment-for + - id: ia-5.1_obj.c + name: assessment-objective + props: + - name: label + value: IA-05(01)(c) + class: sp800-53a + prose: for password-based authentication, passwords are only + transmitted over cryptographically protected channels; + links: + - href: "#ia-5.1_smt.c" + rel: assessment-for + - id: ia-5.1_obj.d + name: assessment-objective + props: + - name: label + value: IA-05(01)(d) + class: sp800-53a + prose: for password-based authentication, passwords are stored + using an approved salted key derivation function, preferably + using a keyed hash; + links: + - href: "#ia-5.1_smt.d" + rel: assessment-for + - id: ia-5.1_obj.e + name: assessment-objective + props: + - name: label + value: IA-05(01)(e) + class: sp800-53a + prose: for password-based authentication, immediate selection + of a new password is required upon account recovery; + links: + - href: "#ia-5.1_smt.e" + rel: assessment-for + - id: ia-5.1_obj.f + name: assessment-objective + props: + - name: label + value: IA-05(01)(f) + class: sp800-53a + prose: for password-based authentication, user selection of + long passwords and passphrases is allowed, including spaces + and all printable characters; + links: + - href: "#ia-5.1_smt.f" + rel: assessment-for + - id: ia-5.1_obj.g + name: assessment-objective + props: + - name: label + value: IA-05(01)(g) + class: sp800-53a + prose: for password-based authentication, automated tools are + employed to assist the user in selecting strong password authenticators; + links: + - href: "#ia-5.1_smt.g" + rel: assessment-for + - id: ia-5.1_obj.h + name: assessment-objective + props: + - name: label + value: IA-05(01)(h) + class: sp800-53a + prose: "for password-based authentication, {{ insert: param,\ + \ ia-05.01_odp.02 }} are enforced." + links: + - href: "#ia-5.1_smt.h" + rel: assessment-for + links: + - href: "#ia-5.1_smt" + rel: assessment-for + - id: ia-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + password policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + password configurations and associated documentation + + + other relevant documents or records + - id: ia-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing password-based + authenticator management capability + - id: ia-5.2 + class: SP800-53-enhancement + title: Public Key-based Authentication + props: + - name: label + value: IA-5(2) + - name: label + value: IA-05(02) + class: sp800-53a + - name: sort-id + value: ia-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + - href: "#ia-3" + rel: related + - href: "#sc-17" + rel: related + parts: + - id: ia-5.2_smt + name: statement + parts: + - id: ia-5.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "For public key-based authentication:" + parts: + - id: ia-5.2_smt.a.1 + name: item + props: + - name: label + value: (1) + prose: Enforce authorized access to the corresponding private + key; and + - id: ia-5.2_smt.a.2 + name: item + props: + - name: label + value: (2) + prose: Map the authenticated identity to the account of + the individual or group; and + - id: ia-5.2_smt.b + name: item + props: + - name: label + value: (b) + prose: "When public key infrastructure (PKI) is used:" + parts: + - id: ia-5.2_smt.b.1 + name: item + props: + - name: label + value: (1) + prose: Validate certificates by constructing and verifying + a certification path to an accepted trust anchor, including + checking certificate status information; and + - id: ia-5.2_smt.b.2 + name: item + props: + - name: label + value: (2) + prose: Implement a local cache of revocation data to support + path discovery and validation. + - id: ia-5.2_gdn + name: guidance + prose: Public key cryptography is a valid authentication mechanism + for individuals, machines, and devices. For PKI solutions, status + information for certification paths includes certificate revocation + lists or certificate status protocol responses. For PIV cards, + certificate validation involves the construction and verification + of a certification path to the Common Policy Root trust anchor, + which includes certificate policy processing. Implementing a local + cache of revocation data to support path discovery and validation + also supports system availability in situations where organizations + are unable to access revocation information via the network. + - id: ia-5.2_obj + name: assessment-objective + props: + - name: label + value: IA-05(02) + class: sp800-53a + parts: + - id: ia-5.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-05(02)(a) + class: sp800-53a + parts: + - id: ia-5.2_obj.a.1 + name: assessment-objective + props: + - name: label + value: IA-05(02)(a)(01) + class: sp800-53a + prose: authorized access to the corresponding private key + is enforced for public key-based authentication; + links: + - href: "#ia-5.2_smt.a.1" + rel: assessment-for + - id: ia-5.2_obj.a.2 + name: assessment-objective + props: + - name: label + value: IA-05(02)(a)(02) + class: sp800-53a + prose: the authenticated identity is mapped to the account + of the individual or group for public key-based authentication; + links: + - href: "#ia-5.2_smt.a.2" + rel: assessment-for + links: + - href: "#ia-5.2_smt.a" + rel: assessment-for + - id: ia-5.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-05(02)(b) + class: sp800-53a + parts: + - id: ia-5.2_obj.b.1 + name: assessment-objective + props: + - name: label + value: IA-05(02)(b)(01) + class: sp800-53a + prose: when public key infrastructure (PKI) is used, certificates + are validated by constructing and verifying a certification + path to an accepted trust anchor, including checking certificate + status information; + links: + - href: "#ia-5.2_smt.b.1" + rel: assessment-for + - id: ia-5.2_obj.b.2 + name: assessment-objective + props: + - name: label + value: IA-05(02)(b)(02) + class: sp800-53a + prose: when public key infrastructure (PKI) is used, a local + cache of revocation data is implemented to support path + discovery and validation. + links: + - href: "#ia-5.2_smt.b.2" + rel: assessment-for + links: + - href: "#ia-5.2_smt.b" + rel: assessment-for + links: + - href: "#ia-5.2_smt" + rel: assessment-for + - id: ia-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + PKI certification validation records + + + PKI certification revocation lists + + + other relevant documents or records + - id: ia-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with PKI-based, authenticator + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing PKI-based, + authenticator management capability + - id: ia-5.6 + class: SP800-53-enhancement + title: Protection of Authenticators + props: + - name: label + value: IA-5(6) + - name: label + value: IA-05(06) + class: sp800-53a + - name: sort-id + value: ia-05.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-5" + rel: required + - href: "#ra-2" + rel: related + parts: + - id: ia-5.6_smt + name: statement + prose: Protect authenticators commensurate with the security category + of the information to which use of the authenticator permits access. + - id: ia-5.6_gdn + name: guidance + prose: For systems that contain multiple security categories of + information without reliable physical or logical separation between + categories, authenticators used to grant access to the systems + are protected commensurate with the highest security category + of information on the systems. Security categories of information + are determined as part of the security categorization process. + - id: ia-5.6_obj + name: assessment-objective + props: + - name: label + value: IA-05(06) + class: sp800-53a + prose: authenticators are protected commensurate with the security + category of the information to which use of the authenticator + permits access. + links: + - href: "#ia-5.6_smt" + rel: assessment-for + - id: ia-5.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing authenticator management + + security categorization documentation for the system + + security assessments of authenticator protections + + risk assessment results + + system security plan + + other relevant documents or records + - id: ia-5.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel implementing and/or maintaining authenticator + protections + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing authenticator + management capability + + + mechanisms protecting authenticators + - id: ia-5.7 + class: SP800-53-enhancement + title: No Embedded Unencrypted Static Authenticators + props: + - name: label + value: IA-5(7) + - name: label + value: IA-05(07) + class: sp800-53a + - name: sort-id + value: ia-05.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-5" + rel: required + parts: + - id: ia-5.7_smt + name: statement + prose: Ensure that unencrypted static authenticators are not embedded + in applications or other forms of static storage. + parts: + - id: ia-5.7_fr + name: item + title: IA-5 (7) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.7_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In this context, prohibited static storage refers + to any storage where unencrypted authenticators, such + as passwords, persist beyond the time required to complete + the access process. + - id: ia-5.7_gdn + name: guidance + prose: In addition to applications, other forms of static storage + include access scripts and function keys. Organizations exercise + caution when determining whether embedded or stored authenticators + are in encrypted or unencrypted form. If authenticators are used + in the manner stored, then those representations are considered + unencrypted authenticators. + - id: ia-5.7_obj + name: assessment-objective + props: + - name: label + value: IA-05(07) + class: sp800-53a + prose: unencrypted static authenticators are not embedded in applications + or other forms of static storage. + links: + - href: "#ia-5.7_smt" + rel: assessment-for + - id: ia-5.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing authenticator management + + + system design documentation + + + system configuration settings and associated documentation + + + logical access scripts + + + application code reviews for detecting unencrypted static + authenticators + + + other relevant documents or records + - id: ia-5.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing authenticator + management capability + + + mechanisms implementing authentication in applications + - id: ia-5.8 + class: SP800-53-enhancement + title: Multiple System Accounts + params: + - id: ia-05.08_odp + label: security controls + constraints: + - description: different authenticators in different user authentication + domains + guidelines: + - prose: security controls implemented to manage the risk of compromise + due to individuals having accounts on multiple systems are + defined; + props: + - name: label + value: IA-5(8) + - name: label + value: IA-05(08) + class: sp800-53a + - name: sort-id + value: ia-05.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-5" + rel: required + - href: "#ps-6" + rel: related + parts: + - id: ia-5.8_smt + name: statement + prose: "Implement {{ insert: param, ia-05.08_odp }} to manage the\ + \ risk of compromise due to individuals having accounts on multiple\ + \ systems." + parts: + - id: ia-5.8_fr + name: item + title: IA-5 (8) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.8_fr_gdn.x + name: guidance + props: + - name: label + value: "Guidance:" + prose: If a single user authentication domain is used to + access multiple systems, such as in single-sign-on, then + only a single authenticator is required. + - id: ia-5.8_gdn + name: guidance + prose: When individuals have accounts on multiple systems and use + the same authenticators such as passwords, there is the risk that + a compromise of one account may lead to the compromise of other + accounts. Alternative approaches include having different authenticators + (passwords) on all systems, employing a single sign-on or federation + mechanism, or using some form of one-time passwords on all systems. + Organizations can also use rules of behavior (see [PL-4](#pl-4) + ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk + of multiple system accounts. + - id: ia-5.8_obj + name: assessment-objective + props: + - name: label + value: IA-05(08) + class: sp800-53a + prose: " {{ insert: param, ia-05.08_odp }} are implemented to manage\ + \ the risk of compromise due to individuals having accounts on\ + \ multiple systems." + links: + - href: "#ia-5.8_smt" + rel: assessment-for + - id: ia-5.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing authenticator management + + + system security plan + + + list of individuals having accounts on multiple systems + + + list of security safeguards intended to manage risk of compromise + due to individuals having accounts on multiple systems + + + other relevant documents or records + - id: ia-5.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing safeguards + for authenticator management + - id: ia-5.13 + class: SP800-53-enhancement + title: Expiration of Cached Authenticators + params: + - id: ia-05.13_odp + label: time period + guidelines: + - prose: the time period after which the use of cached authenticators + is prohibited is defined; + props: + - name: label + value: IA-5(13) + - name: label + value: IA-05(13) + class: sp800-53a + - name: sort-id + value: ia-05.13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + parts: + - id: ia-5.13_smt + name: statement + prose: "Prohibit the use of cached authenticators after {{ insert:\ + \ param, ia-05.13_odp }}." + parts: + - id: ia-5.13_fr + name: item + title: IA-5 (13) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.13_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For components subject to configuration baseline(s) + (such as STIG or CIS,) the time period should conform + to the baseline standard. + - id: ia-5.13_gdn + name: guidance + prose: Cached authenticators are used to authenticate to the local + machine when the network is not available. If cached authentication + information is out of date, the validity of the authentication + information may be questionable. + - id: ia-5.13_obj + name: assessment-objective + props: + - name: label + value: IA-05(13) + class: sp800-53a + prose: "the use of cached authenticators is prohibited after {{\ + \ insert: param, ia-05.13_odp }}." + links: + - href: "#ia-5.13_smt" + rel: assessment-for + - id: ia-5.13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(13)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: ia-5.13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(13)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(13)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing authenticator + management capability + - id: ia-6 + class: SP800-53 + title: Authentication Feedback + props: + - name: label + value: IA-6 + - name: label + value: IA-06 + class: sp800-53a + - name: sort-id + value: ia-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + parts: + - id: ia-6_smt + name: statement + prose: Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and + use by unauthorized individuals. + - id: ia-6_gdn + name: guidance + prose: Authentication feedback from systems does not provide information + that would allow unauthorized individuals to compromise authentication + mechanisms. For some types of systems, such as desktops or notebooks + with relatively large monitors, the threat (referred to as shoulder + surfing) may be significant. For other types of systems, such as mobile + devices with small displays, the threat may be less significant and + is balanced against the increased likelihood of typographic input + errors due to small keyboards. Thus, the means for obscuring authentication + feedback is selected accordingly. Obscuring authentication feedback + includes displaying asterisks when users type passwords into input + devices or displaying feedback for a very limited time before obscuring + it. + - id: ia-6_obj + name: assessment-objective + props: + - name: label + value: IA-06 + class: sp800-53a + prose: the feedback of authentication information is obscured during + the authentication process to protect the information from possible + exploitation and use by unauthorized individuals. + links: + - href: "#ia-6_smt" + rel: assessment-for + - id: ia-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing authenticator feedback + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: ia-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the obscuring of + feedback of authentication information during authentication + - id: ia-7 + class: SP800-53 + title: Cryptographic Module Authentication + props: + - name: label + value: IA-7 + - name: label + value: IA-07 + class: sp800-53a + - name: sort-id + value: ia-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-7_smt + name: statement + prose: Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + - id: ia-7_gdn + name: guidance + prose: Authentication mechanisms may be required within a cryptographic + module to authenticate an operator accessing the module and to verify + that the operator is authorized to assume the requested role and perform + services within that role. + - id: ia-7_obj + name: assessment-objective + props: + - name: label + value: IA-07 + class: sp800-53a + prose: mechanisms for authentication to a cryptographic module are implemented + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + links: + - href: "#ia-7_smt" + rel: assessment-for + - id: ia-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing cryptographic module authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + cryptographic module authentication + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic module + authentication + - id: ia-8 + class: SP800-53 + title: Identification and Authentication (Non-organizational Users) + props: + - name: label + value: IA-8 + - name: label + value: IA-08 + class: sp800-53a + - name: sort-id + value: ia-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#a1555677-2b9d-4868-a97b-a1363aff32f5" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-10" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: ia-8_smt + name: statement + prose: Uniquely identify and authenticate non-organizational users or + processes acting on behalf of non-organizational users. + - id: ia-8_gdn + name: guidance + prose: Non-organizational users include system users other than organizational + users explicitly covered by [IA-2](#ia-2) . Non-organizational users + are uniquely identified and authenticated for accesses other than + those explicitly identified and documented in [AC-14](#ac-14) . Identification + and authentication of non-organizational users accessing federal systems + may be required to protect federal, proprietary, or privacy-related + information (with exceptions noted for national security systems). + Organizations consider many factors—including security, privacy, scalability, + and practicality—when balancing the need to ensure ease of use for + access to federal information and systems with the need to protect + and adequately mitigate risk. + - id: ia-8_obj + name: assessment-objective + props: + - name: label + value: IA-08 + class: sp800-53a + prose: non-organizational users or processes acting on behalf of non-organizational + users are uniquely identified and authenticated. + links: + - href: "#ia-8_smt" + rel: assessment-for + - id: ia-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + privacy plan + + procedures addressing user identification and authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + - id: ia-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + controls: + - id: ia-8.1 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials from Other Agencies + props: + - name: label + value: IA-8(1) + - name: label + value: IA-08(01) + class: sp800-53a + - name: sort-id + value: ia-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + - href: "#pe-3" + rel: related + parts: + - id: ia-8.1_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal agencies. + - id: ia-8.1_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV) credentials + from other federal agencies applies to both logical and physical + access control systems. PIV credentials are those credentials + issued by federal agencies that conform to FIPS Publication 201 + and supporting guidelines. The adequacy and reliability of PIV + card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). + - id: ia-8.1_obj + name: assessment-objective + props: + - name: label + value: IA-08(01) + class: sp800-53a + parts: + - id: ia-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: IA-08(01)[01] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are accepted; + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: IA-08(01)[02] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are electronically verified. + links: + - href: "#ia-8.1_smt" + rel: assessment-for + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept and verify PIV credentials + - id: ia-8.2 + class: SP800-53-enhancement + title: Acceptance of External Authenticators + props: + - name: label + value: IA-8(2) + - name: label + value: IA-08(02) + class: sp800-53a + - name: sort-id + value: ia-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.2_smt + name: statement + parts: + - id: ia-8.2_smt.a + name: item + props: + - name: label + value: (a) + prose: Accept only external authenticators that are NIST-compliant; + and + - id: ia-8.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Document and maintain a list of accepted external authenticators. + - id: ia-8.2_gdn + name: guidance + prose: Acceptance of only NIST-compliant external authenticators + applies to organizational systems that are accessible to the public + (e.g., public-facing websites). External authenticators are issued + by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + . Approved external authenticators meet or exceed the minimum + Federal Government-wide technical, security, privacy, and organizational + maturity requirements. Meeting or exceeding Federal requirements + allows Federal Government relying parties to trust external authenticators + in connection with an authentication transaction at a specified + authenticator assurance level. + - id: ia-8.2_obj + name: assessment-objective + props: + - name: label + value: IA-08(02) + class: sp800-53a + parts: + - id: ia-8.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-08(02)(a) + class: sp800-53a + prose: only external authenticators that are NIST-compliant + are accepted; + links: + - href: "#ia-8.2_smt.a" + rel: assessment-for + - id: ia-8.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-08(02)(b) + class: sp800-53a + parts: + - id: ia-8.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[01] + class: sp800-53a + prose: a list of accepted external authenticators is documented; + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + - id: ia-8.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[02] + class: sp800-53a + prose: a list of accepted external authenticators is maintained. + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt" + rel: assessment-for + - id: ia-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of third-party credentialing products, components, or + services procured and implemented by organization + + + third-party credential verification records + + + evidence of third-party credentials + + + third-party credential authorizations + + + other relevant documents or records + - id: ia-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept external credentials + - id: ia-8.4 + class: SP800-53-enhancement + title: Use of Defined Profiles + params: + - id: ia-08.04_odp + label: identity management profiles + guidelines: + - prose: identity management profiles are defined; + props: + - name: label + value: IA-8(4) + - name: label + value: IA-08(04) + class: sp800-53a + - name: sort-id + value: ia-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.4_smt + name: statement + prose: "Conform to the following profiles for identity management\ + \ {{ insert: param, ia-08.04_odp }}." + - id: ia-8.4_gdn + name: guidance + prose: Organizations define profiles for identity management based + on open identity management standards. To ensure that open identity + management standards are viable, robust, reliable, sustainable, + and interoperable as documented, the Federal Government assesses + and scopes the standards and technology implementations against + applicable laws, executive orders, directives, policies, regulations, + standards, and guidelines. + - id: ia-8.4_obj + name: assessment-objective + props: + - name: label + value: IA-08(04) + class: sp800-53a + prose: "there is conformance with {{ insert: param, ia-08.04_odp\ + \ }} for identity management." + links: + - href: "#ia-8.4_smt" + rel: assessment-for + - id: ia-8.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: ia-8.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms supporting and/or implementing conformance with + profiles + - id: ia-11 + class: SP800-53 + title: Re-authentication + params: + - id: ia-11_odp + label: circumstances or situations + guidelines: + - prose: circumstances or situations requiring re-authentication are + defined; + props: + - name: label + value: IA-11 + - name: label + value: IA-11 + class: sp800-53a + - name: sort-id + value: ia-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + - href: "#ac-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: ia-11_smt + name: statement + prose: "Require users to re-authenticate when {{ insert: param, ia-11_odp\ + \ }}." + parts: + - id: ia-11_fr + name: item + title: IA-11 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + The fixed time period cannot exceed the limits set in SP + 800-63. At this writing they are: + + + * AAL3 (high baseline) * 12 hours or * 15 minutes of + inactivity + - id: ia-11_gdn + name: guidance + prose: In addition to the re-authentication requirements associated + with device locks, organizations may require re-authentication of + individuals in certain situations, including when roles, authenticators + or credentials change, when security categories of systems change, + when the execution of privileged functions occurs, after a fixed time + period, or periodically. + - id: ia-11_obj + name: assessment-objective + props: + - name: label + value: IA-11 + class: sp800-53a + prose: "users are required to re-authenticate when {{ insert: param,\ + \ ia-11_odp }}." + links: + - href: "#ia-11_smt" + rel: assessment-for + - id: ia-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user and device re-authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of circumstances or situations requiring re-authentication + + + system audit records + + + other relevant documents or records + - id: ia-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12 + class: SP800-53 + title: Identity Proofing + props: + - name: label + value: IA-12 + - name: label + value: IA-12 + class: sp800-53a + - name: sort-id + value: ia-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#9099ed2c-922a-493d-bcb4-d896192243ff" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-1" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + parts: + - id: ia-12_smt + name: statement + parts: + - id: ia-12_smt.a + name: item + props: + - name: label + value: a. + prose: Identity proof users that require accounts for logical access + to systems based on appropriate identity assurance level requirements + as specified in applicable standards and guidelines; + - id: ia-12_smt.b + name: item + props: + - name: label + value: b. + prose: Resolve user identities to a unique individual; and + - id: ia-12_smt.c + name: item + props: + - name: label + value: c. + prose: Collect, validate, and verify identity evidence. + - id: ia-12_fr + name: item + title: IA-12 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with NIST SP 800-63A Enrollment and Identity + Proofing + - id: ia-12_gdn + name: guidance + prose: Identity proofing is the process of collecting, validating, and + verifying a user’s identity information for the purposes of establishing + credentials for accessing a system. Identity proofing is intended + to mitigate threats to the registration of users and the establishment + of their accounts. Standards and guidelines specifying identity assurance + levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) + and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations + may be subject to laws, executive orders, directives, regulations, + or policies that address the collection of identity evidence. Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: ia-12_obj + name: assessment-objective + props: + - name: label + value: IA-12 + class: sp800-53a + parts: + - id: ia-12_obj.a + name: assessment-objective + props: + - name: label + value: IA-12a. + class: sp800-53a + prose: users who require accounts for logical access to systems + based on appropriate identity assurance level requirements as + specified in applicable standards and guidelines are identity + proofed; + links: + - href: "#ia-12_smt.a" + rel: assessment-for + - id: ia-12_obj.b + name: assessment-objective + props: + - name: label + value: IA-12b. + class: sp800-53a + prose: user identities are resolved to a unique individual; + links: + - href: "#ia-12_smt.b" + rel: assessment-for + - id: ia-12_obj.c + name: assessment-objective + props: + - name: label + value: IA-12c. + class: sp800-53a + parts: + - id: ia-12_obj.c-1 + name: assessment-objective + props: + - name: label + value: IA-12c.[01] + class: sp800-53a + prose: identity evidence is collected; + links: + - href: "#ia-12_smt.c" + rel: assessment-for + - id: ia-12_obj.c-2 + name: assessment-objective + props: + - name: label + value: IA-12c.[02] + class: sp800-53a + prose: identity evidence is validated; + links: + - href: "#ia-12_smt.c" + rel: assessment-for + - id: ia-12_obj.c-3 + name: assessment-objective + props: + - name: label + value: IA-12c.[03] + class: sp800-53a + prose: identity evidence is verified. + links: + - href: "#ia-12_smt.c" + rel: assessment-for + links: + - href: "#ia-12_smt.c" + rel: assessment-for + links: + - href: "#ia-12_smt" + rel: assessment-for + - id: ia-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + privacy plan + + other relevant documents or records + - id: ia-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + legal counsel + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + controls: + - id: ia-12.2 + class: SP800-53-enhancement + title: Identity Evidence + props: + - name: label + value: IA-12(2) + - name: label + value: IA-12(02) + class: sp800-53a + - name: sort-id + value: ia-12.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + parts: + - id: ia-12.2_smt + name: statement + prose: Require evidence of individual identification be presented + to the registration authority. + - id: ia-12.2_gdn + name: guidance + prose: Identity evidence, such as documentary evidence or a combination + of documents and biometrics, reduces the likelihood of individuals + using fraudulent identification to establish an identity or at + least increases the work factor of potential adversaries. The + forms of acceptable evidence are consistent with the risks to + the systems, roles, and privileges associated with the user’s + account. + - id: ia-12.2_obj + name: assessment-objective + props: + - name: label + value: IA-12(02) + class: sp800-53a + prose: evidence of individual identification is presented to the + registration authority. + links: + - href: "#ia-12.2_smt" + rel: assessment-for + - id: ia-12.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12.3 + class: SP800-53-enhancement + title: Identity Evidence Validation and Verification + params: + - id: ia-12.03_odp + label: methods of validation and verification + guidelines: + - prose: methods of validation and verification of identity evidence + are defined; + props: + - name: label + value: IA-12(3) + - name: label + value: IA-12(03) + class: sp800-53a + - name: sort-id + value: ia-12.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + parts: + - id: ia-12.3_smt + name: statement + prose: "Require that the presented identity evidence be validated\ + \ and verified through {{ insert: param, ia-12.03_odp }}." + - id: ia-12.3_gdn + name: guidance + prose: Validation and verification of identity evidence increases + the assurance that accounts and identifiers are being established + for the correct user and authenticators are being bound to that + user. Validation refers to the process of confirming that the + evidence is genuine and authentic, and the data contained in the + evidence is correct, current, and related to an individual. Verification + confirms and establishes a linkage between the claimed identity + and the actual existence of the user presenting the evidence. + Acceptable methods for validating and verifying identity evidence + are consistent with the risks to the systems, roles, and privileges + associated with the users account. + - id: ia-12.3_obj + name: assessment-objective + props: + - name: label + value: IA-12(03) + class: sp800-53a + prose: "the presented identity evidence is validated and verified\ + \ through {{ insert: param, ia-12.03_odp }}." + links: + - href: "#ia-12.3_smt" + rel: assessment-for + - id: ia-12.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12.4 + class: SP800-53-enhancement + title: In-person Validation and Verification + props: + - name: label + value: IA-12(4) + - name: label + value: IA-12(04) + class: sp800-53a + - name: sort-id + value: ia-12.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + parts: + - id: ia-12.4_smt + name: statement + prose: Require that the validation and verification of identity + evidence be conducted in person before a designated registration + authority. + - id: ia-12.4_gdn + name: guidance + prose: In-person proofing reduces the likelihood of fraudulent credentials + being issued because it requires the physical presence of individuals, + the presentation of physical identity documents, and actual face-to-face + interactions with designated registration authorities. + - id: ia-12.4_obj + name: assessment-objective + props: + - name: label + value: IA-12(04) + class: sp800-53a + prose: the validation and verification of identity evidence is conducted + in person before a designated registration authority. + links: + - href: "#ia-12.4_smt" + rel: assessment-for + - id: ia-12.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12.5 + class: SP800-53-enhancement + title: Address Confirmation + params: + - id: ia-12.05_odp + select: + choice: + - registration code + - notice of proofing + props: + - name: label + value: IA-12(5) + - name: label + value: IA-12(05) + class: sp800-53a + - name: sort-id + value: ia-12.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + - href: "#ia-12" + rel: related + parts: + - id: ia-12.5_smt + name: statement + prose: "Require that a {{ insert: param, ia-12.05_odp }} be delivered\ + \ through an out-of-band channel to verify the users address (physical\ + \ or digital) of record." + parts: + - id: ia-12.5_fr + name: item + title: IA-12 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-12.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with NIST SP 800-63A Enrollment and + Identity Proofing + - id: ia-12.5_gdn + name: guidance + prose: To make it more difficult for adversaries to pose as legitimate + users during the identity proofing process, organizations can + use out-of-band methods to ensure that the individual associated + with an address of record is the same individual that participated + in the registration. Confirmation can take the form of a temporary + enrollment code or a notice of proofing. The delivery address + for these artifacts is obtained from records and not self-asserted + by the user. The address can include a physical or digital address. + A home address is an example of a physical address. Email addresses + and telephone numbers are examples of digital addresses. + - id: ia-12.5_obj + name: assessment-objective + props: + - name: label + value: IA-12(05) + class: sp800-53a + prose: "a {{ insert: param, ia-12.05_odp }} is delivered through\ + \ an out-of-band channel to verify the user’s address (physical\ + \ or digital) of record." + links: + - href: "#ia-12.5_smt" + rel: assessment-for + - id: ia-12.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ir + class: family + title: Incident Response + controls: + - id: ir-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ir-1_prm_1 + label: organization-defined personnel or roles + - id: ir-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response policy is + to be disseminated is/are defined; + - id: ir-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response procedures + are to be disseminated is/are defined; + - id: ir-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ir-01_odp.04 + label: official + guidelines: + - prose: an official to manage the incident response policy and procedures + is defined; + - id: ir-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current incident response policy + is reviewed and updated is defined; + - id: ir-01_odp.06 + label: events + guidelines: + - prose: events that would require the current incident response policy + to be reviewed and updated are defined; + - id: ir-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current incident response procedures + are reviewed and updated is defined; + - id: ir-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the incident response procedures + to be reviewed and updated are defined; + props: + - name: label + value: IR-1 + - name: label + value: IR-01 + class: sp800-53a + - name: sort-id + value: ir-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ir-1_smt + name: statement + parts: + - id: ir-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ir-1_prm_1 }}:" + parts: + - id: ir-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy that:" + parts: + - id: ir-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ir-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ir-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the incident + response policy and the associated incident response controls; + - id: ir-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ir-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - id: ir-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current incident response:" + parts: + - id: ir-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ir-01_odp.05 }} and following\ + \ {{ insert: param, ir-01_odp.06 }} ; and" + - id: ir-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ir-01_odp.07 }} and following\ + \ {{ insert: param, ir-01_odp.08 }}." + - id: ir-1_gdn + name: guidance + prose: Incident response policy and procedures address the controls + in the IR family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of incident response + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to incident response policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ir-1_obj + name: assessment-objective + props: + - name: label + value: IR-01 + class: sp800-53a + parts: + - id: ir-1_obj.a + name: assessment-objective + props: + - name: label + value: IR-01a. + class: sp800-53a + parts: + - id: ir-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.[01] + class: sp800-53a + prose: an incident response policy is developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.[02] + class: sp800-53a + prose: "the incident response policy is disseminated to {{ insert:\ + \ param, ir-01_odp.01 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.[03] + class: sp800-53a + prose: incident response procedures to facilitate the implementation + of the incident response policy and associated incident response + controls are developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.[04] + class: sp800-53a + prose: "the incident response procedures are disseminated to\ + \ {{ insert: param, ir-01_odp.02 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-01a.01 + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IR-01a.01(a) + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses purpose;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses scope;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses roles;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses responsibilities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses management commitment;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses compliance;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ir-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1" + rel: assessment-for + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.b + name: assessment-objective + props: + - name: label + value: IR-01b. + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures;" + links: + - href: "#ir-1_smt.b" + rel: assessment-for + - id: ir-1_obj.c + name: assessment-objective + props: + - name: label + value: IR-01c. + class: sp800-53a + parts: + - id: ir-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IR-01c.01 + class: sp800-53a + parts: + - id: ir-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IR-01c.01[01] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated {{ insert: param, ir-01_odp.05 }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IR-01c.01[02] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated following {{ insert: param, ir-01_odp.06\ + \ }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IR-01c.02 + class: sp800-53a + parts: + - id: ir-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IR-01c.02[01] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated {{ insert: param, ir-01_odp.07 }};" + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + - id: ir-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IR-01c.02[02] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated following {{ insert: param, ir-01_odp.08\ + \ }}." + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c" + rel: assessment-for + links: + - href: "#ir-1_smt" + rel: assessment-for + - id: ir-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-2 + class: SP800-53 + title: Incident Response Training + params: + - id: ir-02_odp.01 + label: time period + constraints: + - description: ten (10) days for privileged users, thirty (30) days + for Incident Response roles + guidelines: + - prose: a time period within which incident response training is + to be provided to system users assuming an incident response role + or responsibility is defined; + - id: ir-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide incident response training + to users is defined; + - id: ir-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update incident response + training content is defined; + - id: ir-02_odp.04 + label: events + guidelines: + - prose: events that initiate a review of the incident response training + content are defined; + props: + - name: label + value: IR-2 + - name: label + value: IR-02 + class: sp800-53a + - name: sort-id + value: ir-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-2_smt + name: statement + parts: + - id: ir-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide incident response training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: ir-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, ir-02_odp.01 }} of assuming\ + \ an incident response role or responsibility or acquiring\ + \ system access;" + - id: ir-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: ir-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ir-02_odp.02 }} thereafter; and" + - id: ir-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update incident response training content {{\ + \ insert: param, ir-02_odp.03 }} and following {{ insert: param,\ + \ ir-02_odp.04 }}." + - id: ir-2_gdn + name: guidance + prose: Incident response training is associated with the assigned roles + and responsibilities of organizational personnel to ensure that the + appropriate content and level of detail are included in such training. + For example, users may only need to know who to call or how to recognize + an incident; system administrators may require additional training + on how to handle incidents; and incident responders may receive more + specific training on forensics, data collection techniques, reporting, + system recovery, and system restoration. Incident response training + includes user training in identifying and reporting suspicious activities + from external and internal sources. Incident response training for + users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . + Events that may precipitate an update to incident response training + content include, but are not limited to, incident response plan testing + or response to an actual incident (lessons learned), assessment or + audit findings, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: ir-2_obj + name: assessment-objective + props: + - name: label + value: IR-02 + class: sp800-53a + parts: + - id: ir-2_obj.a + name: assessment-objective + props: + - name: label + value: IR-02a. + class: sp800-53a + parts: + - id: ir-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-02a.01 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities within\ + \ {{ insert: param, ir-02_odp.01 }} of assuming an incident\ + \ response role or responsibility or acquiring system access;" + links: + - href: "#ir-2_smt.a.1" + rel: assessment-for + - id: ir-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-02a.02 + class: sp800-53a + prose: incident response training is provided to system users + consistent with assigned roles and responsibilities when required + by system changes; + links: + - href: "#ir-2_smt.a.2" + rel: assessment-for + - id: ir-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-02a.03 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities {{ insert:\ + \ param, ir-02_odp.02 }} thereafter;" + links: + - href: "#ir-2_smt.a.3" + rel: assessment-for + links: + - href: "#ir-2_smt.a" + rel: assessment-for + - id: ir-2_obj.b + name: assessment-objective + props: + - name: label + value: IR-02b. + class: sp800-53a + parts: + - id: ir-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-02b.[01] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ {{ insert: param, ir-02_odp.03 }};" + links: + - href: "#ir-2_smt.b" + rel: assessment-for + - id: ir-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-02b.[02] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ following {{ insert: param, ir-02_odp.04 }}." + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt" + rel: assessment-for + - id: ir-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response training + + incident response training curriculum + + incident response training materials + + privacy plan + + incident response plan + + incident response training records + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training and + operational responsibilities + + + organizational personnel with information security and privacy + responsibilities + controls: + - id: ir-2.1 + class: SP800-53-enhancement + title: Simulated Events + props: + - name: label + value: IR-2(1) + - name: label + value: IR-02(01) + class: sp800-53a + - name: sort-id + value: ir-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ir-2" + rel: required + parts: + - id: ir-2.1_smt + name: statement + prose: Incorporate simulated events into incident response training + to facilitate the required response by personnel in crisis situations. + - id: ir-2.1_gdn + name: guidance + prose: Organizations establish requirements for responding to incidents + in incident response plans. Incorporating simulated events into + incident response training helps to ensure that personnel understand + their individual responsibilities and what specific actions to + take in crisis situations. + - id: ir-2.1_obj + name: assessment-objective + props: + - name: label + value: IR-02(01) + class: sp800-53a + prose: simulated events are incorporated into incident response + training to facilitate the required response by personnel in crisis + situations. + links: + - href: "#ir-2.1_smt" + rel: assessment-for + - id: ir-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response training + + incident response training curriculum + + incident response training materials + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training + and operational responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that support and/or implement simulated events + for incident response training + - id: ir-2.2 + class: SP800-53-enhancement + title: Automated Training Environments + params: + - id: ir-02.02_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used in an incident response training + environment are defined; + props: + - name: label + value: IR-2(2) + - name: label + value: IR-02(02) + class: sp800-53a + - name: sort-id + value: ir-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ir-2" + rel: required + parts: + - id: ir-2.2_smt + name: statement + prose: "Provide an incident response training environment using\ + \ {{ insert: param, ir-02.02_odp }}." + - id: ir-2.2_gdn + name: guidance + prose: Automated mechanisms can provide a more thorough and realistic + incident response training environment. This can be accomplished, + for example, by providing more complete coverage of incident response + issues, selecting more realistic training scenarios and environments, + and stressing the response capability. + - id: ir-2.2_obj + name: assessment-objective + props: + - name: label + value: IR-02(02) + class: sp800-53a + prose: "an incident response training environment is provided using\ + \ {{ insert: param, ir-02.02_odp }}." + links: + - href: "#ir-2.2_smt" + rel: assessment-for + - id: ir-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident response training + + + incident response training curriculum + + + incident response training materials + + + automated mechanisms supporting incident response training + + + incident response plan + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ir-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training + and operational responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms that provide a thorough and realistic + incident response training environment + - id: ir-3 + class: SP800-53 + title: Incident Response Testing + params: + - id: ir-03_odp.01 + label: frequency + constraints: + - description: at least every six (6) months, including functional + at least annually + guidelines: + - prose: frequency at which to test the effectiveness of the incident + response capability for the system is defined; + - id: ir-03_odp.02 + label: tests + guidelines: + - prose: tests used to test the effectiveness of the incident response + capability for the system are defined; + props: + - name: label + value: IR-3 + - name: label + value: IR-03 + class: sp800-53a + - name: sort-id + value: ir-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-14" + rel: related + parts: + - id: ir-3_smt + name: statement + prose: "Test the effectiveness of the incident response capability for\ + \ the system {{ insert: param, ir-03_odp.01 }} using the following\ + \ tests: {{ insert: param, ir-03_odp.02 }}." + parts: + - id: ir-3_fr + name: item + title: IR-3-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines tests and/or exercises in + accordance with NIST Special Publication 800-61 (as amended). + Functional testing must occur prior to testing for initial + authorization. Annual functional testing may be concurrent + with required penetration tests (see CA-8). The service provider + provides test plans to the JAB/AO annually. Test plans are + approved and accepted by the JAB/AO prior to test commencing. + - id: ir-3_gdn + name: guidance + prose: Organizations test incident response capabilities to determine + their effectiveness and identify potential weaknesses or deficiencies. + Incident response testing includes the use of checklists, walk-through + or tabletop exercises, and simulations (parallel or full interrupt). + Incident response testing can include a determination of the effects + on organizational operations and assets and individuals due to incident + response. The use of qualitative and quantitative data aids in determining + the effectiveness of incident response processes. + - id: ir-3_obj + name: assessment-objective + props: + - name: label + value: IR-03 + class: sp800-53a + prose: "the effectiveness of the incident response capability for the\ + \ system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert:\ + \ param, ir-03_odp.02 }}." + links: + - href: "#ir-3_smt" + rel: assessment-for + - id: ir-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident response testing + + procedures addressing contingency plan testing + + incident response testing material + + incident response test results + + incident response test plan + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response testing + responsibilities + + + organizational personnel with information security and privacy + responsibilities + controls: + - id: ir-3.2 + class: SP800-53-enhancement + title: Coordination with Related Plans + props: + - name: label + value: IR-3(2) + - name: label + value: IR-03(02) + class: sp800-53a + - name: sort-id + value: ir-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ir-3" + rel: required + parts: + - id: ir-3.2_smt + name: statement + prose: Coordinate incident response testing with organizational + elements responsible for related plans. + - id: ir-3.2_gdn + name: guidance + prose: Organizational plans related to incident response testing + include business continuity plans, disaster recovery plans, continuity + of operations plans, contingency plans, crisis communications + plans, critical infrastructure plans, and occupant emergency plans. + - id: ir-3.2_obj + name: assessment-objective + props: + - name: label + value: IR-03(02) + class: sp800-53a + prose: incident response testing is coordinated with organizational + elements responsible for related plans. + links: + - href: "#ir-3.2_smt" + rel: assessment-for + - id: ir-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident response testing + + incident response testing documentation + + incident response plan + + business continuity plans + + contingency plans + + disaster recovery plans + + continuity of operations plans + + crisis communications plans + + critical infrastructure plans + + occupant emergency plans + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response testing + responsibilities + + + organizational personnel with responsibilities for testing + organizational plans related to incident response testing + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4 + class: SP800-53 + title: Incident Handling + props: + - name: label + value: IR-4 + - name: label + value: IR-04 + class: sp800-53a + - name: sort-id + value: ir-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#31ae65ab-3f26-46b7-9d64-f25a4dac5778" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-4_smt + name: statement + parts: + - id: ir-4_smt.a + name: item + props: + - name: label + value: a. + prose: Implement an incident handling capability for incidents that + is consistent with the incident response plan and includes preparation, + detection and analysis, containment, eradication, and recovery; + - id: ir-4_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate incident handling activities with contingency + planning activities; + - id: ir-4_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from ongoing incident handling + activities into incident response procedures, training, and testing, + and implement the resulting changes accordingly; and + - id: ir-4_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure the rigor, intensity, scope, and results of incident + handling activities are comparable and predictable across the + organization. + - id: ir-4_fr + name: item + title: IR-4 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: 'The FISMA definition of \"incident\" shall be used: + \"An occurrence that actually or imminently jeopardizes, without + lawful authority, the confidentiality, integrity, or availability + of information or an information system; or constitutes a + violation or imminent threat of violation of law, security + policies, security procedures, or acceptable use policies.\"' + - id: ir-4_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider ensures that individuals conducting + incident handling meet personnel security requirements commensurate + with the criticality/sensitivity of the information being + processed, stored, and transmitted by the information system. + - id: ir-4_gdn + name: guidance + prose: Organizations recognize that incident response capabilities are + dependent on the capabilities of organizational systems and the mission + and business processes being supported by those systems. Organizations + consider incident response as part of the definition, design, and + development of mission and business processes and systems. Incident-related + information can be obtained from a variety of sources, including audit + monitoring, physical access monitoring, and network monitoring; user + or administrator reports; and reported supply chain events. An effective + incident handling capability includes coordination among many organizational + entities (e.g., mission or business owners, system owners, authorizing + officials, human resources offices, physical security offices, personnel + security offices, legal departments, risk executive [function], operations + personnel, procurement offices). Suspected security incidents include + the receipt of suspicious email communications that can contain malicious + code. Suspected supply chain incidents include the insertion of counterfeit + hardware or malicious code into organizational systems or system components. + For federal agencies, an incident that involves personally identifiable + information is considered a breach. A breach results in unauthorized + disclosure, the loss of control, unauthorized acquisition, compromise, + or a similar occurrence where a person other than an authorized user + accesses or potentially accesses personally identifiable information + or an authorized user accesses or potentially accesses such information + for other than authorized purposes. + - id: ir-4_obj + name: assessment-objective + props: + - name: label + value: IR-04 + class: sp800-53a + parts: + - id: ir-4_obj.a + name: assessment-objective + props: + - name: label + value: IR-04a. + class: sp800-53a + parts: + - id: ir-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-04a.[01] + class: sp800-53a + prose: an incident handling capability for incidents is implemented + that is consistent with the incident response plan; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-04a.[02] + class: sp800-53a + prose: the incident handling capability for incidents includes + preparation; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-04a.[03] + class: sp800-53a + prose: the incident handling capability for incidents includes + detection and analysis; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-04a.[04] + class: sp800-53a + prose: the incident handling capability for incidents includes + containment; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-5 + name: assessment-objective + props: + - name: label + value: IR-04a.[05] + class: sp800-53a + prose: the incident handling capability for incidents includes + eradication; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-6 + name: assessment-objective + props: + - name: label + value: IR-04a.[06] + class: sp800-53a + prose: the incident handling capability for incidents includes + recovery; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.b + name: assessment-objective + props: + - name: label + value: IR-04b. + class: sp800-53a + prose: incident handling activities are coordinated with contingency + planning activities; + links: + - href: "#ir-4_smt.b" + rel: assessment-for + - id: ir-4_obj.c + name: assessment-objective + props: + - name: label + value: IR-04c. + class: sp800-53a + parts: + - id: ir-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: IR-04c.[01] + class: sp800-53a + prose: lessons learned from ongoing incident handling activities + are incorporated into incident response procedures, training, + and testing; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: IR-04c.[02] + class: sp800-53a + prose: the changes resulting from the incorporated lessons learned + are implemented accordingly; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.d + name: assessment-objective + props: + - name: label + value: IR-04d. + class: sp800-53a + parts: + - id: ir-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-04d.[01] + class: sp800-53a + prose: the rigor of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-04d.[02] + class: sp800-53a + prose: the intensity of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-3 + name: assessment-objective + props: + - name: label + value: IR-04d.[03] + class: sp800-53a + prose: the scope of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-4 + name: assessment-objective + props: + - name: label + value: IR-04d.[04] + class: sp800-53a + prose: the results of incident handling activities are comparable + and predictable across the organization. + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt" + rel: assessment-for + - id: ir-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident handling + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with contingency planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Incident handling capability for the organization + controls: + - id: ir-4.1 + class: SP800-53-enhancement + title: Automated Incident Handling Processes + params: + - id: ir-04.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to support the incident handling + process are defined; + props: + - name: label + value: IR-4(1) + - name: label + value: IR-04(01) + class: sp800-53a + - name: sort-id + value: ir-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + parts: + - id: ir-4.1_smt + name: statement + prose: "Support the incident handling process using {{ insert: param,\ + \ ir-04.01_odp }}." + - id: ir-4.1_gdn + name: guidance + prose: Automated mechanisms that support incident handling processes + include online incident management systems and tools that support + the collection of live response data, full network packet capture, + and forensic analysis. + - id: ir-4.1_obj + name: assessment-objective + props: + - name: label + value: IR-04(01) + class: sp800-53a + prose: "the incident handling process is supported using {{ insert:\ + \ param, ir-04.01_odp }}." + links: + - href: "#ir-4.1_smt" + rel: assessment-for + - id: ir-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident handling + + + automated mechanisms supporting incident handling + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms that support and/or implement the + incident handling process + - id: ir-4.2 + class: SP800-53-enhancement + title: Dynamic Reconfiguration + params: + - id: ir-04.02_odp.01 + label: types of dynamic reconfiguration + guidelines: + - prose: types of dynamic reconfiguration for system components + are defined; + - id: ir-04.02_odp.02 + label: system components + constraints: + - description: all network, data storage, and computing devices + guidelines: + - prose: system components that require dynamic reconfiguration + are defined; + props: + - name: label + value: IR-4(2) + - name: label + value: IR-04(02) + class: sp800-53a + - name: sort-id + value: ir-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + - href: "#ac-2" + rel: related + - href: "#ac-4" + rel: related + - href: "#cm-2" + rel: related + parts: + - id: ir-4.2_smt + name: statement + prose: "Include the following types of dynamic reconfiguration for\ + \ {{ insert: param, ir-04.02_odp.02 }} as part of the incident\ + \ response capability: {{ insert: param, ir-04.02_odp.01 }}." + - id: ir-4.2_gdn + name: guidance + prose: Dynamic reconfiguration includes changes to router rules, + access control lists, intrusion detection or prevention system + parameters, and filter rules for guards or firewalls. Organizations + may perform dynamic reconfiguration of systems to stop attacks, + misdirect attackers, and isolate components of systems, thus limiting + the extent of the damage from breaches or compromises. Organizations + include specific time frames for achieving the reconfiguration + of systems in the definition of the reconfiguration capability, + considering the potential need for rapid response to effectively + address cyber threats. + - id: ir-4.2_obj + name: assessment-objective + props: + - name: label + value: IR-04(02) + class: sp800-53a + prose: " {{ insert: param, ir-04.02_odp.01 }} for {{ insert: param,\ + \ ir-04.02_odp.02 }} are included as part of the incident response\ + \ capability." + links: + - href: "#ir-4.2_smt" + rel: assessment-for + - id: ir-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident handling + + + mechanisms supporting incident handling + + + list of system components to be dynamically reconfigured as + part of incident response capability + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that support and/or implement the dynamic + reconfiguration of components as part of incident response + - id: ir-4.4 + class: SP800-53-enhancement + title: Information Correlation + props: + - name: label + value: IR-4(4) + - name: label + value: IR-04(04) + class: sp800-53a + - name: sort-id + value: ir-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + parts: + - id: ir-4.4_smt + name: statement + prose: Correlate incident information and individual incident responses + to achieve an organization-wide perspective on incident awareness + and response. + - id: ir-4.4_gdn + name: guidance + prose: Sometimes, a threat event, such as a hostile cyber-attack, + can only be observed by bringing together information from different + sources, including various reports and reporting procedures established + by organizations. + - id: ir-4.4_obj + name: assessment-objective + props: + - name: label + value: IR-04(04) + class: sp800-53a + prose: incident information and individual incident responses are + correlated to achieve an organization-wide perspective on incident + awareness and response. + links: + - href: "#ir-4.4_smt" + rel: assessment-for + - id: ir-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident handling + + + incident response plan + + + privacy plan + + + mechanisms supporting incident and event correlation + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + incident management correlation logs + + + event management correlation logs + + + security information and event management logs + + + incident management correlation reports + + + event management correlation reports + + + security information and event management reports + + + audit records + + + other relevant documents or records + - id: ir-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with whom incident information and + individual incident responses are to be correlated + - id: ir-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for correlating incident + information and individual incident responses + + + mechanisms that support and or implement the correlation of + incident response information with individual incident responses + - id: ir-4.6 + class: SP800-53-enhancement + title: Insider Threats + props: + - name: label + value: IR-4(6) + - name: label + value: IR-04(06) + class: sp800-53a + - name: sort-id + value: ir-04.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + parts: + - id: ir-4.6_smt + name: statement + prose: Implement an incident handling capability for incidents involving + insider threats. + - id: ir-4.6_gdn + name: guidance + prose: Explicit focus on handling incidents involving insider threats + provides additional emphasis on this type of threat and the need + for specific incident handling capabilities to provide appropriate + and timely responses. + - id: ir-4.6_obj + name: assessment-objective + props: + - name: label + value: IR-04(06) + class: sp800-53a + prose: an incident handling capability is implemented for incidents + involving insider threats. + links: + - href: "#ir-4.6_smt" + rel: assessment-for + - id: ir-4.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident handling + + + mechanisms supporting incident handling + + + system design documentation + + + system configuration settings and associated documentation + + + incident response plan + + + system security plan + + + audit records + + + other relevant documents or records + - id: ir-4.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-4.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Incident handling capability for the organization + - id: ir-4.11 + class: SP800-53-enhancement + title: Integrated Incident Response Team + params: + - id: ir-04.11_odp + label: time period + guidelines: + - prose: the time period within which an integrated incident response + team can be deployed is defined; + props: + - name: label + value: IR-4(11) + - name: label + value: IR-04(11) + class: sp800-53a + - name: sort-id + value: ir-04.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + - href: "#at-3" + rel: related + parts: + - id: ir-4.11_smt + name: statement + prose: "Establish and maintain an integrated incident response team\ + \ that can be deployed to any location identified by the organization\ + \ in {{ insert: param, ir-04.11_odp }}." + - id: ir-4.11_gdn + name: guidance + prose: >- + An integrated incident response team is a team of experts + that assesses, documents, and responds to incidents so that + organizational systems and networks can recover quickly and + implement the necessary controls to avoid future incidents. + Incident response team personnel include forensic and + malicious code analysts, tool developers, systems security + and privacy engineers, and real-time operations personnel. + The incident handling capability includes performing rapid + forensic preservation of evidence and analysis of and + response to intrusions. For some organizations, the incident + response team can be a cross-organizational entity. + + + An integrated incident response team facilitates information sharing + and allows organizational personnel (e.g., developers, implementers, + and operators) to leverage team knowledge of the threat and implement + defensive measures that enable organizations to deter intrusions + more effectively. Moreover, integrated teams promote the rapid + detection of intrusions, the development of appropriate mitigations, + and the deployment of effective defensive measures. For example, + when an intrusion is detected, the integrated team can rapidly + develop an appropriate response for operators to implement, correlate + the new incident with information on past intrusions, and augment + ongoing cyber intelligence development. Integrated incident response + teams are better able to identify adversary tactics, techniques, + and procedures that are linked to the operations tempo or specific + mission and business functions and to define responsive actions + in a way that does not disrupt those mission and business functions. + Incident response teams can be distributed within organizations + to make the capability resilient. + - id: ir-4.11_obj + name: assessment-objective + props: + - name: label + value: IR-04(11) + class: sp800-53a + parts: + - id: ir-4.11_obj-1 + name: assessment-objective + props: + - name: label + value: IR-04(11)[01] + class: sp800-53a + prose: an integrated incident response team is established and + maintained; + links: + - href: "#ir-4.11_smt" + rel: assessment-for + - id: ir-4.11_obj-2 + name: assessment-objective + props: + - name: label + value: IR-04(11)[02] + class: sp800-53a + prose: "the integrated incident response team can be deployed\ + \ to any location identified by the organization in {{ insert:\ + \ param, ir-04.11_odp }}." + links: + - href: "#ir-4.11_smt" + rel: assessment-for + links: + - href: "#ir-4.11_smt" + rel: assessment-for + - id: ir-4.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident handling + + procedures addressing incident response planning + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-4.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + members of the integrated incident response team + - id: ir-5 + class: SP800-53 + title: Incident Monitoring + props: + - name: label + value: IR-5 + - name: label + value: IR-05 + class: sp800-53a + - name: sort-id + value: ir-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pm-5" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-5_smt + name: statement + prose: Track and document incidents. + - id: ir-5_gdn + name: guidance + prose: Documenting incidents includes maintaining records about each + incident, the status of the incident, and other pertinent information + necessary for forensics as well as evaluating incident details, trends, + and handling. Incident information can be obtained from a variety + of sources, including network monitoring, incident reports, incident + response teams, user complaints, supply chain partners, audit monitoring, + physical access monitoring, and user and administrator reports. [IR-4](#ir-4) + provides information on the types of incidents that are appropriate + for monitoring. + - id: ir-5_obj + name: assessment-objective + props: + - name: label + value: IR-05 + class: sp800-53a + parts: + - id: ir-5_obj-1 + name: assessment-objective + props: + - name: label + value: IR-05[01] + class: sp800-53a + prose: incidents are tracked; + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_obj-2 + name: assessment-objective + props: + - name: label + value: IR-05[02] + class: sp800-53a + prose: incidents are documented. + links: + - href: "#ir-5_smt" + rel: assessment-for + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident monitoring + + incident response records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident monitoring capability for the organization + + + mechanisms supporting and/or implementing the tracking and documenting + of system security incidents + controls: + - id: ir-5.1 + class: SP800-53-enhancement + title: Automated Tracking, Data Collection, and Analysis + params: + - id: ir-5.1_prm_1 + label: organization-defined automated mechanisms + - id: ir-05.01_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to track incidents are defined; + - id: ir-05.01_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to collect incident information + are defined; + - id: ir-05.01_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to analyze incident information + are defined; + props: + - name: label + value: IR-5(1) + - name: label + value: IR-05(01) + class: sp800-53a + - name: sort-id + value: ir-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ir-5" + rel: required + parts: + - id: ir-5.1_smt + name: statement + prose: "Track incidents and collect and analyze incident information\ + \ using {{ insert: param, ir-5.1_prm_1 }}." + - id: ir-5.1_gdn + name: guidance + prose: Automated mechanisms for tracking incidents and collecting + and analyzing incident information include Computer Incident Response + Centers or other electronic databases of incidents and network + monitoring devices. + - id: ir-5.1_obj + name: assessment-objective + props: + - name: label + value: IR-05(01) + class: sp800-53a + parts: + - id: ir-5.1_obj-1 + name: assessment-objective + props: + - name: label + value: IR-05(01)[01] + class: sp800-53a + prose: "incidents are tracked using {{ insert: param, ir-05.01_odp.01\ + \ }};" + links: + - href: "#ir-5.1_smt" + rel: assessment-for + - id: ir-5.1_obj-2 + name: assessment-objective + props: + - name: label + value: IR-05(01)[02] + class: sp800-53a + prose: "incident information is collected using {{ insert: param,\ + \ ir-05.01_odp.02 }};" + links: + - href: "#ir-5.1_smt" + rel: assessment-for + - id: ir-5.1_obj-3 + name: assessment-objective + props: + - name: label + value: IR-05(01)[03] + class: sp800-53a + prose: "incident information is analyzed using {{ insert: param,\ + \ ir-05.01_odp.03 }}." + links: + - href: "#ir-5.1_smt" + rel: assessment-for + links: + - href: "#ir-5.1_smt" + rel: assessment-for + - id: ir-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident monitoring + + incident response records and documentation + + system security plan + + incident response plan + + other relevant documents or records + - id: ir-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident monitoring + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident monitoring capability for the organization + + + automated mechanisms supporting and/or implementing the tracking + and documenting of system security incidents + - id: ir-6 + class: SP800-53 + title: Incident Reporting + params: + - id: ir-06_odp.01 + label: time period + constraints: + - description: US-CERT incident reporting timelines as specified in + NIST Special Publication 800-61 (as amended) + guidelines: + - prose: time period for personnel to report suspected incidents to + the organizational incident response capability is defined; + - id: ir-06_odp.02 + label: authorities + guidelines: + - prose: authorities to whom incident information is to be reported + are defined; + props: + - name: label + value: IR-6 + - name: label + value: IR-06 + class: sp800-53a + - name: sort-id + value: ir-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#40b78258-c892-480e-9af8-77ac36648301" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-6_smt + name: statement + parts: + - id: ir-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Require personnel to report suspected incidents to the organizational\ + \ incident response capability within {{ insert: param, ir-06_odp.01\ + \ }} ; and" + - id: ir-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report incident information to {{ insert: param, ir-06_odp.02\ + \ }}." + - id: ir-6_fr + name: item + title: IR-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Reports security incident information according to FedRAMP + Incident Communications Procedure. + - id: ir-6_gdn + name: guidance + prose: The types of incidents reported, the content and timeliness of + the reports, and the designated reporting authorities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Incident information can inform risk assessments, + control effectiveness assessments, security requirements for acquisitions, + and selection criteria for technology products. + - id: ir-6_obj + name: assessment-objective + props: + - name: label + value: IR-06 + class: sp800-53a + parts: + - id: ir-6_obj.a + name: assessment-objective + props: + - name: label + value: IR-06a. + class: sp800-53a + prose: "personnel is/are required to report suspected incidents\ + \ to the organizational incident response capability within {{\ + \ insert: param, ir-06_odp.01 }};" + links: + - href: "#ir-6_smt.a" + rel: assessment-for + - id: ir-6_obj.b + name: assessment-objective + props: + - name: label + value: IR-06b. + class: sp800-53a + prose: "incident information is reported to {{ insert: param, ir-06_odp.02\ + \ }}." + links: + - href: "#ir-6_smt.b" + rel: assessment-for + links: + - href: "#ir-6_smt" + rel: assessment-for + - id: ir-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident reporting + + incident reporting records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel who have/should have reported incidents + + + personnel (authorities) to whom incident information is to be + reported + + + system users + - id: ir-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for incident reporting + + mechanisms supporting and/or implementing incident reporting + controls: + - id: ir-6.1 + class: SP800-53-enhancement + title: Automated Reporting + params: + - id: ir-06.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used for reporting incidents are + defined; + props: + - name: label + value: IR-6(1) + - name: label + value: IR-06(01) + class: sp800-53a + - name: sort-id + value: ir-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-6" + rel: required + - href: "#ir-7" + rel: related + parts: + - id: ir-6.1_smt + name: statement + prose: "Report incidents using {{ insert: param, ir-06.01_odp }}." + - id: ir-6.1_gdn + name: guidance + prose: The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) + . Automated reporting mechanisms include email, posting on websites + (with automatic updates), and automated incident response tools + and programs. + - id: ir-6.1_obj + name: assessment-objective + props: + - name: label + value: IR-06(01) + class: sp800-53a + prose: "incidents are reported using {{ insert: param, ir-06.01_odp\ + \ }}." + links: + - href: "#ir-6.1_smt" + rel: assessment-for + - id: ir-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident reporting + + + automated mechanisms supporting incident reporting + + + system design documentation + + + system configuration settings and associated documentation + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident reporting + + + automated mechanisms supporting and/or implementing the reporting + of security incidents + - id: ir-6.3 + class: SP800-53-enhancement + title: Supply Chain Coordination + props: + - name: label + value: IR-6(3) + - name: label + value: IR-06(03) + class: sp800-53a + - name: sort-id + value: ir-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-6" + rel: required + - href: "#sr-8" + rel: related + parts: + - id: ir-6.3_smt + name: statement + prose: Provide incident information to the provider of the product + or service and other organizations involved in the supply chain + or supply chain governance for systems or system components related + to the incident. + - id: ir-6.3_gdn + name: guidance + prose: Organizations involved in supply chain activities include + product developers, system integrators, manufacturers, packagers, + assemblers, distributors, vendors, and resellers. Entities that + provide supply chain governance include the Federal Acquisition + Security Council (FASC). Supply chain incidents include compromises + or breaches that involve information technology products, system + components, development processes or personnel, distribution processes, + or warehousing facilities. Organizations determine the appropriate + information to share and consider the value gained from informing + external organizations about supply chain incidents, including + the ability to improve processes or to identify the root cause + of an incident. + - id: ir-6.3_obj + name: assessment-objective + props: + - name: label + value: IR-06(03) + class: sp800-53a + prose: incident information is provided to the provider of the product + or service and other organizations involved in the supply chain + or supply chain governance for systems or system components related + to the incident. + links: + - href: "#ir-6.3_smt" + rel: assessment-for + - id: ir-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing supply chain coordination and supply + chain risk information sharing with the Federal Acquisition + Security Council + + + acquisition policy + + + acquisition contracts + + + service-level agreements + + + incident response plan + + + supply chain risk management plan + + + system security plan + + + plans of other organizations involved in supply chain activities + + + other relevant documents or records + - id: ir-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organization personnel with acquisition responsibilities + - id: ir-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident reporting + + + organizational processes for supply chain risk information + sharing + + + mechanisms supporting and/or implementing the reporting of + incident information involved in the supply chain + - id: ir-7 + class: SP800-53 + title: Incident Response Assistance + props: + - name: label + value: IR-7 + - name: label + value: IR-07 + class: sp800-53a + - name: sort-id + value: ir-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-22" + rel: related + - href: "#pm-26" + rel: related + - href: "#sa-9" + rel: related + - href: "#si-18" + rel: related + parts: + - id: ir-7_smt + name: statement + prose: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and + assistance to users of the system for the handling and reporting of + incidents. + - id: ir-7_gdn + name: guidance + prose: Incident response support resources provided by organizations + include help desks, assistance groups, automated ticketing systems + to open and track incident response tickets, and access to forensics + services or consumer redress services, when required. + - id: ir-7_obj + name: assessment-objective + props: + - name: label + value: IR-07 + class: sp800-53a + parts: + - id: ir-7_obj-1 + name: assessment-objective + props: + - name: label + value: IR-07[01] + class: sp800-53a + prose: an incident response support resource, integral to the organizational + incident response capability, is provided; + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_obj-2 + name: assessment-objective + props: + - name: label + value: IR-07[02] + class: sp800-53a + prose: the incident response support resource offers advice and + assistance to users of the system for the response and reporting + of incidents. + links: + - href: "#ir-7_smt" + rel: assessment-for + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response assistance + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response assistance + and support responsibilities + + + organizational personnel with access to incident response support + and assistance capability + + + organizational personnel with information security and privacy + responsibilities + - id: ir-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident response assistance + + + mechanisms supporting and/or implementing incident response assistance + controls: + - id: ir-7.1 + class: SP800-53-enhancement + title: Automation Support for Availability of Information and Support + params: + - id: ir-07.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to increase the availability + of incident response information and support are defined; + props: + - name: label + value: IR-7(1) + - name: label + value: IR-07(01) + class: sp800-53a + - name: sort-id + value: ir-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-7" + rel: required + parts: + - id: ir-7.1_smt + name: statement + prose: "Increase the availability of incident response information\ + \ and support using {{ insert: param, ir-07.01_odp }}." + - id: ir-7.1_gdn + name: guidance + prose: Automated mechanisms can provide a push or pull capability + for users to obtain incident response assistance. For example, + individuals may have access to a website to query the assistance + capability, or the assistance capability can proactively send + incident response information to users (general distribution or + targeted) as part of increasing understanding of current response + capabilities and support. + - id: ir-7.1_obj + name: assessment-objective + props: + - name: label + value: IR-07(01) + class: sp800-53a + prose: "the availability of incident response information and support\ + \ is increased using {{ insert: param, ir-07.01_odp }}." + links: + - href: "#ir-7.1_smt" + rel: assessment-for + - id: ir-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident response assistance + + + automated mechanisms supporting incident response support + and assistance + + + system design documentation + + + system configuration settings and associated documentation + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response support + and assistance responsibilities + + + organizational personnel with access to incident response + support and assistance capability + + + organizational personnel with information security responsibilities + - id: ir-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident response + assistance + + + automated mechanisms supporting and/or implementing an increase + in the availability of incident response information and support + - id: ir-8 + class: SP800-53 + title: Incident Response Plan + params: + - id: ir-8_prm_5 + label: organization-defined incident response personnel (identified + by name and/or by role) and organizational elements + constraints: + - description: see additional FedRAMP Requirements and Guidance + - id: ir-08_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles that review and approve the incident response + plan is/are identified; + - id: ir-08_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and approve the incident + response plan is defined; + - id: ir-08_odp.03 + label: entities, personnel, or roles + guidelines: + - prose: entities, personnel, or roles with designated responsibility + for incident response are defined; + - id: ir-08_odp.04 + label: incident response personnel + constraints: + - description: see additional FedRAMP Requirements and Guidance + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom copies of the incident response plan are to be distributed + is/are defined; + - id: ir-08_odp.05 + label: organizational elements + guidelines: + - prose: organizational elements to which copies of the incident response + plan are to be distributed are defined; + - id: ir-08_odp.06 + label: incident response personnel + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom changes to the incident response plan is/are communicated + are defined; + - id: ir-08_odp.07 + label: organizational elements + guidelines: + - prose: organizational elements to which changes to the incident + response plan are communicated are defined; + props: + - name: label + value: IR-8 + - name: label + value: IR-08 + class: sp800-53a + - name: sort-id + value: ir-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#ac-2" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-8" + rel: related + parts: + - id: ir-8_smt + name: statement + parts: + - id: ir-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop an incident response plan that:" + parts: + - id: ir-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Provides the organization with a roadmap for implementing + its incident response capability; + - id: ir-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describes the structure and organization of the incident + response capability; + - id: ir-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Provides a high-level approach for how the incident response + capability fits into the overall organization; + - id: ir-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Meets the unique requirements of the organization, which + relate to mission, size, structure, and functions; + - id: ir-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Defines reportable incidents; + - id: ir-8_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provides metrics for measuring the incident response + capability within the organization; + - id: ir-8_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Defines the resources and management support needed to + effectively maintain and mature an incident response capability; + - id: ir-8_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Addresses the sharing of incident information; + - id: ir-8_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: "Is reviewed and approved by {{ insert: param, ir-08_odp.01\ + \ }} {{ insert: param, ir-08_odp.02 }} ; and" + - id: ir-8_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: "Explicitly designates responsibility for incident response\ + \ to {{ insert: param, ir-08_odp.03 }}." + - id: ir-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the incident response plan to {{ insert:\ + \ param, ir-08_odp.04 }};" + - id: ir-8_smt.c + name: item + props: + - name: label + value: c. + prose: Update the incident response plan to address system and organizational + changes or problems encountered during plan implementation, execution, + or testing; + - id: ir-8_smt.d + name: item + props: + - name: label + value: d. + prose: "Communicate incident response plan changes to {{ insert:\ + \ param, ir-8_prm_5 }} ; and" + - id: ir-8_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the incident response plan from unauthorized disclosure + and modification. + - id: ir-8_fr + name: item + title: IR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-8_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_gdn + name: guidance + prose: It is important that organizations develop and implement a coordinated + approach to incident response. Organizational mission and business + functions determine the structure of incident response capabilities. + As part of the incident response capabilities, organizations consider + the coordination and sharing of information with external organizations, + including external service providers and other organizations involved + in the supply chain. For incidents involving personally identifiable + information (i.e., breaches), include a process to determine whether + notice to oversight organizations or affected individuals is appropriate + and provide that notice accordingly. + - id: ir-8_obj + name: assessment-objective + props: + - name: label + value: IR-08 + class: sp800-53a + parts: + - id: ir-8_obj.a + name: assessment-objective + props: + - name: label + value: IR-08a. + class: sp800-53a + parts: + - id: ir-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-08a.01 + class: sp800-53a + prose: an incident response plan is developed that provides + the organization with a roadmap for implementing its incident + response capability; + links: + - href: "#ir-8_smt.a.1" + rel: assessment-for + - id: ir-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-08a.02 + class: sp800-53a + prose: an incident response plan is developed that describes + the structure and organization of the incident response capability; + links: + - href: "#ir-8_smt.a.2" + rel: assessment-for + - id: ir-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-08a.03 + class: sp800-53a + prose: an incident response plan is developed that provides + a high-level approach for how the incident response capability + fits into the overall organization; + links: + - href: "#ir-8_smt.a.3" + rel: assessment-for + - id: ir-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: IR-08a.04 + class: sp800-53a + prose: an incident response plan is developed that meets the + unique requirements of the organization with regard to mission, + size, structure, and functions; + links: + - href: "#ir-8_smt.a.4" + rel: assessment-for + - id: ir-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: IR-08a.05 + class: sp800-53a + prose: an incident response plan is developed that defines reportable + incidents; + links: + - href: "#ir-8_smt.a.5" + rel: assessment-for + - id: ir-8_obj.a.6 + name: assessment-objective + props: + - name: label + value: IR-08a.06 + class: sp800-53a + prose: an incident response plan is developed that provides + metrics for measuring the incident response capability within + the organization; + links: + - href: "#ir-8_smt.a.6" + rel: assessment-for + - id: ir-8_obj.a.7 + name: assessment-objective + props: + - name: label + value: IR-08a.07 + class: sp800-53a + prose: an incident response plan is developed that defines the + resources and management support needed to effectively maintain + and mature an incident response capability; + links: + - href: "#ir-8_smt.a.7" + rel: assessment-for + - id: ir-8_obj.a.8 + name: assessment-objective + props: + - name: label + value: IR-08a.08 + class: sp800-53a + prose: an incident response plan is developed that addresses + the sharing of incident information; + links: + - href: "#ir-8_smt.a.8" + rel: assessment-for + - id: ir-8_obj.a.9 + name: assessment-objective + props: + - name: label + value: IR-08a.09 + class: sp800-53a + prose: "an incident response plan is developed that is reviewed\ + \ and approved by {{ insert: param, ir-08_odp.01 }} {{ insert:\ + \ param, ir-08_odp.02 }};" + links: + - href: "#ir-8_smt.a.9" + rel: assessment-for + - id: ir-8_obj.a.10 + name: assessment-objective + props: + - name: label + value: IR-08a.10 + class: sp800-53a + prose: "an incident response plan is developed that explicitly\ + \ designates responsibility for incident response to {{ insert:\ + \ param, ir-08_odp.03 }}." + links: + - href: "#ir-8_smt.a.10" + rel: assessment-for + links: + - href: "#ir-8_smt.a" + rel: assessment-for + - id: ir-8_obj.b + name: assessment-objective + props: + - name: label + value: IR-08b. + class: sp800-53a + parts: + - id: ir-8_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-08b.[01] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.04 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-08b.[02] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.05 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.c + name: assessment-objective + props: + - name: label + value: IR-08c. + class: sp800-53a + prose: the incident response plan is updated to address system and + organizational changes or problems encountered during plan implementation, + execution, or testing; + links: + - href: "#ir-8_smt.c" + rel: assessment-for + - id: ir-8_obj.d + name: assessment-objective + props: + - name: label + value: IR-08d. + class: sp800-53a + parts: + - id: ir-8_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-08d.[01] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.06 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-08d.[02] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.07 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.e + name: assessment-objective + props: + - name: label + value: IR-08e. + class: sp800-53a + parts: + - id: ir-8_obj.e-1 + name: assessment-objective + props: + - name: label + value: IR-08e.[01] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + disclosure; + links: + - href: "#ir-8_smt.e" + rel: assessment-for + - id: ir-8_obj.e-2 + name: assessment-objective + props: + - name: label + value: IR-08e.[02] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + modification. + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt" + rel: assessment-for + - id: ir-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response planning + + incident response plan + + system security plan + + privacy plan + + records of incident response plan reviews and approvals + + other relevant documents or records + - id: ir-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational incident response plan and related organizational + processes + - id: ir-9 + class: SP800-53 + title: Information Spillage Response + params: + - id: ir-09_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles assigned the responsibility for responding + to information spills is/are defined; + - id: ir-09_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted of the information spill + using a method of communication not associated with the spill + is/are defined; + - id: ir-09_odp.03 + label: actions + guidelines: + - prose: actions to be performed are defined; + props: + - name: label + value: IR-9 + - name: label + value: IR-09 + class: sp800-53a + - name: sort-id + value: ir-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#ir-6" + rel: related + - href: "#pm-26" + rel: related + - href: "#pm-27" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-7" + rel: related + parts: + - id: ir-9_smt + name: statement + prose: "Respond to information spills by:" + parts: + - id: ir-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility\ + \ for responding to information spills;" + - id: ir-9_smt.b + name: item + props: + - name: label + value: b. + prose: Identifying the specific information involved in the system + contamination; + - id: ir-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Alerting {{ insert: param, ir-09_odp.02 }} of the information\ + \ spill using a method of communication not associated with the\ + \ spill;" + - id: ir-9_smt.d + name: item + props: + - name: label + value: d. + prose: Isolating the contaminated system or system component; + - id: ir-9_smt.e + name: item + props: + - name: label + value: e. + prose: Eradicating the information from the contaminated system + or component; + - id: ir-9_smt.f + name: item + props: + - name: label + value: f. + prose: Identifying other systems or system components that may have + been subsequently contaminated; and + - id: ir-9_smt.g + name: item + props: + - name: label + value: g. + prose: "Performing the following additional actions: {{ insert:\ + \ param, ir-09_odp.03 }}." + - id: ir-9_gdn + name: guidance + prose: Information spillage refers to instances where information is + placed on systems that are not authorized to process such information. + Information spills occur when information that is thought to be a + certain classification or impact level is transmitted to a system + and subsequently is determined to be of a higher classification or + impact level. At that point, corrective action is required. The nature + of the response is based on the classification or impact level of + the spilled information, the security capabilities of the system, + the specific nature of the contaminated storage media, and the access + authorizations of individuals with authorized access to the contaminated + system. The methods used to communicate information about the spill + after the fact do not involve methods directly associated with the + actual spill to minimize the risk of further spreading the contamination + before such contamination is isolated and eradicated. + - id: ir-9_obj + name: assessment-objective + props: + - name: label + value: IR-09 + class: sp800-53a + parts: + - id: ir-9_obj.a + name: assessment-objective + props: + - name: label + value: IR-09a. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility\ + \ to respond to information spills;" + links: + - href: "#ir-9_smt.a" + rel: assessment-for + - id: ir-9_obj.b + name: assessment-objective + props: + - name: label + value: IR-09b. + class: sp800-53a + prose: the specific information involved in the system contamination + is identified in response to information spills; + links: + - href: "#ir-9_smt.b" + rel: assessment-for + - id: ir-9_obj.c + name: assessment-objective + props: + - name: label + value: IR-09c. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.02 }} is/are alerted of the\ + \ information spill using a method of communication not associated\ + \ with the spill;" + links: + - href: "#ir-9_smt.c" + rel: assessment-for + - id: ir-9_obj.d + name: assessment-objective + props: + - name: label + value: IR-09d. + class: sp800-53a + prose: the contaminated system or system component is isolated in + response to information spills; + links: + - href: "#ir-9_smt.d" + rel: assessment-for + - id: ir-9_obj.e + name: assessment-objective + props: + - name: label + value: IR-09e. + class: sp800-53a + prose: the information is eradicated from the contaminated system + or component in response to information spills; + links: + - href: "#ir-9_smt.e" + rel: assessment-for + - id: ir-9_obj.f + name: assessment-objective + props: + - name: label + value: IR-09f. + class: sp800-53a + prose: other systems or system components that may have been subsequently + contaminated are identified in response to information spills; + links: + - href: "#ir-9_smt.f" + rel: assessment-for + - id: ir-9_obj.g + name: assessment-objective + props: + - name: label + value: IR-09g. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.03 }} are performed in response\ + \ to information spills." + links: + - href: "#ir-9_smt.g" + rel: assessment-for + links: + - href: "#ir-9_smt" + rel: assessment-for + - id: ir-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing information spillage + + + incident response plan + + + system security plan + + + records of information spillage alerts/notifications + + + list of personnel who should receive alerts of information spillage + + + list of actions to be performed regarding information spillage + + + other relevant documents or records + - id: ir-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for information spillage response + + + mechanisms supporting and/or implementing information spillage + response actions and related communications + controls: + - id: ir-9.2 + class: SP800-53-enhancement + title: Training + params: + - id: ir-09.02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide information spillage response + training is defined; + props: + - name: label + value: IR-9(2) + - name: label + value: IR-09(02) + class: sp800-53a + - name: sort-id + value: ir-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + parts: + - id: ir-9.2_smt + name: statement + prose: "Provide information spillage response training {{ insert:\ + \ param, ir-09.02_odp }}." + - id: ir-9.2_gdn + name: guidance + prose: Organizations establish requirements for responding to information + spillage incidents in incident response plans. Incident response + training on a regular basis helps to ensure that organizational + personnel understand their individual responsibilities and what + specific actions to take when spillage incidents occur. + - id: ir-9.2_obj + name: assessment-objective + props: + - name: label + value: IR-09(02) + class: sp800-53a + prose: "information spillage response training is provided {{ insert:\ + \ param, ir-09.02_odp }}." + links: + - href: "#ir-9.2_smt" + rel: assessment-for + - id: ir-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing information spillage response training + + + information spillage response training curriculum + + + information spillage response training materials + + + incident response plan + + + system security plan + + + information spillage response training records + + + other relevant documents or records + - id: ir-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.3 + class: SP800-53-enhancement + title: Post-spill Operations + params: + - id: ir-09.03_odp + label: procedures + guidelines: + - prose: procedures to be implemented to ensure that organizational + personnel impacted by information spills can continue to carry + out assigned tasks while contaminated systems are undergoing + corrective actions are defined; + props: + - name: label + value: IR-9(3) + - name: label + value: IR-09(03) + class: sp800-53a + - name: sort-id + value: ir-09.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + parts: + - id: ir-9.3_smt + name: statement + prose: "Implement the following procedures to ensure that organizational\ + \ personnel impacted by information spills can continue to carry\ + \ out assigned tasks while contaminated systems are undergoing\ + \ corrective actions: {{ insert: param, ir-09.03_odp }}." + - id: ir-9.3_gdn + name: guidance + prose: Corrective actions for systems contaminated due to information + spillages may be time-consuming. Personnel may not have access + to the contaminated systems while corrective actions are being + taken, which may potentially affect their ability to conduct organizational + business. + - id: ir-9.3_obj + name: assessment-objective + props: + - name: label + value: IR-09(03) + class: sp800-53a + prose: " {{ insert: param, ir-09.03_odp }} are implemented to ensure\ + \ that organizational personnel impacted by information spills\ + \ can continue to carry out assigned tasks while contaminated\ + \ systems are undergoing corrective actions." + links: + - href: "#ir-9.3_smt" + rel: assessment-for + - id: ir-9.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response + + procedures addressing information spillage + + incident response plan + + system security plan + + other relevant documents or records + - id: ir-9.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for post-spill operations + - id: ir-9.4 + class: SP800-53-enhancement + title: Exposure to Unauthorized Personnel + params: + - id: ir-09.04_odp + label: controls + guidelines: + - prose: controls employed for personnel exposed to information + not within assigned access authorizations are defined; + props: + - name: label + value: IR-9(4) + - name: label + value: IR-09(04) + class: sp800-53a + - name: sort-id + value: ir-09.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + parts: + - id: ir-9.4_smt + name: statement + prose: "Employ the following controls for personnel exposed to information\ + \ not within assigned access authorizations: {{ insert: param,\ + \ ir-09.04_odp }}." + - id: ir-9.4_gdn + name: guidance + prose: Controls include ensuring that personnel who are exposed + to spilled information are made aware of the laws, executive orders, + directives, regulations, policies, standards, and guidelines regarding + the information and the restrictions imposed based on exposure + to such information. + - id: ir-9.4_obj + name: assessment-objective + props: + - name: label + value: IR-09(04) + class: sp800-53a + prose: " {{ insert: param, ir-09.04_odp }} are employed for personnel\ + \ exposed to information not within assigned access authorizations." + links: + - href: "#ir-9.4_smt" + rel: assessment-for + - id: ir-9.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident response + + + procedures addressing information spillage + + + incident response plan + + + system security plan + + + security safeguards regarding information spillage/exposure + to unauthorized personnel + + + other relevant documents or records + - id: ir-9.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for dealing with information + exposed to unauthorized personnel + + + mechanisms supporting and/or implementing safeguards for personnel + exposed to information not within assigned access authorizations + - id: ma + class: family + title: Maintenance + controls: + - id: ma-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ma-1_prm_1 + label: organization-defined personnel or roles + - id: ma-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance policy is to be + disseminated is/are defined; + - id: ma-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance procedures are + to be disseminated is/are defined; + - id: ma-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ma-01_odp.04 + label: official + guidelines: + - prose: an official to manage the maintenance policy and procedures + is defined; + - id: ma-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current maintenance policy is + reviewed and updated is defined; + - id: ma-01_odp.06 + label: events + guidelines: + - prose: events that would require the current maintenance policy + to be reviewed and updated are defined; + - id: ma-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current maintenance procedures + are reviewed and updated is defined; + - id: ma-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the maintenance procedures to be + reviewed and updated are defined; + props: + - name: label + value: MA-1 + - name: label + value: MA-01 + class: sp800-53a + - name: sort-id + value: ma-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ma-1_smt + name: statement + parts: + - id: ma-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ma-1_prm_1 }}:" + parts: + - id: ma-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ma-01_odp.03 }} maintenance policy\ + \ that:" + parts: + - id: ma-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ma-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ma-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the maintenance + policy and the associated maintenance controls; + - id: ma-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ma-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures; and" + - id: ma-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current maintenance:" + parts: + - id: ma-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ma-01_odp.05 }} and following\ + \ {{ insert: param, ma-01_odp.06 }} ; and" + - id: ma-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ma-01_odp.07 }} and following\ + \ {{ insert: param, ma-01_odp.08 }}." + - id: ma-1_gdn + name: guidance + prose: Maintenance policy and procedures address the controls in the + MA family that are implemented within systems and organizations. The + risk management strategy is an important factor in establishing such + policies and procedures. Policies and procedures contribute to security + and privacy assurance. Therefore, it is important that security and + privacy programs collaborate on the development of maintenance policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to maintenance policy and procedures assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ma-1_obj + name: assessment-objective + props: + - name: label + value: MA-01 + class: sp800-53a + parts: + - id: ma-1_obj.a + name: assessment-objective + props: + - name: label + value: MA-01a. + class: sp800-53a + parts: + - id: ma-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.[01] + class: sp800-53a + prose: a maintenance policy is developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.[02] + class: sp800-53a + prose: "the maintenance policy is disseminated to {{ insert:\ + \ param, ma-01_odp.01 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.[03] + class: sp800-53a + prose: maintenance procedures to facilitate the implementation + of the maintenance policy and associated maintenance controls + are developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.[04] + class: sp800-53a + prose: "the maintenance procedures are disseminated to {{ insert:\ + \ param, ma-01_odp.02 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MA-01a.01 + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MA-01a.01(a) + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses purpose;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses scope;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses roles;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses responsibilities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses management commitment;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses compliance;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ma-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1" + rel: assessment-for + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.b + name: assessment-objective + props: + - name: label + value: MA-01b. + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures;" + links: + - href: "#ma-1_smt.b" + rel: assessment-for + - id: ma-1_obj.c + name: assessment-objective + props: + - name: label + value: MA-01c. + class: sp800-53a + parts: + - id: ma-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MA-01c.01 + class: sp800-53a + parts: + - id: ma-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MA-01c.01[01] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ {{ insert: param, ma-01_odp.05 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MA-01c.01[02] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ following {{ insert: param, ma-01_odp.06 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MA-01c.02 + class: sp800-53a + parts: + - id: ma-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MA-01c.02[01] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated {{ insert: param, ma-01_odp.07 }};" + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + - id: ma-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MA-01c.02[02] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated following {{ insert: param, ma-01_odp.08\ + \ }}." + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c" + rel: assessment-for + links: + - href: "#ma-1_smt" + rel: assessment-for + - id: ma-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: ma-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with maintenance responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ma-2 + class: SP800-53 + title: Controlled Maintenance + params: + - id: ma-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles required to explicitly approve the removal + of the system or system components from organizational facilities + for off-site maintenance or repairs is/are defined; + - id: ma-02_odp.02 + label: information + guidelines: + - prose: information to be removed from associated media prior to + removal from organizational facilities for off-site maintenance, + repair, or replacement is defined; + - id: ma-02_odp.03 + label: information + guidelines: + - prose: information to be included in organizational maintenance + records is defined; + props: + - name: label + value: MA-2 + - name: label + value: MA-02 + class: sp800-53a + - name: sort-id + value: ma-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ma-2_smt + name: statement + parts: + - id: ma-2_smt.a + name: item + props: + - name: label + value: a. + prose: Schedule, document, and review records of maintenance, repair, + and replacement on system components in accordance with manufacturer + or vendor specifications and/or organizational requirements; + - id: ma-2_smt.b + name: item + props: + - name: label + value: b. + prose: Approve and monitor all maintenance activities, whether performed + on site or remotely and whether the system or system components + are serviced on site or removed to another location; + - id: ma-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require that {{ insert: param, ma-02_odp.01 }} explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + - id: ma-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Sanitize equipment to remove the following information from\ + \ associated media prior to removal from organizational facilities\ + \ for off-site maintenance, repair, or replacement: {{ insert:\ + \ param, ma-02_odp.02 }};" + - id: ma-2_smt.e + name: item + props: + - name: label + value: e. + prose: Check all potentially impacted controls to verify that the + controls are still functioning properly following maintenance, + repair, or replacement actions; and + - id: ma-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Include the following information in organizational maintenance\ + \ records: {{ insert: param, ma-02_odp.03 }}." + - id: ma-2_gdn + name: guidance + prose: Controlling system maintenance addresses the information security + aspects of the system maintenance program and applies to all types + of maintenance to system components conducted by local or nonlocal + entities. Maintenance includes peripherals such as scanners, copiers, + and printers. Information necessary for creating effective maintenance + records includes the date and time of maintenance, a description of + the maintenance performed, names of the individuals or group performing + the maintenance, name of the escort, and system components or equipment + that are removed or replaced. Organizations consider supply chain-related + risks associated with replacement components for systems. + - id: ma-2_obj + name: assessment-objective + props: + - name: label + value: MA-02 + class: sp800-53a + parts: + - id: ma-2_obj.a + name: assessment-objective + props: + - name: label + value: MA-02a. + class: sp800-53a + parts: + - id: ma-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-02a.[01] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are scheduled in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-02a.[02] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are documented in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-02a.[03] + class: sp800-53a + prose: records of maintenance, repair, and replacement of system + components are reviewed in accordance with manufacturer or + vendor specifications and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.b + name: assessment-objective + props: + - name: label + value: MA-02b. + class: sp800-53a + parts: + - id: ma-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-02b.[01] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are approved; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-02b.[02] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are monitored; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.c + name: assessment-objective + props: + - name: label + value: MA-02c. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + links: + - href: "#ma-2_smt.c" + rel: assessment-for + - id: ma-2_obj.d + name: assessment-objective + props: + - name: label + value: MA-02d. + class: sp800-53a + prose: "equipment is sanitized to remove {{ insert: param, ma-02_odp.02\ + \ }} from associated media prior to removal from organizational\ + \ facilities for off-site maintenance, repair, or replacement;" + links: + - href: "#ma-2_smt.d" + rel: assessment-for + - id: ma-2_obj.e + name: assessment-objective + props: + - name: label + value: MA-02e. + class: sp800-53a + prose: all potentially impacted controls are checked to verify that + the controls are still functioning properly following maintenance, + repair, or replacement actions; + links: + - href: "#ma-2_smt.e" + rel: assessment-for + - id: ma-2_obj.f + name: assessment-objective + props: + - name: label + value: MA-02f. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.03 }} is included in organizational\ + \ maintenance records." + links: + - href: "#ma-2_smt.f" + rel: assessment-for + links: + - href: "#ma-2_smt" + rel: assessment-for + - id: ma-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing controlled system maintenance + + maintenance records + + manufacturer/vendor maintenance specifications + + equipment sanitization records + + media sanitization records + + system security plan + + other relevant documents or records + - id: ma-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for scheduling, performing, + documenting, reviewing, approving, and monitoring + maintenance and repairs for the system + + + organizational processes for sanitizing system components + + + mechanisms supporting and/or implementing controlled maintenance + + + mechanisms implementing the sanitization of system components + controls: + - id: ma-2.2 + class: SP800-53-enhancement + title: Automated Maintenance Activities + params: + - id: ma-2.2_prm_1 + label: organization-defined automated mechanisms + - id: ma-02.02_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to schedule maintenance, repair, + and replacement actions for the system are defined; + - id: ma-02.02_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to conduct maintenance, repair, + and replacement actions for the system are defined; + - id: ma-02.02_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to document maintenance, repair, + and replacement actions for the system are defined; + props: + - name: label + value: MA-2(2) + - name: label + value: MA-02(02) + class: sp800-53a + - name: sort-id + value: ma-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-2" + rel: required + - href: "#ma-3" + rel: related + parts: + - id: ma-2.2_smt + name: statement + parts: + - id: ma-2.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "Schedule, conduct, and document maintenance, repair,\ + \ and replacement actions for the system using {{ insert:\ + \ param, ma-2.2_prm_1 }} ; and" + - id: ma-2.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Produce up-to date, accurate, and complete records of + all maintenance, repair, and replacement actions requested, + scheduled, in process, and completed. + - id: ma-2.2_gdn + name: guidance + prose: The use of automated mechanisms to manage and control system + maintenance programs and activities helps to ensure the generation + of timely, accurate, complete, and consistent maintenance records. + - id: ma-2.2_obj + name: assessment-objective + props: + - name: label + value: MA-02(02) + class: sp800-53a + parts: + - id: ma-2.2_obj.a + name: assessment-objective + props: + - name: label + value: MA-02(02)(a) + class: sp800-53a + parts: + - id: ma-2.2_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-02(02)(a)[01] + class: sp800-53a + prose: " {{ insert: param, ma-02.02_odp.01 }} are used to\ + \ schedule maintenance, repair, and replacement actions\ + \ for the system;" + links: + - href: "#ma-2.2_smt.a" + rel: assessment-for + - id: ma-2.2_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-02(02)(a)[02] + class: sp800-53a + prose: " {{ insert: param, ma-02.02_odp.02 }} are used to\ + \ conduct maintenance, repair, and replacement actions\ + \ for the system;" + links: + - href: "#ma-2.2_smt.a" + rel: assessment-for + - id: ma-2.2_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-02(02)(a)[03] + class: sp800-53a + prose: " {{ insert: param, ma-02.02_odp.03 }} are used to\ + \ document maintenance, repair, and replacement actions\ + \ for the system;" + links: + - href: "#ma-2.2_smt.a" + rel: assessment-for + links: + - href: "#ma-2.2_smt.a" + rel: assessment-for + - id: ma-2.2_obj.b + name: assessment-objective + props: + - name: label + value: MA-02(02)(b) + class: sp800-53a + parts: + - id: ma-2.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-02(02)(b)[01] + class: sp800-53a + prose: up-to date, accurate, and complete records of all + maintenance actions requested, scheduled, in process, + and completed are produced. + links: + - href: "#ma-2.2_smt.b" + rel: assessment-for + - id: ma-2.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-02(02)(b)[02] + class: sp800-53a + prose: up-to date, accurate, and complete records of all + repair actions requested, scheduled, in process, and completed + are produced. + links: + - href: "#ma-2.2_smt.b" + rel: assessment-for + - id: ma-2.2_obj.b-3 + name: assessment-objective + props: + - name: label + value: MA-02(02)(b)[03] + class: sp800-53a + prose: up-to date, accurate, and complete records of all + replacement actions requested, scheduled, in process, + and completed are produced. + links: + - href: "#ma-2.2_smt.b" + rel: assessment-for + links: + - href: "#ma-2.2_smt.b" + rel: assessment-for + links: + - href: "#ma-2.2_smt" + rel: assessment-for + - id: ma-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Maintenance policy + + + procedures addressing controlled system maintenance + + + automated mechanisms supporting system maintenance activities + + + system configuration settings and associated documentation + + + maintenance records + + + system security plan + + + other relevant documents or records + - id: ma-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Automated mechanisms supporting and/or implementing + controlled maintenance + + + automated mechanisms supporting and/or implementing the production + of records of maintenance and repair actions + - id: ma-3 + class: SP800-53 + title: Maintenance Tools + params: + - id: ma-03_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review previously approved system maintenance + tools is defined; + props: + - name: label + value: MA-3 + - name: label + value: MA-03 + class: sp800-53a + - name: sort-id + value: ma-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ma-2" + rel: related + - href: "#pe-16" + rel: related + parts: + - id: ma-3_smt + name: statement + parts: + - id: ma-3_smt.a + name: item + props: + - name: label + value: a. + prose: Approve, control, and monitor the use of system maintenance + tools; and + - id: ma-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review previously approved system maintenance tools {{ insert:\ + \ param, ma-03_odp }}." + - id: ma-3_gdn + name: guidance + prose: Approving, controlling, monitoring, and reviewing maintenance + tools address security-related issues associated with maintenance + tools that are not within system authorization boundaries and are + used specifically for diagnostic and repair actions on organizational + systems. Organizations have flexibility in determining roles for the + approval of maintenance tools and how that approval is documented. + A periodic review of maintenance tools facilitates the withdrawal + of approval for outdated, unsupported, irrelevant, or no-longer-used + tools. Maintenance tools can include hardware, software, and firmware + items and may be pre-installed, brought in with maintenance personnel + on media, cloud-based, or downloaded from a website. Such tools can + be vehicles for transporting malicious code, either intentionally + or unintentionally, into a facility and subsequently into systems. + Maintenance tools can include hardware and software diagnostic test + equipment and packet sniffers. The hardware and software components + that support maintenance and are a part of the system (including the + software implementing utilities such as "ping," "ls," "ipconfig," + or the hardware and software implementing the monitoring port of an + Ethernet switch) are not addressed by maintenance tools. + - id: ma-3_obj + name: assessment-objective + props: + - name: label + value: MA-03 + class: sp800-53a + parts: + - id: ma-3_obj.a + name: assessment-objective + props: + - name: label + value: MA-03a. + class: sp800-53a + parts: + - id: ma-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-03a.[01] + class: sp800-53a + prose: the use of system maintenance tools is approved; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-03a.[02] + class: sp800-53a + prose: the use of system maintenance tools is controlled; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-03a.[03] + class: sp800-53a + prose: the use of system maintenance tools is monitored; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.b + name: assessment-objective + props: + - name: label + value: MA-03b. + class: sp800-53a + prose: "previously approved system maintenance tools are reviewed\ + \ {{ insert: param, ma-03_odp }}." + links: + - href: "#ma-3_smt.b" + rel: assessment-for + links: + - href: "#ma-3_smt" + rel: assessment-for + - id: ma-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for approving, controlling, and + monitoring maintenance tools + + + mechanisms supporting and/or implementing the approval, control, + and/or monitoring of maintenance tools + controls: + - id: ma-3.1 + class: SP800-53-enhancement + title: Inspect Tools + props: + - name: label + value: MA-3(1) + - name: label + value: MA-03(01) + class: sp800-53a + - name: sort-id + value: ma-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#si-7" + rel: related + parts: + - id: ma-3.1_smt + name: statement + prose: Inspect the maintenance tools used by maintenance personnel + for improper or unauthorized modifications. + - id: ma-3.1_gdn + name: guidance + prose: Maintenance tools can be directly brought into a facility + by maintenance personnel or downloaded from a vendor’s website. + If, upon inspection of the maintenance tools, organizations determine + that the tools have been modified in an improper manner or the + tools contain malicious code, the incident is handled consistent + with organizational policies and procedures for incident handling. + - id: ma-3.1_obj + name: assessment-objective + props: + - name: label + value: MA-03(01) + class: sp800-53a + prose: maintenance tools used by maintenance personnel are inspected + for improper or unauthorized modifications. + links: + - href: "#ma-3.1_smt" + rel: assessment-for + - id: ma-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance tool inspection records + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for inspecting maintenance + tools + + + mechanisms supporting and/or implementing the inspection of + maintenance tools + - id: ma-3.2 + class: SP800-53-enhancement + title: Inspect Media + props: + - name: label + value: MA-3(2) + - name: label + value: MA-03(02) + class: sp800-53a + - name: sort-id + value: ma-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#si-3" + rel: related + parts: + - id: ma-3.2_smt + name: statement + prose: Check media containing diagnostic and test programs for malicious + code before the media are used in the system. + - id: ma-3.2_gdn + name: guidance + prose: If, upon inspection of media containing maintenance, diagnostic, + and test programs, organizations determine that the media contains + malicious code, the incident is handled consistent with organizational + incident handling policies and procedures. + - id: ma-3.2_obj + name: assessment-objective + props: + - name: label + value: MA-03(02) + class: sp800-53a + prose: media containing diagnostic and test programs are checked + for malicious code before the media are used in the system. + links: + - href: "#ma-3.2_smt" + rel: assessment-for + - id: ma-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for inspecting media for + malicious code + + + mechanisms supporting and/or implementing the inspection of + media used for maintenance + - id: ma-3.3 + class: SP800-53-enhancement + title: Prevent Unauthorized Removal + params: + - id: ma-03.03_odp + label: personnel or roles + constraints: + - description: the information owner + guidelines: + - prose: personnel or roles who can authorize removal of equipment + from the facility is/are defined; + props: + - name: label + value: MA-3(3) + - name: label + value: MA-03(03) + class: sp800-53a + - name: sort-id + value: ma-03.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#mp-6" + rel: related + parts: + - id: ma-3.3_smt + name: statement + prose: "Prevent the removal of maintenance equipment containing\ + \ organizational information by:" + parts: + - id: ma-3.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Verifying that there is no organizational information + contained on the equipment; + - id: ma-3.3_smt.b + name: item + props: + - name: label + value: (b) + prose: Sanitizing or destroying the equipment; + - id: ma-3.3_smt.c + name: item + props: + - name: label + value: (c) + prose: Retaining the equipment within the facility; or + - id: ma-3.3_smt.d + name: item + props: + - name: label + value: (d) + prose: "Obtaining an exemption from {{ insert: param, ma-03.03_odp\ + \ }} explicitly authorizing removal of the equipment from\ + \ the facility." + - id: ma-3.3_gdn + name: guidance + prose: Organizational information includes all information owned + by organizations and any information provided to organizations + for which the organizations serve as information stewards. + - id: ma-3.3_obj + name: assessment-objective + props: + - name: label + value: MA-03(03) + class: sp800-53a + parts: + - id: ma-3.3_obj.a + name: assessment-objective + props: + - name: label + value: MA-03(03)(a) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by verifying that there is no organizational + information contained on the equipment; or + links: + - href: "#ma-3.3_smt.a" + rel: assessment-for + - id: ma-3.3_obj.b + name: assessment-objective + props: + - name: label + value: MA-03(03)(b) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by sanitizing or destroying the equipment; + or + links: + - href: "#ma-3.3_smt.b" + rel: assessment-for + - id: ma-3.3_obj.c + name: assessment-objective + props: + - name: label + value: MA-03(03)(c) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by retaining the equipment within + the facility; or + links: + - href: "#ma-3.3_smt.c" + rel: assessment-for + - id: ma-3.3_obj.d + name: assessment-objective + props: + - name: label + value: MA-03(03)(d) + class: sp800-53a + prose: "the removal of maintenance equipment containing organizational\ + \ information is prevented by obtaining an exemption from\ + \ {{ insert: param, ma-03.03_odp }} explicitly authorizing\ + \ removal of the equipment from the facility." + links: + - href: "#ma-3.3_smt.d" + rel: assessment-for + links: + - href: "#ma-3.3_smt" + rel: assessment-for + - id: ma-3.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + equipment sanitization records + + media sanitization records + + exemptions for equipment removal + + system security plan + + other relevant documents or records + - id: ma-3.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + - id: ma-3.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for preventing unauthorized + removal of information + + + mechanisms supporting media sanitization or destruction of + equipment + + + mechanisms supporting verification of media sanitization + - id: ma-4 + class: SP800-53 + title: Nonlocal Maintenance + props: + - name: label + value: MA-4 + - name: label + value: MA-04 + class: sp800-53a + - name: sort-id + value: ma-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-10" + rel: related + parts: + - id: ma-4_smt + name: statement + parts: + - id: ma-4_smt.a + name: item + props: + - name: label + value: a. + prose: Approve and monitor nonlocal maintenance and diagnostic activities; + - id: ma-4_smt.b + name: item + props: + - name: label + value: b. + prose: Allow the use of nonlocal maintenance and diagnostic tools + only as consistent with organizational policy and documented in + the security plan for the system; + - id: ma-4_smt.c + name: item + props: + - name: label + value: c. + prose: Employ strong authentication in the establishment of nonlocal + maintenance and diagnostic sessions; + - id: ma-4_smt.d + name: item + props: + - name: label + value: d. + prose: Maintain records for nonlocal maintenance and diagnostic + activities; and + - id: ma-4_smt.e + name: item + props: + - name: label + value: e. + prose: Terminate session and network connections when nonlocal maintenance + is completed. + - id: ma-4_gdn + name: guidance + prose: Nonlocal maintenance and diagnostic activities are conducted + by individuals who communicate through either an external or internal + network. Local maintenance and diagnostic activities are carried out + by individuals who are physically present at the system location and + not communicating across a network connection. Authentication techniques + used to establish nonlocal maintenance and diagnostic sessions reflect + the network access requirements in [IA-2](#ia-2) . Strong authentication + requires authenticators that are resistant to replay attacks and employ + multi-factor authentication. Strong authenticators include PKI where + certificates are stored on a token protected by a password, passphrase, + or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, + in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + provides additional guidance on strong authentication and authenticators. + - id: ma-4_obj + name: assessment-objective + props: + - name: label + value: MA-04 + class: sp800-53a + parts: + - id: ma-4_obj.a + name: assessment-objective + props: + - name: label + value: MA-04a. + class: sp800-53a + parts: + - id: ma-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-04a.[01] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are approved; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-04a.[02] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are monitored; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.b + name: assessment-objective + props: + - name: label + value: MA-04b. + class: sp800-53a + parts: + - id: ma-4_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-04b.[01] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are allowed only as consistent with organizational policy; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-04b.[02] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are documented in the security plan for the system; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.c + name: assessment-objective + props: + - name: label + value: MA-04c. + class: sp800-53a + prose: strong authentication is employed in the establishment of + nonlocal maintenance and diagnostic sessions; + links: + - href: "#ma-4_smt.c" + rel: assessment-for + - id: ma-4_obj.d + name: assessment-objective + props: + - name: label + value: MA-04d. + class: sp800-53a + prose: records for nonlocal maintenance and diagnostic activities + are maintained; + links: + - href: "#ma-4_smt.d" + rel: assessment-for + - id: ma-4_obj.e + name: assessment-objective + props: + - name: label + value: MA-04e. + class: sp800-53a + parts: + - id: ma-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: MA-04e.[01] + class: sp800-53a + prose: session connections are terminated when nonlocal maintenance + is completed; + links: + - href: "#ma-4_smt.e" + rel: assessment-for + - id: ma-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: MA-04e.[02] + class: sp800-53a + prose: network connections are terminated when nonlocal maintenance + is completed. + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt" + rel: assessment-for + - id: ma-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing nonlocal system maintenance + + remote access policy + + remote access procedures + + system design documentation + + system configuration settings and associated documentation + + maintenance records + + records of remote access + + diagnostic records + + system security plan + + other relevant documents or records + - id: ma-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing nonlocal maintenance + + + mechanisms implementing, supporting, and/or managing nonlocal + maintenance + + + mechanisms for strong authentication of nonlocal maintenance diagnostic + sessions + + + mechanisms for terminating nonlocal maintenance sessions and network + connections + controls: + - id: ma-4.3 + class: SP800-53-enhancement + title: Comparable Security and Sanitization + props: + - name: label + value: MA-4(3) + - name: label + value: MA-04(03) + class: sp800-53a + - name: sort-id + value: ma-04.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-4" + rel: required + - href: "#mp-6" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ma-4.3_smt + name: statement + parts: + - id: ma-4.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Require that nonlocal maintenance and diagnostic services + be performed from a system that implements a security capability + comparable to the capability implemented on the system being + serviced; or + - id: ma-4.3_smt.b + name: item + props: + - name: label + value: (b) + prose: Remove the component to be serviced from the system prior + to nonlocal maintenance or diagnostic services; sanitize the + component (for organizational information); and after the + service is performed, inspect and sanitize the component (for + potentially malicious software) before reconnecting the component + to the system. + - id: ma-4.3_gdn + name: guidance + prose: Comparable security capability on systems, diagnostic tools, + and equipment providing maintenance services implies that the + implemented controls on those systems, tools, and equipment are + at least as comprehensive as the controls on the system being + serviced. + - id: ma-4.3_obj + name: assessment-objective + props: + - name: label + value: MA-04(03) + class: sp800-53a + parts: + - id: ma-4.3_obj.a + name: assessment-objective + props: + - name: label + value: MA-04(03)(a) + class: sp800-53a + parts: + - id: ma-4.3_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-04(03)(a)[01] + class: sp800-53a + prose: nonlocal maintenance services are required to be + performed from a system that implements a security capability + comparable to the capability implemented on the system + being serviced; + links: + - href: "#ma-4.3_smt.a" + rel: assessment-for + - id: ma-4.3_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-04(03)(a)[02] + class: sp800-53a + prose: nonlocal diagnostic services are required to be performed + from a system that implements a security capability comparable + to the capability implemented on the system being serviced; + or + links: + - href: "#ma-4.3_smt.a" + rel: assessment-for + links: + - href: "#ma-4.3_smt.a" + rel: assessment-for + - id: ma-4.3_obj.b + name: assessment-objective + props: + - name: label + value: MA-04(03)(b) + class: sp800-53a + parts: + - id: ma-4.3_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-04(03)(b)[01] + class: sp800-53a + prose: the component to be serviced is removed from the + system prior to nonlocal maintenance or diagnostic services; + links: + - href: "#ma-4.3_smt.b" + rel: assessment-for + - id: ma-4.3_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-04(03)(b)[02] + class: sp800-53a + prose: the component to be serviced is sanitized (for organizational + information); + links: + - href: "#ma-4.3_smt.b" + rel: assessment-for + - id: ma-4.3_obj.b-3 + name: assessment-objective + props: + - name: label + value: MA-04(03)(b)[03] + class: sp800-53a + prose: the component is inspected and sanitized (for potentially + malicious software) after the service is performed and + before reconnecting the component to the system. + links: + - href: "#ma-4.3_smt.b" + rel: assessment-for + links: + - href: "#ma-4.3_smt.b" + rel: assessment-for + links: + - href: "#ma-4.3_smt" + rel: assessment-for + - id: ma-4.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-04(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Maintenance policy + + + procedures addressing nonlocal system maintenance + + + service provider contracts and/or service-level agreements + + + maintenance records + + + inspection records + + + audit records + + + equipment sanitization records + + + media sanitization records + + + system security plan + + + other relevant documents or records + - id: ma-4.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-04(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + system maintenance provider + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-4.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-04(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for comparable security and + sanitization for nonlocal maintenance + + + organizational processes for the removal, sanitization, and + inspection of components serviced via nonlocal maintenance + + + mechanisms supporting and/or implementing component sanitization + and inspection + - id: ma-5 + class: SP800-53 + title: Maintenance Personnel + props: + - name: label + value: MA-5 + - name: label + value: MA-05 + class: sp800-53a + - name: sort-id + value: ma-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + parts: + - id: ma-5_smt + name: statement + parts: + - id: ma-5_smt.a + name: item + props: + - name: label + value: a. + prose: Establish a process for maintenance personnel authorization + and maintain a list of authorized maintenance organizations or + personnel; + - id: ma-5_smt.b + name: item + props: + - name: label + value: b. + prose: Verify that non-escorted personnel performing maintenance + on the system possess the required access authorizations; and + - id: ma-5_smt.c + name: item + props: + - name: label + value: c. + prose: Designate organizational personnel with required access authorizations + and technical competence to supervise the maintenance activities + of personnel who do not possess the required access authorizations. + - id: ma-5_gdn + name: guidance + prose: Maintenance personnel refers to individuals who perform hardware + or software maintenance on organizational systems, while [PE-2](#pe-2) + addresses physical access for individuals whose maintenance duties + place them within the physical protection perimeter of the systems. + Technical competence of supervising individuals relates to the maintenance + performed on the systems, while having required access authorizations + refers to maintenance on and near the systems. Individuals not previously + identified as authorized maintenance personnel—such as information + technology manufacturers, vendors, systems integrators, and consultants—may + require privileged access to organizational systems, such as when + they are required to conduct maintenance activities with little or + no notice. Based on organizational assessments of risk, organizations + may issue temporary credentials to these individuals. Temporary credentials + may be for one-time use or for very limited time periods. + - id: ma-5_obj + name: assessment-objective + props: + - name: label + value: MA-05 + class: sp800-53a + parts: + - id: ma-5_obj.a + name: assessment-objective + props: + - name: label + value: MA-05a. + class: sp800-53a + parts: + - id: ma-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-05a.[01] + class: sp800-53a + prose: a process for maintenance personnel authorization is + established; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-05a.[02] + class: sp800-53a + prose: a list of authorized maintenance organizations or personnel + is maintained; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.b + name: assessment-objective + props: + - name: label + value: MA-05b. + class: sp800-53a + prose: non-escorted personnel performing maintenance on the system + possess the required access authorizations; + links: + - href: "#ma-5_smt.b" + rel: assessment-for + - id: ma-5_obj.c + name: assessment-objective + props: + - name: label + value: MA-05c. + class: sp800-53a + prose: organizational personnel with required access authorizations + and technical competence is/are designated to supervise the maintenance + activities of personnel who do not possess the required access + authorizations. + links: + - href: "#ma-5_smt.c" + rel: assessment-for + links: + - href: "#ma-5_smt" + rel: assessment-for + - id: ma-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing maintenance personnel + + service provider contracts + + service-level agreements + + list of authorized personnel + + maintenance records + + access control records + + system security plan + + other relevant documents or records + - id: ma-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for authorizing and managing + maintenance personnel + + + mechanisms supporting and/or implementing authorization of maintenance + personnel + controls: + - id: ma-5.1 + class: SP800-53-enhancement + title: Individuals Without Appropriate Access + params: + - id: ma-05.01_odp + label: alternate controls + guidelines: + - prose: alternate controls to be developed and implemented in + the event that a system component cannot be sanitized, removed, + or disconnected from the system are defined; + props: + - name: label + value: MA-5(1) + - name: label + value: MA-05(01) + class: sp800-53a + - name: sort-id + value: ma-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-5" + rel: required + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ma-5.1_smt + name: statement + parts: + - id: ma-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Implement procedures for the use of maintenance personnel\ + \ that lack appropriate security clearances or are not U.S.\ + \ citizens, that include the following requirements:" + parts: + - id: ma-5.1_smt.a.1 + name: item + props: + - name: label + value: (1) + prose: Maintenance personnel who do not have needed access + authorizations, clearances, or formal access approvals + are escorted and supervised during the performance of + maintenance and diagnostic activities on the system by + approved organizational personnel who are fully cleared, + have appropriate access authorizations, and are technically + qualified; and + - id: ma-5.1_smt.a.2 + name: item + props: + - name: label + value: (2) + prose: Prior to initiating maintenance or diagnostic activities + by personnel who do not have needed access authorizations, + clearances or formal access approvals, all volatile information + storage components within the system are sanitized and + all nonvolatile storage media are removed or physically + disconnected from the system and secured; and + - id: ma-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Develop and implement {{ insert: param, ma-05.01_odp\ + \ }} in the event a system component cannot be sanitized,\ + \ removed, or disconnected from the system." + - id: ma-5.1_gdn + name: guidance + prose: Procedures for individuals who lack appropriate security + clearances or who are not U.S. citizens are intended to deny visual + and electronic access to classified or controlled unclassified + information contained on organizational systems. Procedures for + the use of maintenance personnel can be documented in security + plans for the systems. + - id: ma-5.1_obj + name: assessment-objective + props: + - name: label + value: MA-05(01) + class: sp800-53a + parts: + - id: ma-5.1_obj.a + name: assessment-objective + props: + - name: label + value: MA-05(01)(a) + class: sp800-53a + parts: + - id: ma-5.1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MA-05(01)(a)(01) + class: sp800-53a + prose: procedures for the use of maintenance personnel who + lack appropriate security clearances or are not U.S. citizens + are implemented and include approved organizational personnel + who are fully cleared, have appropriate access authorizations, + and are technically qualified escorting and supervising + maintenance personnel without the needed access authorization + during the performance of maintenance and diagnostic activities; + links: + - href: "#ma-5.1_smt.a.1" + rel: assessment-for + - id: ma-5.1_obj.a.2 + name: assessment-objective + props: + - name: label + value: MA-05(01)(a)(02) + class: sp800-53a + prose: procedures for the use of maintenance personnel who + lack appropriate security clearances or are not U.S. citizens + are implemented and include all volatile information storage + components within the system being sanitized and all non-volatile + storage media being removed or physically disconnected + from the system and secured prior to initiating maintenance + or diagnostic activities; + links: + - href: "#ma-5.1_smt.a.2" + rel: assessment-for + links: + - href: "#ma-5.1_smt.a" + rel: assessment-for + - id: ma-5.1_obj.b + name: assessment-objective + props: + - name: label + value: MA-05(01)(b) + class: sp800-53a + prose: " {{ insert: param, ma-05.01_odp }} are developed and\ + \ implemented in the event that a system cannot be sanitized,\ + \ removed, or disconnected from the system." + links: + - href: "#ma-5.1_smt.b" + rel: assessment-for + links: + - href: "#ma-5.1_smt" + rel: assessment-for + - id: ma-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Maintenance policy + + + procedures addressing maintenance personnel + + + system media protection policy + + + physical and environmental protection policy + + + list of maintenance personnel requiring escort/supervision + + + maintenance records + + + access control records + + + system security plan + + + other relevant documents or records + - id: ma-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with personnel security responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing maintenance + personnel without appropriate access + + + mechanisms supporting and/or implementing alternative security + safeguards + + + mechanisms supporting and/or implementing information storage + component sanitization + - id: ma-6 + class: SP800-53 + title: Timely Maintenance + params: + - id: ma-06_odp.01 + label: system components + guidelines: + - prose: system components for which maintenance support and/or spare + parts are obtained are defined; + - id: ma-06_odp.02 + label: time period + constraints: + - description: a timeframe to support advertised uptime and availability + guidelines: + - prose: time period within which maintenance support and/or spare + parts are to be obtained after a failure are defined; + props: + - name: label + value: MA-6 + - name: label + value: MA-06 + class: sp800-53a + - name: sort-id + value: ma-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-8" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-13" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: ma-6_smt + name: statement + prose: "Obtain maintenance support and/or spare parts for {{ insert:\ + \ param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }}\ + \ of failure." + - id: ma-6_gdn + name: guidance + prose: Organizations specify the system components that result in increased + risk to organizational operations and assets, individuals, other organizations, + or the Nation when the functionality provided by those components + is not operational. Organizational actions to obtain maintenance support + include having appropriate contracts in place. + - id: ma-6_obj + name: assessment-objective + props: + - name: label + value: MA-06 + class: sp800-53a + prose: "maintenance support and/or spare parts are obtained for {{ insert:\ + \ param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }}\ + \ of failure." + links: + - href: "#ma-6_smt" + rel: assessment-for + - id: ma-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance + + service provider contracts + + service-level agreements + + inventory and availability of spare parts + + system security plan + + other relevant documents or records + - id: ma-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with acquisition responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for ensuring timely maintenance + - id: mp + class: family + title: Media Protection + controls: + - id: mp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: mp-1_prm_1 + label: organization-defined personnel or roles + - id: mp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection policy is + to be disseminated is/are defined; + - id: mp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection procedures + are to be disseminated is/are defined; + - id: mp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: mp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the media protection policy and procedures + is defined; + - id: mp-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current media protection policy + is reviewed and updated is defined; + - id: mp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current media protection policy + to be reviewed and updated are defined; + - id: mp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current media protection procedures + are reviewed and updated is defined; + - id: mp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require media protection procedures to + be reviewed and updated are defined; + props: + - name: label + value: MP-1 + - name: label + value: MP-01 + class: sp800-53a + - name: sort-id + value: mp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-1_smt + name: statement + parts: + - id: mp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ mp-1_prm_1 }}:" + parts: + - id: mp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, mp-01_odp.03 }} media protection\ + \ policy that:" + parts: + - id: mp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: mp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: mp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the media + protection policy and the associated media protection controls; + - id: mp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, mp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures; and" + - id: mp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current media protection:" + parts: + - id: mp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, mp-01_odp.05 }} and following\ + \ {{ insert: param, mp-01_odp.06 }} ; and" + - id: mp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, mp-01_odp.07 }} and following\ + \ {{ insert: param, mp-01_odp.08 }}." + - id: mp-1_gdn + name: guidance + prose: Media protection policy and procedures address the controls in + the MP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of media protection + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to media protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: mp-1_obj + name: assessment-objective + props: + - name: label + value: MP-01 + class: sp800-53a + parts: + - id: mp-1_obj.a + name: assessment-objective + props: + - name: label + value: MP-01a. + class: sp800-53a + parts: + - id: mp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.[01] + class: sp800-53a + prose: a media protection policy is developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.[02] + class: sp800-53a + prose: "the media protection policy is disseminated to {{ insert:\ + \ param, mp-01_odp.01 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.[03] + class: sp800-53a + prose: media protection procedures to facilitate the implementation + of the media protection policy and associated media protection + controls are developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.[04] + class: sp800-53a + prose: "the media protection procedures are disseminated to\ + \ {{ insert: param, mp-01_odp.02 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MP-01a.01 + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MP-01a.01(a) + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses purpose;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses scope;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses roles;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses responsibilities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses management commitment;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy compliance;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MP-01a.01(b) + class: sp800-53a + prose: the media protection policy is consistent with applicable + laws, Executive Orders, directives, regulations, policies, + standards, and guidelines; + links: + - href: "#mp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1" + rel: assessment-for + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.b + name: assessment-objective + props: + - name: label + value: MP-01b. + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures." + links: + - href: "#mp-1_smt.b" + rel: assessment-for + - id: mp-1_obj.c + name: assessment-objective + props: + - name: label + value: MP-01c. + class: sp800-53a + parts: + - id: mp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MP-01c.01 + class: sp800-53a + parts: + - id: mp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MP-01c.01[01] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated {{ insert: param, mp-01_odp.05 }}; " + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MP-01c.01[02] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated following {{ insert: param, mp-01_odp.06\ + \ }};" + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MP-01c.02 + class: sp800-53a + parts: + - id: mp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MP-01c.02[01] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated {{ insert: param, mp-01_odp.07 }}; " + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + - id: mp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MP-01c.02[02] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated following {{ insert: param, mp-01_odp.08\ + \ }}." + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c" + rel: assessment-for + links: + - href: "#mp-1_smt" + rel: assessment-for + - id: mp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Media protection policy and procedures + + organizational risk management strategy + + system security plan + + privacy plan + + other relevant documents or records + - id: mp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media protection + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: mp-2 + class: SP800-53 + title: Media Access + params: + - id: mp-2_prm_1 + label: organization-defined types of digital and/or non-digital media + constraints: + - description: all types of digital and/or non-digital media containing + sensitive information + - id: mp-2_prm_2 + label: organization-defined personnel or roles + - id: mp-02_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to which access is restricted are + defined; + - id: mp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access digital media is/are + defined; + - id: mp-02_odp.03 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to which access is restricted + are defined; + - id: mp-02_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access non-digital media + is/are defined; + props: + - name: label + value: MP-2 + - name: label + value: MP-02 + class: sp800-53a + - name: sort-id + value: mp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-2_smt + name: statement + prose: "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert:\ + \ param, mp-2_prm_2 }}." + - id: mp-2_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Denying access to patient medical records in a community + hospital unless the individuals seeking access to such records are + authorized healthcare providers is an example of restricting access + to non-digital media. Limiting access to the design specifications + stored on compact discs in the media library to individuals on the + system development team is an example of restricting access to digital + media. + - id: mp-2_obj + name: assessment-objective + props: + - name: label + value: MP-02 + class: sp800-53a + parts: + - id: mp-2_obj-1 + name: assessment-objective + props: + - name: label + value: MP-02[01] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.01 }} is restricted\ + \ to {{ insert: param, mp-02_odp.02 }};" + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_obj-2 + name: assessment-objective + props: + - name: label + value: MP-02[02] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.03 }} is restricted\ + \ to {{ insert: param, mp-02_odp.04 }}." + links: + - href: "#mp-2_smt" + rel: assessment-for + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media access restrictions + + access control policy and procedures + + physical and environmental protection policy and procedures + + media storage facilities + + access control records + + system security plan + + other relevant documents or records + - id: mp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for restricting information media + + + mechanisms supporting and/or implementing media access restrictions + - id: mp-3 + class: SP800-53 + title: Media Marking + params: + - id: mp-03_odp.01 + label: types of media exempted from marking + constraints: + - description: no removable media types + guidelines: + - prose: types of system media exempt from marking when remaining + in controlled areas are defined; + - id: mp-03_odp.02 + label: controlled areas + constraints: + - description: organization-defined security safeguards not applicable + guidelines: + - prose: controlled areas where media is exempt from marking are defined; + props: + - name: label + value: MP-3 + - name: label + value: MP-03 + class: sp800-53a + - name: sort-id + value: mp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#34a5571f-e252-4309-a8a1-2fdb2faefbcd" + rel: reference + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#ac-16" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-22" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-3_smt + name: statement + parts: + - id: mp-3_smt.a + name: item + props: + - name: label + value: a. + prose: Mark system media indicating the distribution limitations, + handling caveats, and applicable security markings (if any) of + the information; and + - id: mp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Exempt {{ insert: param, mp-03_odp.01 }} from marking if\ + \ the media remain within {{ insert: param, mp-03_odp.02 }}." + - id: mp-3_fr + name: item + title: MP-3 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: Second parameter not-applicable + - id: mp-3_gdn + name: guidance + prose: Security marking refers to the application or use of human-readable + security attributes. Digital media includes diskettes, magnetic tapes, + external or removable hard disk drives (e.g., solid state, magnetic), + flash drives, compact discs, and digital versatile discs. Non-digital + media includes paper and microfilm. Controlled unclassified information + is defined by the National Archives and Records Administration along + with the appropriate safeguarding and dissemination requirements for + such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) + . Security markings are generally not required for media that contains + information determined by organizations to be in the public domain + or to be publicly releasable. Some organizations may require markings + for public information indicating that the information is publicly + releasable. System media marking reflects applicable laws, executive + orders, directives, policies, regulations, standards, and guidelines. + - id: mp-3_obj + name: assessment-objective + props: + - name: label + value: MP-03 + class: sp800-53a + parts: + - id: mp-3_obj.a + name: assessment-objective + props: + - name: label + value: MP-03a. + class: sp800-53a + prose: system media is marked to indicate distribution limitations, + handling caveats, and applicable security markings (if any) of + the information; + links: + - href: "#mp-3_smt.a" + rel: assessment-for + - id: mp-3_obj.b + name: assessment-objective + props: + - name: label + value: MP-03b. + class: sp800-53a + prose: " {{ insert: param, mp-03_odp.01 }} remain within {{ insert:\ + \ param, mp-03_odp.02 }}." + links: + - href: "#mp-3_smt.b" + rel: assessment-for + links: + - href: "#mp-3_smt" + rel: assessment-for + - id: mp-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media marking + + physical and environmental protection policy and procedures + + list of system media marking security attributes + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + marking responsibilities + + + organizational personnel with information security responsibilities + - id: mp-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for marking information media + + mechanisms supporting and/or implementing media marking + - id: mp-4 + class: SP800-53 + title: Media Storage + params: + - id: mp-4_prm_1 + label: organization-defined types of digital and/or non-digital media + constraints: + - description: all types of digital and non-digital media with sensitive + information + - id: mp-4_prm_2 + label: organization-defined controlled areas + constraints: + - description: see additional FedRAMP requirements and guidance + - id: mp-04_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to be physically controlled are defined + (if selected); + - id: mp-04_odp.02 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to be physically controlled are + defined (if selected); + - id: mp-04_odp.03 + label: types of digital media + guidelines: + - prose: types of digital media to be securely stored are defined + (if selected); + - id: mp-04_odp.04 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to be securely stored are defined + (if selected); + - id: mp-04_odp.05 + label: controlled areas + guidelines: + - prose: controlled areas within which to securely store digital media + are defined; + - id: mp-04_odp.06 + label: controlled areas + guidelines: + - prose: controlled areas within which to securely store non-digital + media are defined; + props: + - name: label + value: MP-4 + - name: label + value: MP-04 + class: sp800-53a + - name: sort-id + value: mp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-7" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-4_smt + name: statement + parts: + - id: mp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Physically control and securely store {{ insert: param,\ + \ mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + - id: mp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Protect system media types defined in MP-4a until the media + are destroyed or sanitized using approved equipment, techniques, + and procedures. + - id: mp-4_fr + name: item + title: MP-4 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-4_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines controlled areas within + facilities where the information and information system reside. + - id: mp-4_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Physically controlling stored media includes conducting + inventories, ensuring procedures are in place to allow individuals + to check out and return media to the library, and maintaining accountability + for stored media. Secure storage includes a locked drawer, desk, or + cabinet or a controlled media library. The type of media storage is + commensurate with the security category or classification of the information + on the media. Controlled areas are spaces that provide physical and + procedural controls to meet the requirements established for protecting + information and systems. Fewer controls may be needed for media that + contains information determined to be in the public domain, publicly + releasable, or have limited adverse impacts on organizations, operations, + or individuals if accessed by other than authorized personnel. In + these situations, physical access controls provide adequate protection. + - id: mp-4_obj + name: assessment-objective + props: + - name: label + value: MP-04 + class: sp800-53a + parts: + - id: mp-4_obj.a + name: assessment-objective + props: + - name: label + value: MP-04a. + class: sp800-53a + parts: + - id: mp-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-04a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.01 }} are physically controlled;" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-04a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.02 }} are physically controlled;" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-04a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.03 }} are securely stored\ + \ within {{ insert: param, mp-04_odp.05 }};" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: MP-04a.[04] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.04 }} are securely stored\ + \ within {{ insert: param, mp-04_odp.06 }};" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.b + name: assessment-objective + props: + - name: label + value: MP-04b. + class: sp800-53a + prose: system media types (defined in MP-04_ODP[01], MP-04_ODP[02], + MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are + destroyed or sanitized using approved equipment, techniques, and + procedures. + links: + - href: "#mp-4_smt.b" + rel: assessment-for + links: + - href: "#mp-4_smt" + rel: assessment-for + - id: mp-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media storage + + physical and environmental protection policy and procedures + + access control policy and procedures + + system media + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + storage responsibilities + + + organizational personnel with information security responsibilities + - id: mp-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing information media + + + mechanisms supporting and/or implementing secure media storage/media + protection + - id: mp-5 + class: SP800-53 + title: Media Transport + params: + - id: mp-5_prm_2 + label: organization-defined controls + constraints: + - description: "prior to leaving secure/controlled environment: for\ + \ digital media, encryption in compliance with Federal requirements\ + \ and utilizes FIPS validated or NSA approved cryptography (see\ + \ SC-13.); for non-digital media, secured in locked container" + - id: mp-05_odp.01 + label: types of system media + constraints: + - description: all media with sensitive information + guidelines: + - prose: types of system media to protect and control during transport + outside of controlled areas are defined; + - id: mp-05_odp.02 + label: controls + guidelines: + - prose: controls used to protect system media outside of controlled + areas are defined; + - id: mp-05_odp.03 + label: controls + guidelines: + - prose: controls used to control system media outside of controlled + areas are defined; + props: + - name: label + value: MP-5 + - name: label + value: MP-05 + class: sp800-53a + - name: sort-id + value: mp-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#ac-7" + rel: related + - href: "#ac-19" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + parts: + - id: mp-5_smt + name: statement + parts: + - id: mp-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Protect and control {{ insert: param, mp-05_odp.01 }} during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-5_prm_2 }};" + - id: mp-5_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain accountability for system media during transport + outside of controlled areas; + - id: mp-5_smt.c + name: item + props: + - name: label + value: c. + prose: Document activities associated with the transport of system + media; and + - id: mp-5_smt.d + name: item + props: + - name: label + value: d. + prose: Restrict the activities associated with the transport of + system media to authorized personnel. + - id: mp-5_fr + name: item + title: MP-5 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-5_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines security measures to protect + digital and non-digital media in transport. The security measures + are approved and accepted by the JAB/AO. + - id: mp-5_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state and magnetic), compact + discs, and digital versatile discs. Non-digital media includes microfilm + and paper. Controlled areas are spaces for which organizations provide + physical or procedural controls to meet requirements established for + protecting information and systems. Controls to protect media during + transport include cryptography and locked containers. Cryptographic + mechanisms can provide confidentiality and integrity protections depending + on the mechanisms implemented. Activities associated with media transport + include releasing media for transport, ensuring that media enters + the appropriate transport processes, and the actual transport. Authorized + transport and courier personnel may include individuals external to + the organization. Maintaining accountability of media during transport + includes restricting transport activities to authorized personnel + and tracking and/or obtaining records of transport activities as the + media moves through the transportation system to prevent and detect + loss, destruction, or tampering. Organizations establish documentation + requirements for activities associated with the transport of system + media in accordance with organizational assessments of risk. Organizations + maintain the flexibility to define record-keeping methods for the + different types of media transport as part of a system of transport-related + records. + - id: mp-5_obj + name: assessment-objective + props: + - name: label + value: MP-05 + class: sp800-53a + parts: + - id: mp-5_obj.a + name: assessment-objective + props: + - name: label + value: MP-05a. + class: sp800-53a + parts: + - id: mp-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-05a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-05_odp.01 }} are protected during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-05_odp.02 }};" + links: + - href: "#mp-5_smt.a" + rel: assessment-for + - id: mp-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-05a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-05_odp.01 }} are controlled during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-05_odp.03 }};" + links: + - href: "#mp-5_smt.a" + rel: assessment-for + links: + - href: "#mp-5_smt.a" + rel: assessment-for + - id: mp-5_obj.b + name: assessment-objective + props: + - name: label + value: MP-05b. + class: sp800-53a + prose: accountability for system media is maintained during transport + outside of controlled areas; + links: + - href: "#mp-5_smt.b" + rel: assessment-for + - id: mp-5_obj.c + name: assessment-objective + props: + - name: label + value: MP-05c. + class: sp800-53a + prose: activities associated with the transport of system media + are documented; + links: + - href: "#mp-5_smt.c" + rel: assessment-for + - id: mp-5_obj.d + name: assessment-objective + props: + - name: label + value: MP-05d. + class: sp800-53a + parts: + - id: mp-5_obj.d-1 + name: assessment-objective + props: + - name: label + value: MP-05d.[01] + class: sp800-53a + prose: personnel authorized to conduct media transport activities + is/are identified; + links: + - href: "#mp-5_smt.d" + rel: assessment-for + - id: mp-5_obj.d-2 + name: assessment-objective + props: + - name: label + value: MP-05d.[02] + class: sp800-53a + prose: activities associated with the transport of system media + are restricted to identified authorized personnel. + links: + - href: "#mp-5_smt.d" + rel: assessment-for + links: + - href: "#mp-5_smt.d" + rel: assessment-for + links: + - href: "#mp-5_smt" + rel: assessment-for + - id: mp-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media storage + + physical and environmental protection policy and procedures + + access control policy and procedures + + authorized personnel list + + system media + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + storage responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing information media + + + mechanisms supporting and/or implementing media storage/media + protection + - id: mp-6 + class: SP800-53 + title: Media Sanitization + params: + - id: mp-6_prm_1 + label: organization-defined system media + constraints: + - description: "techniques and procedures IAW NIST SP 800-88 Section\ + \ 4: Reuse and Disposal of Storage Media and Hardware" + - id: mp-6_prm_2 + label: organization-defined sanitization techniques and procedures + - id: mp-06_odp.01 + label: system media + guidelines: + - prose: system media to be sanitized prior to disposal is defined; + - id: mp-06_odp.02 + label: system media + guidelines: + - prose: system media to be sanitized prior to release from organizational + control is defined; + - id: mp-06_odp.03 + label: system media + guidelines: + - prose: system media to be sanitized prior to release for reuse is + defined; + - id: mp-06_odp.04 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to disposal are defined; + - id: mp-06_odp.05 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release from organizational control are defined; + - id: mp-06_odp.06 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release for reuse are defined; + props: + - name: label + value: MP-6 + - name: label + value: MP-06 + class: sp800-53a + - name: sort-id + value: mp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#au-11" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pm-22" + rel: related + - href: "#si-12" + rel: related + - href: "#si-18" + rel: related + - href: "#si-19" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: mp-6_smt + name: statement + parts: + - id: mp-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal,\ + \ release out of organizational control, or release for reuse\ + \ using {{ insert: param, mp-6_prm_2 }} ; and" + - id: mp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the + information. + - id: mp-6_gdn + name: guidance + prose: Media sanitization applies to all digital and non-digital system + media subject to disposal or reuse, whether or not the media is considered + removable. Examples include digital media in scanners, copiers, printers, + notebook computers, workstations, network components, mobile devices, + and non-digital media (e.g., paper and microfilm). The sanitization + process removes information from system media such that the information + cannot be retrieved or reconstructed. Sanitization techniques—including + clearing, purging, cryptographic erase, de-identification of personally + identifiable information, and destruction—prevent the disclosure of + information to unauthorized individuals when such media is reused + or released for disposal. Organizations determine the appropriate + sanitization methods, recognizing that destruction is sometimes necessary + when other methods cannot be applied to media requiring sanitization. + Organizations use discretion on the employment of approved sanitization + techniques and procedures for media that contains information deemed + to be in the public domain or publicly releasable or information deemed + to have no adverse impact on organizations or individuals if released + for reuse or disposal. Sanitization of non-digital media includes + destruction, removing a classified appendix from an otherwise unclassified + document, or redacting selected sections or words from a document + by obscuring the redacted sections or words in a manner equivalent + in effectiveness to removing them from the document. NSA standards + and policies control the sanitization process for media that contains + classified information. NARA policies control the sanitization process + for controlled unclassified information. + - id: mp-6_obj + name: assessment-objective + props: + - name: label + value: MP-06 + class: sp800-53a + parts: + - id: mp-6_obj.a + name: assessment-objective + props: + - name: label + value: MP-06a. + class: sp800-53a + parts: + - id: mp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-06a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.01 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.04 }} prior to disposal;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-06a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.02 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.05 }} prior to release from\ + \ organizational control;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-06a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.03 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.06 }} prior to release for reuse;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.b + name: assessment-objective + props: + - name: label + value: MP-06b. + class: sp800-53a + prose: sanitization mechanisms with strength and integrity commensurate + with the security category or classification of the information + are employed. + links: + - href: "#mp-6_smt.b" + rel: assessment-for + links: + - href: "#mp-6_smt" + rel: assessment-for + - id: mp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + applicable federal standards and policies addressing media sanitization + policy + + + media sanitization records + + + system audit records + + + system design documentation + + + records retention and disposition policy + + + records retention and disposition procedures + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media sanitization + responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: mp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for media sanitization + + mechanisms supporting and/or implementing media sanitization + controls: + - id: mp-6.1 + class: SP800-53-enhancement + title: Review, Approve, Track, Document, and Verify + props: + - name: label + value: MP-6(1) + - name: label + value: MP-06(01) + class: sp800-53a + - name: sort-id + value: mp-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#mp-6" + rel: required + parts: + - id: mp-6.1_smt + name: statement + prose: Review, approve, track, document, and verify media sanitization + and disposal actions. + parts: + - id: mp-6.1_fr + name: item + title: MP-6 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: mp-6.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Must comply with NIST SP 800-88 + - id: mp-6.1_gdn + name: guidance + prose: Organizations review and approve media to be sanitized to + ensure compliance with records retention policies. Tracking and + documenting actions include listing personnel who reviewed and + approved sanitization and disposal actions, types of media sanitized, + files stored on the media, sanitization methods used, date and + time of the sanitization actions, personnel who performed the + sanitization, verification actions taken and personnel who performed + the verification, and the disposal actions taken. Organizations + verify that the sanitization of the media was effective prior + to disposal. + - id: mp-6.1_obj + name: assessment-objective + props: + - name: label + value: MP-06(01) + class: sp800-53a + parts: + - id: mp-6.1_obj-1 + name: assessment-objective + props: + - name: label + value: MP-06(01)[01] + class: sp800-53a + prose: media sanitization and disposal actions are reviewed; + links: + - href: "#mp-6.1_smt" + rel: assessment-for + - id: mp-6.1_obj-2 + name: assessment-objective + props: + - name: label + value: MP-06(01)[02] + class: sp800-53a + prose: media sanitization and disposal actions are approved; + links: + - href: "#mp-6.1_smt" + rel: assessment-for + - id: mp-6.1_obj-3 + name: assessment-objective + props: + - name: label + value: MP-06(01)[03] + class: sp800-53a + prose: media sanitization and disposal actions are tracked; + links: + - href: "#mp-6.1_smt" + rel: assessment-for + - id: mp-6.1_obj-4 + name: assessment-objective + props: + - name: label + value: MP-06(01)[04] + class: sp800-53a + prose: media sanitization and disposal actions are documented; + links: + - href: "#mp-6.1_smt" + rel: assessment-for + - id: mp-6.1_obj-5 + name: assessment-objective + props: + - name: label + value: MP-06(01)[05] + class: sp800-53a + prose: media sanitization and disposal actions are verified. + links: + - href: "#mp-6.1_smt" + rel: assessment-for + links: + - href: "#mp-6.1_smt" + rel: assessment-for + - id: mp-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + records retention and disposition policy + + + records retention and disposition procedures + + + media sanitization and disposal records + + + review records for media sanitization and disposal actions + + + approvals for media sanitization and disposal actions + + + tracking records + + + verification records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media sanitization + and disposal responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: mp-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media sanitization + + + mechanisms supporting and/or implementing media sanitization + + + mechanisms supporting and/or implementing verification of + media sanitization + - id: mp-6.2 + class: SP800-53-enhancement + title: Equipment Testing + params: + - id: mp-6.2_prm_1 + label: organization-defined frequency + constraints: + - description: at least every six (6) months + - id: mp-06.02_odp.01 + label: frequency + guidelines: + - prose: frequency with which to test sanitization equipment is + defined; + - id: mp-06.02_odp.02 + label: frequency + guidelines: + - prose: frequency with which to test sanitization procedures + is defined; + props: + - name: label + value: MP-6(2) + - name: label + value: MP-06(02) + class: sp800-53a + - name: sort-id + value: mp-06.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#mp-6" + rel: required + parts: + - id: mp-6.2_smt + name: statement + prose: "Test sanitization equipment and procedures {{ insert: param,\ + \ mp-6.2_prm_1 }} to ensure that the intended sanitization is\ + \ being achieved." + parts: + - id: mp-6.2_fr + name: item + title: MP-6 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: mp-6.2_fr_smt.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Equipment and procedures may be tested or validated + for effectiveness + - id: mp-6.2_gdn + name: guidance + prose: Testing of sanitization equipment and procedures may be conducted + by qualified and authorized external entities, including federal + agencies or external service providers. + - id: mp-6.2_obj + name: assessment-objective + props: + - name: label + value: MP-06(02) + class: sp800-53a + parts: + - id: mp-6.2_obj-1 + name: assessment-objective + props: + - name: label + value: MP-06(02)[01] + class: sp800-53a + prose: "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01\ + \ }} to ensure that the intended sanitization is being achieved;" + links: + - href: "#mp-6.2_smt" + rel: assessment-for + - id: mp-6.2_obj-2 + name: assessment-objective + props: + - name: label + value: MP-06(02)[02] + class: sp800-53a + prose: "sanitization procedures are tested {{ insert: param,\ + \ mp-06.02_odp.02 }} to ensure that the intended sanitization\ + \ is being achieved." + links: + - href: "#mp-6.2_smt" + rel: assessment-for + links: + - href: "#mp-6.2_smt" + rel: assessment-for + - id: mp-6.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + procedures addressing testing of media sanitization equipment + + + results of media sanitization equipment and procedures testing + + + system audit records + + + records retention and disposition policy + + + records retention and disposition procedures + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media sanitization + responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: mp-6.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media sanitization + + + automated mechanisms supporting and/or implementing media + sanitization + + + automated mechanisms supporting and/or implementing media + sanitization procedures + + + sanitization equipment + - id: mp-6.3 + class: SP800-53-enhancement + title: Nondestructive Techniques + params: + - id: mp-06.03_odp + label: circumstances + guidelines: + - prose: circumstances requiring sanitization of portable storage + devices are defined; + props: + - name: label + value: MP-6(3) + - name: label + value: MP-06(03) + class: sp800-53a + - name: sort-id + value: mp-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#mp-6" + rel: required + parts: + - id: mp-6.3_smt + name: statement + prose: "Apply nondestructive sanitization techniques to portable\ + \ storage devices prior to connecting such devices to the system\ + \ under the following circumstances: {{ insert: param, mp-06.03_odp\ + \ }}." + parts: + - id: mp-6.3_fr + name: item + title: MP-6 (3) Additional FedRAMP Requirements and Guidance + parts: + - id: mp-6.3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Must comply with NIST SP 800-88 + - id: mp-6.3_gdn + name: guidance + prose: Portable storage devices include external or removable hard + disk drives (e.g., solid state, magnetic), optical discs, magnetic + or optical tapes, flash memory devices, flash memory cards, and + other external or removable disks. Portable storage devices can + be obtained from untrustworthy sources and contain malicious code + that can be inserted into or transferred to organizational systems + through USB ports or other entry portals. While scanning storage + devices is recommended, sanitization provides additional assurance + that such devices are free of malicious code. Organizations consider + nondestructive sanitization of portable storage devices when the + devices are purchased from manufacturers or vendors prior to initial + use or when organizations cannot maintain a positive chain of + custody for the devices. + - id: mp-6.3_obj + name: assessment-objective + props: + - name: label + value: MP-06(03) + class: sp800-53a + prose: "non-destructive sanitization techniques are applied to portable\ + \ storage devices prior to connecting such devices to the system\ + \ under {{ insert: param, mp-06.03_odp }}." + links: + - href: "#mp-6.3_smt" + rel: assessment-for + - id: mp-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + information on portable storage devices for the system + + + list of circumstances requiring sanitization of portable storage + devices + + + media sanitization records + + + audit records + + + system security plan + + + other relevant documents or records + - id: mp-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media sanitization + responsibilities + + + organizational personnel with information security responsibilities + - id: mp-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media sanitization of + portable storage devices + + + mechanisms supporting and/or implementing media sanitization + - id: mp-7 + class: SP800-53 + title: Media Use + params: + - id: mp-07_odp.01 + label: types of system media + guidelines: + - prose: types of system media to be restricted or prohibited from + use on systems or system components are defined; + - id: mp-07_odp.02 + select: + choice: + - restrict + - prohibit + - id: mp-07_odp.03 + label: systems or system components + guidelines: + - prose: systems or system components on which the use of specific + types of system media to be restricted or prohibited are defined; + - id: mp-07_odp.04 + label: controls + guidelines: + - prose: controls to restrict or prohibit the use of specific types + of system media on systems or system components are defined; + props: + - name: label + value: MP-7 + - name: label + value: MP-07 + class: sp800-53a + - name: sort-id + value: mp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: mp-7_smt + name: statement + parts: + - id: mp-7_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, mp-07_odp.02 }} the use of {{ insert:\ + \ param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }} ; and" + - id: mp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Prohibit the use of portable storage devices in organizational + systems when such devices have no identifiable owner. + - id: mp-7_gdn + name: guidance + prose: System media includes both digital and non-digital media. Digital + media includes diskettes, magnetic tapes, flash drives, compact discs, + digital versatile discs, and removable hard disk drives. Non-digital + media includes paper and microfilm. Media use protections also apply + to mobile devices with information storage capabilities. In contrast + to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts + the use of certain types of media on systems, for example, restricting + or prohibiting the use of flash drives or external hard disk drives. + Organizations use technical and nontechnical controls to restrict + the use of system media. Organizations may restrict the use of portable + storage devices, for example, by using physical cages on workstations + to prohibit access to certain external ports or disabling or removing + the ability to insert, read, or write to such devices. Organizations + may also limit the use of portable storage devices to only approved + devices, including devices provided by the organization, devices provided + by other approved organizations, and devices that are not personally + owned. Finally, organizations may restrict the use of portable storage + devices based on the type of device, such as by prohibiting the use + of writeable, portable storage devices and implementing this restriction + by disabling or removing the capability to write to such devices. + Requiring identifiable owners for storage devices reduces the risk + of using such devices by allowing organizations to assign responsibility + for addressing known vulnerabilities in the devices. + - id: mp-7_obj + name: assessment-objective + props: + - name: label + value: MP-07 + class: sp800-53a + parts: + - id: mp-7_obj.a + name: assessment-objective + props: + - name: label + value: MP-07a. + class: sp800-53a + prose: "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert:\ + \ param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }};" + links: + - href: "#mp-7_smt.a" + rel: assessment-for + - id: mp-7_obj.b + name: assessment-objective + props: + - name: label + value: MP-07b. + class: sp800-53a + prose: the use of portable storage devices in organizational systems + is prohibited when such devices have no identifiable owner. + links: + - href: "#mp-7_smt.b" + rel: assessment-for + links: + - href: "#mp-7_smt" + rel: assessment-for + - id: mp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + system use policy + + procedures addressing media usage restrictions + + rules of behavior + + system design documentation + + system configuration settings and associated documentation + + audit records + + system security plan + + other relevant documents or records + - id: mp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media use + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media use + + + mechanisms restricting or prohibiting the use of system media + on systems or system components + - id: pe + class: family + title: Physical and Environmental Protection + controls: + - id: pe-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pe-1_prm_1 + label: organization-defined personnel or roles + - id: pe-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection policy is to be disseminated is/are defined; + - id: pe-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection procedures are to be disseminated is/are defined; + - id: pe-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pe-01_odp.04 + label: official + guidelines: + - prose: an official to manage the physical and environmental protection + policy and procedures is defined; + - id: pe-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current physical and environmental + protection policy is reviewed and updated is defined; + - id: pe-01_odp.06 + label: events + guidelines: + - prose: events that would require the current physical and environmental + protection policy to be reviewed and updated are defined; + - id: pe-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current physical and environmental + protection procedures are reviewed and updated is defined; + - id: pe-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the physical and environmental + protection procedures to be reviewed and updated are defined; + props: + - name: label + value: PE-1 + - name: label + value: PE-01 + class: sp800-53a + - name: sort-id + value: pe-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pe-1_smt + name: statement + parts: + - id: pe-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pe-1_prm_1 }}:" + parts: + - id: pe-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pe-01_odp.03 }} physical and environmental\ + \ protection policy that:" + parts: + - id: pe-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pe-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pe-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the physical + and environmental protection policy and the associated physical + and environmental protection controls; + - id: pe-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pe-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures; and" + - id: pe-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current physical and environmental\ + \ protection:" + parts: + - id: pe-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pe-01_odp.05 }} and following\ + \ {{ insert: param, pe-01_odp.06 }} ; and" + - id: pe-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pe-01_odp.07 }} and following\ + \ {{ insert: param, pe-01_odp.08 }}." + - id: pe-1_gdn + name: guidance + prose: Physical and environmental protection policy and procedures address + the controls in the PE family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of physical and environmental protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + physical and environmental protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: pe-1_obj + name: assessment-objective + props: + - name: label + value: PE-01 + class: sp800-53a + parts: + - id: pe-1_obj.a + name: assessment-objective + props: + - name: label + value: PE-01a. + class: sp800-53a + parts: + - id: pe-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.[01] + class: sp800-53a + prose: a physical and environmental protection policy is developed + and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.[02] + class: sp800-53a + prose: "the physical and environmental protection policy is\ + \ disseminated to {{ insert: param, pe-01_odp.01 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.[03] + class: sp800-53a + prose: physical and environmental protection procedures to facilitate + the implementation of the physical and environmental protection + policy and associated physical and environmental protection + controls are developed and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.[04] + class: sp800-53a + prose: "the physical and environmental protection procedures\ + \ are disseminated to {{ insert: param, pe-01_odp.02 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-01a.01 + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PE-01a.01(a) + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses purpose;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses scope;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses roles;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses responsibilities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses management\ + \ commitment;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses compliance;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PE-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical and\ + \ environmental protection policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#pe-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1" + rel: assessment-for + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.b + name: assessment-objective + props: + - name: label + value: PE-01b. + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures;" + links: + - href: "#pe-1_smt.b" + rel: assessment-for + - id: pe-1_obj.c + name: assessment-objective + props: + - name: label + value: PE-01c. + class: sp800-53a + parts: + - id: pe-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PE-01c.01 + class: sp800-53a + parts: + - id: pe-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PE-01c.01[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated {{ insert: param, pe-01_odp.05\ + \ }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PE-01c.01[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, pe-01_odp.06 }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PE-01c.02 + class: sp800-53a + parts: + - id: pe-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PE-01c.02[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ pe-01_odp.07 }};" + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + - id: pe-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PE-01c.02[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, pe-01_odp.08 }}." + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c" + rel: assessment-for + links: + - href: "#pe-1_smt" + rel: assessment-for + - id: pe-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: pe-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical and environmental + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-2 + class: SP800-53 + title: Physical Access Authorizations + params: + - id: pe-02_odp + label: frequency + constraints: + - description: at least every ninety (90) days + guidelines: + - prose: frequency at which to review the access list detailing authorized + facility access by individuals is defined; + props: + - name: label + value: PE-2 + - name: label + value: PE-02 + class: sp800-53a + - name: sort-id + value: pe-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: pe-2_smt + name: statement + parts: + - id: pe-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, approve, and maintain a list of individuals with + authorized access to the facility where the system resides; + - id: pe-2_smt.b + name: item + props: + - name: label + value: b. + prose: Issue authorization credentials for facility access; + - id: pe-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the access list detailing authorized facility access\ + \ by individuals {{ insert: param, pe-02_odp }} ; and" + - id: pe-2_smt.d + name: item + props: + - name: label + value: d. + prose: Remove individuals from the facility access list when access + is no longer required. + - id: pe-2_gdn + name: guidance + prose: Physical access authorizations apply to employees and visitors. + Individuals with permanent physical access authorization credentials + are not considered visitors. Authorization credentials include ID + badges, identification cards, and smart cards. Organizations determine + the strength of authorization credentials needed consistent with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Physical access authorizations may not be necessary + to access certain areas within facilities that are designated as publicly + accessible. + - id: pe-2_obj + name: assessment-objective + props: + - name: label + value: PE-02 + class: sp800-53a + parts: + - id: pe-2_obj.a + name: assessment-objective + props: + - name: label + value: PE-02a. + class: sp800-53a + parts: + - id: pe-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-02a.[01] + class: sp800-53a + prose: a list of individuals with authorized access to the facility + where the system resides has been developed; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-02a.[02] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been approved; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-02a.[03] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been maintained; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.b + name: assessment-objective + props: + - name: label + value: PE-02b. + class: sp800-53a + prose: authorization credentials are issued for facility access; + links: + - href: "#pe-2_smt.b" + rel: assessment-for + - id: pe-2_obj.c + name: assessment-objective + props: + - name: label + value: PE-02c. + class: sp800-53a + prose: "the access list detailing authorized facility access by\ + \ individuals is reviewed {{ insert: param, pe-02_odp }};" + links: + - href: "#pe-2_smt.c" + rel: assessment-for + - id: pe-2_obj.d + name: assessment-objective + props: + - name: label + value: PE-02d. + class: sp800-53a + prose: individuals are removed from the facility access list when + access is no longer required. + links: + - href: "#pe-2_smt.d" + rel: assessment-for + links: + - href: "#pe-2_smt" + rel: assessment-for + - id: pe-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access authorizations + + + authorized personnel access list + + + authorization credentials + + + physical access list reviews + + + physical access termination records and associated documentation + + + system security plan + + + other relevant documents or records + - id: pe-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access authorization + responsibilities + + + organizational personnel with physical access to system facility + + + organizational personnel with information security responsibilities + - id: pe-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access authorizations + + + mechanisms supporting and/or implementing physical access authorizations + - id: pe-3 + class: SP800-53 + title: Physical Access Control + params: + - id: pe-3_prm_9 + label: organization-defined frequency + constraints: + - description: at least annually or earlier as required by a security + relevant event. + - id: pe-03_odp.01 + label: entry and exit points + guidelines: + - prose: entry and exit points to the facility in which the system + resides are defined; + - id: pe-03_odp.02 + constraints: + - description: CSP defined physical access control systems/devices + AND guards + select: + how-many: one-or-more + choice: + - " {{ insert: param, pe-03_odp.03 }} " + - guards + - id: pe-03_odp.03 + label: systems or devices + guidelines: + - prose: physical access control systems or devices used to control + ingress and egress to the facility are defined (if selected); + - id: pe-03_odp.04 + label: entry or exit points + guidelines: + - prose: entry or exit points for which physical access logs are maintained + are defined; + - id: pe-03_odp.05 + label: physical access controls + guidelines: + - prose: physical access controls to control access to areas within + the facility designated as publicly accessible are defined; + - id: pe-03_odp.06 + label: circumstances + constraints: + - description: in all circumstances within restricted access area + where the information system resides + guidelines: + - prose: circumstances requiring visitor escorts and control of visitor + activity are defined; + - id: pe-03_odp.07 + label: physical access devices + guidelines: + - prose: physical access devices to be inventoried are defined; + - id: pe-03_odp.08 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to inventory physical access devices is + defined; + - id: pe-03_odp.09 + label: frequency + guidelines: + - prose: frequency at which to change combinations is defined; + - id: pe-03_odp.10 + label: frequency + guidelines: + - prose: frequency at which to change keys is defined; + props: + - name: label + value: PE-3 + - name: label + value: PE-03 + class: sp800-53a + - name: sort-id + value: pe-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-13" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: pe-3_smt + name: statement + parts: + - id: pe-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce physical access authorizations at {{ insert: param,\ + \ pe-03_odp.01 }} by:" + parts: + - id: pe-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Verifying individual access authorizations before granting + access to the facility; and + - id: pe-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "Controlling ingress and egress to the facility using\ + \ {{ insert: param, pe-03_odp.02 }};" + - id: pe-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Maintain physical access audit logs for {{ insert: param,\ + \ pe-03_odp.04 }};" + - id: pe-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Control access to areas within the facility designated as\ + \ publicly accessible by implementing the following controls:\ + \ {{ insert: param, pe-03_odp.05 }};" + - id: pe-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Escort visitors and control visitor activity {{ insert:\ + \ param, pe-03_odp.06 }};" + - id: pe-3_smt.e + name: item + props: + - name: label + value: e. + prose: Secure keys, combinations, and other physical access devices; + - id: pe-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert:\ + \ param, pe-03_odp.08 }} ; and" + - id: pe-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Change combinations and keys {{ insert: param, pe-3_prm_9\ + \ }} and/or when keys are lost, combinations are compromised,\ + \ or when individuals possessing the keys or combinations are\ + \ transferred or terminated." + - id: pe-3_gdn + name: guidance + prose: Physical access control applies to employees and visitors. Individuals + with permanent physical access authorizations are not considered visitors. + Physical access controls for publicly accessible areas may include + physical access control logs/records, guards, or physical access devices + and barriers to prevent movement from publicly accessible areas to + non-public areas. Organizations determine the types of guards needed, + including professional security staff, system users, or administrative + staff. Physical access devices include keys, locks, combinations, + biometric readers, and card readers. Physical access control systems + comply with applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Organizations have flexibility + in the types of audit logs employed. Audit logs can be procedural, + automated, or some combination thereof. Physical access points can + include facility access points, interior access points to systems + that require supplemental access controls, or both. Components of + systems may be in areas designated as publicly accessible with organizations + controlling access to the components. + - id: pe-3_obj + name: assessment-objective + props: + - name: label + value: PE-03 + class: sp800-53a + parts: + - id: pe-3_obj.a + name: assessment-objective + props: + - name: label + value: PE-03a. + class: sp800-53a + parts: + - id: pe-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-03a.01 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by verifying individual access authorizations\ + \ before granting access to the facility;" + links: + - href: "#pe-3_smt.a.1" + rel: assessment-for + - id: pe-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: PE-03a.02 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by controlling ingress and egress\ + \ to the facility using {{ insert: param, pe-03_odp.02 }};" + links: + - href: "#pe-3_smt.a.2" + rel: assessment-for + links: + - href: "#pe-3_smt.a" + rel: assessment-for + - id: pe-3_obj.b + name: assessment-objective + props: + - name: label + value: PE-03b. + class: sp800-53a + prose: "physical access audit logs are maintained for {{ insert:\ + \ param, pe-03_odp.04 }};" + links: + - href: "#pe-3_smt.b" + rel: assessment-for + - id: pe-3_obj.c + name: assessment-objective + props: + - name: label + value: PE-03c. + class: sp800-53a + prose: "access to areas within the facility designated as publicly\ + \ accessible are maintained by implementing {{ insert: param,\ + \ pe-03_odp.05 }};" + links: + - href: "#pe-3_smt.c" + rel: assessment-for + - id: pe-3_obj.d + name: assessment-objective + props: + - name: label + value: PE-03d. + class: sp800-53a + parts: + - id: pe-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: PE-03d.[01] + class: sp800-53a + prose: visitors are escorted; + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: PE-03d.[02] + class: sp800-53a + prose: "visitor activity is controlled {{ insert: param, pe-03_odp.06\ + \ }};" + links: + - href: "#pe-3_smt.d" + rel: assessment-for + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.e + name: assessment-objective + props: + - name: label + value: PE-03e. + class: sp800-53a + parts: + - id: pe-3_obj.e-1 + name: assessment-objective + props: + - name: label + value: PE-03e.[01] + class: sp800-53a + prose: keys are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-2 + name: assessment-objective + props: + - name: label + value: PE-03e.[02] + class: sp800-53a + prose: combinations are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-3 + name: assessment-objective + props: + - name: label + value: PE-03e.[03] + class: sp800-53a + prose: other physical access devices are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.f + name: assessment-objective + props: + - name: label + value: PE-03f. + class: sp800-53a + prose: " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert:\ + \ param, pe-03_odp.08 }};" + links: + - href: "#pe-3_smt.f" + rel: assessment-for + - id: pe-3_obj.g + name: assessment-objective + props: + - name: label + value: PE-03g. + class: sp800-53a + parts: + - id: pe-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: PE-03g.[01] + class: sp800-53a + prose: "combinations are changed {{ insert: param, pe-03_odp.09\ + \ }} , when combinations are compromised, or when individuals\ + \ possessing the combinations are transferred or terminated;" + links: + - href: "#pe-3_smt.g" + rel: assessment-for + - id: pe-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: PE-03g.[02] + class: sp800-53a + prose: "keys are changed {{ insert: param, pe-03_odp.10 }} ,\ + \ when keys are lost, or when individuals possessing the keys\ + \ are transferred or terminated." + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt" + rel: assessment-for + - id: pe-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access control + + + physical access control logs or records + + + inventory records of physical access control devices + + + system entry and exit points + + + records of key and lock combination changes + + + storage locations for physical access control devices + + + physical access control devices + + + list of security safeguards controlling access to designated publicly + accessible areas within facility + + + system security plan + + + other relevant documents or records + - id: pe-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access control + + + mechanisms supporting and/or implementing physical access control + + + physical access control devices + controls: + - id: pe-3.1 + class: SP800-53-enhancement + title: System Access + params: + - id: pe-03.01_odp + label: physical spaces + guidelines: + - prose: physical spaces containing one or more components of + the system are defined; + props: + - name: label + value: PE-3(1) + - name: label + value: PE-03(01) + class: sp800-53a + - name: sort-id + value: pe-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-3" + rel: required + parts: + - id: pe-3.1_smt + name: statement + prose: "Enforce physical access authorizations to the system in\ + \ addition to the physical access controls for the facility at\ + \ {{ insert: param, pe-03.01_odp }}." + - id: pe-3.1_gdn + name: guidance + prose: Control of physical access to the system provides additional + physical security for those areas within facilities where there + is a concentration of system components. + - id: pe-3.1_obj + name: assessment-objective + props: + - name: label + value: PE-03(01) + class: sp800-53a + parts: + - id: pe-3.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-03(01)[01] + class: sp800-53a + prose: physical access authorizations to the system are enforced; + links: + - href: "#pe-3.1_smt" + rel: assessment-for + - id: pe-3.1_obj.2 + name: assessment-objective + props: + - name: label + value: PE-03(01)[02] + class: sp800-53a + prose: "physical access controls are enforced for the facility\ + \ at {{ insert: param, pe-03.01_odp }}." + links: + - href: "#pe-3.1_smt" + rel: assessment-for + links: + - href: "#pe-3.1_smt" + rel: assessment-for + - id: pe-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access control + + + physical access control logs or records + + + physical access control devices + + + access authorizations + + + access credentials + + + system entry and exit points + + + list of areas within the facility containing concentrations + of system components or system components requiring additional + physical protection + + + system security plan + + + other relevant documents or records + - id: pe-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access + authorization responsibilities + + + organizational personnel with information security responsibilities + - id: pe-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access control to + the information system/components + + + mechanisms supporting and/or implementing physical access + control for facility areas containing system components + - id: pe-4 + class: SP800-53 + title: Access Control for Transmission + params: + - id: pe-04_odp.01 + label: system distribution and transmission lines + guidelines: + - prose: system distribution and transmission lines requiring physical + access controls are defined; + - id: pe-04_odp.02 + label: security controls + guidelines: + - prose: security controls to be implemented to control physical access + to system distribution and transmission lines within the organizational + facility are defined; + props: + - name: label + value: PE-4 + - name: label + value: PE-04 + class: sp800-53a + - name: sort-id + value: pe-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: pe-4_smt + name: statement + prose: "Control physical access to {{ insert: param, pe-04_odp.01 }}\ + \ within organizational facilities using {{ insert: param, pe-04_odp.02\ + \ }}." + - id: pe-4_gdn + name: guidance + prose: Security controls applied to system distribution and transmission + lines prevent accidental damage, disruption, and physical tampering. + Such controls may also be necessary to prevent eavesdropping or modification + of unencrypted transmissions. Security controls used to control physical + access to system distribution and transmission lines include disconnected + or locked spare jacks, locked wiring closets, protection of cabling + by conduit or cable trays, and wiretapping sensors. + - id: pe-4_obj + name: assessment-objective + props: + - name: label + value: PE-04 + class: sp800-53a + prose: "physical access to {{ insert: param, pe-04_odp.01 }} within\ + \ organizational facilities is controlled using {{ insert: param,\ + \ pe-04_odp.02 }}." + links: + - href: "#pe-4_smt" + rel: assessment-for + - id: pe-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing access control for transmission mediums + + + system design documentation + + + facility communications and wiring diagrams + + + list of physical security safeguards applied to system distribution + and transmission lines + + + system security plan + + + other relevant documents or records + - id: pe-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for access control to distribution + and transmission lines + + + mechanisms/security safeguards supporting and/or implementing + access control to distribution and transmission lines + - id: pe-5 + class: SP800-53 + title: Access Control for Output Devices + params: + - id: pe-05_odp + label: output devices + guidelines: + - prose: output devices that require physical access control to output + are defined; + props: + - name: label + value: PE-5 + - name: label + value: PE-05 + class: sp800-53a + - name: sort-id + value: pe-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-18" + rel: related + parts: + - id: pe-5_smt + name: statement + prose: "Control physical access to output from {{ insert: param, pe-05_odp\ + \ }} to prevent unauthorized individuals from obtaining the output." + - id: pe-5_gdn + name: guidance + prose: Controlling physical access to output devices includes placing + output devices in locked rooms or other secured areas with keypad + or card reader access controls and allowing access to authorized individuals + only, placing output devices in locations that can be monitored by + personnel, installing monitor or screen filters, and using headphones. + Examples of output devices include monitors, printers, scanners, audio + devices, facsimile machines, and copiers. + - id: pe-5_obj + name: assessment-objective + props: + - name: label + value: PE-05 + class: sp800-53a + prose: "physical access to output from {{ insert: param, pe-05_odp }}\ + \ is controlled to prevent unauthorized individuals from obtaining\ + \ the output." + links: + - href: "#pe-5_smt" + rel: assessment-for + - id: pe-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing access control for display medium + + + facility layout of system components + + + actual displays from system components + + + list of output devices and associated outputs requiring physical + access controls + + + physical access control logs or records for areas containing output + devices and related outputs + + + system security plan + + + other relevant documents or records + - id: pe-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for access control to output + devices + + + mechanisms supporting and/or implementing access control to output + devices + - id: pe-6 + class: SP800-53 + title: Monitoring Physical Access + params: + - id: pe-06_odp.01 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review physical access logs is + defined; + - id: pe-06_odp.02 + label: events + guidelines: + - prose: events or potential indication of events requiring physical + access logs to be reviewed are defined; + props: + - name: label + value: PE-6 + - name: label + value: PE-06 + class: sp800-53a + - name: sort-id + value: pe-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#ca-7" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: pe-6_smt + name: statement + parts: + - id: pe-6_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor physical access to the facility where the system + resides to detect and respond to physical security incidents; + - id: pe-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review physical access logs {{ insert: param, pe-06_odp.01\ + \ }} and upon occurrence of {{ insert: param, pe-06_odp.02 }}\ + \ ; and" + - id: pe-6_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate results of reviews and investigations with the + organizational incident response capability. + - id: pe-6_gdn + name: guidance + prose: Physical access monitoring includes publicly accessible areas + within organizational facilities. Examples of physical access monitoring + include the employment of guards, video surveillance equipment (i.e., + cameras), and sensor devices. Reviewing physical access logs can help + identify suspicious activity, anomalous events, or potential threats. + The reviews can be supported by audit logging controls, such as [AU-2](#au-2) + , if the access logs are part of an automated system. Organizational + incident response capabilities include investigations of physical + security incidents and responses to the incidents. Incidents include + security violations or suspicious physical access activities. Suspicious + physical access activities include accesses outside of normal work + hours, repeated accesses to areas not normally accessed, accesses + for unusual lengths of time, and out-of-sequence accesses. + - id: pe-6_obj + name: assessment-objective + props: + - name: label + value: PE-06 + class: sp800-53a + parts: + - id: pe-6_obj.a + name: assessment-objective + props: + - name: label + value: PE-06a. + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored to detect and respond to physical security incidents; + links: + - href: "#pe-6_smt.a" + rel: assessment-for + - id: pe-6_obj.b + name: assessment-objective + props: + - name: label + value: PE-06b. + class: sp800-53a + parts: + - id: pe-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: PE-06b.[01] + class: sp800-53a + prose: "physical access logs are reviewed {{ insert: param,\ + \ pe-06_odp.01 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: PE-06b.[02] + class: sp800-53a + prose: "physical access logs are reviewed upon occurrence of\ + \ {{ insert: param, pe-06_odp.02 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.c + name: assessment-objective + props: + - name: label + value: PE-06c. + class: sp800-53a + parts: + - id: pe-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: PE-06c.[01] + class: sp800-53a + prose: results of reviews are coordinated with organizational + incident response capabilities; + links: + - href: "#pe-6_smt.c" + rel: assessment-for + - id: pe-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: PE-06c.[02] + class: sp800-53a + prose: results of investigations are coordinated with organizational + incident response capabilities. + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt" + rel: assessment-for + - id: pe-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + other relevant documents or records + - id: pe-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security responsibilities + - id: pe-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical access + + + mechanisms supporting and/or implementing physical access monitoring + + + mechanisms supporting and/or implementing the review of physical + access logs + controls: + - id: pe-6.1 + class: SP800-53-enhancement + title: Intrusion Alarms and Surveillance Equipment + props: + - name: label + value: PE-6(1) + - name: label + value: PE-06(01) + class: sp800-53a + - name: sort-id + value: pe-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-6" + rel: required + parts: + - id: pe-6.1_smt + name: statement + prose: Monitor physical access to the facility where the system + resides using physical intrusion alarms and surveillance equipment. + - id: pe-6.1_gdn + name: guidance + prose: Physical intrusion alarms can be employed to alert security + personnel when unauthorized access to the facility is attempted. + Alarm systems work in conjunction with physical barriers, physical + access control systems, and security guards by triggering a response + when these other forms of security have been compromised or breached. + Physical intrusion alarms can include different types of sensor + devices, such as motion sensors, contact sensors, and broken glass + sensors. Surveillance equipment includes video cameras installed + at strategic locations throughout the facility. + - id: pe-6.1_obj + name: assessment-objective + props: + - name: label + value: PE-06(01) + class: sp800-53a + parts: + - id: pe-6.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-06(01)[01] + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored using physical intrusion alarms; + links: + - href: "#pe-6.1_smt" + rel: assessment-for + - id: pe-6.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-06(01)[02] + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored using physical surveillance equipment. + links: + - href: "#pe-6.1_smt" + rel: assessment-for + links: + - href: "#pe-6.1_smt" + rel: assessment-for + - id: pe-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical + intrusion alarms and surveillance equipment + + + mechanisms supporting and/or implementing physical access + monitoring + + + mechanisms supporting and/or implementing physical intrusion + alarms and surveillance equipment + - id: pe-6.4 + class: SP800-53-enhancement + title: Monitoring Physical Access to Systems + params: + - id: pe-06.04_odp + label: physical spaces + guidelines: + - prose: physical spaces containing one or more components of + the system are defined; + props: + - name: label + value: PE-6(4) + - name: label + value: PE-06(04) + class: sp800-53a + - name: sort-id + value: pe-06.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-6" + rel: required + parts: + - id: pe-6.4_smt + name: statement + prose: "Monitor physical access to the system in addition to the\ + \ physical access monitoring of the facility at {{ insert: param,\ + \ pe-06.04_odp }}." + - id: pe-6.4_gdn + name: guidance + prose: Monitoring physical access to systems provides additional + monitoring for those areas within facilities where there is a + concentration of system components, including server rooms, media + storage areas, and communications centers. Physical access monitoring + can be coordinated with intrusion detection systems and system + monitoring capabilities to provide comprehensive and integrated + threat coverage for the organization. + - id: pe-6.4_obj + name: assessment-objective + props: + - name: label + value: PE-06(04) + class: sp800-53a + prose: "physical access to the system is monitored in addition to\ + \ the physical access monitoring of the facility at {{ insert:\ + \ param, pe-06.04_odp }}." + links: + - href: "#pe-6.4_smt" + rel: assessment-for + - id: pe-6.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access monitoring + + + physical access control logs or records + + + physical access control devices + + + access authorizations + + + access credentials + + + list of areas within the facility containing concentrations + of system components or system components requiring additional + physical access monitoring + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: pe-6.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-6.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical access + to the system + + + mechanisms supporting and/or implementing physical access + monitoring for facility areas containing system components + - id: pe-8 + class: SP800-53 + title: Visitor Access Records + params: + - id: pe-08_odp.01 + label: time period + constraints: + - description: for a minimum of one (1) year + guidelines: + - prose: time period for which to maintain visitor access records + for the facility where the system resides is defined; + - id: pe-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review visitor access records is + defined; + - id: pe-08_odp.03 + label: personnel + guidelines: + - prose: personnel to whom visitor access records anomalies are reported + to is/are defined; + props: + - name: label + value: PE-8 + - name: label + value: PE-08 + class: sp800-53a + - name: sort-id + value: pe-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: pe-8_smt + name: statement + parts: + - id: pe-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain visitor access records to the facility where the\ + \ system resides for {{ insert: param, pe-08_odp.01 }};" + - id: pe-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review visitor access records {{ insert: param, pe-08_odp.02\ + \ }} ; and" + - id: pe-8_smt.c + name: item + props: + - name: label + value: c. + prose: "Report anomalies in visitor access records to {{ insert:\ + \ param, pe-08_odp.03 }}." + - id: pe-8_gdn + name: guidance + prose: Visitor access records include the names and organizations of + individuals visiting, visitor signatures, forms of identification, + dates of access, entry and departure times, purpose of visits, and + the names and organizations of individuals visited. Access record + reviews determine if access authorizations are current and are still + required to support organizational mission and business functions. + Access records are not required for publicly accessible areas. + - id: pe-8_obj + name: assessment-objective + props: + - name: label + value: PE-08 + class: sp800-53a + parts: + - id: pe-8_obj.a + name: assessment-objective + props: + - name: label + value: PE-08a. + class: sp800-53a + prose: "visitor access records for the facility where the system\ + \ resides are maintained for {{ insert: param, pe-08_odp.01 }};" + links: + - href: "#pe-8_smt.a" + rel: assessment-for + - id: pe-8_obj.b + name: assessment-objective + props: + - name: label + value: PE-08b. + class: sp800-53a + prose: "visitor access records are reviewed {{ insert: param, pe-08_odp.02\ + \ }};" + links: + - href: "#pe-8_smt.b" + rel: assessment-for + - id: pe-8_obj.c + name: assessment-objective + props: + - name: label + value: PE-08c. + class: sp800-53a + prose: "visitor access records anomalies are reported to {{ insert:\ + \ param, pe-08_odp.03 }}." + links: + - href: "#pe-8_smt.c" + rel: assessment-for + links: + - href: "#pe-8_smt" + rel: assessment-for + - id: pe-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing visitor access records + + visitor access control logs or records + + visitor access record or log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with visitor access record + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining and reviewing + visitor access records + + + mechanisms supporting and/or implementing the maintenance and + review of visitor access records + controls: + - id: pe-8.1 + class: SP800-53-enhancement + title: Automated Records Maintenance and Review + params: + - id: pe-8.1_prm_1 + label: organization-defined automated mechanisms + - id: pe-08.01_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to maintain visitor access + records are defined; + - id: pe-08.01_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to review visitor access records + are defined; + props: + - name: label + value: PE-8(1) + - name: label + value: PE-08(01) + class: sp800-53a + - name: sort-id + value: pe-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-8" + rel: required + parts: + - id: pe-8.1_smt + name: statement + prose: "Maintain and review visitor access records using {{ insert:\ + \ param, pe-8.1_prm_1 }}." + - id: pe-8.1_gdn + name: guidance + prose: Visitor access records may be stored and maintained in a + database management system that is accessible by organizational + personnel. Automated access to such records facilitates record + reviews on a regular basis to determine if access authorizations + are current and still required to support organizational mission + and business functions. + - id: pe-8.1_obj + name: assessment-objective + props: + - name: label + value: PE-08(01) + class: sp800-53a + parts: + - id: pe-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-08(01)[01] + class: sp800-53a + prose: "visitor access records are maintained using {{ insert:\ + \ param, pe-08.01_odp.01 }};" + links: + - href: "#pe-8.1_smt" + rel: assessment-for + - id: pe-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-08(01)[02] + class: sp800-53a + prose: "visitor access records are reviewed using {{ insert:\ + \ param, pe-08.01_odp.02 }}." + links: + - href: "#pe-8.1_smt" + rel: assessment-for + links: + - href: "#pe-8.1_smt" + rel: assessment-for + - id: pe-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing visitor access records + + + automated mechanisms supporting management of visitor access + records + + + visitor access control logs or records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pe-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with visitor access record + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining and reviewing + visitor access records + + + automated mechanisms supporting and/or implementing the maintenance + and review of visitor access records + - id: pe-9 + class: SP800-53 + title: Power Equipment and Cabling + props: + - name: label + value: PE-9 + - name: label + value: PE-09 + class: sp800-53a + - name: sort-id + value: pe-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-4" + rel: related + parts: + - id: pe-9_smt + name: statement + prose: Protect power equipment and power cabling for the system from + damage and destruction. + - id: pe-9_gdn + name: guidance + prose: Organizations determine the types of protection necessary for + the power equipment and cabling employed at different locations that + are both internal and external to organizational facilities and environments + of operation. Types of power equipment and cabling include internal + cabling and uninterruptable power sources in offices or data centers, + generators and power cabling outside of buildings, and power sources + for self-contained components such as satellites, vehicles, and other + deployable systems. + - id: pe-9_obj + name: assessment-objective + props: + - name: label + value: PE-09 + class: sp800-53a + parts: + - id: pe-9_obj-1 + name: assessment-objective + props: + - name: label + value: PE-09[01] + class: sp800-53a + prose: power equipment for the system is protected from damage and + destruction; + links: + - href: "#pe-9_smt" + rel: assessment-for + - id: pe-9_obj-2 + name: assessment-objective + props: + - name: label + value: PE-09[02] + class: sp800-53a + prose: power cabling for the system is protected from damage and + destruction. + links: + - href: "#pe-9_smt" + rel: assessment-for + links: + - href: "#pe-9_smt" + rel: assessment-for + - id: pe-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing power equipment/cabling protection + + facilities housing power equipment/cabling + + system security plan + + other relevant documents or records + - id: pe-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility to protect + power equipment/cabling + + + organizational personnel with information security responsibilities + - id: pe-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the protection + of power equipment/cabling + - id: pe-10 + class: SP800-53 + title: Emergency Shutoff + params: + - id: pe-10_odp.01 + label: system or individual system components + guidelines: + - prose: system or individual system components that require the capability + to shut off power in emergency situations is/are defined; + - id: pe-10_odp.02 + label: location + constraints: + - description: near more than one egress point of the IT area and + ensures it is labeled and protected by a cover to prevent accidental + shut-off + guidelines: + - prose: location of emergency shutoff switches or devices by system + or system component is defined; + props: + - name: label + value: PE-10 + - name: label + value: PE-10 + class: sp800-53a + - name: sort-id + value: pe-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-15" + rel: related + parts: + - id: pe-10_smt + name: statement + parts: + - id: pe-10_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide the capability of shutting off power to {{ insert:\ + \ param, pe-10_odp.01 }} in emergency situations;" + - id: pe-10_smt.b + name: item + props: + - name: label + value: b. + prose: "Place emergency shutoff switches or devices in {{ insert:\ + \ param, pe-10_odp.02 }} to facilitate access for authorized personnel;\ + \ and" + - id: pe-10_smt.c + name: item + props: + - name: label + value: c. + prose: Protect emergency power shutoff capability from unauthorized + activation. + - id: pe-10_gdn + name: guidance + prose: Emergency power shutoff primarily applies to organizational facilities + that contain concentrations of system resources, including data centers, + mainframe computer rooms, server rooms, and areas with computer-controlled + machinery. + - id: pe-10_obj + name: assessment-objective + props: + - name: label + value: PE-10 + class: sp800-53a + parts: + - id: pe-10_obj.a + name: assessment-objective + props: + - name: label + value: PE-10a. + class: sp800-53a + prose: "the capability to shut off power to {{ insert: param, pe-10_odp.01\ + \ }} in emergency situations is provided;" + links: + - href: "#pe-10_smt.a" + rel: assessment-for + - id: pe-10_obj.b + name: assessment-objective + props: + - name: label + value: PE-10b. + class: sp800-53a + prose: "emergency shutoff switches or devices are placed in {{ insert:\ + \ param, pe-10_odp.02 }} to facilitate access for authorized personnel;" + links: + - href: "#pe-10_smt.b" + rel: assessment-for + - id: pe-10_obj.c + name: assessment-objective + props: + - name: label + value: PE-10c. + class: sp800-53a + prose: the emergency power shutoff capability is protected from + unauthorized activation. + links: + - href: "#pe-10_smt.c" + rel: assessment-for + links: + - href: "#pe-10_smt" + rel: assessment-for + - id: pe-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing power source emergency shutoff + + + emergency shutoff controls or switches + + + locations housing emergency shutoff switches and devices + + + security safeguards protecting the emergency power shutoff capability + from unauthorized activation + + + system security plan + + + other relevant documents or records + - id: pe-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for the + emergency power shutoff capability (both implementing and + using the capability) + + + organizational personnel with information security responsibilities + - id: pe-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing emergency power + shutoff + - id: pe-11 + class: SP800-53 + title: Emergency Power + params: + - id: pe-11_odp + select: + choice: + - an orderly shutdown of the system + - transition of the system to long-term alternate power + props: + - name: label + value: PE-11 + - name: label + value: PE-11 + class: sp800-53a + - name: sort-id + value: pe-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-11_smt + name: statement + prose: "Provide an uninterruptible power supply to facilitate {{ insert:\ + \ param, pe-11_odp }} in the event of a primary power source loss." + - id: pe-11_gdn + name: guidance + prose: An uninterruptible power supply (UPS) is an electrical system + or mechanism that provides emergency power when there is a failure + of the main power source. A UPS is typically used to protect computers, + data centers, telecommunication equipment, or other electrical equipment + where an unexpected power disruption could cause injuries, fatalities, + serious mission or business disruption, or loss of data or information. + A UPS differs from an emergency power system or backup generator in + that the UPS provides near-instantaneous protection from unanticipated + power interruptions from the main power source by providing energy + stored in batteries, supercapacitors, or flywheels. The battery duration + of a UPS is relatively short but provides sufficient time to start + a standby power source, such as a backup generator, or properly shut + down the system. + - id: pe-11_obj + name: assessment-objective + props: + - name: label + value: PE-11 + class: sp800-53a + prose: "an uninterruptible power supply is provided to facilitate {{\ + \ insert: param, pe-11_odp }} in the event of a primary power source\ + \ loss." + links: + - href: "#pe-11_smt" + rel: assessment-for + - id: pe-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency power + + uninterruptible power supply + + uninterruptible power supply documentation + + uninterruptible power supply test records + + system security plan + + other relevant documents or records + - id: pe-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency power and/or planning + + + organizational personnel with information security responsibilities + - id: pe-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing an uninterruptible + power supply + + + the uninterruptable power supply + controls: + - id: pe-11.1 + class: SP800-53-enhancement + title: Alternate Power Supply — Minimal Operational Capability + params: + - id: pe-11.01_odp + constraints: + - description: automatically + select: + choice: + - manually + - automatically + props: + - name: label + value: PE-11(1) + - name: label + value: PE-11(01) + class: sp800-53a + - name: sort-id + value: pe-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-11" + rel: required + parts: + - id: pe-11.1_smt + name: statement + prose: "Provide an alternate power supply for the system that is\ + \ activated {{ insert: param, pe-11.01_odp }} and that can maintain\ + \ minimally required operational capability in the event of an\ + \ extended loss of the primary power source." + - id: pe-11.1_gdn + name: guidance + prose: Provision of an alternate power supply with minimal operating + capability can be satisfied by accessing a secondary commercial + power supply or other external power supply. + - id: pe-11.1_obj + name: assessment-objective + props: + - name: label + value: PE-11(01) + class: sp800-53a + parts: + - id: pe-11.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-11(01)[01] + class: sp800-53a + prose: "an alternate power supply provided for the system is\ + \ activated {{ insert: param, pe-11.01_odp }};" + links: + - href: "#pe-11.1_smt" + rel: assessment-for + - id: pe-11.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-11(01)[02] + class: sp800-53a + prose: the alternate power supply provided for the system can + maintain minimally required operational capability in the + event of an extended loss of the primary power source. + links: + - href: "#pe-11.1_smt" + rel: assessment-for + links: + - href: "#pe-11.1_smt" + rel: assessment-for + - id: pe-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency power + + alternate power supply + + alternate power supply documentation + + alternate power supply test records + + system security plan + + other relevant documents or records + - id: pe-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency power and/or planning + + + organizational personnel with information security responsibilities + - id: pe-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing an alternate + power supply + + + the alternate power supply + - id: pe-12 + class: SP800-53 + title: Emergency Lighting + props: + - name: label + value: PE-12 + - name: label + value: PE-12 + class: sp800-53a + - name: sort-id + value: pe-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-12_smt + name: statement + prose: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that + covers emergency exits and evacuation routes within the facility. + - id: pe-12_gdn + name: guidance + prose: The provision of emergency lighting applies primarily to organizational + facilities that contain concentrations of system resources, including + data centers, server rooms, and mainframe computer rooms. Emergency + lighting provisions for the system are described in the contingency + plan for the organization. If emergency lighting for the system fails + or cannot be provided, organizations consider alternate processing + sites for power-related contingencies. + - id: pe-12_obj + name: assessment-objective + props: + - name: label + value: PE-12 + class: sp800-53a + parts: + - id: pe-12_obj-1 + name: assessment-objective + props: + - name: label + value: PE-12[01] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is employed for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-2 + name: assessment-objective + props: + - name: label + value: PE-12[02] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is maintained for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-3 + name: assessment-objective + props: + - name: label + value: PE-12[03] + class: sp800-53a + prose: automatic emergency lighting for the system covers emergency + exits within the facility; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-4 + name: assessment-objective + props: + - name: label + value: PE-12[04] + class: sp800-53a + prose: automatic emergency lighting for the system covers evacuation + routes within the facility. + links: + - href: "#pe-12_smt" + rel: assessment-for + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency lighting + + emergency lighting documentation + + emergency lighting test records + + emergency exits and evacuation routes + + system security plan + + other relevant documents or records + - id: pe-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency lighting and/or planning + + + organizational personnel with information security responsibilities + - id: pe-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an emergency lighting + capability + - id: pe-13 + class: SP800-53 + title: Fire Protection + props: + - name: label + value: PE-13 + - name: label + value: PE-13 + class: sp800-53a + - name: sort-id + value: pe-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + parts: + - id: pe-13_smt + name: statement + prose: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - id: pe-13_gdn + name: guidance + prose: The provision of fire detection and suppression systems applies + primarily to organizational facilities that contain concentrations + of system resources, including data centers, server rooms, and mainframe + computer rooms. Fire detection and suppression systems that may require + an independent energy source include sprinkler systems and smoke detectors. + An independent energy source is an energy source, such as a microgrid, + that is separate, or can be separated, from the energy sources providing + power for the other parts of the facility. + - id: pe-13_obj + name: assessment-objective + props: + - name: label + value: PE-13 + class: sp800-53a + parts: + - id: pe-13_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13[01] + class: sp800-53a + prose: fire detection systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13[02] + class: sp800-53a + prose: employed fire detection systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13[03] + class: sp800-53a + prose: employed fire detection systems are maintained; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-4 + name: assessment-objective + props: + - name: label + value: PE-13[04] + class: sp800-53a + prose: fire suppression systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-5 + name: assessment-objective + props: + - name: label + value: PE-13[05] + class: sp800-53a + prose: employed fire suppression systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-6 + name: assessment-objective + props: + - name: label + value: PE-13[06] + class: sp800-53a + prose: employed fire suppression systems are maintained. + links: + - href: "#pe-13_smt" + rel: assessment-for + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with information security responsibilities + - id: pe-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing fire suppression/detection + devices/systems + controls: + - id: pe-13.1 + class: SP800-53-enhancement + title: Detection Systems — Automatic Activation and Notification + params: + - id: pe-13.01_odp.01 + label: personnel or roles + constraints: + - description: service provider building maintenance/physical + security personnel + guidelines: + - prose: personnel or roles to be notified in the event of a fire + is/are defined; + - id: pe-13.01_odp.02 + label: emergency responders + constraints: + - description: service provider emergency responders with incident + response responsibilities + guidelines: + - prose: emergency responders to be notified in the event of a + fire are defined; + props: + - name: label + value: PE-13(1) + - name: label + value: PE-13(01) + class: sp800-53a + - name: sort-id + value: pe-13.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-13" + rel: required + parts: + - id: pe-13.1_smt + name: statement + prose: "Employ fire detection systems that activate automatically\ + \ and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert:\ + \ param, pe-13.01_odp.02 }} in the event of a fire." + - id: pe-13.1_gdn + name: guidance + prose: Organizations can identify personnel, roles, and emergency + responders if individuals on the notification list need to have + access authorizations or clearances (e.g., to enter to facilities + where access is restricted due to the classification or impact + level of information within the facility). Notification mechanisms + may require independent energy sources to ensure that the notification + capability is not adversely affected by the fire. + - id: pe-13.1_obj + name: assessment-objective + props: + - name: label + value: PE-13(01) + class: sp800-53a + parts: + - id: pe-13.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13(01)[01] + class: sp800-53a + prose: fire detection systems that activate automatically are + employed in the event of a fire; + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13(01)[02] + class: sp800-53a + prose: "fire detection systems that notify {{ insert: param,\ + \ pe-13.01_odp.01 }} automatically are employed in the event\ + \ of a fire;" + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13(01)[03] + class: sp800-53a + prose: "fire detection systems that notify {{ insert: param,\ + \ pe-13.01_odp.02 }} automatically are employed in the event\ + \ of a fire." + links: + - href: "#pe-13.1_smt" + rel: assessment-for + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + facility housing the information system + + + alarm service-level agreements + + + test records of fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + alerts/notifications of fire events + + + system security plan + + + other relevant documents or records + - id: pe-13.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with responsibilities for notifying + appropriate personnel, roles, and emergency responders of + fires + + + organizational personnel with information security responsibilities + - id: pe-13.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing fire detection + devices/systems + + + activation of fire detection devices/systems (simulated) + + + automated notifications + - id: pe-13.2 + class: SP800-53-enhancement + title: Suppression Systems — Automatic Activation and Notification + params: + - id: pe-13.02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified in the event of a fire + is/are defined; + - id: pe-13.02_odp.02 + label: emergency responders + guidelines: + - prose: emergency responders to be notified in the event of a + fire are defined; + props: + - name: label + value: PE-13(2) + - name: label + value: PE-13(02) + class: sp800-53a + - name: sort-id + value: pe-13.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-13" + rel: required + parts: + - id: pe-13.2_smt + name: statement + parts: + - id: pe-13.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "Employ fire suppression systems that activate automatically\ + \ and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert:\ + \ param, pe-13.02_odp.02 }} ; and" + - id: pe-13.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Employ an automatic fire suppression capability when + the facility is not staffed on a continuous basis. + - id: pe-13.2_gdn + name: guidance + prose: Organizations can identify specific personnel, roles, and + emergency responders if individuals on the notification list need + to have appropriate access authorizations and/or clearances (e.g., + to enter to facilities where access is restricted due to the impact + level or classification of information within the facility). Notification + mechanisms may require independent energy sources to ensure that + the notification capability is not adversely affected by the fire. + - id: pe-13.2_obj + name: assessment-objective + props: + - name: label + value: PE-13(02) + class: sp800-53a + parts: + - id: pe-13.2_obj.a + name: assessment-objective + props: + - name: label + value: PE-13(02)(a) + class: sp800-53a + parts: + - id: pe-13.2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[01] + class: sp800-53a + prose: fire suppression systems that activate automatically + are employed; + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[02] + class: sp800-53a + prose: "fire suppression systems that notify {{ insert:\ + \ param, pe-13.02_odp.01 }} automatically are employed;" + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[03] + class: sp800-53a + prose: "fire suppression systems that notify {{ insert:\ + \ param, pe-13.02_odp.02 }} automatically are employed;" + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.b + name: assessment-objective + props: + - name: label + value: PE-13(02)(b) + class: sp800-53a + prose: an automatic fire suppression capability is employed + when the facility is not staffed on a continuous basis. + links: + - href: "#pe-13.2_smt.b" + rel: assessment-for + links: + - href: "#pe-13.2_smt" + rel: assessment-for + - id: pe-13.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems documentation + + + facility housing the system + + + alarm service-level agreements + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with responsibilities for providing + automatic notifications of any activation of fire suppression + devices/systems to appropriate personnel, roles, and emergency + responders + + + organizational personnel with information security responsibilities + - id: pe-13.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Automated mechanisms supporting and/or implementing fire + suppression devices/systems + + + activation of fire suppression devices/systems (simulated) + + + automated notifications + - id: pe-14 + class: SP800-53 + title: Environmental Controls + params: + - id: pe-14_odp.01 + constraints: + - description: consistent with American Society of Heating, Refrigerating + and Air-conditioning Engineers (ASHRAE) document entitled Thermal + Guidelines for Data Processing Environments + select: + how-many: one-or-more + choice: + - temperature + - humidity + - pressure + - radiation + - " {{ insert: param, pe-14_odp.02 }} " + - id: pe-14_odp.02 + label: environmental control + guidelines: + - prose: environmental control(s) for which to maintain a specified + level in the facility where the system resides are defined (if + selected); + - id: pe-14_odp.03 + label: acceptable levels + guidelines: + - prose: acceptable levels for environmental controls are defined; + - id: pe-14_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which to monitor environmental control levels + is defined; + props: + - name: label + value: PE-14 + - name: label + value: PE-14 + class: sp800-53a + - name: sort-id + value: pe-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + parts: + - id: pe-14_smt + name: statement + parts: + - id: pe-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain {{ insert: param, pe-14_odp.01 }} levels within\ + \ the facility where the system resides at {{ insert: param, pe-14_odp.03\ + \ }} ; and" + - id: pe-14_smt.b + name: item + props: + - name: label + value: b. + prose: "Monitor environmental control levels {{ insert: param, pe-14_odp.04\ + \ }}." + - id: pe-14_fr + name: item + title: PE-14 Additional FedRAMP Requirements and Guidance + parts: + - id: pe-14_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider measures temperature at server inlets + and humidity levels by dew point. + - id: pe-14_gdn + name: guidance + prose: The provision of environmental controls applies primarily to + organizational facilities that contain concentrations of system resources + (e.g., data centers, mainframe computer rooms, and server rooms). + Insufficient environmental controls, especially in very harsh environments, + can have a significant adverse impact on the availability of systems + and system components that are needed to support organizational mission + and business functions. + - id: pe-14_obj + name: assessment-objective + props: + - name: label + value: PE-14 + class: sp800-53a + parts: + - id: pe-14_obj.a + name: assessment-objective + props: + - name: label + value: PE-14a. + class: sp800-53a + prose: " {{ insert: param, pe-14_odp.01 }} levels are maintained\ + \ at {{ insert: param, pe-14_odp.03 }} within the facility where\ + \ the system resides;" + links: + - href: "#pe-14_smt.a" + rel: assessment-for + - id: pe-14_obj.b + name: assessment-objective + props: + - name: label + value: PE-14b. + class: sp800-53a + prose: "environmental control levels are monitored {{ insert: param,\ + \ pe-14_odp.04 }}." + links: + - href: "#pe-14_smt.b" + rel: assessment-for + links: + - href: "#pe-14_smt" + rel: assessment-for + - id: pe-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing temperature and humidity control + + temperature and humidity controls + + facility housing the system + + temperature and humidity controls documentation + + temperature and humidity records + + system security plan + + other relevant documents or records + - id: pe-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-14-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the maintenance + and monitoring of temperature and humidity levels + controls: + - id: pe-14.2 + class: SP800-53-enhancement + title: Monitoring with Alarms and Notifications + params: + - id: pe-14.02_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified by environmental control + monitoring when environmental changes are potentially harmful + to personnel or equipment is/are defined; + props: + - name: label + value: PE-14(2) + - name: label + value: PE-14(02) + class: sp800-53a + - name: sort-id + value: pe-14.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-14" + rel: required + parts: + - id: pe-14.2_smt + name: statement + prose: "Employ environmental control monitoring that provides an\ + \ alarm or notification of changes potentially harmful to personnel\ + \ or equipment to {{ insert: param, pe-14.02_odp }}." + - id: pe-14.2_gdn + name: guidance + prose: The alarm or notification may be an audible alarm or a visual + message in real time to personnel or roles defined by the organization. + Such alarms and notifications can help minimize harm to individuals + and damage to organizational assets by facilitating a timely incident + response. + - id: pe-14.2_obj + name: assessment-objective + props: + - name: label + value: PE-14(02) + class: sp800-53a + parts: + - id: pe-14.2_obj-1 + name: assessment-objective + props: + - name: label + value: PE-14(02)[01] + class: sp800-53a + prose: environmental control monitoring is employed; + links: + - href: "#pe-14.2_smt" + rel: assessment-for + - id: pe-14.2_obj-2 + name: assessment-objective + props: + - name: label + value: PE-14(02)[02] + class: sp800-53a + prose: "the environmental control monitoring capability provides\ + \ an alarm or notification to {{ insert: param, pe-14.02_odp\ + \ }} when changes are potentially harmful to personnel or\ + \ equipment." + links: + - href: "#pe-14.2_smt" + rel: assessment-for + links: + - href: "#pe-14.2_smt" + rel: assessment-for + - id: pe-14.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-14(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing temperature and humidity monitoring + + + facility housing the system + + + logs or records of temperature and humidity monitoring + + + records of changes to temperature and humidity levels that + generate alarms or notifications + + + system security plan + + + other relevant documents or records + - id: pe-14.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-14(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + system environmental controls + + + organizational personnel with information security responsibilities + - id: pe-14.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-14(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing temperature + and humidity monitoring + - id: pe-15 + class: SP800-53 + title: Water Damage Protection + props: + - name: label + value: PE-15 + - name: label + value: PE-15 + class: sp800-53a + - name: sort-id + value: pe-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#pe-10" + rel: related + parts: + - id: pe-15_smt + name: statement + prose: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, + working properly, and known to key personnel. + - id: pe-15_gdn + name: guidance + prose: The provision of water damage protection primarily applies to + organizational facilities that contain concentrations of system resources, + including data centers, server rooms, and mainframe computer rooms. + Isolation valves can be employed in addition to or in lieu of master + shutoff valves to shut off water supplies in specific areas of concern + without affecting entire organizations. + - id: pe-15_obj + name: assessment-objective + props: + - name: label + value: PE-15 + class: sp800-53a + parts: + - id: pe-15_obj-1 + name: assessment-objective + props: + - name: label + value: PE-15[01] + class: sp800-53a + prose: the system is protected from damage resulting from water + leakage by providing master shutoff or isolation valves; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-2 + name: assessment-objective + props: + - name: label + value: PE-15[02] + class: sp800-53a + prose: the master shutoff or isolation valves are accessible; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-3 + name: assessment-objective + props: + - name: label + value: PE-15[03] + class: sp800-53a + prose: the master shutoff or isolation valves are working properly; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-4 + name: assessment-objective + props: + - name: label + value: PE-15[04] + class: sp800-53a + prose: the master shutoff or isolation valves are known to key personnel. + links: + - href: "#pe-15_smt" + rel: assessment-for + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing water damage protection + + + facility housing the system + + + master shutoff valves + + + list of key personnel with knowledge of location and activation + procedures for master shutoff valves for the plumbing system + + + master shutoff valve documentation + + + system security plan + + + other relevant documents or records + - id: pe-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Master water-shutoff valves + + organizational process for activating master water shutoff + controls: + - id: pe-15.1 + class: SP800-53-enhancement + title: Automation Support + params: + - id: pe-15.01_odp.01 + label: personnel or roles + constraints: + - description: service provider building maintenance/physical + security personnel + guidelines: + - prose: personnel or roles to be alerted when the presence of + water is detected near the system is/are defined; + - id: pe-15.01_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of water + near the system are defined; + props: + - name: label + value: PE-15(1) + - name: label + value: PE-15(01) + class: sp800-53a + - name: sort-id + value: pe-15.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-15" + rel: required + parts: + - id: pe-15.1_smt + name: statement + prose: "Detect the presence of water near the system and alert {{\ + \ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02\ + \ }}." + - id: pe-15.1_gdn + name: guidance + prose: Automated mechanisms include notification systems, water + detection sensors, and alarms. + - id: pe-15.1_obj + name: assessment-objective + props: + - name: label + value: PE-15(01) + class: sp800-53a + parts: + - id: pe-15.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-15(01)[01] + class: sp800-53a + prose: the presence of water near the system can be detected + automatically; + links: + - href: "#pe-15.1_smt" + rel: assessment-for + - id: pe-15.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-15(01)[02] + class: sp800-53a + prose: " {{ insert: param, pe-15.01_odp.01 }} is/are alerted\ + \ using {{ insert: param, pe-15.01_odp.02 }}." + links: + - href: "#pe-15.1_smt" + rel: assessment-for + links: + - href: "#pe-15.1_smt" + rel: assessment-for + - id: pe-15.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-15(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing water damage protection + + + facility housing the system + + + automated mechanisms for water shutoff valves + + + automated mechanisms for detecting the presence of water in + the vicinity of the system + + + alerts/notifications of water detection in system facility + + + system security plan + + + other relevant documents or records + - id: pe-15.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-15(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + system environmental controls + + + organizational personnel with information security responsibilities + - id: pe-15.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-15(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms supporting and/or implementing water + detection capabilities and alerts for the system + - id: pe-16 + class: SP800-53 + title: Delivery and Removal + params: + - id: pe-16_prm_1 + label: organization-defined types of system components + constraints: + - description: all information system components + - id: pe-16_odp.01 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when entering the facility are defined; + - id: pe-16_odp.02 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when exiting the facility are defined; + props: + - name: label + value: PE-16 + - name: label + value: PE-16 + class: sp800-53a + - name: sort-id + value: pe-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-20" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: pe-16_smt + name: statement + parts: + - id: pe-16_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize and control {{ insert: param, pe-16_prm_1 }} entering\ + \ and exiting the facility; and" + - id: pe-16_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain records of the system components. + - id: pe-16_gdn + name: guidance + prose: Enforcing authorizations for entry and exit of system components + may require restricting access to delivery areas and isolating the + areas from the system and media libraries. + - id: pe-16_obj + name: assessment-objective + props: + - name: label + value: PE-16 + class: sp800-53a + parts: + - id: pe-16_obj.a + name: assessment-objective + props: + - name: label + value: PE-16a. + class: sp800-53a + parts: + - id: pe-16_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-16a.[01] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are authorized when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-16a.[02] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are controlled when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-16a.[03] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are authorized when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-16a.[04] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are controlled when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.b + name: assessment-objective + props: + - name: label + value: PE-16b. + class: sp800-53a + prose: records of the system components are maintained. + links: + - href: "#pe-16_smt.b" + rel: assessment-for + links: + - href: "#pe-16_smt" + rel: assessment-for + - id: pe-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing the delivery and removal of system components + from the facility + + + facility housing the system + + + records of items entering and exiting the facility + + + system security plan + + + other relevant documents or records + - id: pe-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + controlling system components entering and exiting the + facility + + + organizational personnel with information security responsibilities + - id: pe-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling system-related items entering and exiting the + facility + + + mechanisms supporting and/or implementing, authorizing, monitoring, + and controlling system-related items entering and exiting the + facility + - id: pe-17 + class: SP800-53 + title: Alternate Work Site + params: + - id: pe-17_odp.01 + label: alternate work sites + guidelines: + - prose: alternate work sites allowed for use by employees are defined; + - id: pe-17_odp.02 + label: controls + guidelines: + - prose: controls to be employed at alternate work sites are defined; + props: + - name: label + value: PE-17 + - name: label + value: PE-17 + class: sp800-53a + - name: sort-id + value: pe-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-17_smt + name: statement + parts: + - id: pe-17_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine and document the {{ insert: param, pe-17_odp.01\ + \ }} allowed for use by employees;" + - id: pe-17_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls at alternate work sites: {{\ + \ insert: param, pe-17_odp.02 }};" + - id: pe-17_smt.c + name: item + props: + - name: label + value: c. + prose: Assess the effectiveness of controls at alternate work sites; + and + - id: pe-17_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a means for employees to communicate with information + security and privacy personnel in case of incidents. + - id: pe-17_gdn + name: guidance + prose: Alternate work sites include government facilities or the private + residences of employees. While distinct from alternative processing + sites, alternate work sites can provide readily available alternate + locations during contingency operations. Organizations can define + different sets of controls for specific alternate work sites or types + of sites depending on the work-related activities conducted at the + sites. Implementing and assessing the effectiveness of organization-defined + controls and providing a means to communicate incidents at alternate + work sites supports the contingency planning activities of organizations. + - id: pe-17_obj + name: assessment-objective + props: + - name: label + value: PE-17 + class: sp800-53a + parts: + - id: pe-17_obj.a + name: assessment-objective + props: + - name: label + value: PE-17a. + class: sp800-53a + prose: " {{ insert: param, pe-17_odp.01 }} are determined and documented;" + links: + - href: "#pe-17_smt.a" + rel: assessment-for + - id: pe-17_obj.b + name: assessment-objective + props: + - name: label + value: PE-17b. + class: sp800-53a + prose: " {{ insert: param, pe-17_odp.02 }} are employed at alternate\ + \ work sites;" + links: + - href: "#pe-17_smt.b" + rel: assessment-for + - id: pe-17_obj.c + name: assessment-objective + props: + - name: label + value: PE-17c. + class: sp800-53a + prose: the effectiveness of controls at alternate work sites is + assessed; + links: + - href: "#pe-17_smt.c" + rel: assessment-for + - id: pe-17_obj.d + name: assessment-objective + props: + - name: label + value: PE-17d. + class: sp800-53a + prose: a means for employees to communicate with information security + and privacy personnel in case of incidents is provided. + links: + - href: "#pe-17_smt.d" + rel: assessment-for + links: + - href: "#pe-17_smt" + rel: assessment-for + - id: pe-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing alternate work sites for organizational + personnel + + + list of security controls required for alternate work sites + + + assessments of security controls at alternate work sites + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pe-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel approving the use of alternate work + sites + + + organizational personnel using alternate work sites + + + organizational personnel assessing controls at alternate work + sites + + + organizational personnel with information security and privacy + responsibilities + - id: pe-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy at + alternate work sites + + + mechanisms supporting alternate work sites + + + security and privacy controls employed at alternate work sites + + + means of communication between personnel at alternate work sites + and security and privacy personnel + - id: pe-18 + class: SP800-53 + title: Location of System Components + params: + - id: pe-18_odp + label: physical and environmental hazards + constraints: + - description: physical and environmental hazards identified during + threat assessment + guidelines: + - prose: physical and environmental hazards that could result in potential + damage to system components within the facility are defined; + props: + - name: label + value: PE-18 + - name: label + value: PE-18 + class: sp800-53a + - name: sort-id + value: pe-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-19" + rel: related + - href: "#pe-20" + rel: related + - href: "#ra-3" + rel: related + parts: + - id: pe-18_smt + name: statement + prose: "Position system components within the facility to minimize potential\ + \ damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity\ + \ for unauthorized access." + - id: pe-18_gdn + name: guidance + prose: Physical and environmental hazards include floods, fires, tornadoes, + earthquakes, hurricanes, terrorism, vandalism, an electromagnetic + pulse, electrical interference, and other forms of incoming electromagnetic + radiation. Organizations consider the location of entry points where + unauthorized individuals, while not being granted access, might nonetheless + be near systems. Such proximity can increase the risk of unauthorized + access to organizational communications using wireless packet sniffers + or microphones, or unauthorized disclosure of information. + - id: pe-18_obj + name: assessment-objective + props: + - name: label + value: PE-18 + class: sp800-53a + prose: "system components are positioned within the facility to minimize\ + \ potential damage from {{ insert: param, pe-18_odp }} and to minimize\ + \ the opportunity for unauthorized access." + links: + - href: "#pe-18_smt" + rel: assessment-for + - id: pe-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing the positioning of system components + + + documentation providing the location and position of system components + within the facility + + + locations housing system components within the facility + + + list of physical and environmental hazards with the potential + to damage system components within the facility + + + system security plan + + + other relevant documents or records + - id: pe-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + positioning system components + + + organizational personnel with information security responsibilities + - id: pe-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for positioning system components + - id: pl + class: family + title: Planning + controls: + - id: pl-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pl-1_prm_1 + label: organization-defined personnel or roles + - id: pl-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning policy is to be disseminated + is/are defined; + - id: pl-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning procedures are to + be disseminated is/are defined; + - id: pl-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pl-01_odp.04 + label: official + guidelines: + - prose: an official to manage the planning policy and procedures + is defined; + - id: pl-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current planning policy is reviewed + and updated is defined; + - id: pl-01_odp.06 + label: events + guidelines: + - prose: events that would require the current planning policy to + be reviewed and updated are defined; + - id: pl-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current planning procedures + are reviewed and updated is defined; + - id: pl-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: PL-1 + - name: label + value: PL-01 + class: sp800-53a + - name: sort-id + value: pl-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-1_smt + name: statement + parts: + - id: pl-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pl-1_prm_1 }}:" + parts: + - id: pl-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pl-01_odp.03 }} planning policy that:" + parts: + - id: pl-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pl-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pl-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the planning + policy and the associated planning controls; + - id: pl-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pl-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures; and" + - id: pl-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current planning:" + parts: + - id: pl-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pl-01_odp.05 }} and following\ + \ {{ insert: param, pl-01_odp.06 }} ; and" + - id: pl-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pl-01_odp.07 }} and following\ + \ {{ insert: param, pl-01_odp.08 }}." + - id: pl-1_gdn + name: guidance + prose: Planning policy and procedures for the controls in the PL family + implemented within systems and organizations. The risk management + strategy is an important factor in establishing such policies and + procedures. Policies and procedures contribute to security and privacy + assurance. Therefore, it is important that security and privacy programs + collaborate on their development. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission level or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to planning policy and procedures + include, but are not limited to, assessment or audit findings, security + incidents or breaches, or changes in laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: pl-1_obj + name: assessment-objective + props: + - name: label + value: PL-01 + class: sp800-53a + parts: + - id: pl-1_obj.a + name: assessment-objective + props: + - name: label + value: PL-01a. + class: sp800-53a + parts: + - id: pl-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.[01] + class: sp800-53a + prose: a planning policy is developed and documented. + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.[02] + class: sp800-53a + prose: "the planning policy is disseminated to {{ insert: param,\ + \ pl-01_odp.01 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.[03] + class: sp800-53a + prose: planning procedures to facilitate the implementation + of the planning policy and associated planning controls are + developed and documented; + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.[04] + class: sp800-53a + prose: "the planning procedures are disseminated to {{ insert:\ + \ param, pl-01_odp.02 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-01a.01 + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PL-01a.01(a) + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses purpose;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses scope;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses roles;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses responsibilities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses management commitment;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses compliance;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PL-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning policy\ + \ is consistent with applicable laws, Executive Orders,\ + \ directives, regulations, policies, standards, and guidelines;" + links: + - href: "#pl-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1" + rel: assessment-for + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.b + name: assessment-objective + props: + - name: label + value: PL-01b. + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures;" + links: + - href: "#pl-1_smt.b" + rel: assessment-for + - id: pl-1_obj.c + name: assessment-objective + props: + - name: label + value: PL-01c. + class: sp800-53a + parts: + - id: pl-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PL-01c.01 + class: sp800-53a + parts: + - id: pl-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PL-01c.01[01] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ {{ insert: param, pl-01_odp.05 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PL-01c.01[02] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ following {{ insert: param, pl-01_odp.06 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PL-01c.02 + class: sp800-53a + parts: + - id: pl-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PL-01c.02[01] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated {{ insert: param, pl-01_odp.07 }};" + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + - id: pl-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PL-01c.02[02] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated following {{ insert: param, pl-01_odp.08 }}." + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c" + rel: assessment-for + links: + - href: "#pl-1_smt" + rel: assessment-for + - id: pl-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: pl-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2 + class: SP800-53 + title: System Security and Privacy Plans + params: + - id: pl-02_odp.01 + label: individuals or groups + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + guidelines: + - prose: individuals or groups with whom security and privacy-related + activities affecting the system that require planning and coordination + is/are assigned; + - id: pl-02_odp.02 + label: personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + guidelines: + - prose: personnel or roles to receive distributed copies of the system + security and privacy plans is/are assigned; + - id: pl-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency to review system security and privacy plans is + defined; + props: + - name: label + value: PL-2 + - name: label + value: PL-02 + class: sp800-53a + - name: sort-id + value: pl-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-7" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: pl-2_smt + name: statement + parts: + - id: pl-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy plans for the system that:" + parts: + - id: pl-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Are consistent with the organization’s enterprise architecture; + - id: pl-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Explicitly define the constituent system components; + - id: pl-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe the operational context of the system in terms + of mission and business processes; + - id: pl-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Identify the individuals that fulfill system roles and + responsibilities; + - id: pl-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Identify the information types processed, stored, and + transmitted by the system; + - id: pl-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provide the security categorization of the system, including + supporting rationale; + - id: pl-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Describe any specific threats to the system that are + of concern to the organization; + - id: pl-2_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Provide the results of a privacy risk assessment for + systems processing personally identifiable information; + - id: pl-2_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: Describe the operational environment for the system and + any dependencies on or connections to other systems or system + components; + - id: pl-2_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: Provide an overview of the security and privacy requirements + for the system; + - id: pl-2_smt.a.11 + name: item + props: + - name: label + value: "11." + prose: Identify any relevant control baselines or overlays, + if applicable; + - id: pl-2_smt.a.12 + name: item + props: + - name: label + value: "12." + prose: Describe the controls in place or planned for meeting + the security and privacy requirements, including a rationale + for any tailoring decisions; + - id: pl-2_smt.a.13 + name: item + props: + - name: label + value: "13." + prose: Include risk determinations for security and privacy + architecture and design decisions; + - id: pl-2_smt.a.14 + name: item + props: + - name: label + value: "14." + prose: "Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with {{\ + \ insert: param, pl-02_odp.01 }} ; and" + - id: pl-2_smt.a.15 + name: item + props: + - name: label + value: "15." + prose: Are reviewed and approved by the authorizing official + or designated representative prior to plan implementation. + - id: pl-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to {{ insert: param, pl-02_odp.02 }};" + - id: pl-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the plans {{ insert: param, pl-02_odp.03 }};" + - id: pl-2_smt.d + name: item + props: + - name: label + value: d. + prose: Update the plans to address changes to the system and environment + of operation or problems identified during plan implementation + or control assessments; and + - id: pl-2_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the plans from unauthorized disclosure and modification. + - id: pl-2_gdn + name: guidance + prose: >- + System security and privacy plans are scoped to the system and + system components within the defined authorization boundary and + contain an overview of the security and privacy requirements for + the system and the controls selected to satisfy the + requirements. The plans describe the intended application of + each selected control in the context of the system with a + sufficient level of detail to correctly implement the control + and to subsequently assess the effectiveness of the control. The + control documentation describes how system-specific and hybrid + controls are implemented and the plans and expectations + regarding the functionality of the system. System security and + privacy plans can also be used in the design and development of + systems in support of life cycle-based security and privacy + engineering processes. System security and privacy plans are + living documents that are updated and adapted throughout the + system development life cycle (e.g., during capability + determination, analysis of alternatives, requests for proposal, + and design reviews). [Section + 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the + different types of requirements that are relevant to + organizations during the system development life cycle and the + relationship between requirements and controls. + + + Organizations may develop a single, integrated security and privacy + plan or maintain separate plans. Security and privacy plans relate + security and privacy requirements to a set of controls and control + enhancements. The plans describe how the controls and control enhancements + meet the security and privacy requirements but do not provide detailed, + technical descriptions of the design or implementation of the controls + and control enhancements. Security and privacy plans contain sufficient + information (including specifications of control parameter values + for selection and assignment operations explicitly or by reference) + to enable a design and implementation that is unambiguously compliant + with the intent of the plans and subsequent determinations of risk + to organizational operations and assets, individuals, other organizations, + and the Nation if the plan is implemented. + + + Security and privacy plans need not be single documents. The plans + can be a collection of various documents, including documents that + already exist. Effective security and privacy plans make extensive + use of references to policies, procedures, and additional documents, + including design and implementation specifications where more detailed + information can be obtained. The use of references helps reduce the + documentation associated with security and privacy programs and maintains + the security- and privacy-related information in other established + management and operational areas, including enterprise architecture, + system development life cycle, systems engineering, and acquisition. + Security and privacy plans need not contain detailed contingency plan + or incident response plan information but can instead provide—explicitly + or by reference—sufficient information to define what needs to be + accomplished by those plans. + + + Security- and privacy-related activities that may require coordination + and planning with other individuals or groups within the organization + include assessments, audits, inspections, hardware and software maintenance, + acquisition and supply chain risk management, patch management, and + contingency plan testing. Planning and coordination include emergency + and nonemergency (i.e., planned or non-urgent unplanned) situations. + The process defined by organizations to plan and coordinate security- + and privacy-related activities can also be included in other documents, + as appropriate. + - id: pl-2_obj + name: assessment-objective + props: + - name: label + value: PL-02 + class: sp800-53a + parts: + - id: pl-2_obj.a + name: assessment-objective + props: + - name: label + value: PL-02a. + class: sp800-53a + parts: + - id: pl-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-02a.01 + class: sp800-53a + parts: + - id: pl-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: PL-02a.01[01] + class: sp800-53a + prose: a security plan for the system is developed that + is consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: PL-02a.01[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-02a.02 + class: sp800-53a + parts: + - id: pl-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: PL-02a.02[01] + class: sp800-53a + prose: a security plan for the system is developed that + explicitly defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: PL-02a.02[02] + class: sp800-53a + prose: a privacy plan for the system is developed that explicitly + defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-02a.03 + class: sp800-53a + parts: + - id: pl-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-02a.03[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational context of the system in terms + of mission and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-02a.03[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational context of the system in terms of mission + and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-02a.04 + class: sp800-53a + parts: + - id: pl-2_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-02a.04[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the individuals that fulfill system roles and + responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-02a.04[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the individuals that fulfill system roles and responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: PL-02a.05 + class: sp800-53a + parts: + - id: pl-2_obj.a.5-1 + name: assessment-objective + props: + - name: label + value: PL-02a.05[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the information types processed, stored, and + transmitted by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.5-2 + name: assessment-objective + props: + - name: label + value: PL-02a.05[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the information types processed, stored, and transmitted + by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: PL-02a.06 + class: sp800-53a + parts: + - id: pl-2_obj.a.6-1 + name: assessment-objective + props: + - name: label + value: PL-02a.06[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the security categorization of the system, including + supporting rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.6-2 + name: assessment-objective + props: + - name: label + value: PL-02a.06[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the security categorization of the system, including supporting + rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: PL-02a.07 + class: sp800-53a + parts: + - id: pl-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: PL-02a.07[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes any specific threats to the system that are + of concern to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: PL-02a.07[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + any specific threats to the system that are of concern + to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.8 + name: assessment-objective + props: + - name: label + value: PL-02a.08 + class: sp800-53a + parts: + - id: pl-2_obj.a.8-1 + name: assessment-objective + props: + - name: label + value: PL-02a.08[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the results of a privacy risk assessment for + systems processing personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.8-2 + name: assessment-objective + props: + - name: label + value: PL-02a.08[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the results of a privacy risk assessment for systems processing + personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.9 + name: assessment-objective + props: + - name: label + value: PL-02a.09 + class: sp800-53a + parts: + - id: pl-2_obj.a.9-1 + name: assessment-objective + props: + - name: label + value: PL-02a.09[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational environment for the system and + any dependencies on or connections to other systems or + system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.9-2 + name: assessment-objective + props: + - name: label + value: PL-02a.09[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational environment for the system and any dependencies + on or connections to other systems or system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.10 + name: assessment-objective + props: + - name: label + value: PL-02a.10 + class: sp800-53a + parts: + - id: pl-2_obj.a.10-1 + name: assessment-objective + props: + - name: label + value: PL-02a.10[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides an overview of the security requirements for + the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.10-2 + name: assessment-objective + props: + - name: label + value: PL-02a.10[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + an overview of the privacy requirements for the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.11 + name: assessment-objective + props: + - name: label + value: PL-02a.11 + class: sp800-53a + parts: + - id: pl-2_obj.a.11-1 + name: assessment-objective + props: + - name: label + value: PL-02a.11[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies any relevant control baselines or overlays, + if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.11-2 + name: assessment-objective + props: + - name: label + value: PL-02a.11[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + any relevant control baselines or overlays, if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.12 + name: assessment-objective + props: + - name: label + value: PL-02a.12 + class: sp800-53a + parts: + - id: pl-2_obj.a.12-1 + name: assessment-objective + props: + - name: label + value: PL-02a.12[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the controls in place or planned for meeting + the security requirements, including rationale for any + tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.12-2 + name: assessment-objective + props: + - name: label + value: PL-02a.12[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the controls in place or planned for meeting the privacy + requirements, including rationale for any tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.13 + name: assessment-objective + props: + - name: label + value: PL-02a.13 + class: sp800-53a + parts: + - id: pl-2_obj.a.13-1 + name: assessment-objective + props: + - name: label + value: PL-02a.13[01] + class: sp800-53a + prose: a security plan for the system is developed that + includes risk determinations for security architecture + and design decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.13-2 + name: assessment-objective + props: + - name: label + value: PL-02a.13[02] + class: sp800-53a + prose: a privacy plan for the system is developed that includes + risk determinations for privacy architecture and design + decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.14 + name: assessment-objective + props: + - name: label + value: PL-02a.14 + class: sp800-53a + parts: + - id: pl-2_obj.a.14-1 + name: assessment-objective + props: + - name: label + value: PL-02a.14[01] + class: sp800-53a + prose: "a security plan for the system is developed that\ + \ includes security-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.14-2 + name: assessment-objective + props: + - name: label + value: PL-02a.14[02] + class: sp800-53a + prose: "a privacy plan for the system is developed that\ + \ includes privacy-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.15 + name: assessment-objective + props: + - name: label + value: PL-02a.15 + class: sp800-53a + parts: + - id: pl-2_obj.a.15-1 + name: assessment-objective + props: + - name: label + value: PL-02a.15[01] + class: sp800-53a + prose: a security plan for the system is developed that + is reviewed and approved by the authorizing official or + designated representative prior to plan implementation; + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + - id: pl-2_obj.a.15-2 + name: assessment-objective + props: + - name: label + value: PL-02a.15[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + reviewed and approved by the authorizing official or designated + representative prior to plan implementation. + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a" + rel: assessment-for + - id: pl-2_obj.b + name: assessment-objective + props: + - name: label + value: PL-02b. + class: sp800-53a + parts: + - id: pl-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: PL-02b.[01] + class: sp800-53a + prose: "copies of the plans are distributed to {{ insert: param,\ + \ pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: PL-02b.[02] + class: sp800-53a + prose: "subsequent changes to the plans are communicated to\ + \ {{ insert: param, pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.c + name: assessment-objective + props: + - name: label + value: PL-02c. + class: sp800-53a + prose: "plans are reviewed {{ insert: param, pl-02_odp.03 }};" + links: + - href: "#pl-2_smt.c" + rel: assessment-for + - id: pl-2_obj.d + name: assessment-objective + props: + - name: label + value: PL-02d. + class: sp800-53a + parts: + - id: pl-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: PL-02d.[01] + class: sp800-53a + prose: plans are updated to address changes to the system and + environment of operations; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: PL-02d.[02] + class: sp800-53a + prose: plans are updated to address problems identified during + the plan implementation; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-3 + name: assessment-objective + props: + - name: label + value: PL-02d.[03] + class: sp800-53a + prose: plans are updated to address problems identified during + control assessments; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.e + name: assessment-objective + props: + - name: label + value: PL-02e. + class: sp800-53a + parts: + - id: pl-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: PL-02e.[01] + class: sp800-53a + prose: plans are protected from unauthorized disclosure; + links: + - href: "#pl-2_smt.e" + rel: assessment-for + - id: pl-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: PL-02e.[02] + class: sp800-53a + prose: plans are protected from unauthorized modification. + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt" + rel: assessment-for + - id: pl-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing security and privacy plan reviews and updates + + + enterprise architecture documentation + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + security and privacy architecture and design documentation + + + risk assessments + + + risk assessment results + + + control assessment documentation + + + other relevant documents or records + - id: pl-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system security and privacy + planning and plan implementation responsibilities + + + system developers + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system security and privacy + plan development, review, update, and approval + + + mechanisms supporting the system security and privacy plan + - id: pl-4 + class: SP800-53 + title: Rules of Behavior + params: + - id: pl-04_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency for reviewing and updating the rules of behavior + is defined; + - id: pl-04_odp.02 + constraints: + - description: at least annually and when the rules are revised or + changed + select: + how-many: one-or-more + choice: + - " {{ insert: param, pl-04_odp.03 }} " + - when the rules are revised or updated + - id: pl-04_odp.03 + label: frequency + guidelines: + - prose: frequency for individuals to read and re-acknowledge the + rules of behavior is defined (if selected); + props: + - name: label + value: PL-4 + - name: label + value: PL-04 + class: sp800-53a + - name: sort-id + value: pl-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-9" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-4_smt + name: statement + parts: + - id: pl-4_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and provide to individuals requiring access to + the system, the rules that describe their responsibilities and + expected behavior for information and system usage, security, + and privacy; + - id: pl-4_smt.b + name: item + props: + - name: label + value: b. + prose: Receive a documented acknowledgment from such individuals, + indicating that they have read, understand, and agree to abide + by the rules of behavior, before authorizing access to information + and the system; + - id: pl-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the rules of behavior {{ insert: param,\ + \ pl-04_odp.01 }} ; and" + - id: pl-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Require individuals who have acknowledged a previous version\ + \ of the rules of behavior to read and re-acknowledge {{ insert:\ + \ param, pl-04_odp.02 }}." + - id: pl-4_gdn + name: guidance + prose: Rules of behavior represent a type of access agreement for organizational + users. Other types of access agreements include nondisclosure agreements, + conflict-of-interest agreements, and acceptable use agreements (see + [PS-6](#ps-6) ). Organizations consider rules of behavior based on + individual user roles and responsibilities and differentiate between + rules that apply to privileged users and rules that apply to general + users. Establishing rules of behavior for some types of non-organizational + users, including individuals who receive information from federal + systems, is often not feasible given the large number of such users + and the limited nature of their interactions with the systems. Rules + of behavior for organizational and non-organizational users can also + be established in [AC-8](#ac-8) . The related controls section provides + a list of controls that are relevant to organizational rules of behavior. + [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the + control, may be satisfied by the literacy training and awareness and + role-based training programs conducted by organizations if such training + includes rules of behavior. Documented acknowledgements for rules + of behavior include electronic or physical signatures and electronic + agreement check boxes or radio buttons. + - id: pl-4_obj + name: assessment-objective + props: + - name: label + value: PL-04 + class: sp800-53a + parts: + - id: pl-4_obj.a + name: assessment-objective + props: + - name: label + value: PL-04a. + class: sp800-53a + parts: + - id: pl-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-04a.[01] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + established for individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-04a.[02] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + provided to individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.b + name: assessment-objective + props: + - name: label + value: PL-04b. + class: sp800-53a + prose: before authorizing access to information and the system, + a documented acknowledgement from such individuals indicating + that they have read, understand, and agree to abide by the rules + of behavior is received; + links: + - href: "#pl-4_smt.b" + rel: assessment-for + - id: pl-4_obj.c + name: assessment-objective + props: + - name: label + value: PL-04c. + class: sp800-53a + prose: "rules of behavior are reviewed and updated {{ insert: param,\ + \ pl-04_odp.01 }};" + links: + - href: "#pl-4_smt.c" + rel: assessment-for + - id: pl-4_obj.d + name: assessment-objective + props: + - name: label + value: PL-04d. + class: sp800-53a + prose: "individuals who have acknowledged a previous version of\ + \ the rules of behavior are required to read and reacknowledge\ + \ {{ insert: param, pl-04_odp.02 }}." + links: + - href: "#pl-4_smt.d" + rel: assessment-for + links: + - href: "#pl-4_smt" + rel: assessment-for + - id: pl-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + signed acknowledgements + + records for rules of behavior reviews and updates + + other relevant documents or records + - id: pl-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy training + and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed and resigned rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing, reviewing, + disseminating, and updating rules of behavior + + + mechanisms supporting and/or implementing the establishment, review, + dissemination, and update of rules of behavior + controls: + - id: pl-4.1 + class: SP800-53-enhancement + title: Social Media and External Site/Application Usage Restrictions + props: + - name: label + value: PL-4(1) + - name: label + value: PL-04(01) + class: sp800-53a + - name: sort-id + value: pl-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-4" + rel: required + - href: "#ac-22" + rel: related + - href: "#au-13" + rel: related + parts: + - id: pl-4.1_smt + name: statement + prose: "Include in the rules of behavior, restrictions on:" + parts: + - id: pl-4.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Use of social media, social networking sites, and external + sites/applications; + - id: pl-4.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Posting organizational information on public websites; + and + - id: pl-4.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Use of organization-provided identifiers (e.g., email + addresses) and authentication secrets (e.g., passwords) for + creating accounts on external sites/applications. + - id: pl-4.1_gdn + name: guidance + prose: Social media, social networking, and external site/application + usage restrictions address rules of behavior related to the use + of social media, social networking, and external sites when organizational + personnel are using such sites for official duties or in the conduct + of official business, when organizational information is involved + in social media and social networking transactions, and when personnel + access social media and networking sites from organizational systems. + Organizations also address specific rules that prevent unauthorized + entities from obtaining non-public organizational information + from social media and networking sites either directly or through + inference. Non-public information includes personally identifiable + information and system account information. + - id: pl-4.1_obj + name: assessment-objective + props: + - name: label + value: PL-04(01) + class: sp800-53a + parts: + - id: pl-4.1_obj.a + name: assessment-objective + props: + - name: label + value: PL-04(01)(a) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of social media, social networking sites, and external sites/applications; + links: + - href: "#pl-4.1_smt.a" + rel: assessment-for + - id: pl-4.1_obj.b + name: assessment-objective + props: + - name: label + value: PL-04(01)(b) + class: sp800-53a + prose: the rules of behavior include restrictions on posting + organizational information on public websites; + links: + - href: "#pl-4.1_smt.b" + rel: assessment-for + - id: pl-4.1_obj.c + name: assessment-objective + props: + - name: label + value: PL-04(01)(c) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of organization-provided identifiers (e.g., email addresses) + and authentication secrets (e.g., passwords) for creating + accounts on external sites/applications. + links: + - href: "#pl-4.1_smt.c" + rel: assessment-for + links: + - href: "#pl-4.1_smt" + rel: assessment-for + - id: pl-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + training policy + + other relevant documents or records + - id: pl-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy + training and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing rules of + behavior + + + mechanisms supporting and/or implementing the establishment + of rules of behavior + - id: pl-8 + class: SP800-53 + title: Security and Privacy Architectures + params: + - id: pl-08_odp + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: frequency for review and update to reflect changes in the + enterprise architecture; + props: + - name: label + value: PL-8 + - name: label + value: PL-08 + class: sp800-53a + - name: sort-id + value: pl-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: pl-8_smt + name: statement + parts: + - id: pl-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy architectures for the system\ + \ that:" + parts: + - id: pl-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Describe the requirements and approach to be taken for + protecting the confidentiality, integrity, and availability + of organizational information; + - id: pl-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describe the requirements and approach to be taken for + processing personally identifiable information to minimize + privacy risk to individuals; + - id: pl-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe how the architectures are integrated into and + support the enterprise architecture; and + - id: pl-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Describe any assumptions about, and dependencies on, + external systems and services; + - id: pl-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the architectures {{ insert: param, pl-08_odp\ + \ }} to reflect changes in the enterprise architecture; and" + - id: pl-8_smt.c + name: item + props: + - name: label + value: c. + prose: Reflect planned architecture changes in security and privacy + plans, Concept of Operations (CONOPS), criticality analysis, organizational + procedures, and procurements and acquisitions. + - id: pl-8_fr + name: item + title: PL-8 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: pl-8_gdn + name: guidance + prose: >- + The security and privacy architectures at the system level are + consistent with the organization-wide security and privacy + architectures described in [PM-7](#pm-7) , which are integral to + and developed as part of the enterprise architecture. The + architectures include an architectural description, the + allocation of security and privacy functionality (including + controls), security- and privacy-related information for + external interfaces, information being exchanged across the + interfaces, and the protection mechanisms associated with each + interface. The architectures can also include other information, + such as user roles and the access privileges assigned to each + role; security and privacy requirements; types of information + processed, stored, and transmitted by the system; supply chain + risk management requirements; restoration priorities of + information and system services; and other protection needs. + + [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance + on the use of security architectures as part of the system development + life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) + requires the use of the systems security engineering concepts described + in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high + value assets. Security and privacy architectures are reviewed and + updated throughout the system development life cycle, from analysis + of alternatives through review of the proposed architecture in the + RFP responses to the design reviews before and during implementation + (e.g., during preliminary design reviews and critical design reviews). + + In today’s modern computing architectures, it is becoming less common + for organizations to control all information resources. There may + be key dependencies on external information services and service providers. + Describing such dependencies in the security and privacy architectures + is necessary for developing a comprehensive mission and business protection + strategy. Establishing, developing, documenting, and maintaining under + configuration control a baseline configuration for organizational + systems is critical to implementing and maintaining effective architectures. + The development of the architectures is coordinated with the senior + agency information security officer and the senior agency official + for privacy to ensure that the controls needed to support security + and privacy requirements are identified and effectively implemented. + In many circumstances, there may be no distinction between the security + and privacy architecture for a system. In other circumstances, security + objectives may be adequately satisfied, but privacy objectives may + only be partially satisfied by the security requirements. In these + cases, consideration of the privacy requirements needed to achieve + satisfaction will result in a distinct privacy architecture. The documentation, + however, may simply reflect the combined architectures. + + [PL-8](#pl-8) is primarily directed at organizations to ensure that + architectures are developed for the system and, moreover, that the + architectures are integrated with or tightly coupled to the enterprise + architecture. In contrast, [SA-17](#sa-17) is primarily directed at + the external information technology product and system developers + and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) + , is selected when organizations outsource the development of systems + or components to external entities and when there is a need to demonstrate + consistency with the organization’s enterprise architecture and security + and privacy architectures. + - id: pl-8_obj + name: assessment-objective + props: + - name: label + value: PL-08 + class: sp800-53a + parts: + - id: pl-8_obj.a + name: assessment-objective + props: + - name: label + value: PL-08a. + class: sp800-53a + parts: + - id: pl-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-08a.01 + class: sp800-53a + prose: a security architecture for the system describes the + requirements and approach to be taken for protecting the confidentiality, + integrity, and availability of organizational information; + links: + - href: "#pl-8_smt.a.1" + rel: assessment-for + - id: pl-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-08a.02 + class: sp800-53a + prose: a privacy architecture describes the requirements and + approach to be taken for processing personally identifiable + information to minimize privacy risk to individuals; + links: + - href: "#pl-8_smt.a.2" + rel: assessment-for + - id: pl-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-08a.03 + class: sp800-53a + parts: + - id: pl-8_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-08a.03[01] + class: sp800-53a + prose: a security architecture for the system describes + how the architecture is integrated into and supports the + enterprise architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-08a.03[02] + class: sp800-53a + prose: a privacy architecture for the system describes how + the architecture is integrated into and supports the enterprise + architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-08a.04 + class: sp800-53a + parts: + - id: pl-8_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-08a.04[01] + class: sp800-53a + prose: a security architecture for the system describes + any assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + - id: pl-8_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-08a.04[02] + class: sp800-53a + prose: a privacy architecture for the system describes any + assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a" + rel: assessment-for + - id: pl-8_obj.b + name: assessment-objective + props: + - name: label + value: PL-08b. + class: sp800-53a + prose: "changes in the enterprise architecture are reviewed and\ + \ updated {{ insert: param, pl-08_odp }} to reflect changes in\ + \ the enterprise architecture;" + links: + - href: "#pl-8_smt.b" + rel: assessment-for + - id: pl-8_obj.c + name: assessment-objective + props: + - name: label + value: PL-08c. + class: sp800-53a + parts: + - id: pl-8_obj.c-1 + name: assessment-objective + props: + - name: label + value: PL-08c.[01] + class: sp800-53a + prose: planned architecture changes are reflected in the security + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-2 + name: assessment-objective + props: + - name: label + value: PL-08c.[02] + class: sp800-53a + prose: planned architecture changes are reflected in the privacy + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-3 + name: assessment-objective + props: + - name: label + value: PL-08c.[03] + class: sp800-53a + prose: planned architecture changes are reflected in the Concept + of Operations (CONOPS); + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-4 + name: assessment-objective + props: + - name: label + value: PL-08c.[04] + class: sp800-53a + prose: planned architecture changes are reflected in criticality + analysis; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-5 + name: assessment-objective + props: + - name: label + value: PL-08c.[05] + class: sp800-53a + prose: planned architecture changes are reflected in organizational + procedures; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-6 + name: assessment-objective + props: + - name: label + value: PL-08c.[06] + class: sp800-53a + prose: planned architecture changes are reflected in procurements + and acquisitions. + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt" + rel: assessment-for + - id: pl-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing information security and privacy architecture + development + + + procedures addressing information security and privacy architecture + reviews and updates + + + enterprise architecture documentation + + + information security and privacy architecture documentation + + + system security plan + + + privacy plan + + + security and privacy CONOPS for the system + + + records of information security and privacy architecture reviews + and updates + + + other relevant documents or records + - id: pl-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing, reviewing, and + updating the information security and privacy architecture + + + mechanisms supporting and/or implementing the development, review, + and update of the information security and privacy architecture + - id: pl-10 + class: SP800-53 + title: Baseline Selection + props: + - name: label + value: PL-10 + - name: label + value: PL-10 + class: sp800-53a + - name: sort-id + value: pl-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-2" + rel: related + - href: "#pl-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-10_smt + name: statement + prose: Select a control baseline for the system. + parts: + - id: pl-10_fr + name: item + title: PL-10 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Select the appropriate FedRAMP Baseline + - id: pl-10_gdn + name: guidance + prose: Control baselines are predefined sets of controls specifically + assembled to address the protection needs of a group, organization, + or community of interest. Controls are chosen for baselines to either + satisfy mandates imposed by laws, executive orders, directives, regulations, + policies, standards, and guidelines or address threats common to all + users of the baseline under the assumptions specific to the baseline. + Baselines represent a starting point for the protection of individuals’ + privacy, information, and information systems with subsequent tailoring + actions to manage risk in accordance with mission, business, or other + constraints (see [PL-11](#pl-11) ). Federal control baselines are + provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . + The selection of a control baseline is determined by the needs of + stakeholders. Stakeholder needs consider mission and business requirements + as well as mandates imposed by applicable laws, executive orders, + directives, policies, regulations, standards, and guidelines. For + example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) + and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, + along with the NIST standards and guidelines implementing the legislation, + direct organizations to select one of the control baselines after + the reviewing the information types and the information that is processed, + stored, and transmitted on the system; analyzing the potential adverse + impact of the loss or compromise of the information or system on the + organization’s operations and assets, individuals, other organizations, + or the Nation; and considering the results from system and organizational + risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) + provides guidance on control baselines for national security systems. + - id: pl-10_obj + name: assessment-objective + props: + - name: label + value: PL-10 + class: sp800-53a + prose: a control baseline for the system is selected. + links: + - href: "#pl-10_smt" + rel: assessment-for + - id: pl-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing system security and privacy plan reviews + and updates + + + system design documentation + + + system architecture and configuration documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pl-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with responsibility for organizational + risk management activities + - id: pl-11 + class: SP800-53 + title: Baseline Tailoring + props: + - name: label + value: PL-11 + - name: label + value: PL-11 + class: sp800-53a + - name: sort-id + value: pl-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-10" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-11_smt + name: statement + prose: Tailor the selected control baseline by applying specified tailoring + actions. + - id: pl-11_gdn + name: guidance + prose: The concept of tailoring allows organizations to specialize or + customize a set of baseline controls by applying a defined set of + tailoring actions. Tailoring actions facilitate such specialization + and customization by allowing organizations to develop security and + privacy plans that reflect their specific mission and business functions, + the environments where their systems operate, the threats and vulnerabilities + that can affect their systems, and any other conditions or situations + that can impact their mission or business success. Tailoring guidance + is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + . Tailoring a control baseline is accomplished by identifying and + designating common controls, applying scoping considerations, selecting + compensating controls, assigning values to control parameters, supplementing + the control baseline with additional controls as needed, and providing + information for control implementation. The general tailoring actions + in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented + with additional actions based on the needs of organizations. Tailoring + actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), + [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) + . Alternatively, other communities of interest adopting different + control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + to specialize or customize the controls that represent the specific + needs and concerns of those entities. + - id: pl-11_obj + name: assessment-objective + props: + - name: label + value: PL-11 + class: sp800-53a + prose: the selected control baseline is tailored by applying specified + tailoring actions. + links: + - href: "#pl-11_smt" + rel: assessment-for + - id: pl-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + system design documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + baseline tailoring rationale + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + other relevant documents or records + - id: pl-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ps + class: family + title: Personnel Security + controls: + - id: ps-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ps-1_prm_1 + label: organization-defined personnel or roles + - id: ps-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security policy + is to be disseminated is/are defined; + - id: ps-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security procedures + are to be disseminated is/are defined; + - id: ps-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ps-01_odp.04 + label: official + guidelines: + - prose: an official to manage the personnel security policy and procedures + is defined; + - id: ps-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current personnel security policy + is reviewed and updated is defined; + - id: ps-01_odp.06 + label: events + guidelines: + - prose: events that would require the current personnel security + policy to be reviewed and updated are defined; + - id: ps-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current personnel security procedures + are reviewed and updated is defined; + - id: ps-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the personnel security procedures + to be reviewed and updated are defined; + props: + - name: label + value: PS-1 + - name: label + value: PS-01 + class: sp800-53a + - name: sort-id + value: ps-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-1_smt + name: statement + parts: + - id: ps-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ps-1_prm_1 }}:" + parts: + - id: ps-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ps-01_odp.03 }} personnel security\ + \ policy that:" + parts: + - id: ps-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ps-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ps-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the personnel + security policy and the associated personnel security controls; + - id: ps-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ps-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures; and" + - id: ps-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current personnel security:" + parts: + - id: ps-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ps-01_odp.05 }} and following\ + \ {{ insert: param, ps-01_odp.06 }} ; and" + - id: ps-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ps-01_odp.07 }} and following\ + \ {{ insert: param, ps-01_odp.08 }}." + - id: ps-1_gdn + name: guidance + prose: Personnel security policy and procedures for the controls in + the PS family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on their development. Security and + privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission level + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies reflecting the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission/business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + personnel security policy and procedures include, but are not limited + to, assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: ps-1_obj + name: assessment-objective + props: + - name: label + value: PS-01 + class: sp800-53a + parts: + - id: ps-1_obj.a + name: assessment-objective + props: + - name: label + value: PS-01a. + class: sp800-53a + parts: + - id: ps-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.[01] + class: sp800-53a + prose: a personnel security policy is developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.[02] + class: sp800-53a + prose: "the personnel security policy is disseminated to {{\ + \ insert: param, ps-01_odp.01 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.[03] + class: sp800-53a + prose: personnel security procedures to facilitate the implementation + of the personnel security policy and associated personnel + security controls are developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.[04] + class: sp800-53a + prose: "the personnel security procedures are disseminated to\ + \ {{ insert: param, ps-01_odp.02 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PS-01a.01 + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PS-01a.01(a) + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses purpose;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses scope;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses roles;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses responsibilities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses management commitment;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses compliance;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PS-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ps-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1" + rel: assessment-for + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.b + name: assessment-objective + props: + - name: label + value: PS-01b. + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures;" + links: + - href: "#ps-1_smt.b" + rel: assessment-for + - id: ps-1_obj.c + name: assessment-objective + props: + - name: label + value: PS-01c. + class: sp800-53a + parts: + - id: ps-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-01c.01 + class: sp800-53a + parts: + - id: ps-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PS-01c.01[01] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated {{ insert: param, ps-01_odp.05 }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PS-01c.01[02] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated following {{ insert: param, ps-01_odp.06\ + \ }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-01c.02 + class: sp800-53a + parts: + - id: ps-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PS-01c.02[01] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated {{ insert: param, ps-01_odp.07 }};" + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + - id: ps-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PS-01c.02[02] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated following {{ insert: param, ps-01_odp.08\ + \ }}." + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c" + rel: assessment-for + links: + - href: "#ps-1_smt" + rel: assessment-for + - id: ps-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: ps-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2 + class: SP800-53 + title: Position Risk Designation + params: + - id: ps-02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update position risk + designations is defined; + props: + - name: label + value: PS-2 + - name: label + value: PS-02 + class: sp800-53a + - name: sort-id + value: ps-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#a5ef5e56-5c1a-4911-b419-37dddc1b3581" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-5" + rel: related + - href: "#at-3" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-2_smt + name: statement + parts: + - id: ps-2_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a risk designation to all organizational positions; + - id: ps-2_smt.b + name: item + props: + - name: label + value: b. + prose: Establish screening criteria for individuals filling those + positions; and + - id: ps-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update position risk designations {{ insert:\ + \ param, ps-02_odp }}." + - id: ps-2_gdn + name: guidance + prose: Position risk designations reflect Office of Personnel Management + (OPM) policy and guidance. Proper position designation is the foundation + of an effective and consistent suitability and personnel security + program. The Position Designation System (PDS) assesses the duties + and responsibilities of a position to determine the degree of potential + damage to the efficiency or integrity of the service due to misconduct + of an incumbent of a position and establishes the risk level of that + position. The PDS assessment also determines if the duties and responsibilities + of the position present the potential for position incumbents to bring + about a material adverse effect on national security and the degree + of that potential effect, which establishes the sensitivity level + of a position. The results of the assessment determine what level + of investigation is conducted for a position. Risk designations can + guide and inform the types of authorizations that individuals receive + when accessing organizational information and information systems. + Position screening criteria include explicit information security + role appointment requirements. Parts 1400 and 731 of Title 5, Code + of Federal Regulations, establish the requirements for organizations + to evaluate relevant covered positions for a position sensitivity + and position risk designation commensurate with the duties and responsibilities + of those positions. + - id: ps-2_obj + name: assessment-objective + props: + - name: label + value: PS-02 + class: sp800-53a + parts: + - id: ps-2_obj.a + name: assessment-objective + props: + - name: label + value: PS-02a. + class: sp800-53a + prose: a risk designation is assigned to all organizational positions; + links: + - href: "#ps-2_smt.a" + rel: assessment-for + - id: ps-2_obj.b + name: assessment-objective + props: + - name: label + value: PS-02b. + class: sp800-53a + prose: screening criteria are established for individuals filling + organizational positions; + links: + - href: "#ps-2_smt.b" + rel: assessment-for + - id: ps-2_obj.c + name: assessment-objective + props: + - name: label + value: PS-02c. + class: sp800-53a + prose: "position risk designations are reviewed and updated {{ insert:\ + \ param, ps-02_odp }}." + links: + - href: "#ps-2_smt.c" + rel: assessment-for + links: + - href: "#ps-2_smt" + rel: assessment-for + - id: ps-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing position categorization + + appropriate codes of federal regulations + + list of risk designations for organizational positions + + records of position risk designation reviews and updates + + system security plan + + other relevant documents or records + - id: ps-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assigning, reviewing, and + updating position risk designations + + + organizational processes for establishing screening criteria + - id: ps-3 + class: SP800-53 + title: Personnel Screening + params: + - id: ps-3_prm_1 + label: organization-defined conditions requiring rescreening and, where + rescreening is so indicated, the frequency of rescreening + constraints: + - description: >- + for national security clearances; a reinvestigation is + required during the fifth (5th) year for top secret security + clearance, the tenth (10th) year for secret security + clearance, and fifteenth (15th) year for confidential + security clearance. + + + For moderate risk law enforcement and high impact public trust + level, a reinvestigation is required during the fifth (5th) year. + There is no reinvestigation for other moderate risk positions + or any low risk positions + - id: ps-03_odp.01 + label: conditions requiring rescreening + guidelines: + - prose: conditions requiring rescreening of individuals are defined; + - id: ps-03_odp.02 + label: frequency + guidelines: + - prose: the frequency of rescreening individuals where it is so indicated + is defined; + props: + - name: label + value: PS-3 + - name: label + value: PS-03 + class: sp800-53a + - name: sort-id + value: ps-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#55b0c93a-5e48-457a-baa6-5ce81c239c49" + rel: reference + - href: "#0af071a6-cf8e-48ee-8c82-fe91efa20f94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-3_smt + name: statement + parts: + - id: ps-3_smt.a + name: item + props: + - name: label + value: a. + prose: Screen individuals prior to authorizing access to the system; + and + - id: ps-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Rescreen individuals in accordance with {{ insert: param,\ + \ ps-3_prm_1 }}." + - id: ps-3_gdn + name: guidance + prose: Personnel screening and rescreening activities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + guidelines, and specific criteria established for the risk designations + of assigned positions. Examples of personnel screening include background + investigations and agency checks. Organizations may define different + rescreening conditions and frequencies for personnel accessing systems + based on types of information processed, stored, or transmitted by + the systems. + - id: ps-3_obj + name: assessment-objective + props: + - name: label + value: PS-03 + class: sp800-53a + parts: + - id: ps-3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03a. + class: sp800-53a + prose: individuals are screened prior to authorizing access to the + system; + links: + - href: "#ps-3_smt.a" + rel: assessment-for + - id: ps-3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03b. + class: sp800-53a + parts: + - id: ps-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: PS-03b.[01] + class: sp800-53a + prose: "individuals are rescreened in accordance with {{ insert:\ + \ param, ps-03_odp.01 }};" + links: + - href: "#ps-3_smt.b" + rel: assessment-for + - id: ps-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: PS-03b.[02] + class: sp800-53a + prose: "where rescreening is so indicated, individuals are rescreened\ + \ {{ insert: param, ps-03_odp.02 }}." + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt" + rel: assessment-for + - id: ps-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel screening + + records of screened personnel + + system security plan + + other relevant documents or records + - id: ps-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for personnel screening + controls: + - id: ps-3.3 + class: SP800-53-enhancement + title: Information Requiring Special Protective Measures + params: + - id: ps-03.03_odp + label: additional personnel screening criteria + constraints: + - description: personnel screening criteria – as required by specific + information + guidelines: + - prose: additional personnel screening criteria to be satisfied + for individuals accessing a system processing, storing, or + transmitting information requiring special protection are + defined; + props: + - name: label + value: PS-3(3) + - name: label + value: PS-03(03) + class: sp800-53a + - name: sort-id + value: ps-03.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ps-3" + rel: required + parts: + - id: ps-3.3_smt + name: statement + prose: "Verify that individuals accessing a system processing, storing,\ + \ or transmitting information requiring special protection:" + parts: + - id: ps-3.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Have valid access authorizations that are demonstrated + by assigned official government duties; and + - id: ps-3.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Satisfy {{ insert: param, ps-03.03_odp }}." + - id: ps-3.3_gdn + name: guidance + prose: Organizational information that requires special protection + includes controlled unclassified information. Personnel security + criteria include position sensitivity background screening requirements. + - id: ps-3.3_obj + name: assessment-objective + props: + - name: label + value: PS-03(03) + class: sp800-53a + parts: + - id: ps-3.3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03(03)(a) + class: sp800-53a + prose: individuals accessing a system processing, storing, or + transmitting information requiring special protection have + valid access authorizations that are demonstrated by assigned + official government duties; + links: + - href: "#ps-3.3_smt.a" + rel: assessment-for + - id: ps-3.3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03(03)(b) + class: sp800-53a + prose: "individuals accessing a system processing, storing,\ + \ or transmitting information requiring special protection\ + \ satisfy {{ insert: param, ps-03.03_odp }}." + links: + - href: "#ps-3.3_smt.b" + rel: assessment-for + links: + - href: "#ps-3.3_smt" + rel: assessment-for + - id: ps-3.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + access control policy, procedures addressing personnel screening + + + records of screened personnel + + + screening criteria + + + records of access authorizations + + + system security plan + + + other relevant documents or records + - id: ps-3.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for ensuring valid access + authorizations for information requiring special + protection + + + organizational process for additional personnel screening + for information requiring special protection + - id: ps-4 + class: SP800-53 + title: Personnel Termination + params: + - id: ps-04_odp.01 + label: time period + constraints: + - description: one (1) hour + guidelines: + - prose: a time period within which to disable system access is defined; + - id: ps-04_odp.02 + label: information security topics + guidelines: + - prose: information security topics to be discussed when conducting + exit interviews are defined; + props: + - name: label + value: PS-4 + - name: label + value: PS-04 + class: sp800-53a + - name: sort-id + value: ps-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-4_smt + name: statement + prose: "Upon termination of individual employment:" + parts: + - id: ps-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Disable system access within {{ insert: param, ps-04_odp.01\ + \ }};" + - id: ps-4_smt.b + name: item + props: + - name: label + value: b. + prose: Terminate or revoke any authenticators and credentials associated + with the individual; + - id: ps-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct exit interviews that include a discussion of {{\ + \ insert: param, ps-04_odp.02 }};" + - id: ps-4_smt.d + name: item + props: + - name: label + value: d. + prose: Retrieve all security-related organizational system-related + property; and + - id: ps-4_smt.e + name: item + props: + - name: label + value: e. + prose: Retain access to organizational information and systems formerly + controlled by terminated individual. + - id: ps-4_gdn + name: guidance + prose: System property includes hardware authentication tokens, system + administration technical manuals, keys, identification cards, and + building passes. Exit interviews ensure that terminated individuals + understand the security constraints imposed by being former employees + and that proper accountability is achieved for system-related property. + Security topics at exit interviews include reminding individuals of + nondisclosure agreements and potential limitations on future employment. + Exit interviews may not always be possible for some individuals, including + in cases related to the unavailability of supervisors, illnesses, + or job abandonment. Exit interviews are important for individuals + with security clearances. The timely execution of termination actions + is essential for individuals who have been terminated for cause. In + certain situations, organizations consider disabling the system accounts + of individuals who are being terminated prior to the individuals being + notified. + - id: ps-4_obj + name: assessment-objective + props: + - name: label + value: PS-04 + class: sp800-53a + parts: + - id: ps-4_obj.a + name: assessment-objective + props: + - name: label + value: PS-04a. + class: sp800-53a + prose: "upon termination of individual employment, system access\ + \ is disabled within {{ insert: param, ps-04_odp.01 }};" + links: + - href: "#ps-4_smt.a" + rel: assessment-for + - id: ps-4_obj.b + name: assessment-objective + props: + - name: label + value: PS-04b. + class: sp800-53a + prose: upon termination of individual employment, any authenticators + and credentials are terminated or revoked; + links: + - href: "#ps-4_smt.b" + rel: assessment-for + - id: ps-4_obj.c + name: assessment-objective + props: + - name: label + value: PS-04c. + class: sp800-53a + prose: "upon termination of individual employment, exit interviews\ + \ that include a discussion of {{ insert: param, ps-04_odp.02\ + \ }} are conducted;" + links: + - href: "#ps-4_smt.c" + rel: assessment-for + - id: ps-4_obj.d + name: assessment-objective + props: + - name: label + value: PS-04d. + class: sp800-53a + prose: upon termination of individual employment, all security-related + organizational system-related property is retrieved; + links: + - href: "#ps-4_smt.d" + rel: assessment-for + - id: ps-4_obj.e + name: assessment-objective + props: + - name: label + value: PS-04e. + class: sp800-53a + prose: upon termination of individual employment, access to organizational + information and systems formerly controlled by the terminated + individual are retained. + links: + - href: "#ps-4_smt.e" + rel: assessment-for + links: + - href: "#ps-4_smt" + rel: assessment-for + - id: ps-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel termination + + records of personnel termination actions + + list of system accounts + + records of terminated or revoked authenticators/credentials + + records of exit interviews + + system security plan + + other relevant documents or records + - id: ps-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel termination + + + mechanisms supporting and/or implementing personnel termination + notifications + + + mechanisms for disabling system access/revoking authenticators + controls: + - id: ps-4.2 + class: SP800-53-enhancement + title: Automated Actions + params: + - id: ps-04.02_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to notify personnel or roles of + individual termination actions and/or to disable access to + system resources are defined; + - id: ps-04.02_odp.02 + constraints: + - description: access control personnel responsible for disabling + access to the system + select: + how-many: one-or-more + choice: + - "notify {{ insert: param, ps-04.02_odp.03 }} of individual\ + \ termination actions" + - disable access to system resources + - id: ps-04.02_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified upon termination of + an individual is/are defined (if selected); + props: + - name: label + value: PS-4(2) + - name: label + value: PS-04(02) + class: sp800-53a + - name: sort-id + value: ps-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ps-4" + rel: required + parts: + - id: ps-4.2_smt + name: statement + prose: "Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param,\ + \ ps-04.02_odp.02 }}." + - id: ps-4.2_gdn + name: guidance + prose: In organizations with many employees, not all personnel who + need to know about termination actions receive the appropriate + notifications, or if such notifications are received, they may + not occur in a timely manner. Automated mechanisms can be used + to send automatic alerts or notifications to organizational personnel + or roles when individuals are terminated. Such automatic alerts + or notifications can be conveyed in a variety of ways, including + via telephone, electronic mail, text message, or websites. Automated + mechanisms can also be employed to quickly and thoroughly disable + access to system resources after an employee is terminated. + - id: ps-4.2_obj + name: assessment-objective + props: + - name: label + value: PS-04(02) + class: sp800-53a + prose: " {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert:\ + \ param, ps-04.02_odp.02 }}." + links: + - href: "#ps-4.2_smt" + rel: assessment-for + - id: ps-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + procedures addressing personnel termination + + + system design documentation + + + system configuration settings and associated documentation + + + records of personnel termination actions + + + automated notifications of employee terminations + + + system security plan + + + other relevant documents or records + - id: ps-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel termination + + + automated mechanisms supporting and/or implementing personnel + termination notifications + - id: ps-5 + class: SP800-53 + title: Personnel Transfer + params: + - id: ps-05_odp.01 + label: transfer or reassignment actions + guidelines: + - prose: transfer or reassignment actions to be initiated following + transfer or reassignment are defined; + - id: ps-05_odp.02 + label: time period following the formal transfer action + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: the time period within which transfer or reassignment actions + must occur following transfer or reassignment is defined; + - id: ps-05_odp.03 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system + guidelines: + - prose: personnel or roles to be notified when individuals are reassigned + or transferred to other positions within the organization is/are + defined; + - id: ps-05_odp.04 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify organization-defined personnel + or roles when individuals are reassigned or transferred to other + positions within the organization is defined; + props: + - name: label + value: PS-5 + - name: label + value: PS-05 + class: sp800-53a + - name: sort-id + value: ps-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-5_smt + name: statement + parts: + - id: ps-5_smt.a + name: item + props: + - name: label + value: a. + prose: Review and confirm ongoing operational need for current logical + and physical access authorizations to systems and facilities when + individuals are reassigned or transferred to other positions within + the organization; + - id: ps-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert:\ + \ param, ps-05_odp.02 }};" + - id: ps-5_smt.c + name: item + props: + - name: label + value: c. + prose: Modify access authorization as needed to correspond with + any changes in operational need due to reassignment or transfer; + and + - id: ps-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert:\ + \ param, ps-05_odp.04 }}." + - id: ps-5_gdn + name: guidance + prose: Personnel transfer applies when reassignments or transfers of + individuals are permanent or of such extended duration as to make + the actions warranted. Organizations define actions appropriate for + the types of reassignments or transfers, whether permanent or extended. + Actions that may be required for personnel transfers or reassignments + to other positions within organizations include returning old and + issuing new keys, identification cards, and building passes; closing + system accounts and establishing new accounts; changing system access + authorizations (i.e., privileges); and providing for access to official + records to which individuals had access at previous work locations + and in previous system accounts. + - id: ps-5_obj + name: assessment-objective + props: + - name: label + value: PS-05 + class: sp800-53a + parts: + - id: ps-5_obj.a + name: assessment-objective + props: + - name: label + value: PS-05a. + class: sp800-53a + prose: the ongoing operational need for current logical and physical + access authorizations to systems and facilities are reviewed and + confirmed when individuals are reassigned or transferred to other + positions within the organization; + links: + - href: "#ps-5_smt.a" + rel: assessment-for + - id: ps-5_obj.b + name: assessment-objective + props: + - name: label + value: PS-05b. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.01 }} are initiated within\ + \ {{ insert: param, ps-05_odp.02 }};" + links: + - href: "#ps-5_smt.b" + rel: assessment-for + - id: ps-5_obj.c + name: assessment-objective + props: + - name: label + value: PS-05c. + class: sp800-53a + prose: access authorization is modified as needed to correspond + with any changes in operational need due to reassignment or transfer; + links: + - href: "#ps-5_smt.c" + rel: assessment-for + - id: ps-5_obj.d + name: assessment-objective + props: + - name: label + value: PS-05d. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.03 }} are notified within {{\ + \ insert: param, ps-05_odp.04 }}." + links: + - href: "#ps-5_smt.d" + rel: assessment-for + links: + - href: "#ps-5_smt" + rel: assessment-for + - id: ps-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel transfer + + records of personnel transfer actions + + list of system and facility access authorizations + + system security plan + + other relevant documents or records + - id: ps-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel transfer + + + mechanisms supporting and/or implementing personnel transfer notifications + + + mechanisms for disabling system access/revoking authenticators + - id: ps-6 + class: SP800-53 + title: Access Agreements + params: + - id: ps-06_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update access agreements + is defined; + - id: ps-06_odp.02 + label: frequency + constraints: + - description: at least annually and any time there is a change to + the user's level of access + guidelines: + - prose: the frequency at which to re-sign access agreements to maintain + access to organizational information is defined; + props: + - name: label + value: PS-6 + - name: label + value: PS-06 + class: sp800-53a + - name: sort-id + value: ps-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-17" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-6_smt + name: statement + parts: + - id: ps-6_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and document access agreements for organizational + systems; + - id: ps-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the access agreements {{ insert: param,\ + \ ps-06_odp.01 }} ; and" + - id: ps-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Verify that individuals requiring access to organizational\ + \ information and systems:" + parts: + - id: ps-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Sign appropriate access agreements prior to being granted + access; and + - id: ps-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Re-sign access agreements to maintain access to organizational\ + \ systems when access agreements have been updated or {{ insert:\ + \ param, ps-06_odp.02 }}." + - id: ps-6_gdn + name: guidance + prose: Access agreements include nondisclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements. + Signed access agreements include an acknowledgement that individuals + have read, understand, and agree to abide by the constraints associated + with organizational systems to which access is authorized. Organizations + can use electronic signatures to acknowledge access agreements unless + specifically prohibited by organizational policy. + - id: ps-6_obj + name: assessment-objective + props: + - name: label + value: PS-06 + class: sp800-53a + parts: + - id: ps-6_obj.a + name: assessment-objective + props: + - name: label + value: PS-06a. + class: sp800-53a + prose: access agreements are developed and documented for organizational + systems; + links: + - href: "#ps-6_smt.a" + rel: assessment-for + - id: ps-6_obj.b + name: assessment-objective + props: + - name: label + value: PS-06b. + class: sp800-53a + prose: "the access agreements are reviewed and updated {{ insert:\ + \ param, ps-06_odp.01 }};" + links: + - href: "#ps-6_smt.b" + rel: assessment-for + - id: ps-6_obj.c + name: assessment-objective + props: + - name: label + value: PS-06c. + class: sp800-53a + parts: + - id: ps-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-06c.01 + class: sp800-53a + prose: individuals requiring access to organizational information + and systems sign appropriate access agreements prior to being + granted access; + links: + - href: "#ps-6_smt.c.1" + rel: assessment-for + - id: ps-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-06c.02 + class: sp800-53a + prose: "individuals requiring access to organizational information\ + \ and systems re-sign access agreements to maintain access\ + \ to organizational systems when access agreements have been\ + \ updated or {{ insert: param, ps-06_odp.02 }}." + links: + - href: "#ps-6_smt.c.2" + rel: assessment-for + links: + - href: "#ps-6_smt.c" + rel: assessment-for + links: + - href: "#ps-6_smt" + rel: assessment-for + - id: ps-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing access agreements for organizational information + and systems + + + access control policy + + + access control procedures + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + documentation of access agreement reviews, updates, and re-signing + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ps-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel who have signed/resigned access agreements + + + organizational personnel with information security and privacy + responsibilities + - id: ps-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for reviewing, updating, and + re-signing access agreements + + + mechanisms supporting the reviewing, updating, and re-signing + of access agreements + - id: ps-7 + class: SP800-53 + title: External Personnel Security + params: + - id: ps-07_odp.01 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system and/or facilities, as appropriate + guidelines: + - prose: personnel or roles to be notified of any personnel transfers + or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is/are + defined; + - id: ps-07_odp.02 + label: time period + constraints: + - description: "terminations: immediately; transfers: within twenty-four\ + \ (24) hours" + guidelines: + - prose: time period within which third-party providers are required + to notify organization-defined personnel or roles of any personnel + transfers or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is defined; + props: + - name: label + value: PS-7 + - name: label + value: PS-07 + class: sp800-53a + - name: sort-id + value: ps-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-7_smt + name: statement + parts: + - id: ps-7_smt.a + name: item + props: + - name: label + value: a. + prose: Establish personnel security requirements, including security + roles and responsibilities for external providers; + - id: ps-7_smt.b + name: item + props: + - name: label + value: b. + prose: Require external providers to comply with personnel security + policies and procedures established by the organization; + - id: ps-7_smt.c + name: item + props: + - name: label + value: c. + prose: Document personnel security requirements; + - id: ps-7_smt.d + name: item + props: + - name: label + value: d. + prose: "Require external providers to notify {{ insert: param, ps-07_odp.01\ + \ }} of any personnel transfers or terminations of external personnel\ + \ who possess organizational credentials and/or badges, or who\ + \ have system privileges within {{ insert: param, ps-07_odp.02\ + \ }} ; and" + - id: ps-7_smt.e + name: item + props: + - name: label + value: e. + prose: Monitor provider compliance with personnel security requirements. + - id: ps-7_gdn + name: guidance + prose: External provider refers to organizations other than the organization + operating or acquiring the system. External providers include service + bureaus, contractors, and other organizations that provide system + development, information technology services, testing or assessment + services, outsourced applications, and network/security management. + Organizations explicitly include personnel security requirements in + acquisition-related documents. External providers may have personnel + working at organizational facilities with credentials, badges, or + system privileges issued by organizations. Notifications of external + personnel changes ensure the appropriate termination of privileges + and credentials. Organizations define the transfers and terminations + deemed reportable by security-related characteristics that include + functions, roles, and the nature of credentials or privileges associated + with transferred or terminated individuals. + - id: ps-7_obj + name: assessment-objective + props: + - name: label + value: PS-07 + class: sp800-53a + parts: + - id: ps-7_obj.a + name: assessment-objective + props: + - name: label + value: PS-07a. + class: sp800-53a + prose: personnel security requirements are established, including + security roles and responsibilities for external providers; + links: + - href: "#ps-7_smt.a" + rel: assessment-for + - id: ps-7_obj.b + name: assessment-objective + props: + - name: label + value: PS-07b. + class: sp800-53a + prose: external providers are required to comply with personnel + security policies and procedures established by the organization; + links: + - href: "#ps-7_smt.b" + rel: assessment-for + - id: ps-7_obj.c + name: assessment-objective + props: + - name: label + value: PS-07c. + class: sp800-53a + prose: personnel security requirements are documented; + links: + - href: "#ps-7_smt.c" + rel: assessment-for + - id: ps-7_obj.d + name: assessment-objective + props: + - name: label + value: PS-07d. + class: sp800-53a + prose: "external providers are required to notify {{ insert: param,\ + \ ps-07_odp.01 }} of any personnel transfers or terminations of\ + \ external personnel who possess organizational credentials and/or\ + \ badges or who have system privileges within {{ insert: param,\ + \ ps-07_odp.02 }};" + links: + - href: "#ps-7_smt.d" + rel: assessment-for + - id: ps-7_obj.e + name: assessment-objective + props: + - name: label + value: PS-07e. + class: sp800-53a + prose: provider compliance with personnel security requirements + is monitored. + links: + - href: "#ps-7_smt.e" + rel: assessment-for + links: + - href: "#ps-7_smt" + rel: assessment-for + - id: ps-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing external personnel security + + list of personnel security requirements + + acquisition documents + + service-level agreements + + compliance monitoring process + + system security plan + + other relevant documents or records + - id: ps-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + external providers + + + system/network administrators + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + - id: ps-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing and monitoring + external personnel security + + + mechanisms supporting and/or implementing the monitoring of provider + compliance + - id: ps-8 + class: SP800-53 + title: Personnel Sanctions + params: + - id: ps-08_odp.01 + label: personnel or roles + constraints: + - description: to include the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to be notified when a formal employee + sanctions process is initiated is/are defined; + - id: ps-08_odp.02 + label: time period + constraints: + - description: 24 hours + guidelines: + - prose: the time period within which organization-defined personnel + or roles must be notified when a formal employee sanctions process + is initiated is defined; + props: + - name: label + value: PS-8 + - name: label + value: PS-08 + class: sp800-53a + - name: sort-id + value: ps-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-1" + rel: related + parts: + - id: ps-8_smt + name: statement + parts: + - id: ps-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ a formal sanctions process for individuals failing + to comply with established information security and privacy policies + and procedures; and + - id: ps-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert:\ + \ param, ps-08_odp.02 }} when a formal employee sanctions process\ + \ is initiated, identifying the individual sanctioned and the\ + \ reason for the sanction." + - id: ps-8_gdn + name: guidance + prose: Organizational sanctions reflect applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Sanctions + processes are described in access agreements and can be included as + part of general personnel policies for organizations and/or specified + in security and privacy policies. Organizations consult with the Office + of the General Counsel regarding matters of employee sanctions. + - id: ps-8_obj + name: assessment-objective + props: + - name: label + value: PS-08 + class: sp800-53a + parts: + - id: ps-8_obj.a + name: assessment-objective + props: + - name: label + value: PS-08a. + class: sp800-53a + prose: a formal sanctions process is employed for individuals failing + to comply with established information security and privacy policies + and procedures; + links: + - href: "#ps-8_smt.a" + rel: assessment-for + - id: ps-8_obj.b + name: assessment-objective + props: + - name: label + value: PS-08b. + class: sp800-53a + prose: " {{ insert: param, ps-08_odp.01 }} is/are notified within\ + \ {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions\ + \ process is initiated, identifying the individual sanctioned\ + \ and the reason for the sanction." + links: + - href: "#ps-8_smt.b" + rel: assessment-for + links: + - href: "#ps-8_smt" + rel: assessment-for + - id: ps-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing personnel sanctions + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + list of personnel or roles to be notified of formal employee sanctions + + + records or notifications of formal employee sanctions + + + system security plan + + + privacy plan + + + personally identifiable information processing policy + + + other relevant documents or records + - id: ps-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + legal counsel + + + organizational personnel with information security and privacy + responsibilities + - id: ps-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing formal employee + sanctions + + + mechanisms supporting and/or implementing formal employee sanctions + notifications + - id: ps-9 + class: SP800-53 + title: Position Descriptions + props: + - name: label + value: PS-9 + - name: label + value: PS-09 + class: sp800-53a + - name: sort-id + value: ps-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + parts: + - id: ps-9_smt + name: statement + prose: Incorporate security and privacy roles and responsibilities into + organizational position descriptions. + - id: ps-9_gdn + name: guidance + prose: Specification of security and privacy roles in individual organizational + position descriptions facilitates clarity in understanding the security + or privacy responsibilities associated with the roles and the role-based + security and privacy training requirements for the roles. + - id: ps-9_obj + name: assessment-objective + props: + - name: label + value: PS-09 + class: sp800-53a + parts: + - id: ps-9_obj-1 + name: assessment-objective + props: + - name: label + value: PS-09[01] + class: sp800-53a + prose: security roles and responsibilities are incorporated into + organizational position descriptions; + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_obj-2 + name: assessment-objective + props: + - name: label + value: PS-09[02] + class: sp800-53a + prose: privacy roles and responsibilities are incorporated into + organizational position descriptions. + links: + - href: "#ps-9_smt" + rel: assessment-for + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + procedures addressing position descriptions + + security and privacy position descriptions + + system security plan + + privacy plan + + privacy program plan + + other relevant documents or records + - id: ps-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with human capital management responsibilities + - id: ps-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing position descriptions + - id: ra + class: family + title: Risk Assessment + controls: + - id: ra-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ra-1_prm_1 + label: organization-defined personnel or roles + - id: ra-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment policy is + to be disseminated is/are defined; + - id: ra-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment procedures + are to be disseminated is/are defined; + - id: ra-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ra-01_odp.04 + label: official + guidelines: + - prose: an official to manage the risk assessment policy and procedures + is defined; + - id: ra-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current risk assessment policy + is reviewed and updated is defined; + - id: ra-01_odp.06 + label: events + guidelines: + - prose: events that would require the current risk assessment policy + to be reviewed and updated are defined; + - id: ra-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current risk assessment procedures + are reviewed and updated is defined; + - id: ra-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require risk assessment procedures to be + reviewed and updated are defined; + props: + - name: label + value: RA-1 + - name: label + value: RA-01 + class: sp800-53a + - name: sort-id + value: ra-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-1_smt + name: statement + parts: + - id: ra-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ra-1_prm_1 }}:" + parts: + - id: ra-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ra-01_odp.03 }} risk assessment policy\ + \ that:" + parts: + - id: ra-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ra-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ra-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the risk + assessment policy and the associated risk assessment controls; + - id: ra-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ra-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures; and" + - id: ra-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current risk assessment:" + parts: + - id: ra-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ra-01_odp.05 }} and following\ + \ {{ insert: param, ra-01_odp.06 }} ; and" + - id: ra-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ra-01_odp.07 }} and following\ + \ {{ insert: param, ra-01_odp.08 }}." + - id: ra-1_gdn + name: guidance + prose: Risk assessment policy and procedures address the controls in + the RA family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of risk assessment + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to risk assessment policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ra-1_obj + name: assessment-objective + props: + - name: label + value: RA-01 + class: sp800-53a + parts: + - id: ra-1_obj.a + name: assessment-objective + props: + - name: label + value: RA-01a. + class: sp800-53a + parts: + - id: ra-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.[01] + class: sp800-53a + prose: a risk assessment policy is developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.[02] + class: sp800-53a + prose: "the risk assessment policy is disseminated to {{ insert:\ + \ param, ra-01_odp.01 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.[03] + class: sp800-53a + prose: risk assessment procedures to facilitate the implementation + of the risk assessment policy and associated risk assessment + controls are developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.[04] + class: sp800-53a + prose: "the risk assessment procedures are disseminated to {{\ + \ insert: param, ra-01_odp.02 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-01a.01 + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: RA-01a.01(a) + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses purpose;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses scope;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses roles;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses responsibilities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses management commitment;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses compliance;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: RA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy is consistent with applicable laws, executive\ + \ orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ra-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1" + rel: assessment-for + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.b + name: assessment-objective + props: + - name: label + value: RA-01b. + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures;" + links: + - href: "#ra-1_smt.b" + rel: assessment-for + - id: ra-1_obj.c + name: assessment-objective + props: + - name: label + value: RA-01c. + class: sp800-53a + parts: + - id: ra-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: RA-01c.01 + class: sp800-53a + parts: + - id: ra-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: RA-01c.01[01] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated {{ insert: param, ra-01_odp.05 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: RA-01c.01[02] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated following {{ insert: param, ra-01_odp.06 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: RA-01c.02 + class: sp800-53a + parts: + - id: ra-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: RA-01c.02[01] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated {{ insert: param, ra-01_odp.07 }};" + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + - id: ra-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: RA-01c.02[02] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated following {{ insert: param, ra-01_odp.08\ + \ }}." + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c" + rel: assessment-for + links: + - href: "#ra-1_smt" + rel: assessment-for + - id: ra-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2 + class: SP800-53 + title: Security Categorization + props: + - name: label + value: RA-2 + - name: label + value: RA-02 + class: sp800-53a + - name: sort-id + value: ra-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#cm-8" + rel: related + - href: "#mp-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-2_smt + name: statement + parts: + - id: ra-2_smt.a + name: item + props: + - name: label + value: a. + prose: Categorize the system and information it processes, stores, + and transmits; + - id: ra-2_smt.b + name: item + props: + - name: label + value: b. + prose: Document the security categorization results, including supporting + rationale, in the security plan for the system; and + - id: ra-2_smt.c + name: item + props: + - name: label + value: c. + prose: Verify that the authorizing official or authorizing official + designated representative reviews and approves the security categorization + decision. + - id: ra-2_gdn + name: guidance + prose: >- + Security categories describe the potential adverse impacts or + negative consequences to organizational operations, + organizational assets, and individuals if organizational + information and systems are compromised through a loss of + confidentiality, integrity, or availability. Security + categorization is also a type of asset loss characterization in + systems security engineering processes that is carried out + throughout the system development life cycle. Organizations can + use privacy risk assessments or privacy impact assessments to + better understand the potential adverse effects on individuals. + [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides + additional guidance on categorization for national security + systems. + + + Organizations conduct the security categorization process as an organization-wide + activity with the direct involvement of chief information officers, + senior agency information security officers, senior agency officials + for privacy, system owners, mission and business owners, and information + owners or stewards. Organizations consider the potential adverse impacts + to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) + and Homeland Security Presidential Directives, potential national-level + adverse impacts. + + + Security categorization processes facilitate the development of inventories + of information assets and, along with [CM-8](#cm-8) , mappings to + specific system components where information is processed, stored, + or transmitted. The security categorization process is revisited throughout + the system development life cycle to ensure that the security categories + remain accurate and relevant. + - id: ra-2_obj + name: assessment-objective + props: + - name: label + value: RA-02 + class: sp800-53a + parts: + - id: ra-2_obj.a + name: assessment-objective + props: + - name: label + value: RA-02a. + class: sp800-53a + prose: the system and the information it processes, stores, and + transmits are categorized; + links: + - href: "#ra-2_smt.a" + rel: assessment-for + - id: ra-2_obj.b + name: assessment-objective + props: + - name: label + value: RA-02b. + class: sp800-53a + prose: the security categorization results, including supporting + rationale, are documented in the security plan for the system; + links: + - href: "#ra-2_smt.b" + rel: assessment-for + - id: ra-2_obj.c + name: assessment-objective + props: + - name: label + value: RA-02c. + class: sp800-53a + prose: the authorizing official or authorizing official designated + representative reviews and approves the security categorization + decision. + links: + - href: "#ra-2_smt.c" + rel: assessment-for + links: + - href: "#ra-2_smt" + rel: assessment-for + - id: ra-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + security planning policy and procedures + + + procedures addressing security categorization of organizational + information and systems + + + security categorization documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ra-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security categorization and + risk assessment responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for security categorization + - id: ra-3 + class: SP800-53 + title: Risk Assessment + params: + - id: ra-03_odp.01 + constraints: + - description: security assessment report + select: + choice: + - security and privacy plans + - risk assessment report + - " {{ insert: param, ra-03_odp.02 }} " + - id: ra-03_odp.02 + label: document + guidelines: + - prose: a document in which risk assessment results are to be documented + (if not documented in the security and privacy plans or risk assessment + report) is defined (if selected); + - id: ra-03_odp.03 + label: frequency + constraints: + - description: at least annually and whenever a significant change + occurs + guidelines: + - prose: the frequency to review risk assessment results is defined; + - id: ra-03_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom risk assessment results are to + be disseminated is/are defined; + - id: ra-03_odp.05 + label: frequency + constraints: + - description: annually + guidelines: + - prose: the frequency to update the risk assessment is defined; + props: + - name: label + value: RA-3 + - name: label + value: RA-03 + class: sp800-53a + - name: sort-id + value: ra-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-3" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-8" + rel: related + - href: "#pe-18" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-28" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-3_smt + name: statement + parts: + - id: ra-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct a risk assessment, including:" + parts: + - id: ra-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifying threats to and vulnerabilities in the system; + - id: ra-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Determining the likelihood and magnitude of harm from + unauthorized access, use, disclosure, disruption, modification, + or destruction of the system, the information it processes, + stores, or transmits, and any related information; and + - id: ra-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Determining the likelihood and impact of adverse effects + on individuals arising from the processing of personally identifiable + information; + - id: ra-3_smt.b + name: item + props: + - name: label + value: b. + prose: Integrate risk assessment results and risk management decisions + from the organization and mission or business process perspectives + with system-level risk assessments; + - id: ra-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document risk assessment results in {{ insert: param, ra-03_odp.01\ + \ }};" + - id: ra-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Review risk assessment results {{ insert: param, ra-03_odp.03\ + \ }};" + - id: ra-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Disseminate risk assessment results to {{ insert: param,\ + \ ra-03_odp.04 }} ; and" + - id: ra-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Update the risk assessment {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + - id: ra-3_fr + name: item + title: RA-3 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: ra-3_fr_smt.1 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: Include all Authorizing Officials; for JAB authorizations + to include FedRAMP. + - id: ra-3_gdn + name: guidance + prose: >- + Risk assessments consider threats, vulnerabilities, likelihood, + and impact to organizational operations and assets, individuals, + other organizations, and the Nation. Risk assessments also + consider risk from external parties, including contractors who + operate systems on behalf of the organization, individuals who + access organizational systems, service providers, and + outsourcing entities. + + + Organizations can conduct risk assessments at all three levels in + the risk management hierarchy (i.e., organization level, mission/business + process level, or information system level) and at any stage in the + system development life cycle. Risk assessments can also be conducted + at various steps in the Risk Management Framework, including preparation, + categorization, control selection, control implementation, control + assessment, authorization, and control monitoring. Risk assessment + is an ongoing activity carried out throughout the system development + life cycle. + + + Risk assessments can also address information related to the system, + including system design, the intended use of the system, testing results, + and supply chain-related information or artifacts. Risk assessments + can play an important role in control selection processes, particularly + during the application of tailoring guidance and in the earliest phases + of capability determination. + - id: ra-3_obj + name: assessment-objective + props: + - name: label + value: RA-03 + class: sp800-53a + parts: + - id: ra-3_obj.a + name: assessment-objective + props: + - name: label + value: RA-03a. + class: sp800-53a + parts: + - id: ra-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-03a.01 + class: sp800-53a + prose: a risk assessment is conducted to identify threats to + and vulnerabilities in the system; + links: + - href: "#ra-3_smt.a.1" + rel: assessment-for + - id: ra-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: RA-03a.02 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and magnitude of harm from unauthorized access, use, disclosure, + disruption, modification, or destruction of the system; the + information it processes, stores, or transmits; and any related + information; + links: + - href: "#ra-3_smt.a.2" + rel: assessment-for + - id: ra-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: RA-03a.03 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and impact of adverse effects on individuals arising from + the processing of personally identifiable information; + links: + - href: "#ra-3_smt.a.3" + rel: assessment-for + links: + - href: "#ra-3_smt.a" + rel: assessment-for + - id: ra-3_obj.b + name: assessment-objective + props: + - name: label + value: RA-03b. + class: sp800-53a + prose: risk assessment results and risk management decisions from + the organization and mission or business process perspectives + are integrated with system-level risk assessments; + links: + - href: "#ra-3_smt.b" + rel: assessment-for + - id: ra-3_obj.c + name: assessment-objective + props: + - name: label + value: RA-03c. + class: sp800-53a + prose: "risk assessment results are documented in {{ insert: param,\ + \ ra-03_odp.01 }};" + links: + - href: "#ra-3_smt.c" + rel: assessment-for + - id: ra-3_obj.d + name: assessment-objective + props: + - name: label + value: RA-03d. + class: sp800-53a + prose: "risk assessment results are reviewed {{ insert: param, ra-03_odp.03\ + \ }};" + links: + - href: "#ra-3_smt.d" + rel: assessment-for + - id: ra-3_obj.e + name: assessment-objective + props: + - name: label + value: RA-03e. + class: sp800-53a + prose: "risk assessment results are disseminated to {{ insert: param,\ + \ ra-03_odp.04 }};" + links: + - href: "#ra-3_smt.e" + rel: assessment-for + - id: ra-3_obj.f + name: assessment-objective + props: + - name: label + value: RA-03f. + class: sp800-53a + prose: "the risk assessment is updated {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + links: + - href: "#ra-3_smt.f" + rel: assessment-for + links: + - href: "#ra-3_smt" + rel: assessment-for + - id: ra-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + risk assessment procedures + + security and privacy planning policy and procedures + + procedures addressing organizational assessments of risk + + risk assessment + + risk assessment results + + risk assessment reviews + + risk assessment updates + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the risk assessment + controls: + - id: ra-3.1 + class: SP800-53-enhancement + title: Supply Chain Risk Assessment + params: + - id: ra-03.01_odp.01 + label: systems, system components, and system services + guidelines: + - prose: systems, system components, and system services to assess + supply chain risks are defined; + - id: ra-03.01_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to update the supply chain risk + assessment is defined; + props: + - name: label + value: RA-3(1) + - name: label + value: RA-03(01) + class: sp800-53a + - name: sort-id + value: ra-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-3" + rel: required + - href: "#ra-2" + rel: related + - href: "#ra-9" + rel: related + - href: "#pm-17" + rel: related + - href: "#pm-30" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-3.1_smt + name: statement + parts: + - id: ra-3.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Assess supply chain risks associated with {{ insert:\ + \ param, ra-03.01_odp.01 }} ; and" + - id: ra-3.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Update the supply chain risk assessment {{ insert: param,\ + \ ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + - id: ra-3.1_gdn + name: guidance + prose: Supply chain-related events include disruption, use of defective + components, insertion of counterfeits, theft, malicious development + practices, improper delivery practices, and insertion of malicious + code. These events can have a significant impact on the confidentiality, + integrity, or availability of a system and its information and, + therefore, can also adversely impact organizational operations + (including mission, functions, image, or reputation), organizational + assets, individuals, other organizations, and the Nation. The + supply chain-related events may be unintentional or malicious + and can occur at any point during the system life cycle. An analysis + of supply chain risk can help an organization identify systems + or components for which additional supply chain risk mitigations + are required. + - id: ra-3.1_obj + name: assessment-objective + props: + - name: label + value: RA-03(01) + class: sp800-53a + parts: + - id: ra-3.1_obj.a + name: assessment-objective + props: + - name: label + value: RA-03(01)(a) + class: sp800-53a + prose: "supply chain risks associated with {{ insert: param,\ + \ ra-03.01_odp.01 }} are assessed;" + links: + - href: "#ra-3.1_smt.a" + rel: assessment-for + - id: ra-3.1_obj.b + name: assessment-objective + props: + - name: label + value: RA-03(01)(b) + class: sp800-53a + prose: "the supply chain risk assessment is updated {{ insert:\ + \ param, ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + links: + - href: "#ra-3.1_smt.b" + rel: assessment-for + links: + - href: "#ra-3.1_smt" + rel: assessment-for + - id: ra-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + inventory of critical systems, system components, and system + services + + + risk assessment policy + + + security planning policy and procedures + + + procedures addressing organizational assessments of supply + chain risk + + + risk assessment + + + risk assessment results + + + risk assessment reviews + + + risk assessment updates + + + acquisition policy + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: ra-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: ra-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the supply chain risk assessment + - id: ra-5 + class: SP800-53 + title: Vulnerability Monitoring and Scanning + params: + - id: ra-5_prm_1 + label: organization-defined frequency and/or randomly in accordance + with organization-defined process + constraints: + - description: monthly operating system/infrastructure; monthly web + applications (including APIs) and databases + - id: ra-05_odp.01 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for monitoring systems and hosted applications + for vulnerabilities is defined; + - id: ra-05_odp.02 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for scanning systems and hosted applications for + vulnerabilities is defined; + - id: ra-05_odp.03 + label: response times + constraints: + - description: high-risk vulnerabilities mitigated within thirty (30) + days from date of discovery; moderate-risk vulnerabilities mitigated + within ninety (90) days from date of discovery; low risk vulnerabilities + mitigated within one hundred and eighty (180) days from date of + discovery + guidelines: + - prose: response times to remediate legitimate vulnerabilities in + accordance with an organizational assessment of risk are defined; + - id: ra-05_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles with whom information obtained from the + vulnerability scanning process and control assessments is to be + shared; + props: + - name: label + value: RA-5 + - name: label + value: RA-05 + class: sp800-53a + - name: sort-id + value: ra-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#8df72805-2e5c-4731-a73e-81db0f0318d0" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-8" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ra-5_smt + name: statement + parts: + - id: ra-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor and scan for vulnerabilities in the system and hosted\ + \ applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + - id: ra-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ vulnerability monitoring tools and techniques that\ + \ facilitate interoperability among tools and automate parts of\ + \ the vulnerability management process by using standards for:" + parts: + - id: ra-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Enumerating platforms, software flaws, and improper configurations; + - id: ra-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Formatting checklists and test procedures; and + - id: ra-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Measuring vulnerability impact; + - id: ra-5_smt.c + name: item + props: + - name: label + value: c. + prose: Analyze vulnerability scan reports and results from vulnerability + monitoring; + - id: ra-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03\ + \ }} in accordance with an organizational assessment of risk;" + - id: ra-5_smt.e + name: item + props: + - name: label + value: e. + prose: "Share information obtained from the vulnerability monitoring\ + \ process and control assessments with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;\ + \ and" + - id: ra-5_smt.f + name: item + props: + - name: label + value: f. + prose: Employ vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned. + - id: ra-5_fr + name: item + title: RA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See the FedRAMP Documents page> Vulnerability Scanning + Requirements https://www.FedRAMP.gov/documents/ + - id: ra-5_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: an accredited independent assessor scans operating systems/infrastructure, + web applications, and databases once annually. + - id: ra-5_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: If a vulnerability is listed among the CISA Known Exploited + Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) + the KEV remediation date supersedes the FedRAMP parameter + requirement. + - id: ra-5_fr_smt.3 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: to include all Authorizing Officials; for JAB authorizations + to include FedRAMP + - id: ra-5_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Informational findings from a scanner are detailed as a + returned result that holds no vulnerability risk or + severity and for FedRAMP does not require an entry onto + the POA&M or entry onto the RET during any assessment + phase. + + + Warning findings, on the other hand, are given a risk rating + (low, moderate, high or critical) by the scanning solution + and should be treated like any other finding with a risk or + severity rating for tracking purposes onto either the POA&M + or RET depending on when the findings originated (during assessments + or during monthly continuous monitoring). If a warning is + received during scanning, but further validation turns up + no actual issue then this item should be categorized as a + false positive. If this situation presents itself during an + assessment phase (initial assessment, annual assessment or + any SCR), follow guidance on how to report false positives + in the Security Assessment Report (SAR). If this situation + happens during monthly continuous monitoring, a deviation + request will need to be submitted per the FedRAMP Vulnerability + Deviation Request Form. + + + Warnings are commonly associated with scanning solutions that + also perform compliance scans, and if the scanner reports + a “warning” as part of the compliance scanning of a CSO, follow + guidance surrounding the tracking of compliance findings during + either the assessment phases (initial assessment, annual assessment + or any SCR) or monthly continuous monitoring as it applies. + Guidance on compliance scan findings can be found by searching + on “Tracking of Compliance Scans” in FAQs. + - id: ra-5_gdn + name: guidance + prose: >- + Security categorization of information and systems guides the + frequency and comprehensiveness of vulnerability monitoring + (including scans). Organizations determine the required + vulnerability monitoring for system components, ensuring that + the potential sources of vulnerabilities—such as infrastructure + components (e.g., switches, routers, guards, sensors), networked + printers, scanners, and copiers—are not overlooked. The + capability to readily update vulnerability monitoring tools as + new vulnerabilities are discovered and announced and as new + scanning methods are developed helps to ensure that new + vulnerabilities are not missed by employed vulnerability + monitoring tools. The vulnerability monitoring tool update + process helps to ensure that potential vulnerabilities in the + system are identified and addressed as quickly as possible. + Vulnerability monitoring and analyses for custom software may + require additional approaches, such as static analysis, dynamic + analysis, binary analysis, or a hybrid of the three approaches. + Organizations can use these analysis approaches in source code + reviews and in a variety of tools, including web-based + application scanners, static analysis tools, and binary + analyzers. + + + Vulnerability monitoring includes scanning for patch levels; scanning + for functions, ports, protocols, and services that should not be accessible + to users or devices; and scanning for flow control mechanisms that + are improperly configured or operating incorrectly. Vulnerability + monitoring may also include continuous vulnerability monitoring tools + that use instrumentation to continuously analyze components. Instrumentation-based + tools may improve accuracy and may be run throughout an organization + without scanning. Vulnerability monitoring tools that facilitate interoperability + include tools that are Security Content Automated Protocol (SCAP)-validated. + Thus, organizations consider using scanning tools that express vulnerabilities + in the Common Vulnerabilities and Exposures (CVE) naming convention + and that employ the Open Vulnerability Assessment Language (OVAL) + to determine the presence of vulnerabilities. Sources for vulnerability + information include the Common Weakness Enumeration (CWE) listing + and the National Vulnerability Database (NVD). Control assessments, + such as red team exercises, provide additional sources of potential + vulnerabilities for which to scan. Organizations also consider using + scanning tools that express vulnerability impact by the Common Vulnerability + Scoring System (CVSS). + + + Vulnerability monitoring includes a channel and process for receiving + reports of security vulnerabilities from the public at-large. Vulnerability + disclosure programs can be as simple as publishing a monitored email + address or web form that can receive reports, including notification + authorizing good-faith research and disclosure of security vulnerabilities. + Organizations generally expect that such research is happening with + or without their authorization and can use public vulnerability disclosure + channels to increase the likelihood that discovered vulnerabilities + are reported directly to the organization for remediation. + + + Organizations may also employ the use of financial incentives (also + known as "bug bounties" ) to further encourage external security researchers + to report discovered vulnerabilities. Bug bounty programs can be tailored + to the organization’s needs. Bounties can be operated indefinitely + or over a defined period of time and can be offered to the general + public or to a curated group. Organizations may run public and private + bounties simultaneously and could choose to offer partially credentialed + access to certain participants in order to evaluate security vulnerabilities + from privileged vantage points. + - id: ra-5_obj + name: assessment-objective + props: + - name: label + value: RA-05 + class: sp800-53a + parts: + - id: ra-5_obj.a + name: assessment-objective + props: + - name: label + value: RA-05a. + class: sp800-53a + parts: + - id: ra-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-05a.[01] + class: sp800-53a + prose: "systems and hosted applications are monitored for vulnerabilities\ + \ {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-05a.[02] + class: sp800-53a + prose: "systems and hosted applications are scanned for vulnerabilities\ + \ {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.b + name: assessment-objective + props: + - name: label + value: RA-05b. + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools; + parts: + - id: ra-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: RA-05b.01 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to automate parts of the vulnerability management process + by using standards for enumerating platforms, software flaws, + and improper configurations; + links: + - href: "#ra-5_smt.b.1" + rel: assessment-for + - id: ra-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: RA-05b.02 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for formatting checklists and test procedures; + links: + - href: "#ra-5_smt.b.2" + rel: assessment-for + - id: ra-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: RA-05b.03 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for measuring vulnerability impact; + links: + - href: "#ra-5_smt.b.3" + rel: assessment-for + links: + - href: "#ra-5_smt.b" + rel: assessment-for + - id: ra-5_obj.c + name: assessment-objective + props: + - name: label + value: RA-05c. + class: sp800-53a + prose: vulnerability scan reports and results from vulnerability + monitoring are analyzed; + links: + - href: "#ra-5_smt.c" + rel: assessment-for + - id: ra-5_obj.d + name: assessment-objective + props: + - name: label + value: RA-05d. + class: sp800-53a + prose: "legitimate vulnerabilities are remediated {{ insert: param,\ + \ ra-05_odp.03 }} in accordance with an organizational assessment\ + \ of risk;" + links: + - href: "#ra-5_smt.d" + rel: assessment-for + - id: ra-5_obj.e + name: assessment-objective + props: + - name: label + value: RA-05e. + class: sp800-53a + prose: "information obtained from the vulnerability monitoring process\ + \ and control assessments is shared with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;" + links: + - href: "#ra-5_smt.e" + rel: assessment-for + - id: ra-5_obj.f + name: assessment-objective + props: + - name: label + value: RA-05f. + class: sp800-53a + prose: vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned are employed. + links: + - href: "#ra-5_smt.f" + rel: assessment-for + links: + - href: "#ra-5_smt" + rel: assessment-for + - id: ra-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + assessment report + + + vulnerability scanning tools and associated configuration documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment, control + assessment, and vulnerability scanning responsibilities + + + organizational personnel with vulnerability scan analysis responsibilities + + + organizational personnel with vulnerability remediation responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning, + analysis, remediation, and information sharing + + + mechanisms supporting and/or implementing vulnerability scanning, + analysis, remediation, and information sharing + controls: + - id: ra-5.2 + class: SP800-53-enhancement + title: Update Vulnerabilities to Be Scanned + params: + - id: ra-05.02_odp.01 + constraints: + - description: within 24 hours prior to running scans + select: + how-many: one-or-more + choice: + - " {{ insert: param, ra-05.02_odp.02 }} " + - prior to a new scan + - when new vulnerabilities are identified and reported + - id: ra-05.02_odp.02 + label: frequency + guidelines: + - prose: the frequency for updating the system vulnerabilities + to be scanned is defined (if selected); + props: + - name: label + value: RA-5(2) + - name: label + value: RA-05(02) + class: sp800-53a + - name: sort-id + value: ra-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + - href: "#si-5" + rel: related + parts: + - id: ra-5.2_smt + name: statement + prose: "Update the system vulnerabilities to be scanned {{ insert:\ + \ param, ra-05.02_odp.01 }}." + - id: ra-5.2_gdn + name: guidance + prose: Due to the complexity of modern software, systems, and other + factors, new vulnerabilities are discovered on a regular basis. + It is important that newly discovered vulnerabilities are added + to the list of vulnerabilities to be scanned to ensure that the + organization can take steps to mitigate those vulnerabilities + in a timely manner. + - id: ra-5.2_obj + name: assessment-objective + props: + - name: label + value: RA-05(02) + class: sp800-53a + prose: "the system vulnerabilities to be scanned are updated {{\ + \ insert: param, ra-05.02_odp.01 }}." + links: + - href: "#ra-5.2_smt" + rel: assessment-for + - id: ra-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.3 + class: SP800-53-enhancement + title: Breadth and Depth of Coverage + props: + - name: label + value: RA-5(3) + - name: label + value: RA-05(03) + class: sp800-53a + - name: sort-id + value: ra-05.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.3_smt + name: statement + prose: Define the breadth and depth of vulnerability scanning coverage. + - id: ra-5.3_gdn + name: guidance + prose: The breadth of vulnerability scanning coverage can be expressed + as a percentage of components within the system, by the particular + types of systems, by the criticality of systems, or by the number + of vulnerabilities to be checked. Conversely, the depth of vulnerability + scanning coverage can be expressed as the level of the system + design that the organization intends to monitor (e.g., component, + module, subsystem, element). Organizations can determine the sufficiency + of vulnerability scanning coverage with regard to its risk tolerance + and other factors. Scanning tools and how the tools are configured + may affect the depth and coverage. Multiple scanning tools may + be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) + provides additional information on the breadth and depth of coverage. + - id: ra-5.3_obj + name: assessment-objective + props: + - name: label + value: RA-05(03) + class: sp800-53a + prose: the breadth and depth of vulnerability scanning coverage + are defined. + links: + - href: "#ra-5.3_smt" + rel: assessment-for + - id: ra-5.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.4 + class: SP800-53-enhancement + title: Discoverable Information + params: + - id: ra-05.04_odp + label: corrective actions + constraints: + - description: notify appropriate service provider personnel and + follow procedures for organization and service provider-defined + corrective actions + guidelines: + - prose: corrective actions to be taken if information about the + system is discoverable are defined; + props: + - name: label + value: RA-5(4) + - name: label + value: RA-05(04) + class: sp800-53a + - name: sort-id + value: ra-05.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + - href: "#au-13" + rel: related + - href: "#sc-26" + rel: related + parts: + - id: ra-5.4_smt + name: statement + prose: "Determine information about the system that is discoverable\ + \ and take {{ insert: param, ra-05.04_odp }}." + - id: ra-5.4_gdn + name: guidance + prose: Discoverable information includes information that adversaries + could obtain without compromising or breaching the system, such + as by collecting information that the system is exposing or by + conducting extensive web searches. Corrective actions include + notifying appropriate organizational personnel, removing designated + information, or changing the system to make the designated information + less relevant or attractive to adversaries. This enhancement excludes + intentionally discoverable information that may be part of a decoy + capability (e.g., honeypots, honeynets, or deception nets) deployed + by the organization. + - id: ra-5.4_obj + name: assessment-objective + props: + - name: label + value: RA-05(04) + class: sp800-53a + parts: + - id: ra-5.4_obj-1 + name: assessment-objective + props: + - name: label + value: RA-05(04)[01] + class: sp800-53a + prose: information about the system is discoverable; + links: + - href: "#ra-5.4_smt" + rel: assessment-for + - id: ra-5.4_obj-2 + name: assessment-objective + props: + - name: label + value: RA-05(04)[02] + class: sp800-53a + prose: " {{ insert: param, ra-05.04_odp }} are taken when information\ + \ about the system is confirmed as discoverable." + links: + - href: "#ra-5.4_smt" + rel: assessment-for + links: + - href: "#ra-5.4_smt" + rel: assessment-for + - id: ra-5.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Procedures addressing vulnerability scanning + + assessment report + + penetration test results + + vulnerability scanning results + + risk assessment report + + records of corrective actions taken + + incident response records + + audit records + + system security plan + + other relevant documents or records + - id: ra-5.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + and/or penetration testing responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel responsible for risk response + + + organizational personnel responsible for incident management + and response + + + organizational personnel with security responsibilities + - id: ra-5.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + organizational processes for risk response + + + organizational processes for incident management and response + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms supporting and/or implementing risk response + + + mechanisms supporting and/or implementing incident management + and response + - id: ra-5.5 + class: SP800-53-enhancement + title: Privileged Access + params: + - id: ra-05.05_odp.01 + label: system components + constraints: + - description: all components that support authentication + guidelines: + - prose: system components to which privileged access is authorized + for selected vulnerability scanning activities are defined; + - id: ra-05.05_odp.02 + label: vulnerability scanning activities + constraints: + - description: all scans + guidelines: + - prose: vulnerability scanning activities selected for privileged + access authorization to system components are defined; + props: + - name: label + value: RA-5(5) + - name: label + value: RA-05(05) + class: sp800-53a + - name: sort-id + value: ra-05.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.5_smt + name: statement + prose: "Implement privileged access authorization to {{ insert:\ + \ param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02\ + \ }}." + - id: ra-5.5_gdn + name: guidance + prose: In certain situations, the nature of the vulnerability scanning + may be more intrusive, or the system component that is the subject + of the scanning may contain classified or controlled unclassified + information, such as personally identifiable information. Privileged + access authorization to selected system components facilitates + more thorough vulnerability scanning and protects the sensitive + nature of such scanning. + - id: ra-5.5_obj + name: assessment-objective + props: + - name: label + value: RA-05(05) + class: sp800-53a + prose: "privileged access authorization is implemented to {{ insert:\ + \ param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02\ + \ }}." + links: + - href: "#ra-5.5_smt" + rel: assessment-for + - id: ra-5.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + system design documentation + + + system configuration settings and associated documentation + + + list of system components for vulnerability scanning + + + personnel access authorization list + + + authorization credentials + + + access authorization records + + + system security plan + + + other relevant documents or records + - id: ra-5.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + system/network administrators + + + organizational personnel responsible for access control to + the system + + + organizational personnel responsible for configuration management + of the system + + + system developers + + + organizational personnel with security responsibilities + - id: ra-5.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + organizational processes for access control + + + mechanisms supporting and/or implementing access control + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.8 + class: SP800-53-enhancement + title: Review Historic Audit Logs + params: + - id: ra-05.08_odp.01 + label: system + guidelines: + - prose: a system whose historic audit logs are to be reviewed + is defined; + - id: ra-05.08_odp.02 + label: time period + guidelines: + - prose: a time period for a potential previous exploit of a system + is defined; + props: + - name: label + value: RA-5(8) + - name: label + value: RA-05(08) + class: sp800-53a + - name: sort-id + value: ra-05.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + - href: "#au-6" + rel: related + - href: "#au-11" + rel: related + parts: + - id: ra-5.8_smt + name: statement + prose: "Review historic audit logs to determine if a vulnerability\ + \ identified in a {{ insert: param, ra-05.08_odp.01 }} has been\ + \ previously exploited within an {{ insert: param, ra-05.08_odp.02\ + \ }}." + parts: + - id: ra-5.8_fr + name: item + title: RA-5(8) Additional FedRAMP Requirement + parts: + - id: ra-5.8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: This enhancement is required for all high (or critical) + vulnerability scan findings. + - id: ra-5.8_gdn + name: guidance + prose: Reviewing historic audit logs to determine if a recently + detected vulnerability in a system has been previously exploited + by an adversary can provide important information for forensic + analyses. Such analyses can help identify, for example, the extent + of a previous intrusion, the trade craft employed during the attack, + organizational information exfiltrated or modified, mission or + business capabilities affected, and the duration of the attack. + - id: ra-5.8_obj + name: assessment-objective + props: + - name: label + value: RA-05(08) + class: sp800-53a + prose: "historic audit logs are reviewed to determine if a vulnerability\ + \ identified in a {{ insert: param, ra-05.08_odp.01 }} has been\ + \ previously exploited within {{ insert: param, ra-05.08_odp.02\ + \ }}." + links: + - href: "#ra-5.8_smt" + rel: assessment-for + - id: ra-5.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + procedures addressing vulnerability scanning + + audit logs + + records of audit log reviews + + vulnerability scanning results + + patch and vulnerability management records + + system security plan + + other relevant documents or records + - id: ra-5.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with audit record review responsibilities + + + system/network administrators + + + organizational personnel with security responsibilities + - id: ra-5.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + organizational process for audit record review and response + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms supporting and/or implementing audit record review + - id: ra-5.11 + class: SP800-53-enhancement + title: Public Disclosure Program + props: + - name: label + value: RA-5(11) + - name: label + value: RA-05(11) + class: sp800-53a + - name: sort-id + value: ra-05.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.11_smt + name: statement + prose: Establish a public reporting channel for receiving reports + of vulnerabilities in organizational systems and system components. + - id: ra-5.11_gdn + name: guidance + prose: The reporting channel is publicly discoverable and contains + clear language authorizing good-faith research and the disclosure + of vulnerabilities to the organization. The organization does + not condition its authorization on an expectation of indefinite + non-disclosure to the public by the reporting entity but may request + a specific time period to properly remediate the vulnerability. + - id: ra-5.11_obj + name: assessment-objective + props: + - name: label + value: RA-05(11) + class: sp800-53a + prose: a public reporting channel is established for receiving reports + of vulnerabilities in organizational systems and system components. + links: + - href: "#ra-5.11_smt" + rel: assessment-for + - id: ra-5.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + vulnerability scanning tools and techniques documentation + + + vulnerability scanning results + + + vulnerability management records + + + audit records + + + public reporting channel + + + system security plan + + + other relevant documents or records + - id: ra-5.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms implementing the public reporting of vulnerabilities + - id: ra-7 + class: SP800-53 + title: Risk Response + props: + - name: label + value: RA-7 + - name: label + value: RA-07 + class: sp800-53a + - name: sort-id + value: ra-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-5" + rel: related + - href: "#ir-9" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-28" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-7_smt + name: statement + prose: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - id: ra-7_gdn + name: guidance + prose: Organizations have many options for responding to risk including + mitigating risk by implementing new controls or strengthening existing + controls, accepting risk with appropriate justification or rationale, + sharing or transferring risk, or avoiding risk. The risk tolerance + of the organization influences risk response decisions and actions. + Risk response addresses the need to determine an appropriate response + to risk before generating a plan of action and milestones entry. For + example, the response may be to accept risk or reject risk, or it + may be possible to mitigate the risk immediately so that a plan of + action and milestones entry is not needed. However, if the risk response + is to mitigate the risk, and the mitigation cannot be completed immediately, + a plan of action and milestones entry is generated. + - id: ra-7_obj + name: assessment-objective + props: + - name: label + value: RA-07 + class: sp800-53a + parts: + - id: ra-7_obj-1 + name: assessment-objective + props: + - name: label + value: RA-07[01] + class: sp800-53a + prose: findings from security assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-2 + name: assessment-objective + props: + - name: label + value: RA-07[02] + class: sp800-53a + prose: findings from privacy assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-3 + name: assessment-objective + props: + - name: label + value: RA-07[03] + class: sp800-53a + prose: findings from monitoring are responded to in accordance with + organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-4 + name: assessment-objective + props: + - name: label + value: RA-07[04] + class: sp800-53a + prose: findings from audits are responded to in accordance with + organizational risk tolerance. + links: + - href: "#ra-7_smt" + rel: assessment-for + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + assessment reports + + audit records/event logs + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + system/network administrators + + + organizational personnel with security and privacy responsibilities + - id: ra-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: ra-9 + class: SP800-53 + title: Criticality Analysis + params: + - id: ra-09_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services to be analyzed + for criticality are defined; + - id: ra-09_odp.02 + label: decision points in the system development life cycle + guidelines: + - prose: decision points in the system development life cycle when + a criticality analysis is to be performed are defined; + props: + - name: label + value: RA-9 + - name: label + value: RA-09 + class: sp800-53a + - name: sort-id + value: ra-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-2" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: ra-9_smt + name: statement + prose: "Identify critical system components and functions by performing\ + \ a criticality analysis for {{ insert: param, ra-09_odp.01 }} at\ + \ {{ insert: param, ra-09_odp.02 }}." + - id: ra-9_gdn + name: guidance + prose: >- + Not all system components, functions, or services necessarily + require significant protections. For example, criticality + analysis is a key tenet of supply chain risk management and + informs the prioritization of protection activities. The + identification of critical system components and functions + considers applicable laws, executive orders, regulations, + directives, policies, standards, system functionality + requirements, system and component interfaces, and system and + component dependencies. Systems engineers conduct a functional + decomposition of a system to identify mission-critical functions + and components. The functional decomposition includes the + identification of organizational missions supported by the + system, decomposition into the specific functions to perform + those missions, and traceability to the hardware, software, and + firmware components that implement those functions, including + when the functions are shared by many components within and + external to the system. + + + The operational environment of a system or a system component may + impact the criticality, including the connections to and dependencies + on cyber-physical systems, devices, system-of-systems, and outsourced + IT services. System components that allow unmediated access to critical + system components or functions are considered critical due to the + inherent vulnerabilities that such components create. Component and + function criticality are assessed in terms of the impact of a component + or function failure on the organizational missions that are supported + by the system that contains the components and functions. + + + Criticality analysis is performed when an architecture or design is + being developed, modified, or upgraded. If such analysis is performed + early in the system development life cycle, organizations may be able + to modify the system design to reduce the critical nature of these + components and functions, such as by adding redundancy or alternate + paths into the system design. Criticality analysis can also influence + the protection measures required by development contractors. In addition + to criticality analysis for systems, system components, and system + services, criticality analysis of information is an important consideration. + Such analysis is conducted as part of security categorization in [RA-2](#ra-2). + - id: ra-9_obj + name: assessment-objective + props: + - name: label + value: RA-09 + class: sp800-53a + prose: "critical system components and functions are identified by performing\ + \ a criticality analysis for {{ insert: param, ra-09_odp.01 }} at\ + \ {{ insert: param, ra-09_odp.02 }}." + links: + - href: "#ra-9_smt" + rel: assessment-for + - id: ra-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + assessment reports + + + criticality analysis/finalized criticality for each component/subcomponent + + + audit records/event logs + + + analysis reports + + + system security plan + + + other relevant documents or records + - id: ra-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + organizational personnel with criticality analysis responsibilities + + + system/network administrators + + + organizational personnel with security responsibilities + - id: ra-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: sa + class: family + title: System and Services Acquisition + controls: + - id: sa-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sa-1_prm_1 + label: organization-defined personnel or roles + - id: sa-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + policy is to be disseminated is/are defined; + - id: sa-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + procedures are to be disseminated is/are defined; + - id: sa-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sa-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and services acquisition + policy and procedures is defined; + - id: sa-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and services acquisition + policy is reviewed and updated is defined; + - id: sa-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and services + acquisition policy to be reviewed and updated are defined; + - id: sa-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and services acquisition + procedures are reviewed and updated is defined; + - id: sa-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and services acquisition + procedures to be reviewed and updated are defined; + props: + - name: label + value: SA-1 + - name: label + value: SA-01 + class: sp800-53a + - name: sort-id + value: sa-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sa-1_smt + name: statement + parts: + - id: sa-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sa-1_prm_1 }}:" + parts: + - id: sa-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sa-01_odp.03 }} system and services\ + \ acquisition policy that:" + parts: + - id: sa-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sa-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sa-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and services acquisition policy and the associated system + and services acquisition controls; + - id: sa-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sa-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures; and" + - id: sa-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and services acquisition:" + parts: + - id: sa-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sa-01_odp.05 }} and following\ + \ {{ insert: param, sa-01_odp.06 }} ; and" + - id: sa-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sa-01_odp.07 }} and following\ + \ {{ insert: param, sa-01_odp.08 }}." + - id: sa-1_gdn + name: guidance + prose: System and services acquisition policy and procedures address + the controls in the SA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and services acquisition policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and services acquisition policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in laws, + executive orders, directives, regulations, policies, standards, and + guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sa-1_obj + name: assessment-objective + props: + - name: label + value: SA-01 + class: sp800-53a + parts: + - id: sa-1_obj.a + name: assessment-objective + props: + - name: label + value: SA-01a. + class: sp800-53a + parts: + - id: sa-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.[01] + class: sp800-53a + prose: a system and services acquisition policy is developed + and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.[02] + class: sp800-53a + prose: "the system and services acquisition policy is disseminated\ + \ to {{ insert: param, sa-01_odp.01 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.[03] + class: sp800-53a + prose: system and services acquisition procedures to facilitate + the implementation of the system and services acquisition + policy and associated system and services acquisition controls + are developed and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.[04] + class: sp800-53a + prose: "the system and services acquisition procedures are disseminated\ + \ to {{ insert: param, sa-01_odp.02 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-01a.01 + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SA-01a.01(a) + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses purpose;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses scope;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses roles;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses responsibilities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses management\ + \ commitment;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses compliance;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system and\ + \ services acquisition policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sa-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1" + rel: assessment-for + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.b + name: assessment-objective + props: + - name: label + value: SA-01b. + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures;" + links: + - href: "#sa-1_smt.b" + rel: assessment-for + - id: sa-1_obj.c + name: assessment-objective + props: + - name: label + value: SA-01c. + class: sp800-53a + parts: + - id: sa-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SA-01c.01 + class: sp800-53a + parts: + - id: sa-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SA-01c.01[01] + class: sp800-53a + prose: "the system and services acquisition policy is reviewed\ + \ and updated {{ insert: param, sa-01_odp.05 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SA-01c.01[02] + class: sp800-53a + prose: "the current system and services acquisition policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sa-01_odp.06 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SA-01c.02 + class: sp800-53a + parts: + - id: sa-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SA-01c.02[01] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated {{ insert: param, sa-01_odp.07\ + \ }};" + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + - id: sa-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SA-01c.02[02] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sa-01_odp.08 }}." + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c" + rel: assessment-for + links: + - href: "#sa-1_smt" + rel: assessment-for + - id: sa-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and services acquisition policy + + system and services acquisition procedures + + supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management plan + + system security plan + + privacy plan + + other relevant documents or records + - id: sa-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2 + class: SP800-53 + title: Allocation of Resources + props: + - name: label + value: SA-2 + - name: label + value: SA-02 + class: sp800-53a + - name: sort-id + value: sa-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pl-7" + rel: related + - href: "#pm-3" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-9" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-2_smt + name: statement + parts: + - id: sa-2_smt.a + name: item + props: + - name: label + value: a. + prose: Determine the high-level information security and privacy + requirements for the system or system service in mission and business + process planning; + - id: sa-2_smt.b + name: item + props: + - name: label + value: b. + prose: Determine, document, and allocate the resources required + to protect the system or system service as part of the organizational + capital planning and investment control process; and + - id: sa-2_smt.c + name: item + props: + - name: label + value: c. + prose: Establish a discrete line item for information security and + privacy in organizational programming and budgeting documentation. + - id: sa-2_gdn + name: guidance + prose: Resource allocation for information security and privacy includes + funding for system and services acquisition, sustainment, and supply + chain-related risks throughout the system development life cycle. + - id: sa-2_obj + name: assessment-objective + props: + - name: label + value: SA-02 + class: sp800-53a + parts: + - id: sa-2_obj.a + name: assessment-objective + props: + - name: label + value: SA-02a. + class: sp800-53a + parts: + - id: sa-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-02a.[01] + class: sp800-53a + prose: the high-level information security requirements for + the system or system service are determined in mission and + business process planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-02a.[02] + class: sp800-53a + prose: the high-level privacy requirements for the system or + system service are determined in mission and business process + planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.b + name: assessment-objective + props: + - name: label + value: SA-02b. + class: sp800-53a + parts: + - id: sa-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-02b.[01] + class: sp800-53a + prose: the resources required to protect the system or system + service are determined and documented as part of the organizational + capital planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-02b.[02] + class: sp800-53a + prose: the resources required to protect the system or system + service are allocated as part of the organizational capital + planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.c + name: assessment-objective + props: + - name: label + value: SA-02c. + class: sp800-53a + parts: + - id: sa-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-02c.[01] + class: sp800-53a + prose: a discrete line item for information security is established + in organizational programming and budgeting documentation; + links: + - href: "#sa-2_smt.c" + rel: assessment-for + - id: sa-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-02c.[02] + class: sp800-53a + prose: a discrete line item for privacy is established in organizational + programming and budgeting documentation. + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt" + rel: assessment-for + - id: sa-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + system and services acquisition strategy and plans + + + procedures addressing the allocation of resources to information + security and privacy requirements + + + procedures addressing capital planning and investment control + + + organizational programming and budgeting documentation + + + system security plan + + + privacy plan + + + supply chain risk management policy + + + other relevant documents or records + - id: sa-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with capital planning, investment + control, organizational programming, and budgeting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining information + security and privacy requirements + + + organizational processes for capital planning, programming, and + budgeting + + + mechanisms supporting and/or implementing organizational capital + planning, programming, and budgeting + - id: sa-3 + class: SP800-53 + title: System Development Life Cycle + params: + - id: sa-03_odp + label: system-development life cycle + guidelines: + - prose: system development life cycle is defined; + props: + - name: label + value: SA-3 + - name: label + value: SA-03 + class: sp800-53a + - name: sort-id + value: sa-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#at-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-3_smt + name: statement + parts: + - id: sa-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Acquire, develop, and manage the system using {{ insert:\ + \ param, sa-03_odp }} that incorporates information security and\ + \ privacy considerations;" + - id: sa-3_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document information security and privacy roles + and responsibilities throughout the system development life cycle; + - id: sa-3_smt.c + name: item + props: + - name: label + value: c. + prose: Identify individuals having information security and privacy + roles and responsibilities; and + - id: sa-3_smt.d + name: item + props: + - name: label + value: d. + prose: Integrate the organizational information security and privacy + risk management process into system development life cycle activities. + - id: sa-3_gdn + name: guidance + prose: >- + A system development life cycle process provides the foundation + for the successful development, implementation, and operation of + organizational systems. The integration of security and privacy + considerations early in the system development life cycle is a + foundational principle of systems security engineering and + privacy engineering. To apply the required controls within the + system development life cycle requires a basic understanding of + information security and privacy, threats, vulnerabilities, + adverse impacts, and risk to critical mission and business + functions. The security engineering principles in [SA-8](#sa-8) + help individuals properly design, code, and test systems and + system components. Organizations include qualified personnel + (e.g., senior agency information security officers, senior + agency officials for privacy, security and privacy architects, + and security and privacy engineers) in system development life + cycle processes to ensure that established security and privacy + requirements are incorporated into organizational systems. + Role-based security and privacy training programs can ensure + that individuals with key security and privacy roles and + responsibilities have the experience, skills, and expertise to + conduct assigned system development life cycle activities. + + + The effective integration of security and privacy requirements into + enterprise architecture also helps to ensure that important security + and privacy considerations are addressed throughout the system life + cycle and that those considerations are directly related to organizational + mission and business processes. This process also facilitates the + integration of the information security and privacy architectures + into the enterprise architecture, consistent with the risk management + strategy of the organization. Because the system development life + cycle involves multiple organizations, (e.g., external suppliers, + developers, integrators, service providers), acquisition and supply + chain risk management functions and controls play significant roles + in the effective management of the system during the life cycle. + - id: sa-3_obj + name: assessment-objective + props: + - name: label + value: SA-03 + class: sp800-53a + parts: + - id: sa-3_obj.a + name: assessment-objective + props: + - name: label + value: SA-03a. + class: sp800-53a + parts: + - id: sa-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-03a.[01] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates information\ + \ security considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-03a.[02] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates privacy\ + \ considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.b + name: assessment-objective + props: + - name: label + value: SA-03b. + class: sp800-53a + parts: + - id: sa-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-03b.[01] + class: sp800-53a + prose: information security roles and responsibilities are defined + and documented throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-03b.[02] + class: sp800-53a + prose: privacy roles and responsibilities are defined and documented + throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.c + name: assessment-objective + props: + - name: label + value: SA-03c. + class: sp800-53a + parts: + - id: sa-3_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-03c.[01] + class: sp800-53a + prose: individuals with information security roles and responsibilities + are identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-03c.[02] + class: sp800-53a + prose: individuals with privacy roles and responsibilities are + identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.d + name: assessment-objective + props: + - name: label + value: SA-03d. + class: sp800-53a + parts: + - id: sa-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-03d.[01] + class: sp800-53a + prose: organizational information security risk management processes + are integrated into system development life cycle activities; + links: + - href: "#sa-3_smt.d" + rel: assessment-for + - id: sa-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-03d.[02] + class: sp800-53a + prose: organizational privacy risk management processes are + integrated into system development life cycle activities. + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt" + rel: assessment-for + - id: sa-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the system development + life cycle process + + + system development life cycle documentation + + + organizational risk management strategy + + + information security and privacy risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy program plan + + + enterprise architecture documentation + + + role-based security and privacy training program documentation + + + data mapping documentation + + + other relevant documents or records + - id: sa-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + organizational personnel with system life cycle development responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle + + + organizational processes for identifying system development life + cycle roles and responsibilities + + + organizational processes for integrating information security + and privacy and supply chain risk management into the system development + life cycle + + + mechanisms supporting and/or implementing the system development + life cycle + - id: sa-4 + class: SP800-53 + title: Acquisition Process + params: + - id: sa-04_odp.01 + select: + how-many: one-or-more + choice: + - standardized contract language + - " {{ insert: param, sa-04_odp.02 }} " + - id: sa-04_odp.02 + label: contract language + guidelines: + - prose: contract language is defined (if selected); + props: + - name: label + value: SA-4 + - name: label + value: SA-04 + class: sp800-53a + - name: sort-id + value: sa-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73" + rel: reference + - href: "#87087451-2af5-43d4-88c1-d66ad850f614" + rel: reference + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#06ce9216-bd54-4054-a422-94f358b50a5d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#795aff72-3e6c-4b6b-a80a-b14d84b7f544" + rel: reference + - href: "#3d575737-98cb-459d-b41c-d7e82b73ad78" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-21" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-4_smt + name: statement + prose: "Include the following requirements, descriptions, and criteria,\ + \ explicitly or by reference, using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service:" + parts: + - id: sa-4_smt.a + name: item + props: + - name: label + value: a. + prose: Security and privacy functional requirements; + - id: sa-4_smt.b + name: item + props: + - name: label + value: b. + prose: Strength of mechanism requirements; + - id: sa-4_smt.c + name: item + props: + - name: label + value: c. + prose: Security and privacy assurance requirements; + - id: sa-4_smt.d + name: item + props: + - name: label + value: d. + prose: Controls needed to satisfy the security and privacy requirements. + - id: sa-4_smt.e + name: item + props: + - name: label + value: e. + prose: Security and privacy documentation requirements; + - id: sa-4_smt.f + name: item + props: + - name: label + value: f. + prose: Requirements for protecting security and privacy documentation; + - id: sa-4_smt.g + name: item + props: + - name: label + value: g. + prose: Description of the system development environment and environment + in which the system is intended to operate; + - id: sa-4_smt.h + name: item + props: + - name: label + value: h. + prose: Allocation of responsibility or identification of parties + responsible for information security, privacy, and supply chain + risk management; and + - id: sa-4_smt.i + name: item + props: + - name: label + value: i. + prose: Acceptance criteria. + - id: sa-4_fr + name: item + title: SA-4 Additional FedRAMP Requirements and Guidance + parts: + - id: sa-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must comply with Federal Acquisition + Regulation (FAR) Subpart 7.103, and Section 889 of the John + S. McCain National Defense Authorization Act (NDAA) for Fiscal + Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements + Section 889 (as well as any added updates related to FISMA + to address security concerns in the system acquisitions process). + - id: sa-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The use of Common Criteria (ISO/IEC 15408) evaluated + products is strongly preferred. + + + See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/. + - id: sa-4_gdn + name: guidance + prose: >- + Security and privacy functional requirements are typically + derived from the high-level security and privacy requirements + described in [SA-2](#sa-2) . The derived requirements include + security and privacy capabilities, functions, and mechanisms. + Strength requirements associated with such capabilities, + functions, and mechanisms include degree of correctness, + completeness, resistance to tampering or bypass, and resistance + to direct attack. Assurance requirements include development + processes, procedures, and methodologies as well as the evidence + from development and assessment activities that provide grounds + for confidence that the required functionality is implemented + and possesses the required strength of mechanism. [SP + 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the + process of requirements engineering as part of the system + development life cycle. + + + Controls can be viewed as descriptions of the safeguards and protection + capabilities appropriate for achieving the particular security and + privacy objectives of the organization and for reflecting the security + and privacy requirements of stakeholders. Controls are selected and + implemented in order to satisfy system requirements and include developer + and organizational responsibilities. Controls can include technical, + administrative, and physical aspects. In some cases, the selection + and implementation of a control may necessitate additional specification + by the organization in the form of derived requirements or instantiated + control parameter values. The derived requirements and control parameter + values may be necessary to provide the appropriate level of implementation + detail for controls within the system development life cycle. + + + Security and privacy documentation requirements address all stages + of the system development life cycle. Documentation provides user + and administrator guidance for the implementation and operation of + controls. The level of detail required in such documentation is based + on the security categorization or classification level of the system + and the degree to which organizations depend on the capabilities, + functions, or mechanisms to meet risk response expectations. Requirements + can include mandated configuration settings that specify allowed functions, + ports, protocols, and services. Acceptance criteria for systems, system + components, and system services are defined in the same manner as + the criteria for any organizational acquisition or procurement. + - id: sa-4_obj + name: assessment-objective + props: + - name: label + value: SA-04 + class: sp800-53a + parts: + - id: sa-4_obj.a + name: assessment-objective + props: + - name: label + value: SA-04a. + class: sp800-53a + parts: + - id: sa-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-04a.[01] + class: sp800-53a + prose: "security functional requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-04a.[02] + class: sp800-53a + prose: "privacy functional requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.b + name: assessment-objective + props: + - name: label + value: SA-04b. + class: sp800-53a + prose: "strength of mechanism requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert: param,\ + \ sa-04_odp.01 }} in the acquisition contract for the system,\ + \ system component, or system service;" + links: + - href: "#sa-4_smt.b" + rel: assessment-for + - id: sa-4_obj.c + name: assessment-objective + props: + - name: label + value: SA-04c. + class: sp800-53a + parts: + - id: sa-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-04c.[01] + class: sp800-53a + prose: "security assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-04c.[02] + class: sp800-53a + prose: "privacy assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.d + name: assessment-objective + props: + - name: label + value: SA-04d. + class: sp800-53a + parts: + - id: sa-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-04d.[01] + class: sp800-53a + prose: "controls needed to satisfy the security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-04d.[02] + class: sp800-53a + prose: "controls needed to satisfy the privacy requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.e + name: assessment-objective + props: + - name: label + value: SA-04e. + class: sp800-53a + parts: + - id: sa-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: SA-04e.[01] + class: sp800-53a + prose: "security documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: SA-04e.[02] + class: sp800-53a + prose: "privacy documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.f + name: assessment-objective + props: + - name: label + value: SA-04f. + class: sp800-53a + parts: + - id: sa-4_obj.f-1 + name: assessment-objective + props: + - name: label + value: SA-04f.[01] + class: sp800-53a + prose: "requirements for protecting security documentation,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.f-2 + name: assessment-objective + props: + - name: label + value: SA-04f.[02] + class: sp800-53a + prose: "requirements for protecting privacy documentation, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.g + name: assessment-objective + props: + - name: label + value: SA-04g. + class: sp800-53a + prose: "the description of the system development environment and\ + \ environment in which the system is intended to operate, requirements,\ + \ and criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract for\ + \ the system, system component, or system service;" + links: + - href: "#sa-4_smt.g" + rel: assessment-for + - id: sa-4_obj.h + name: assessment-objective + props: + - name: label + value: SA-04h. + class: sp800-53a + parts: + - id: sa-4_obj.h-1 + name: assessment-objective + props: + - name: label + value: SA-04h.[01] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for information security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-2 + name: assessment-objective + props: + - name: label + value: SA-04h.[02] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for privacy requirements, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-3 + name: assessment-objective + props: + - name: label + value: SA-04h.[03] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for supply chain risk management requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.i + name: assessment-objective + props: + - name: label + value: SA-04i. + class: sp800-53a + prose: "acceptance criteria requirements and descriptions are included\ + \ explicitly or by reference using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service." + links: + - href: "#sa-4_smt.i" + rel: assessment-for + links: + - href: "#sa-4_smt" + rel: assessment-for + - id: sa-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the acquisition + process + + + configuration management plan + + + acquisition contracts for the system, system component, or system + service + + + system design documentation + + + system security plan + + + supply chain risk management plan + + + privacy plan + + + other relevant documents or records + - id: sa-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with supply chain risk management responsibilities + - id: sa-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining system security and + privacy functional, strength, and assurance requirements + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing acquisitions and the + inclusion of security and privacy requirements in contracts + controls: + - id: sa-4.1 + class: SP800-53-enhancement + title: Functional Properties of Controls + props: + - name: label + value: SA-4(1) + - name: label + value: SA-04(01) + class: sp800-53a + - name: sort-id + value: sa-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + parts: + - id: sa-4.1_smt + name: statement + prose: Require the developer of the system, system component, or + system service to provide a description of the functional properties + of the controls to be implemented. + - id: sa-4.1_gdn + name: guidance + prose: Functional properties of security and privacy controls describe + the functionality (i.e., security or privacy capability, functions, + or mechanisms) visible at the interfaces of the controls and specifically + exclude functionality and data structures internal to the operation + of the controls. + - id: sa-4.1_obj + name: assessment-objective + props: + - name: label + value: SA-04(01) + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to provide a description of the functional + properties of the controls to be implemented. + links: + - href: "#sa-4.1_smt" + rel: assessment-for + - id: sa-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of security and privacy + requirements, descriptions, and criteria into the acquisition + process + + + solicitation documents + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system services + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sa-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: sa-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining system security + functional requirements + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing acquisitions and + the inclusion of security and privacy requirements in contracts + - id: sa-4.2 + class: SP800-53-enhancement + title: Design and Implementation Information for Controls + params: + - id: sa-04.02_odp.01 + constraints: + - description: >- + at a minimum to include security-relevant external + system interfaces; high-level design; low-level design; + source code or network and data flow diagram; + + + organization-defined design/implementation information + select: + how-many: one-or-more + choice: + - security-relevant external system interfaces + - high-level design + - low-level design + - source code or hardware schematics + - " {{ insert: param, sa-04.02_odp.02 }} " + - id: sa-04.02_odp.02 + label: design and implementation information + guidelines: + - prose: design and implementation information is defined (if + selected); + - id: sa-04.02_odp.03 + label: level of detail + guidelines: + - prose: level of detail is defined; + props: + - name: label + value: SA-4(2) + - name: label + value: SA-04(02) + class: sp800-53a + - name: sort-id + value: sa-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + parts: + - id: sa-4.2_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to provide design and implementation information\ + \ for the controls that includes: {{ insert: param, sa-04.02_odp.01\ + \ }} at {{ insert: param, sa-04.02_odp.03 }}." + - id: sa-4.2_gdn + name: guidance + prose: Organizations may require different levels of detail in the + documentation for the design and implementation of controls in + organizational systems, system components, or system services + based on mission and business requirements, requirements for resiliency + and trustworthiness, and requirements for analysis and testing. + Systems can be partitioned into multiple subsystems. Each subsystem + within the system can contain one or more modules. The high-level + design for the system is expressed in terms of subsystems and + the interfaces between subsystems providing security-relevant + functionality. The low-level design for the system is expressed + in terms of modules and the interfaces between modules providing + security-relevant functionality. Design and implementation documentation + can include manufacturer, version, serial number, verification + hash signature, software libraries used, date of purchase or download, + and the vendor or download source. Source code and hardware schematics + are referred to as the implementation representation of the system. + - id: sa-4.2_obj + name: assessment-objective + props: + - name: label + value: SA-04(02) + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to provide design and implementation information\ + \ for the controls that includes using {{ insert: param, sa-04.02_odp.01\ + \ }} at {{ insert: param, sa-04.02_odp.03 }}." + links: + - href: "#sa-4.2_smt" + rel: assessment-for + - id: sa-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documents + + + acquisition documentation + + + acquisition contracts for the system, system components, or + system services + + + design and implementation information for controls employed + in the system, system component, or system service + + + system security plan + + + other relevant documents or records + - id: sa-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility to determine + system security requirements + + + system developers or service provider + + + organizational personnel with information security responsibilities + - id: sa-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining the level of + detail for system design and controls + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing the development + of system design details + - id: sa-4.5 + class: SP800-53-enhancement + title: System, Component, and Service Configurations + params: + - id: sa-04.05_odp + label: security configurations + constraints: + - description: The service provider shall use the DoD STIGs to + establish configuration settings; Center for Internet Security + up to Level 2 (CIS Level 2) guidelines shall be used if STIGs + are not available; Custom baselines shall be used if CIS is + not available. + guidelines: + - prose: security configurations for the system, component, or + service are defined; + props: + - name: label + value: SA-4(5) + - name: label + value: SA-04(05) + class: sp800-53a + - name: sort-id + value: sa-04.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + parts: + - id: sa-4.5_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to:" + parts: + - id: sa-4.5_smt.a + name: item + props: + - name: label + value: (a) + prose: "Deliver the system, component, or service with {{ insert:\ + \ param, sa-04.05_odp }} implemented; and" + - id: sa-4.5_smt.b + name: item + props: + - name: label + value: (b) + prose: Use the configurations as the default for any subsequent + system, component, or service reinstallation or upgrade. + - id: sa-4.5_gdn + name: guidance + prose: Examples of security configurations include the U.S. Government + Configuration Baseline (USGCB), Security Technical Implementation + Guides (STIGs), and any limitations on functions, ports, protocols, + and services. Security characteristics can include requiring that + default passwords have been changed. + - id: sa-4.5_obj + name: assessment-objective + props: + - name: label + value: SA-04(05) + class: sp800-53a + parts: + - id: sa-4.5_obj.a + name: assessment-objective + props: + - name: label + value: SA-04(05)(a) + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to deliver the system, component, or\ + \ service with {{ insert: param, sa-04.05_odp }} implemented;" + links: + - href: "#sa-4.5_smt.a" + rel: assessment-for + - id: sa-4.5_obj.b + name: assessment-objective + props: + - name: label + value: SA-04(05)(b) + class: sp800-53a + prose: the configurations are used as the default for any subsequent + system, component, or service reinstallation or upgrade. + links: + - href: "#sa-4.5_smt.b" + rel: assessment-for + links: + - href: "#sa-4.5_smt" + rel: assessment-for + - id: sa-4.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documents + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + security configurations to be implemented by the developer + of the system, system component, or system service + + + service level agreements + + + system security plan + + + other relevant documents or records + - id: sa-4.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility to determine + system security requirements + + + system developers or service provider + + + organizational personnel with information security responsibilities + - id: sa-4.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms used to verify that the configuration of the + system, component, or service is delivered as specified + - id: sa-4.9 + class: SP800-53-enhancement + title: Functions, Ports, Protocols, and Services in Use + props: + - name: label + value: SA-4(9) + - name: label + value: SA-04(09) + class: sp800-53a + - name: sort-id + value: sa-04.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + - href: "#cm-7" + rel: related + - href: "#sa-9" + rel: related + parts: + - id: sa-4.9_smt + name: statement + prose: Require the developer of the system, system component, or + system service to identify the functions, ports, protocols, and + services intended for organizational use. + - id: sa-4.9_gdn + name: guidance + prose: The identification of functions, ports, protocols, and services + early in the system development life cycle (e.g., during the initial + requirements definition and design stages) allows organizations + to influence the design of the system, system component, or system + service. This early involvement in the system development life + cycle helps organizations avoid or minimize the use of functions, + ports, protocols, or services that pose unnecessarily high risks + and understand the trade-offs involved in blocking specific ports, + protocols, or services or requiring system service providers to + do so. Early identification of functions, ports, protocols, and + services avoids costly retrofitting of controls after the system, + component, or system service has been implemented. [SA-9](#sa-9) + describes the requirements for external system services. Organizations + identify which functions, ports, protocols, and services are provided + from external sources. + - id: sa-4.9_obj + name: assessment-objective + props: + - name: label + value: SA-04(09) + class: sp800-53a + parts: + - id: sa-4.9_obj-1 + name: assessment-objective + props: + - name: label + value: SA-04(09)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the functions intended for + organizational use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-2 + name: assessment-objective + props: + - name: label + value: SA-04(09)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the ports intended for organizational + use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-3 + name: assessment-objective + props: + - name: label + value: SA-04(09)[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the protocols intended for + organizational use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-4 + name: assessment-objective + props: + - name: label + value: SA-04(09)[04] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the services intended for + organizational use. + links: + - href: "#sa-4.9_smt" + rel: assessment-for + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + system design documentation + + + system documentation, including functions, ports, protocols, + and services intended for organizational use + + + acquisition contracts for systems or services + + + acquisition documentation + + + solicitation documentation + + + service level agreements + + + organizational security requirements, descriptions, and criteria + for developers of systems, system components, and system services + + + system security plan + + + other relevant documents or records + - id: sa-4.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility for determining + system security requirements + + + system/network administrators + + + organizational personnel operating, using, and/or maintaining + the system + + + system developers + + + organizational personnel with information security responsibilities + - id: sa-4.10 + class: SP800-53-enhancement + title: Use of Approved PIV Products + props: + - name: label + value: SA-4(10) + - name: label + value: SA-04(10) + class: sp800-53a + - name: sort-id + value: sa-04.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#pm-9" + rel: related + parts: + - id: sa-4.10_smt + name: statement + prose: Employ only information technology products on the FIPS 201-approved + products list for Personal Identity Verification (PIV) capability + implemented within organizational systems. + - id: sa-4.10_gdn + name: guidance + prose: Products on the FIPS 201-approved products list meet NIST + requirements for Personal Identity Verification (PIV) of Federal + Employees and Contractors. PIV cards are used for multi-factor + authentication in systems and organizations. + - id: sa-4.10_obj + name: assessment-objective + props: + - name: label + value: SA-04(10) + class: sp800-53a + prose: only information technology products on the FIPS 201-approved + products list for the Personal Identity Verification (PIV) capability + implemented within organizational systems are employed. + links: + - href: "#sa-4.10_smt" + rel: assessment-for + - id: sa-4.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documentation + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + service level agreements + + + FIPS 201 approved products list + + + system security plan + + + other relevant documents or records + - id: sa-4.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility for determining + system security requirements + + + organizational personnel with the responsibility for ensuring + that only FIPS 201- approved products are implemented + + + organizational personnel with information security responsibilities + - id: sa-4.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for selecting and employing + FIPS 201-approved products + - id: sa-5 + class: SP800-53 + title: System Documentation + params: + - id: sa-05_odp.01 + label: actions + guidelines: + - prose: actions to take when system, system component, or system + service documentation is either unavailable or nonexistent are + defined; + - id: sa-05_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles to distribute system documentation to + is/are defined; + props: + - name: label + value: SA-5 + - name: label + value: SA-05 + class: sp800-53a + - name: sort-id + value: sa-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: sa-5_smt + name: statement + parts: + - id: sa-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Obtain or develop administrator documentation for the system,\ + \ system component, or system service that describes:" + parts: + - id: sa-5_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Secure configuration, installation, and operation of + the system, component, or service; + - id: sa-5_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Effective use and maintenance of security and privacy + functions and mechanisms; and + - id: sa-5_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Known vulnerabilities regarding configuration and use + of administrative or privileged functions; + - id: sa-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Obtain or develop user documentation for the system, system\ + \ component, or system service that describes:" + parts: + - id: sa-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: User-accessible security and privacy functions and mechanisms + and how to effectively use those functions and mechanisms; + - id: sa-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Methods for user interaction, which enables individuals + to use the system, component, or service in a more secure + manner and protect individual privacy; and + - id: sa-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: User responsibilities in maintaining the security of + the system, component, or service and privacy of individuals; + - id: sa-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Document attempts to obtain system, system component, or\ + \ system service documentation when such documentation is either\ + \ unavailable or nonexistent and take {{ insert: param, sa-05_odp.01\ + \ }} in response; and" + - id: sa-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Distribute documentation to {{ insert: param, sa-05_odp.02\ + \ }}." + - id: sa-5_gdn + name: guidance + prose: System documentation helps personnel understand the implementation + and operation of controls. Organizations consider establishing specific + measures to determine the quality and completeness of the content + provided. System documentation may be used to support the management + of supply chain risk, incident response, and other functions. Personnel + or roles that require documentation include system owners, system + security officers, and system administrators. Attempts to obtain documentation + include contacting manufacturers or suppliers and conducting web-based + searches. The inability to obtain documentation may occur due to the + age of the system or component or the lack of support from developers + and contractors. When documentation cannot be obtained, organizations + may need to recreate the documentation if it is essential to the implementation + or operation of the controls. The protection provided for the documentation + is commensurate with the security category or classification of the + system. Documentation that addresses system vulnerabilities may require + an increased level of protection. Secure operation of the system includes + initially starting the system and resuming secure system operation + after a lapse in system operation. + - id: sa-5_obj + name: assessment-objective + props: + - name: label + value: SA-05 + class: sp800-53a + parts: + - id: sa-5_obj.a + name: assessment-objective + props: + - name: label + value: SA-05a. + class: sp800-53a + parts: + - id: sa-5_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-05a.01 + class: sp800-53a + parts: + - id: sa-5_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: SA-05a.01[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + configuration of the system, component, or service is + obtained or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: SA-05a.01[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + installation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: SA-05a.01[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + operation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.2 + name: assessment-objective + props: + - name: label + value: SA-05a.02 + class: sp800-53a + parts: + - id: sa-5_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SA-05a.02[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of security functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SA-05a.02[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of security functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SA-05a.02[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of privacy functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-4 + name: assessment-objective + props: + - name: label + value: SA-05a.02[04] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of privacy functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.3 + name: assessment-objective + props: + - name: label + value: SA-05a.03 + class: sp800-53a + parts: + - id: sa-5_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: SA-05a.03[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the configuration of administrative or privileged + functions is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + - id: sa-5_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: SA-05a.03[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the use of administrative or privileged functions + is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a" + rel: assessment-for + - id: sa-5_obj.b + name: assessment-objective + props: + - name: label + value: SA-05b. + class: sp800-53a + parts: + - id: sa-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: SA-05b.01 + class: sp800-53a + parts: + - id: sa-5_obj.b.1-1 + name: assessment-objective + props: + - name: label + value: SA-05b.01[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible security + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-2 + name: assessment-objective + props: + - name: label + value: SA-05b.01[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible security) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-3 + name: assessment-objective + props: + - name: label + value: SA-05b.01[03] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible privacy + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-4 + name: assessment-objective + props: + - name: label + value: SA-05b.01[04] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible privacy) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: SA-05b.02 + class: sp800-53a + parts: + - id: sa-5_obj.b.2-1 + name: assessment-objective + props: + - name: label + value: SA-05b.02[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service in a more secure manner is obtained or developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.2-2 + name: assessment-objective + props: + - name: label + value: SA-05b.02[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service to protect individual privacy is obtained or + developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: SA-05b.03 + class: sp800-53a + parts: + - id: sa-5_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: SA-05b.03[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the security of the system, component, + or service is obtained or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + - id: sa-5_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: SA-05b.03[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the privacy of individuals is obtained + or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b" + rel: assessment-for + - id: sa-5_obj.c + name: assessment-objective + props: + - name: label + value: SA-05c. + class: sp800-53a + parts: + - id: sa-5_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-05c.[01] + class: sp800-53a + prose: attempts to obtain system, system component, or system + service documentation when such documentation is either unavailable + or nonexistent is documented; + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-05c.[02] + class: sp800-53a + prose: "after attempts to obtain system, system component, or\ + \ system service documentation when such documentation is\ + \ either unavailable or nonexistent, {{ insert: param, sa-05_odp.01\ + \ }} are taken in response;" + links: + - href: "#sa-5_smt.c" + rel: assessment-for + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.d + name: assessment-objective + props: + - name: label + value: SA-05d. + class: sp800-53a + prose: "documentation is distributed to {{ insert: param, sa-05_odp.02\ + \ }}." + links: + - href: "#sa-5_smt.d" + rel: assessment-for + links: + - href: "#sa-5_smt" + rel: assessment-for + - id: sa-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system documentation + + + system documentation, including administrator and user guides + + + system design documentation + + + records documenting attempts to obtain unavailable or nonexistent + system documentation + + + list of actions to be taken in response to documented attempts + to obtain system, system component, or system service documentation + + + risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system administrators + + + organizational personnel responsible for operating, using, and/or + maintaining the system + + + system developers + - id: sa-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for obtaining, protecting, and distributing + system administrator and user documentation + - id: sa-8 + class: SP800-53 + title: Security and Privacy Engineering Principles + params: + - id: sa-8_prm_1 + label: organization-defined systems security and privacy engineering + principles + - id: sa-08_odp.01 + label: systems security engineering principles + guidelines: + - prose: systems security engineering principles are defined; + - id: sa-08_odp.02 + label: privacy engineering principles + guidelines: + - prose: privacy engineering principles are defined; + props: + - name: label + value: SA-8 + - name: label + value: SA-08 + class: sp800-53a + - name: sort-id + value: sa-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-8_smt + name: statement + prose: "Apply the following systems security and privacy engineering\ + \ principles in the specification, design, development, implementation,\ + \ and modification of the system and system components: {{ insert:\ + \ param, sa-8_prm_1 }}." + - id: sa-8_gdn + name: guidance + prose: >- + Systems security and privacy engineering principles are closely + related to and implemented throughout the system development + life cycle (see [SA-3](#sa-3) ). Organizations can apply systems + security and privacy engineering principles to new systems under + development or to systems undergoing upgrades. For existing + systems, organizations apply systems security and privacy + engineering principles to system upgrades and modifications to + the extent feasible, given the current state of hardware, + software, and firmware components within those systems. + + + The application of systems security and privacy engineering principles + helps organizations develop trustworthy, secure, and resilient systems + and reduces the susceptibility to disruptions, hazards, threats, and + the creation of privacy problems for individuals. Examples of system + security engineering principles include: developing layered protections; + establishing security and privacy policies, architecture, and controls + as the foundation for design and development; incorporating security + and privacy requirements into the system development life cycle; delineating + physical and logical security boundaries; ensuring that developers + are trained on how to build secure software; tailoring controls to + meet organizational needs; and performing threat modeling to identify + use cases, threat agents, attack vectors and patterns, design patterns, + and compensating controls needed to mitigate risk. + + + Organizations that apply systems security and privacy engineering + concepts and principles can facilitate the development of trustworthy, + secure systems, system components, and system services; reduce risk + to acceptable levels; and make informed risk management decisions. + System security engineering principles can also be used to protect + against certain supply chain risks, including incorporating tamper-resistant + hardware into a design. + - id: sa-8_obj + name: assessment-objective + props: + - name: label + value: SA-08 + class: sp800-53a + parts: + - id: sa-8_obj-1 + name: assessment-objective + props: + - name: label + value: SA-08[01] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-2 + name: assessment-objective + props: + - name: label + value: SA-08[02] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-3 + name: assessment-objective + props: + - name: label + value: SA-08[03] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-4 + name: assessment-objective + props: + - name: label + value: SA-08[04] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-5 + name: assessment-objective + props: + - name: label + value: SA-08[05] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the modification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-6 + name: assessment-objective + props: + - name: label + value: SA-08[06] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-7 + name: assessment-objective + props: + - name: label + value: SA-08[07] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-8 + name: assessment-objective + props: + - name: label + value: SA-08[08] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-9 + name: assessment-objective + props: + - name: label + value: SA-08[09] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-10 + name: assessment-objective + props: + - name: label + value: SA-08[10] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the modification\ + \ of the system and system components." + links: + - href: "#sa-8_smt" + rel: assessment-for + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + assessment and authorization procedures + + + procedures addressing security and privacy engineering principles + used in the specification, design, development, implementation, + and modification of the system + + + system design documentation + + + security and privacy requirements and specifications for the system + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with system specification, design, development, + implementation, and modification responsibilities + + + system developers + - id: sa-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for applying security and privacy + engineering principles in system specification, design, + development, implementation, and modification + + + mechanisms supporting the application of security and privacy + engineering principles in system specification, design, development, + implementation, and modification + - id: sa-9 + class: SP800-53 + title: External System Services + params: + - id: sa-09_odp.01 + label: controls + constraints: + - description: Appropriate FedRAMP Security Controls Baseline (s) + if Federal information is processed or stored within the external + system + guidelines: + - prose: controls to be employed by external system service providers + are defined; + - id: sa-09_odp.02 + label: processes, methods, and techniques + constraints: + - description: Federal/FedRAMP Continuous Monitoring requirements + must be met for external systems where Federal information is + processed or stored + guidelines: + - prose: processes, methods, and techniques employed to monitor control + compliance by external service providers are defined; + props: + - name: label + value: SA-9 + - name: label + value: SA-09 + class: sp800-53a + - name: sort-id + value: sa-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-9_smt + name: statement + parts: + - id: sa-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Require that providers of external system services comply\ + \ with organizational security and privacy requirements and employ\ + \ the following controls: {{ insert: param, sa-09_odp.01 }};" + - id: sa-9_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document organizational oversight and user roles + and responsibilities with regard to external system services; + and + - id: sa-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Employ the following processes, methods, and techniques\ + \ to monitor control compliance by external service providers\ + \ on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + - id: sa-9_gdn + name: guidance + prose: External system services are provided by an external provider, + and the organization has no direct control over the implementation + of the required controls or the assessment of control effectiveness. + Organizations establish relationships with external service providers + in a variety of ways, including through business partnerships, contracts, + interagency agreements, lines of business arrangements, licensing + agreements, joint ventures, and supply chain exchanges. The responsibility + for managing risks from the use of external system services remains + with authorizing officials. For services external to organizations, + a chain of trust requires that organizations establish and retain + a certain level of confidence that each provider in the consumer-provider + relationship provides adequate protection for the services rendered. + The extent and nature of this chain of trust vary based on relationships + between organizations and the external providers. Organizations document + the basis for the trust relationships so that the relationships can + be monitored. External system services documentation includes government, + service providers, end user security roles and responsibilities, and + service-level agreements. Service-level agreements define the expectations + of performance for implemented controls, describe measurable outcomes, + and identify remedies and response requirements for identified instances + of noncompliance. + - id: sa-9_obj + name: assessment-objective + props: + - name: label + value: SA-09 + class: sp800-53a + parts: + - id: sa-9_obj.a + name: assessment-objective + props: + - name: label + value: SA-09a. + class: sp800-53a + parts: + - id: sa-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-09a.[01] + class: sp800-53a + prose: providers of external system services comply with organizational + security requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-09a.[02] + class: sp800-53a + prose: providers of external system services comply with organizational + privacy requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-09a.[03] + class: sp800-53a + prose: "providers of external system services employ {{ insert:\ + \ param, sa-09_odp.01 }};" + links: + - href: "#sa-9_smt.a" + rel: assessment-for + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.b + name: assessment-objective + props: + - name: label + value: SA-09b. + class: sp800-53a + parts: + - id: sa-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-09b.[01] + class: sp800-53a + prose: organizational oversight with regard to external system + services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-09b.[02] + class: sp800-53a + prose: user roles and responsibilities with regard to external + system services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.c + name: assessment-objective + props: + - name: label + value: SA-09c. + class: sp800-53a + prose: " {{ insert: param, sa-09_odp.02 }} are employed to monitor\ + \ control compliance by external service providers on an ongoing\ + \ basis." + links: + - href: "#sa-9_smt.c" + rel: assessment-for + links: + - href: "#sa-9_smt" + rel: assessment-for + - id: sa-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing methods and techniques for monitoring control + compliance by external service providers of system services + + + acquisition documentation + + + contracts + + + service level agreements + + + interagency agreements + + + licensing agreements + + + list of organizational security and privacy requirements for external + provider services + + + control assessment results or reports from external providers + of system services + + + system security plan + + + privacy plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + external providers of system services + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring security and privacy + control compliance by external service providers on an + ongoing basis + + + mechanisms for monitoring security and privacy control compliance + by external service providers on an ongoing basis + controls: + - id: sa-9.1 + class: SP800-53-enhancement + title: Risk Assessments and Organizational Approvals + params: + - id: sa-09.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles that approve the acquisition or outsourcing + of dedicated information security services is/are defined; + props: + - name: label + value: SA-9(1) + - name: label + value: SA-09(01) + class: sp800-53a + - name: sort-id + value: sa-09.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#ca-6" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + parts: + - id: sa-9.1_smt + name: statement + parts: + - id: sa-9.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Conduct an organizational assessment of risk prior to + the acquisition or outsourcing of information security services; + and + - id: sa-9.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Verify that the acquisition or outsourcing of dedicated\ + \ information security services is approved by {{ insert:\ + \ param, sa-09.01_odp }}." + - id: sa-9.1_gdn + name: guidance + prose: Information security services include the operation of security + devices, such as firewalls or key management services as well + as incident monitoring, analysis, and response. Risks assessed + can include system, mission or business, security, privacy, or + supply chain risks. + - id: sa-9.1_obj + name: assessment-objective + props: + - name: label + value: SA-09(01) + class: sp800-53a + parts: + - id: sa-9.1_obj.a + name: assessment-objective + props: + - name: label + value: SA-09(01)(a) + class: sp800-53a + prose: an organizational assessment of risk is conducted prior + to the acquisition or outsourcing of information security + services; + links: + - href: "#sa-9.1_smt.a" + rel: assessment-for + - id: sa-9.1_obj.b + name: assessment-objective + props: + - name: label + value: SA-09(01)(b) + class: sp800-53a + prose: " {{ insert: param, sa-09.01_odp }} approve the acquisition\ + \ or outsourcing of dedicated information security services." + links: + - href: "#sa-9.1_smt.b" + rel: assessment-for + links: + - href: "#sa-9.1_smt" + rel: assessment-for + - id: sa-9.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + supply chain risk management policy and procedures + + + procedures addressing external system services + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + risk assessment reports + + + approval records for the acquisition or outsourcing of dedicated + security services + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with system security responsibilities + + + external providers of system services + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-9.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for conducting a risk + assessment prior to acquiring or outsourcing dedicated + security services + + + organizational processes for approving the outsourcing of + dedicated security services + + + mechanisms supporting and/or implementing risk assessment + + + mechanisms supporting and/or implementing approval processes + - id: sa-9.2 + class: SP800-53-enhancement + title: Identification of Functions, Ports, Protocols, and Services + params: + - id: sa-09.02_odp + label: external system services + constraints: + - description: all external systems where Federal information + is processed or stored + guidelines: + - prose: external system services that require the identification + of functions, ports, protocols, and other services are defined; + props: + - name: label + value: SA-9(2) + - name: label + value: SA-09(02) + class: sp800-53a + - name: sort-id + value: sa-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + parts: + - id: sa-9.2_smt + name: statement + prose: "Require providers of the following external system services\ + \ to identify the functions, ports, protocols, and other services\ + \ required for the use of such services: {{ insert: param, sa-09.02_odp\ + \ }}." + - id: sa-9.2_gdn + name: guidance + prose: Information from external service providers regarding the + specific functions, ports, protocols, and services used in the + provision of such services can be useful when the need arises + to understand the trade-offs involved in restricting certain functions + and services or blocking certain ports and protocols. + - id: sa-9.2_obj + name: assessment-objective + props: + - name: label + value: SA-09(02) + class: sp800-53a + prose: "providers of {{ insert: param, sa-09.02_odp }} are required\ + \ to identify the functions, ports, protocols, and other services\ + \ required for the use of such services." + links: + - href: "#sa-9.2_smt" + rel: assessment-for + - id: sa-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + supply chain risk management policy and procedures + + + procedures addressing external system services + + + acquisition contracts for the system, system component, or + system service + + + acquisition documentation + + + solicitation documentation + + + service level agreements + + + organizational security requirements and security specifications + for external service providers + + + list of required functions, ports, protocols, and other services + + + system security plan + + + other relevant documents or records + - id: sa-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + external providers of system services + - id: sa-9.5 + class: SP800-53-enhancement + title: Processing, Storage, and Service Location + params: + - id: sa-09.05_odp.01 + constraints: + - description: information processing, information or data, AND + system services + select: + how-many: one-or-more + choice: + - information processing + - information or data + - system services + - id: sa-09.05_odp.02 + label: locations + constraints: + - description: U.S./U.S. Territories or geographic locations where + there is U.S. jurisdiction + guidelines: + - prose: "locations where {{ insert: param, sa-09.05_odp.01 }}\ + \ is/are to be restricted are defined;" + - id: sa-09.05_odp.03 + label: requirements + constraints: + - description: all High impact data, systems, or services + guidelines: + - prose: "requirements or conditions for restricting the location\ + \ of {{ insert: param, sa-09.05_odp.01 }} are defined;" + props: + - name: label + value: SA-9(5) + - name: label + value: SA-09(05) + class: sp800-53a + - name: sort-id + value: sa-09.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#sa-5" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: sa-9.5_smt + name: statement + prose: "Restrict the location of {{ insert: param, sa-09.05_odp.01\ + \ }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert:\ + \ param, sa-09.05_odp.03 }}." + - id: sa-9.5_gdn + name: guidance + prose: The location of information processing, information and data + storage, or system services can have a direct impact on the ability + of organizations to successfully execute their mission and business + functions. The impact occurs when external providers control the + location of processing, storage, or services. The criteria that + external providers use for the selection of processing, storage, + or service locations may be different from the criteria that organizations + use. For example, organizations may desire that data or information + storage locations be restricted to certain locations to help facilitate + incident response activities in case of information security incidents + or breaches. Incident response activities, including forensic + analyses and after-the-fact investigations, may be adversely affected + by the governing laws, policies, or protocols in the locations + where processing and storage occur and/or the locations from which + system services emanate. + - id: sa-9.5_obj + name: assessment-objective + props: + - name: label + value: SA-09(05) + class: sp800-53a + prose: "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert:\ + \ param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param,\ + \ sa-09.05_odp.02 }}." + links: + - href: "#sa-9.5_smt" + rel: assessment-for + - id: sa-9.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing external system services + + + acquisition contracts for the system, system component, or + system service + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + restricted locations for information processing + + + information/data and/or system services + + + information processing, information/data, and/or system services + to be maintained in restricted locations + + + organizational security requirements or conditions for external + providers + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + external providers of system services + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-9.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining the requirements + to restrict locations of information processing, + information/data, or information services + + + organizational processes for ensuring the location is restricted + in accordance with requirements or conditions + - id: sa-10 + class: SP800-53 + title: Developer Configuration Management + params: + - id: sa-10_odp.01 + constraints: + - description: development, implementation, AND operation + select: + how-many: one-or-more + choice: + - design + - development + - implementation + - operation + - disposal + - id: sa-10_odp.02 + label: configuration items + guidelines: + - prose: configuration items under configuration management are defined; + - id: sa-10_odp.03 + label: personnel + guidelines: + - prose: personnel to whom security flaws and flaw resolutions within + the system, component, or service are reported is/are defined; + props: + - name: label + value: SA-10 + - name: label + value: SA-10 + class: sp800-53a + - name: sort-id + value: sa-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: sa-10_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service to:" + parts: + - id: sa-10_smt.a + name: item + props: + - name: label + value: a. + prose: "Perform configuration management during system, component,\ + \ or service {{ insert: param, sa-10_odp.01 }};" + - id: sa-10_smt.b + name: item + props: + - name: label + value: b. + prose: "Document, manage, and control the integrity of changes to\ + \ {{ insert: param, sa-10_odp.02 }};" + - id: sa-10_smt.c + name: item + props: + - name: label + value: c. + prose: Implement only organization-approved changes to the system, + component, or service; + - id: sa-10_smt.d + name: item + props: + - name: label + value: d. + prose: Document approved changes to the system, component, or service + and the potential security and privacy impacts of such changes; + and + - id: sa-10_smt.e + name: item + props: + - name: label + value: e. + prose: "Track security flaws and flaw resolution within the system,\ + \ component, or service and report findings to {{ insert: param,\ + \ sa-10_odp.03 }}." + - id: sa-10_fr + name: item + title: SA-10 Additional FedRAMP Requirements and Guidance + parts: + - id: sa-10_fr_smt.1 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: track security flaws and flaw resolution within the system, + component, or service and report findings to organization-defined + personnel, to include FedRAMP. + - id: sa-10_gdn + name: guidance + prose: >- + Organizations consider the quality and completeness of + configuration management activities conducted by developers as + direct evidence of applying effective security controls. + Controls include protecting the master copies of material used + to generate security-relevant portions of the system hardware, + software, and firmware from unauthorized modification or + destruction. Maintaining the integrity of changes to the system, + system component, or system service requires strict + configuration control throughout the system development life + cycle to track authorized changes and prevent unauthorized + changes. + + + The configuration items that are placed under configuration management + include the formal model; the functional, high-level, and low-level + design specifications; other design data; implementation documentation; + source code and hardware schematics; the current running version of + the object code; tools for comparing new versions of security-relevant + hardware descriptions and source code with previous versions; and + test fixtures and documentation. Depending on the mission and business + needs of organizations and the nature of the contractual relationships + in place, developers may provide configuration management support + during the operations and maintenance stage of the system development + life cycle. + - id: sa-10_obj + name: assessment-objective + props: + - name: label + value: SA-10 + class: sp800-53a + parts: + - id: sa-10_obj.a + name: assessment-objective + props: + - name: label + value: SA-10a. + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to perform configuration management during\ + \ system, component, or service {{ insert: param, sa-10_odp.01\ + \ }};" + links: + - href: "#sa-10_smt.a" + rel: assessment-for + - id: sa-10_obj.b + name: assessment-objective + props: + - name: label + value: SA-10b. + class: sp800-53a + parts: + - id: sa-10_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-10b.[01] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to document the integrity of changes\ + \ to {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-10b.[02] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to manage the integrity of changes to\ + \ {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.b-3 + name: assessment-objective + props: + - name: label + value: SA-10b.[03] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to control the integrity of changes\ + \ to {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.c + name: assessment-objective + props: + - name: label + value: SA-10c. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to implement only organization-approved changes + to the system, component, or service; + links: + - href: "#sa-10_smt.c" + rel: assessment-for + - id: sa-10_obj.d + name: assessment-objective + props: + - name: label + value: SA-10d. + class: sp800-53a + parts: + - id: sa-10_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-10d.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document approved changes to the system, + component, or service; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-10d.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document the potential security impacts + of approved changes; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.d-3 + name: assessment-objective + props: + - name: label + value: SA-10d.[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document the potential privacy impacts + of approved changes; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.e + name: assessment-objective + props: + - name: label + value: SA-10e. + class: sp800-53a + parts: + - id: sa-10_obj.e-1 + name: assessment-objective + props: + - name: label + value: SA-10e.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to track security flaws within the system, + component, or service; + links: + - href: "#sa-10_smt.e" + rel: assessment-for + - id: sa-10_obj.e-2 + name: assessment-objective + props: + - name: label + value: SA-10e.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to track security flaw resolutions within + the system, component, or service; + links: + - href: "#sa-10_smt.e" + rel: assessment-for + - id: sa-10_obj.e-3 + name: assessment-objective + props: + - name: label + value: SA-10e.[03] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to report findings to {{ insert: param,\ + \ sa-10_odp.03 }}." + links: + - href: "#sa-10_smt.e" + rel: assessment-for + links: + - href: "#sa-10_smt.e" + rel: assessment-for + links: + - href: "#sa-10_smt" + rel: assessment-for + - id: sa-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing system developer configuration management + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system developer configuration management plan + + + security flaw and flaw resolution tracking records + + + system change authorization records + + + change control records + + + configuration management records + + + system security plan + + + other relevant documents or records + - id: sa-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with configuration management responsibilities + + + system developers + - id: sa-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + configuration management + + + mechanisms supporting and/or implementing the monitoring of developer + configuration management + - id: sa-11 + class: SP800-53 + title: Developer Testing and Evaluation + params: + - id: sa-11_odp.01 + select: + how-many: one-or-more + choice: + - unit + - integration + - system + - regression + - id: sa-11_odp.02 + label: frequency to conduct + guidelines: + - prose: "frequency at which to conduct {{ insert: param, sa-11_odp.01\ + \ }} testing/evaluation is defined;" + - id: sa-11_odp.03 + label: depth and coverage + guidelines: + - prose: "depth and coverage of {{ insert: param, sa-11_odp.01 }}\ + \ testing/evaluation is defined;" + props: + - name: label + value: SA-11 + - name: label + value: SA-11 + class: sp800-53a + - name: sort-id + value: sa-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-4" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-7" + rel: related + parts: + - id: sa-11_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service, at all post-design stages of the system development life\ + \ cycle, to:" + parts: + - id: sa-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement a plan for ongoing security and privacy + control assessments; + - id: sa-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation\ + \ {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03\ + \ }};" + - id: sa-11_smt.c + name: item + props: + - name: label + value: c. + prose: Produce evidence of the execution of the assessment plan + and the results of the testing and evaluation; + - id: sa-11_smt.d + name: item + props: + - name: label + value: d. + prose: Implement a verifiable flaw remediation process; and + - id: sa-11_smt.e + name: item + props: + - name: label + value: e. + prose: Correct flaws identified during testing and evaluation. + - id: sa-11_gdn + name: guidance + prose: >- + Developmental testing and evaluation confirms that the required + controls are implemented correctly, operating as intended, + enforcing the desired security and privacy policies, and meeting + established security and privacy requirements. Security + properties of systems and the privacy of individuals may be + affected by the interconnection of system components or changes + to those components. The interconnections or changes—including + upgrading or replacing applications, operating systems, and + firmware—may adversely affect previously implemented controls. + Ongoing assessment during development allows for additional + types of testing and evaluation that developers can conduct to + reduce or eliminate potential flaws. Testing custom software + applications may require approaches such as manual code review, + security architecture review, and penetration testing, as well + as and static analysis, dynamic analysis, binary analysis, or a + hybrid of the three analysis approaches. + + + Developers can use the analysis approaches, along with security instrumentation + and fuzzing, in a variety of tools and in source code reviews. The + security and privacy assessment plans include the specific activities + that developers plan to carry out, including the types of analyses, + testing, evaluation, and reviews of software and firmware components; + the degree of rigor to be applied; the frequency of the ongoing testing + and evaluation; and the types of artifacts produced during those processes. + The depth of testing and evaluation refers to the rigor and level + of detail associated with the assessment process. The coverage of + testing and evaluation refers to the scope (i.e., number and type) + of the artifacts included in the assessment process. Contracts specify + the acceptance criteria for security and privacy assessment plans, + flaw remediation processes, and the evidence that the plans and processes + have been diligently applied. Methods for reviewing and protecting + assessment plans, evidence, and documentation are commensurate with + the security category or classification level of the system. Contracts + may specify protection requirements for documentation. + - id: sa-11_obj + name: assessment-objective + props: + - name: label + value: SA-11 + class: sp800-53a + parts: + - id: sa-11_obj.a + name: assessment-objective + props: + - name: label + value: SA-11a. + class: sp800-53a + parts: + - id: sa-11_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-11a.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to develop a plan for ongoing security + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-11a.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to implement a plan for ongoing security + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-11a.[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to develop a plan for privacy assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-11a.[04] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to implement a plan for ongoing privacy + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.b + name: assessment-objective + props: + - name: label + value: SA-11b. + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required at all post-design stages of the system\ + \ development life cycle to perform {{ insert: param, sa-11_odp.01\ + \ }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{\ + \ insert: param, sa-11_odp.03 }};" + links: + - href: "#sa-11_smt.b" + rel: assessment-for + - id: sa-11_obj.c + name: assessment-objective + props: + - name: label + value: SA-11c. + class: sp800-53a + parts: + - id: sa-11_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-11c.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to produce evidence of the execution + of the assessment plan; + links: + - href: "#sa-11_smt.c" + rel: assessment-for + - id: sa-11_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-11c.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to produce the results of the testing + and evaluation; + links: + - href: "#sa-11_smt.c" + rel: assessment-for + links: + - href: "#sa-11_smt.c" + rel: assessment-for + - id: sa-11_obj.d + name: assessment-objective + props: + - name: label + value: SA-11d. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system development + life cycle to implement a verifiable flaw remediation process; + links: + - href: "#sa-11_smt.d" + rel: assessment-for + - id: sa-11_obj.e + name: assessment-objective + props: + - name: label + value: SA-11e. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system development + life cycle to correct flaws identified during testing and evaluation. + links: + - href: "#sa-11_smt.e" + rel: assessment-for + links: + - href: "#sa-11_smt" + rel: assessment-for + - id: sa-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system developer security and privacy testing + + + procedures addressing flaw remediation + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + security and privacy architecture + + + system design documentation + + + system developer security and privacy assessment plans + + + results of developer security and privacy assessments for the + system, system component, or system service + + + security and privacy flaw and remediation tracking records + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with developer security and privacy testing + responsibilities + + + system developers + - id: sa-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer security + testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of developer + security and privacy testing and evaluation + controls: + - id: sa-11.1 + class: SP800-53-enhancement + title: Static Code Analysis + props: + - name: label + value: SA-11(1) + - name: label + value: SA-11(01) + class: sp800-53a + - name: sort-id + value: sa-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-11" + rel: required + parts: + - id: sa-11.1_smt + name: statement + prose: Require the developer of the system, system component, or + system service to employ static code analysis tools to identify + common flaws and document the results of the analysis. + parts: + - id: sa-11.1_fr + name: item + title: SA-11(1) Additional FedRAMP Requirements + parts: + - id: sa-11.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: >- + The service provider must document its methodology + for reviewing newly developed code for the Service + in its Continuous Monitoring Plan. + + + If Static code analysis cannot be performed (for example, + when the source code is not available), then dynamic code + analysis must be performed (see SA-11 (8)) + - id: sa-11.1_gdn + name: guidance + prose: Static code analysis provides a technology and methodology + for security reviews and includes checking for weaknesses in the + code as well as for the incorporation of libraries or other included + code with known vulnerabilities or that are out-of-date and not + supported. Static code analysis can be used to identify vulnerabilities + and enforce secure coding practices. It is most effective when + used early in the development process, when each code change can + automatically be scanned for potential weaknesses. Static code + analysis can provide clear remediation guidance and identify defects + for developers to fix. Evidence of the correct implementation + of static analysis can include aggregate defect density for critical + defect types, evidence that defects were inspected by developers + or security professionals, and evidence that defects were remediated. + A high density of ignored findings, commonly referred to as false + positives, indicates a potential problem with the analysis process + or the analysis tool. In such cases, organizations weigh the validity + of the evidence against evidence from other sources. + - id: sa-11.1_obj + name: assessment-objective + props: + - name: label + value: SA-11(01) + class: sp800-53a + parts: + - id: sa-11.1_obj-1 + name: assessment-objective + props: + - name: label + value: SA-11(01)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to employ static code analysis tools to + identify common flaws; + links: + - href: "#sa-11.1_smt" + rel: assessment-for + - id: sa-11.1_obj-2 + name: assessment-objective + props: + - name: label + value: SA-11(01)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to employ static code analysis tools to + document the results of the analysis. + links: + - href: "#sa-11.1_smt" + rel: assessment-for + links: + - href: "#sa-11.1_smt" + rel: assessment-for + - id: sa-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system developer security testing + + + procedures addressing flaw remediation + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + security and privacy architecture + + + system design documentation + + + system developer security and privacy assessment plans + + + results of system developer security and privacy assessments + + + security flaw and remediation tracking records + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with developer security and privacy + testing responsibilities + + + organizational personnel with configuration management responsibilities + + + system developers + - id: sa-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + security testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of + developer security testing and evaluation + + + static code analysis tools + - id: sa-11.2 + class: SP800-53-enhancement + title: Threat Modeling and Vulnerability Analyses + params: + - id: sa-11.2_prm_3 + label: organization-defined breadth and depth of modeling and analyses + - id: sa-11.2_prm_4 + label: organization-defined acceptance criteria + - id: sa-11.02_odp.01 + label: information + guidelines: + - prose: information concerning impact, environment of operations, + known or assumed threats, and acceptable risk levels to be + used as contextual information for threat modeling and vulnerability + analyses is defined; + - id: sa-11.02_odp.02 + label: tools and methods + guidelines: + - prose: the tools and methods to be employed for threat modeling + and vulnerability analyses are defined; + - id: sa-11.02_odp.03 + label: breadth and depth + guidelines: + - prose: the breadth and depth of threat modeling to be conducted + is defined; + - id: sa-11.02_odp.04 + label: breadth and depth + guidelines: + - prose: the breadth and depth of vulnerability analyses to be + conducted is defined; + - id: sa-11.02_odp.05 + label: acceptance criteria + guidelines: + - prose: acceptance criteria to be met by produced evidence for + threat modeling are defined; + - id: sa-11.02_odp.06 + label: acceptance criteria + guidelines: + - prose: acceptance criteria to be met by produced evidence for + vulnerability analyses are defined; + props: + - name: label + value: SA-11(2) + - name: label + value: SA-11(02) + class: sp800-53a + - name: sort-id + value: sa-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-11" + rel: required + - href: "#pm-15" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + parts: + - id: sa-11.2_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to perform threat modeling and vulnerability\ + \ analyses during development and the subsequent testing and evaluation\ + \ of the system, component, or service that:" + parts: + - id: sa-11.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "Uses the following contextual information: {{ insert:\ + \ param, sa-11.02_odp.01 }};" + - id: sa-11.2_smt.b + name: item + props: + - name: label + value: (b) + prose: "Employs the following tools and methods: {{ insert:\ + \ param, sa-11.02_odp.02 }};" + - id: sa-11.2_smt.c + name: item + props: + - name: label + value: (c) + prose: "Conducts the modeling and analyses at the following\ + \ level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + - id: sa-11.2_smt.d + name: item + props: + - name: label + value: (d) + prose: "Produces evidence that meets the following acceptance\ + \ criteria: {{ insert: param, sa-11.2_prm_4 }}." + - id: sa-11.2_gdn + name: guidance + prose: Systems, system components, and system services may deviate + significantly from the functional and design specifications created + during the requirements and design stages of the system development + life cycle. Therefore, updates to threat modeling and vulnerability + analyses of those systems, system components, and system services + during development and prior to delivery are critical to the effective + operation of those systems, components, and services. Threat modeling + and vulnerability analyses at this stage of the system development + life cycle ensure that design and implementation changes have + been accounted for and that vulnerabilities created because of + those changes have been reviewed and mitigated. + - id: sa-11.2_obj + name: assessment-objective + props: + - name: label + value: SA-11(02) + class: sp800-53a + parts: + - id: sa-11.2_obj.a + name: assessment-objective + props: + - name: label + value: SA-11(02)(a) + class: sp800-53a + parts: + - id: sa-11.2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that uses {{ insert: param, sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that uses {{ insert: param, sa-11.02_odp.01\ + \ }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that uses {{ insert: param,\ + \ sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that uses {{ insert:\ + \ param, sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.b + name: assessment-objective + props: + - name: label + value: SA-11(02)(b) + class: sp800-53a + parts: + - id: sa-11.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that employs {{ insert: param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that employs {{ insert:\ + \ param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that employs {{ insert: param, sa-11.02_odp.02\ + \ }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that employs {{\ + \ insert: param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.c + name: assessment-objective + props: + - name: label + value: SA-11(02)(c) + class: sp800-53a + parts: + - id: sa-11.2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(c)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ at {{ insert: param, sa-11.02_odp.03 }} during development\ + \ of the system, component, or service;" + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + - id: sa-11.2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(c)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that conducts modeling\ + \ and analyses at {{ insert: param, sa-11.02_odp.04 }};" + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + - id: sa-11.2_obj.d + name: assessment-objective + props: + - name: label + value: SA-11(02)(d) + class: sp800-53a + parts: + - id: sa-11.2_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that produces evidence that meets {{ insert: param,\ + \ sa-11.02_odp.05 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that produces evidence\ + \ that meets {{ insert: param, sa-11.02_odp.05 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that produces evidence that meets {{ insert:\ + \ param, sa-11.02_odp.06 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that produces evidence\ + \ that meets {{ insert: param, sa-11.02_odp.06 }}." + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + links: + - href: "#sa-11.2_smt" + rel: assessment-for + - id: sa-11.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing system developer security testing + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + system developer security test plans + + + records of developer security testing results for the system, + system component, or system service + + + vulnerability scanning results + + + system risk assessment reports + + + threat and vulnerability analysis reports + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-11.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with developer security testing responsibilities + + + system developers + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-11.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + security testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of + developer security testing and evaluation + - id: sa-15 + class: SP800-53 + title: Development Process, Standards, and Tools + params: + - id: sa-15_prm_2 + label: organization-defined security and privacy requirements + - id: sa-15_odp.01 + label: frequency + constraints: + - description: frequency as before first use and annually thereafter + guidelines: + - prose: frequency at which to review the development process, standards, + tools, tool options, and tool configurations is defined; + - id: sa-15_odp.02 + label: security requirements + constraints: + - description: FedRAMP Security Authorization requirements + guidelines: + - prose: security requirements to be satisfied by the process, standards, + tools, tool options, and tool configurations are defined; + - id: sa-15_odp.03 + label: privacy requirements + guidelines: + - prose: privacy requirements to be satisfied by the process, standards, + tools, tool options, and tool configurations are defined; + props: + - name: label + value: SA-15 + - name: label + value: SA-15 + class: sp800-53a + - name: sort-id + value: sa-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#ma-6" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-15_smt + name: statement + parts: + - id: sa-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Require the developer of the system, system component, or\ + \ system service to follow a documented development process that:" + parts: + - id: sa-15_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Explicitly addresses security and privacy requirements; + - id: sa-15_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Identifies the standards and tools used in the development + process; + - id: sa-15_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Documents the specific tool options and tool configurations + used in the development process; and + - id: sa-15_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Documents, manages, and ensures the integrity of changes + to the process and/or tools used in development; and + - id: sa-15_smt.b + name: item + props: + - name: label + value: b. + prose: "Review the development process, standards, tools, tool options,\ + \ and tool configurations {{ insert: param, sa-15_odp.01 }} to\ + \ determine if the process, standards, tools, tool options and\ + \ tool configurations selected and employed can satisfy the following\ + \ security and privacy requirements: {{ insert: param, sa-15_prm_2\ + \ }}." + - id: sa-15_gdn + name: guidance + prose: Development tools include programming languages and computer-aided + design systems. Reviews of development processes include the use of + maturity models to determine the potential effectiveness of such processes. + Maintaining the integrity of changes to tools and processes facilitates + effective supply chain risk assessment and mitigation. Such integrity + requires configuration control throughout the system development life + cycle to track authorized changes and prevent unauthorized changes. + - id: sa-15_obj + name: assessment-objective + props: + - name: label + value: SA-15 + class: sp800-53a + parts: + - id: sa-15_obj.a + name: assessment-objective + props: + - name: label + value: SA-15a. + class: sp800-53a + parts: + - id: sa-15_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-15a.01 + class: sp800-53a + parts: + - id: sa-15_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: SA-15a.01[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that explicitly addresses security requirements; + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + - id: sa-15_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: SA-15a.01[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that explicitly addresses privacy requirements; + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + - id: sa-15_obj.a.2 + name: assessment-objective + props: + - name: label + value: SA-15a.02 + class: sp800-53a + parts: + - id: sa-15_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SA-15a.02[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that identifies the standards used in the development + process; + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + - id: sa-15_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SA-15a.02[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that identifies the tools used in the development + process; + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + - id: sa-15_obj.a.3 + name: assessment-objective + props: + - name: label + value: SA-15a.03 + class: sp800-53a + parts: + - id: sa-15_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: SA-15a.03[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that documents the specific tool used in the development + process; + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + - id: sa-15_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: SA-15a.03[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that documents the specific tool configurations + used in the development process; + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + - id: sa-15_obj.a.4 + name: assessment-objective + props: + - name: label + value: SA-15a.04 + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to follow a documented development process + that documents, manages, and ensures the integrity of changes + to the process and/or tools used in development; + links: + - href: "#sa-15_smt.a.4" + rel: assessment-for + links: + - href: "#sa-15_smt.a" + rel: assessment-for + - id: sa-15_obj.b + name: assessment-objective + props: + - name: label + value: SA-15b. + class: sp800-53a + parts: + - id: sa-15_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-15b.[01] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to follow a documented development process\ + \ in which the development process, standards, tools, tool\ + \ options, and tool configurations are reviewed {{ insert:\ + \ param, sa-15_odp.01 }} to determine that the process, standards,\ + \ tools, tool options, and tool configurations selected and\ + \ employed satisfy {{ insert: param, sa-15_odp.02 }};" + links: + - href: "#sa-15_smt.b" + rel: assessment-for + - id: sa-15_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-15b.[02] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to follow a documented development process\ + \ in which the development process, standards, tools, tool\ + \ options, and tool configurations are reviewed {{ insert:\ + \ param, sa-15_odp.01 }} to determine that the process, standards,\ + \ tools, tool options, and tool configurations selected and\ + \ employed satisfy {{ insert: param, sa-15_odp.03 }}." + links: + - href: "#sa-15_smt.b" + rel: assessment-for + links: + - href: "#sa-15_smt.b" + rel: assessment-for + links: + - href: "#sa-15_smt" + rel: assessment-for + - id: sa-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing development process, standards, and tools + + + procedures addressing the integration of security and privacy + requirements during the development process + + + solicitation documentation + + + acquisition documentation + + + critical component inventory documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system developer documentation listing tool options/configuration + guides + + + configuration management policy + + + configuration management records + + + documentation of development process reviews using maturity models + + + change control records + + + configuration control records + + + documented reviews of the development process, standards, tools, + and tool options/configurations + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developer + controls: + - id: sa-15.3 + class: SP800-53-enhancement + title: Criticality Analysis + params: + - id: sa-15.3_prm_2 + label: organization-defined breadth and depth of criticality analysis + - id: sa-15.03_odp.01 + label: decision points + guidelines: + - prose: decision points in the system development life cycle + are defined; + - id: sa-15.03_odp.02 + label: breadth + guidelines: + - prose: the breadth of criticality analysis is defined; + - id: sa-15.03_odp.03 + label: depth + guidelines: + - prose: the depth of criticality analysis is defined; + props: + - name: label + value: SA-15(3) + - name: label + value: SA-15(03) + class: sp800-53a + - name: sort-id + value: sa-15.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-15" + rel: required + - href: "#ra-9" + rel: related + parts: + - id: sa-15.3_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to perform a criticality analysis:" + parts: + - id: sa-15.3_smt.a + name: item + props: + - name: label + value: (a) + prose: "At the following decision points in the system development\ + \ life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + - id: sa-15.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "At the following level of rigor: {{ insert: param, sa-15.3_prm_2\ + \ }}." + - id: sa-15.3_gdn + name: guidance + prose: Criticality analysis performed by the developer provides + input to the criticality analysis performed by organizations. + Developer input is essential to organizational criticality analysis + because organizations may not have access to detailed design documentation + for system components that are developed as commercial off-the-shelf + products. Such design documentation includes functional specifications, + high-level designs, low-level designs, source code, and hardware + schematics. Criticality analysis is important for organizational + systems that are designated as high value assets. High value assets + can be moderate- or high-impact systems due to heightened adversarial + interest or potential adverse effects on the federal enterprise. + Developer input is especially important when organizations conduct + supply chain criticality analyses. + - id: sa-15.3_obj + name: assessment-objective + props: + - name: label + value: SA-15(03) + class: sp800-53a + parts: + - id: sa-15.3_obj.a + name: assessment-objective + props: + - name: label + value: SA-15(03)(a) + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to perform a criticality analysis at\ + \ {{ insert: param, sa-15.03_odp.01 }} in the system development\ + \ life cycle;" + links: + - href: "#sa-15.3_smt.a" + rel: assessment-for + - id: sa-15.3_obj.b + name: assessment-objective + props: + - name: label + value: SA-15(03)(b) + class: sp800-53a + parts: + - id: sa-15.3_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-15(03)(b)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform a criticality\ + \ analysis at the following rigor level: {{ insert: param,\ + \ sa-15.03_odp.02 }};" + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + - id: sa-15.3_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-15(03)(b)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform a criticality\ + \ analysis at the following rigor level: {{ insert: param,\ + \ sa-15.03_odp.03 }} ." + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + links: + - href: "#sa-15.3_smt" + rel: assessment-for + - id: sa-15.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-15(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing development process, standards, and + tools + + + procedures addressing criticality analysis requirements for + the system, system component, or system service + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + criticality analysis documentation + + + business impact analysis documentation + + + software development life cycle documentation + + + system security plan + + + other relevant documents or records + - id: sa-15.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-15(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for performing criticality + analysis + + + system developer + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-15.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-15(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for performing criticality + analysis + + + mechanisms supporting and/or implementing criticality analysis + - id: sa-16 + class: SP800-53 + title: Developer-provided Training + params: + - id: sa-16_odp + label: training + guidelines: + - prose: training on the correct use and operation of the implemented + security and privacy functions, controls, and/or mechanisms provided + by the developer of the system, system component, or system service + is defined; + props: + - name: label + value: SA-16 + - name: label + value: SA-16 + class: sp800-53a + - name: sort-id + value: sa-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#pe-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + parts: + - id: sa-16_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service to provide the following training on the correct use and\ + \ operation of the implemented security and privacy functions, controls,\ + \ and/or mechanisms: {{ insert: param, sa-16_odp }}." + - id: sa-16_gdn + name: guidance + prose: Developer-provided training applies to external and internal + (in-house) developers. Training personnel is essential to ensuring + the effectiveness of the controls implemented within organizational + systems. Types of training include web-based and computer-based training, + classroom-style training, and hands-on training (including micro-training). + Organizations can also request training materials from developers + to conduct in-house training or offer self-training to organizational + personnel. Organizations determine the type of training necessary + and may require different types of training for different security + and privacy functions, controls, and mechanisms. + - id: sa-16_obj + name: assessment-objective + props: + - name: label + value: SA-16 + class: sp800-53a + prose: "the developer of the system, system component, or system service\ + \ is required to provide {{ insert: param, sa-16_odp }} on the correct\ + \ use and operation of the implemented security and privacy functions,\ + \ controls, and/or mechanisms." + links: + - href: "#sa-16_smt" + rel: assessment-for + - id: sa-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing developer-provided training + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + organizational security and privacy training policy + + + developer-provided training materials + + + training records + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developer + + + external or internal (in-house) developers with training responsibilities + for the system, system component, or information system service + - id: sa-17 + class: SP800-53 + title: Developer Security and Privacy Architecture and Design + props: + - name: label + value: SA-17 + - name: label + value: SA-17 + class: sp800-53a + - name: sort-id + value: sa-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#87087451-2af5-43d4-88c1-d66ad850f614" + rel: reference + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pl-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: sa-17_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service to produce a design specification and security and privacy\ + \ architecture that:" + parts: + - id: sa-17_smt.a + name: item + props: + - name: label + value: a. + prose: Is consistent with the organization’s security and privacy + architecture that is an integral part the organization’s enterprise + architecture; + - id: sa-17_smt.b + name: item + props: + - name: label + value: b. + prose: Accurately and completely describes the required security + and privacy functionality, and the allocation of controls among + physical and logical components; and + - id: sa-17_smt.c + name: item + props: + - name: label + value: c. + prose: Expresses how individual security and privacy functions, + mechanisms, and services work together to provide required security + and privacy capabilities and a unified approach to protection. + - id: sa-17_gdn + name: guidance + prose: Developer security and privacy architecture and design are directed + at external developers, although they could also be applied to internal + (in-house) development. In contrast, [PL-8](#pl-8) is directed at + internal developers to ensure that organizations develop a security + and privacy architecture that is integrated with the enterprise architecture. + The distinction between SA-17 and [PL-8](#pl-8) is especially important + when organizations outsource the development of systems, system components, + or system services and when there is a requirement to demonstrate + consistency with the enterprise architecture and security and privacy + architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), + [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) + provide information on security architecture and design, including + formal policy models, security-relevant components, formal and informal + correspondence, conceptually simple design, and structuring for least + privilege and testing. + - id: sa-17_obj + name: assessment-objective + props: + - name: label + value: SA-17 + class: sp800-53a + parts: + - id: sa-17_obj.a + name: assessment-objective + props: + - name: label + value: SA-17(a) + class: sp800-53a + parts: + - id: sa-17_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-17(a)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + security architecture that are consistent with the organization’s + security architecture, which is an integral part the organization’s + enterprise architecture; + links: + - href: "#sa-17_smt.a" + rel: assessment-for + - id: sa-17_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-17(a)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + privacy architecture that are consistent with the organization’s + privacy architecture, which is an integral part the organization’s + enterprise architecture; + links: + - href: "#sa-17_smt.a" + rel: assessment-for + links: + - href: "#sa-17_smt.a" + rel: assessment-for + - id: sa-17_obj.b + name: assessment-objective + props: + - name: label + value: SA-17(b) + class: sp800-53a + parts: + - id: sa-17_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-17(b)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + security architecture that accurately and completely describe + the required security functionality and the allocation of + controls among physical and logical components; + links: + - href: "#sa-17_smt.b" + rel: assessment-for + - id: sa-17_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-17(b)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + privacy architecture that accurately and completely describe + the required privacy functionality and the allocation of controls + among physical and logical components; + links: + - href: "#sa-17_smt.b" + rel: assessment-for + links: + - href: "#sa-17_smt.b" + rel: assessment-for + - id: sa-17_obj.c + name: assessment-objective + props: + - name: label + value: SA-17(c) + class: sp800-53a + parts: + - id: sa-17_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-17(c)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + security architecture that express how individual security + functions, mechanisms, and services work together to provide + required security capabilities and a unified approach to protection; + links: + - href: "#sa-17_smt.c" + rel: assessment-for + - id: sa-17_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-17(c)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to produce a design specification and + privacy architecture that express how individual privacy functions, + mechanisms, and services work together to provide required + privacy capabilities and a unified approach to protection. + links: + - href: "#sa-17_smt.c" + rel: assessment-for + links: + - href: "#sa-17_smt.c" + rel: assessment-for + links: + - href: "#sa-17_smt" + rel: assessment-for + - id: sa-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + enterprise architecture policy + + + enterprise architecture documentation + + + procedures addressing developer security and privacy architecture + and design specifications for the system + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system design documentation + + + information system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sa-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developer + - id: sa-21 + class: SP800-53 + title: Developer Screening + params: + - id: sa-21_odp.01 + label: system, systems component, or system service + guidelines: + - prose: the system, systems component, or system service that the + developer has access to is/are defined; + - id: sa-21_odp.02 + label: official government duties + guidelines: + - prose: official government duties assigned to the developer are + defined; + - id: sa-21_odp.03 + label: additional personnel screening criteria + guidelines: + - prose: additional personnel screening criteria for the developer + are defined; + props: + - name: label + value: SA-21 + - name: label + value: SA-21 + class: sp800-53a + - name: sort-id + value: sa-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-4" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: sa-21_smt + name: statement + prose: "Require that the developer of {{ insert: param, sa-21_odp.01\ + \ }}:" + parts: + - id: sa-21_smt.a + name: item + props: + - name: label + value: a. + prose: "Has appropriate access authorizations as determined by assigned\ + \ {{ insert: param, sa-21_odp.02 }} ; and" + - id: sa-21_smt.b + name: item + props: + - name: label + value: b. + prose: "Satisfies the following additional personnel screening criteria:\ + \ {{ insert: param, sa-21_odp.03 }}." + - id: sa-21_gdn + name: guidance + prose: Developer screening is directed at external developers. Internal + developer screening is addressed by [PS-3](#ps-3) . Because the system, + system component, or system service may be used in critical activities + essential to the national or economic security interests of the United + States, organizations have a strong interest in ensuring that developers + are trustworthy. The degree of trust required of developers may need + to be consistent with that of the individuals who access the systems, + system components, or system services once deployed. Authorization + and personnel screening criteria include clearances, background checks, + citizenship, and nationality. Developer trustworthiness may also include + a review and analysis of company ownership and relationships that + the company has with entities that may potentially affect the quality + and reliability of the systems, components, or services being developed. + Satisfying the required access authorizations and personnel screening + criteria includes providing a list of all individuals who are authorized + to perform development activities on the selected system, system component, + or system service so that organizations can validate that the developer + has satisfied the authorization and screening requirements. + - id: sa-21_obj + name: assessment-objective + props: + - name: label + value: SA-21 + class: sp800-53a + parts: + - id: sa-21_obj.a + name: assessment-objective + props: + - name: label + value: SA-21a. + class: sp800-53a + prose: "the developer of {{ insert: param, sa-21_odp.01 }} is required\ + \ to have appropriate access authorizations as determined by assigned\ + \ {{ insert: param, sa-21_odp.02 }};" + links: + - href: "#sa-21_smt.a" + rel: assessment-for + - id: sa-21_obj.b + name: assessment-objective + props: + - name: label + value: SA-21b. + class: sp800-53a + prose: "the developer of {{ insert: param, sa-21_odp.01 }} is required\ + \ to satisfy {{ insert: param, sa-21_odp.03 }}." + links: + - href: "#sa-21_smt.b" + rel: assessment-for + links: + - href: "#sa-21_smt" + rel: assessment-for + - id: sa-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + personnel security policy and procedures + + + procedures addressing personnel screening + + + system design documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for developer services + + + system configuration settings and associated documentation + + + list of appropriate access authorizations required by the developers + of the system + + + personnel screening criteria and associated documentation + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for developer screening + - id: sa-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for developer screening + + mechanisms supporting developer screening + - id: sa-22 + class: SP800-53 + title: Unsupported System Components + params: + - id: sa-22_odp.01 + select: + how-many: one-or-more + choice: + - in-house support + - " {{ insert: param, sa-22_odp.02 }} " + - id: sa-22_odp.02 + label: support from external providers + guidelines: + - prose: support from external providers is defined (if selected); + props: + - name: label + value: SA-22 + - name: label + value: SA-22 + class: sp800-53a + - name: sort-id + value: sa-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-2" + rel: related + - href: "#sa-3" + rel: related + parts: + - id: sa-22_smt + name: statement + parts: + - id: sa-22_smt.a + name: item + props: + - name: label + value: a. + prose: Replace system components when support for the components + is no longer available from the developer, vendor, or manufacturer; + or + - id: sa-22_smt.b + name: item + props: + - name: label + value: b. + prose: "Provide the following options for alternative sources for\ + \ continued support for unsupported components {{ insert: param,\ + \ sa-22_odp.01 }}." + - id: sa-22_gdn + name: guidance + prose: >- + Support for system components includes software patches, + firmware updates, replacement parts, and maintenance contracts. + An example of unsupported components includes when vendors no + longer provide critical software patches or product updates, + which can result in an opportunity for adversaries to exploit + weaknesses in the installed components. Exceptions to replacing + unsupported system components include systems that provide + critical mission or business capabilities where newer + technologies are not available or where the systems are so + isolated that installing replacement components is not an + option. + + + Alternative sources for support address the need to provide continued + support for system components that are no longer supported by the + original manufacturers, developers, or vendors when such components + remain essential to organizational mission and business functions. + If necessary, organizations can establish in-house support by developing + customized patches for critical software components or, alternatively, + obtain the services of external providers who provide ongoing support + for the designated unsupported components through contractual relationships. + Such contractual relationships can include open-source software value-added + vendors. The increased risk of using unsupported system components + can be mitigated, for example, by prohibiting the connection of such + components to public or uncontrolled networks, or implementing other + forms of isolation. + - id: sa-22_obj + name: assessment-objective + props: + - name: label + value: SA-22 + class: sp800-53a + parts: + - id: sa-22_obj.a + name: assessment-objective + props: + - name: label + value: SA-22a. + class: sp800-53a + prose: system components are replaced when support for the components + is no longer available from the developer, vendor, or manufacturer; + links: + - href: "#sa-22_smt.a" + rel: assessment-for + - id: sa-22_obj.b + name: assessment-objective + props: + - name: label + value: SA-22b. + class: sp800-53a + prose: " {{ insert: param, sa-22_odp.01 }} provide options for alternative\ + \ sources for continued support for unsupported components." + links: + - href: "#sa-22_smt.b" + rel: assessment-for + links: + - href: "#sa-22_smt" + rel: assessment-for + - id: sa-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the replacement or continued use of unsupported + system components + + + documented evidence of replacing unsupported system components + + + documented approvals (including justification) for the continued + use of unsupported system components + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with the responsibility for the system + development life cycle + + + organizational personnel responsible for component replacement + - id: sa-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for replacing unsupported system + components + + + mechanisms supporting and/or implementing the replacement of unsupported + system components + - id: sc + class: family + title: System and Communications Protection + controls: + - id: sc-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sc-1_prm_1 + label: organization-defined personnel or roles + - id: sc-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection policy is to be disseminated is/are defined; + - id: sc-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection procedures are to be disseminated is/are defined; + - id: sc-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business-process-level + - system-level + - id: sc-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and communications protection + policy and procedures is defined; + - id: sc-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and communications + protection policy is reviewed and updated is defined; + - id: sc-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and communications + protection policy to be reviewed and updated are defined; + - id: sc-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and communications + protection procedures are reviewed and updated is defined; + - id: sc-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and communications protection + procedures to be reviewed and updated are defined; + props: + - name: label + value: SC-1 + - name: label + value: SC-01 + class: sp800-53a + - name: sort-id + value: sc-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sc-1_smt + name: statement + parts: + - id: sc-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sc-1_prm_1 }}:" + parts: + - id: sc-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sc-01_odp.03 }} system and communications\ + \ protection policy that:" + parts: + - id: sc-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sc-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sc-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and communications protection policy and the associated system + and communications protection controls; + - id: sc-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sc-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures; and" + - id: sc-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and communications\ + \ protection:" + parts: + - id: sc-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sc-01_odp.05 }} and following\ + \ {{ insert: param, sc-01_odp.06 }} ; and" + - id: sc-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sc-01_odp.07 }} and following\ + \ {{ insert: param, sc-01_odp.08 }}." + - id: sc-1_gdn + name: guidance + prose: System and communications protection policy and procedures address + the controls in the SC family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and communications protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and communications protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: sc-1_obj + name: assessment-objective + props: + - name: label + value: SC-01 + class: sp800-53a + parts: + - id: sc-1_obj.a + name: assessment-objective + props: + - name: label + value: SC-01a. + class: sp800-53a + parts: + - id: sc-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.[01] + class: sp800-53a + prose: a system and communications protection policy is developed + and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.[02] + class: sp800-53a + prose: "the system and communications protection policy is disseminated\ + \ to {{ insert: param, sc-01_odp.01 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.[03] + class: sp800-53a + prose: system and communications protection procedures to facilitate + the implementation of the system and communications protection + policy and associated system and communications protection + controls are developed and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.[04] + class: sp800-53a + prose: "the system and communications protection procedures\ + \ are disseminated to {{ insert: param, sc-01_odp.02 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SC-01a.01 + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SC-01a.01(a) + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses purpose;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses scope;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses roles;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses responsibilities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses management\ + \ commitment;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses compliance;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system and\ + \ communications protection policy is consistent with\ + \ applicable laws, Executive Orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#sc-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1" + rel: assessment-for + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.b + name: assessment-objective + props: + - name: label + value: SC-01b. + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures;" + links: + - href: "#sc-1_smt.b" + rel: assessment-for + - id: sc-1_obj.c + name: assessment-objective + props: + - name: label + value: SC-01c. + class: sp800-53a + parts: + - id: sc-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SC-01c.01 + class: sp800-53a + parts: + - id: sc-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SC-01c.01[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated {{ insert: param, sc-01_odp.05\ + \ }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SC-01c.01[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, sc-01_odp.06 }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SC-01c.02 + class: sp800-53a + parts: + - id: sc-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SC-01c.02[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ sc-01_odp.07 }};" + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + - id: sc-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SC-01c.02[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, sc-01_odp.08 }}." + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c" + rel: assessment-for + links: + - href: "#sc-1_smt" + rel: assessment-for + - id: sc-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + system and communications protection procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: sc-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and communications + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: sc-2 + class: SP800-53 + title: Separation of System and User Functionality + props: + - name: label + value: SC-2 + - name: label + value: SC-02 + class: sp800-53a + - name: sort-id + value: sc-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-6" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-22" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + parts: + - id: sc-2_smt + name: statement + prose: Separate user functionality, including user interface services, + from system management functionality. + - id: sc-2_gdn + name: guidance + prose: System management functionality includes functions that are necessary + to administer databases, network components, workstations, or servers. + These functions typically require privileged user access. The separation + of user functions from system management functions is physical or + logical. Organizations may separate system management functions from + user functions by using different computers, instances of operating + systems, central processing units, or network addresses; by employing + virtualization techniques; or some combination of these or other methods. + Separation of system management functions from user functions includes + web administrative interfaces that employ separate authentication + methods for users of any other system resources. Separation of system + and user functions may include isolating administrative interfaces + on different domains and with additional access controls. The separation + of system and user functionality can be achieved by applying the systems + security engineering design principles in [SA-8](#sa-8) , including + [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), + [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , + and [SA-8(18)](#sa-8.18). + - id: sc-2_obj + name: assessment-objective + props: + - name: label + value: SC-02 + class: sp800-53a + prose: user functionality, including user interface services, is separated + from system management functionality. + links: + - href: "#sc-2_smt" + rel: assessment-for + - id: sc-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing application partitioning + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Separation of user functionality from system management functionality + - id: sc-3 + class: SP800-53 + title: Security Function Isolation + props: + - name: label + value: SC-3 + - name: label + value: SC-03 + class: sp800-53a + - name: sort-id + value: sc-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-25" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-3_smt + name: statement + prose: Isolate security functions from nonsecurity functions. + - id: sc-3_gdn + name: guidance + prose: Security functions are isolated from nonsecurity functions by + means of an isolation boundary implemented within a system via partitions + and domains. The isolation boundary controls access to and protects + the integrity of the hardware, software, and firmware that perform + system security functions. Systems implement code separation in many + ways, such as through the provision of security kernels via processor + rings or processor modes. For non-kernel code, security function isolation + is often achieved through file system protections that protect the + code on disk and address space protections that protect executing + code. Systems can restrict access to security functions using access + control mechanisms and by implementing least privilege capabilities. + While the ideal is for all code within the defined security function + isolation boundary to only contain security-relevant code, it is sometimes + necessary to include nonsecurity functions as an exception. The isolation + of security functions from nonsecurity functions can be achieved by + applying the systems security engineering design principles in [SA-8](#sa-8) + , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), + [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), + [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18). + - id: sc-3_obj + name: assessment-objective + props: + - name: label + value: SC-03 + class: sp800-53a + prose: security functions are isolated from non-security functions. + links: + - href: "#sc-3_smt" + rel: assessment-for + - id: sc-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing security function isolation + + + list of security functions to be isolated from non-security functions + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Separation of security functions from non-security functions + within the system + - id: sc-4 + class: SP800-53 + title: Information in Shared System Resources + props: + - name: label + value: SC-4 + - name: label + value: SC-04 + class: sp800-53a + - name: sort-id + value: sc-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: sc-4_smt + name: statement + prose: Prevent unauthorized and unintended information transfer via + shared system resources. + - id: sc-4_gdn + name: guidance + prose: Preventing unauthorized and unintended information transfer via + shared system resources stops information produced by the actions + of prior users or roles (or the actions of processes acting on behalf + of prior users or roles) from being available to current users or + roles (or current processes acting on behalf of current users or roles) + that obtain access to shared system resources after those resources + have been released back to the system. Information in shared system + resources also applies to encrypted representations of information. + In other contexts, control of information in shared system resources + is referred to as object reuse and residual information protection. + Information in shared system resources does not address information + remanence, which refers to the residual representation of data that + has been nominally deleted; covert channels (including storage and + timing channels), where shared system resources are manipulated to + violate information flow restrictions; or components within systems + for which there are only single users or roles. + - id: sc-4_obj + name: assessment-objective + props: + - name: label + value: SC-04 + class: sp800-53a + parts: + - id: sc-4_obj-1 + name: assessment-objective + props: + - name: label + value: SC-04[01] + class: sp800-53a + prose: unauthorized information transfer via shared system resources + is prevented; + links: + - href: "#sc-4_smt" + rel: assessment-for + - id: sc-4_obj-2 + name: assessment-objective + props: + - name: label + value: SC-04[02] + class: sp800-53a + prose: unintended information transfer via shared system resources + is prevented. + links: + - href: "#sc-4_smt" + rel: assessment-for + links: + - href: "#sc-4_smt" + rel: assessment-for + - id: sc-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing information protection in shared system + resources + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms preventing the unauthorized and unintended transfer + of information via shared system resources + - id: sc-5 + class: SP800-53 + title: Denial-of-service Protection + params: + - id: sc-05_odp.01 + label: types of denial-of-service events + constraints: + - description: "at a minimum: ICMP (ping) flood, SYN flood, slowloris,\ + \ buffer overflow attack, and volume attack" + guidelines: + - prose: types of denial-of-service events to be protected against + or limited are defined; + - id: sc-05_odp.02 + constraints: + - description: Protect against + select: + choice: + - protect against + - limit + - id: sc-05_odp.03 + label: controls by type of denial-of-service event + guidelines: + - prose: controls to achieve the denial-of-service objective by type + of denial-of-service event are defined; + props: + - name: label + value: SC-5 + - name: label + value: SC-05 + class: sp800-53a + - name: sort-id + value: sc-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#sc-6" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-40" + rel: related + parts: + - id: sc-5_smt + name: statement + parts: + - id: sc-5_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, sc-05_odp.02 }} the effects of the following\ + \ types of denial-of-service events: {{ insert: param, sc-05_odp.01\ + \ }} ; and" + - id: sc-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to achieve the denial-of-service\ + \ objective: {{ insert: param, sc-05_odp.03 }}." + - id: sc-5_gdn + name: guidance + prose: Denial-of-service events may occur due to a variety of internal + and external causes, such as an attack by an adversary or a lack of + planning to support organizational needs with respect to capacity + and bandwidth. Such attacks can occur across a wide range of network + protocols (e.g., IPv4, IPv6). A variety of technologies are available + to limit or eliminate the origination and effects of denial-of-service + events. For example, boundary protection devices can filter certain + types of packets to protect system components on internal networks + from being directly affected by or the source of denial-of-service + attacks. Employing increased network capacity and bandwidth combined + with service redundancy also reduces the susceptibility to denial-of-service + events. + - id: sc-5_obj + name: assessment-objective + props: + - name: label + value: SC-05 + class: sp800-53a + parts: + - id: sc-5_obj.a + name: assessment-objective + props: + - name: label + value: SC-05a. + class: sp800-53a + prose: "the effects of {{ insert: param, sc-05_odp.01 }} are {{\ + \ insert: param, sc-05_odp.02 }};" + links: + - href: "#sc-5_smt.a" + rel: assessment-for + - id: sc-5_obj.b + name: assessment-objective + props: + - name: label + value: SC-05b. + class: sp800-53a + prose: " {{ insert: param, sc-05_odp.03 }} are employed to achieve\ + \ the denial-of-service protection objective." + links: + - href: "#sc-5_smt.b" + rel: assessment-for + links: + - href: "#sc-5_smt" + rel: assessment-for + - id: sc-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing denial-of-service protection + + + system design documentation + + + list of denial-of-service attacks requiring employment of security + safeguards to protect against or limit effects of such attacks + + + list of security safeguards protecting against or limiting the + effects of denial-of-service attacks + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + + + system developer + - id: sc-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms protecting against or limiting the effects of + denial-of-service attacks + - id: sc-7 + class: SP800-53 + title: Boundary Protection + params: + - id: sc-07_odp + select: + choice: + - physically + - logically + props: + - name: label + value: SC-7 + - name: label + value: SC-07 + class: sp800-53a + - name: sort-id + value: sc-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a7f0e897-29a3-45c4-bd88-40dfef0e034a" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-10" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-43" + rel: related + parts: + - id: sc-7_smt + name: statement + parts: + - id: sc-7_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces + within the system; + - id: sc-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement subnetworks for publicly accessible system components\ + \ that are {{ insert: param, sc-07_odp }} separated from internal\ + \ organizational networks; and" + - id: sc-7_smt.c + name: item + props: + - name: label + value: c. + prose: Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + - id: sc-7_fr + name: item + title: SC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: SC-7 (b) should be met by subnet isolation. A subnetwork + (subnet) is a physically or logically segmented section of + a larger network defined at TCP/IP Layer 3, to both minimize + traffic and, important for a FedRAMP Authorization, add a + crucial layer of network isolation. Subnets are distinct from + VLANs (Layer 2), security groups, and VPCs and are specifically + required to satisfy SC-7 part b and other controls. See the + FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) + for additional information. + - id: sc-7_gdn + name: guidance + prose: Managed interfaces include gateways, routers, firewalls, guards, + network-based malicious code analysis, virtualization systems, or + encrypted tunnels implemented within a security architecture. Subnetworks + that are physically or logically separated from internal networks + are referred to as demilitarized zones or DMZs. Restricting or prohibiting + interfaces within organizational systems includes restricting external + web traffic to designated web servers within managed interfaces, prohibiting + external traffic that appears to be spoofing internal addresses, and + prohibiting internal traffic that appears to be spoofing external + addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides + additional information on source address validation techniques to + prevent ingress and egress of traffic with spoofed addresses. Commercial + telecommunications services are provided by network components and + consolidated management systems shared by customers. These services + may also include third party-provided access lines and other service + elements. Such services may represent sources of increased risk despite + contract security provisions. Boundary protection may be implemented + as a common control for all or part of an organizational network such + that the boundary to be protected is greater than a system-specific + boundary (i.e., an authorization boundary). + - id: sc-7_obj + name: assessment-objective + props: + - name: label + value: SC-07 + class: sp800-53a + parts: + - id: sc-7_obj.a + name: assessment-objective + props: + - name: label + value: SC-07a. + class: sp800-53a + parts: + - id: sc-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-07a.[01] + class: sp800-53a + prose: communications at external managed interfaces to the + system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-07a.[02] + class: sp800-53a + prose: communications at external managed interfaces to the + system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-07a.[03] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-07a.[04] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.b + name: assessment-objective + props: + - name: label + value: SC-07b. + class: sp800-53a + prose: "subnetworks for publicly accessible system components are\ + \ {{ insert: param, sc-07_odp }} separated from internal organizational\ + \ networks;" + links: + - href: "#sc-7_smt.b" + rel: assessment-for + - id: sc-7_obj.c + name: assessment-objective + props: + - name: label + value: SC-07c. + class: sp800-53a + prose: external networks or systems are only connected to through + managed interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + links: + - href: "#sc-7_smt.c" + rel: assessment-for + links: + - href: "#sc-7_smt" + rel: assessment-for + - id: sc-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing boundary protection + + list of key internal boundaries of the system + + system design documentation + + boundary protection hardware and software + + system configuration settings and associated documentation + + enterprise security architecture documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing boundary protection capabilities + controls: + - id: sc-7.3 + class: SP800-53-enhancement + title: Access Points + props: + - name: label + value: SC-7(3) + - name: label + value: SC-07(03) + class: sp800-53a + - name: sort-id + value: sc-07.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.3_smt + name: statement + prose: Limit the number of external network connections to the system. + - id: sc-7.3_gdn + name: guidance + prose: Limiting the number of external network connections facilitates + monitoring of inbound and outbound communications traffic. The + Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) + initiative is an example of a federal guideline that requires + limits on the number of external network connections. Limiting + the number of external network connections to the system is important + during transition periods from older to newer technologies (e.g., + transitioning from IPv4 to IPv6 network protocols). Such transitions + may require implementing the older and newer technologies simultaneously + during the transition period and thus increase the number of access + points to the system. + - id: sc-7.3_obj + name: assessment-objective + props: + - name: label + value: SC-07(03) + class: sp800-53a + prose: the number of external network connections to the system + is limited. + links: + - href: "#sc-7.3_smt" + rel: assessment-for + - id: sc-7.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + boundary protection hardware and software + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + communications and network traffic monitoring logs + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing boundary protection capabilities + + + mechanisms limiting the number of external network connections + to the system + - id: sc-7.4 + class: SP800-53-enhancement + title: External Telecommunications Services + params: + - id: sc-07.04_odp + label: frequency + constraints: + - description: at least every ninety (90) days or whenever there + is a change in the threat environment that warrants a review + of the exceptions + guidelines: + - prose: the frequency at which to review exceptions to traffic + flow policy is defined; + props: + - name: label + value: SC-7(4) + - name: label + value: SC-07(04) + class: sp800-53a + - name: sort-id + value: sc-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#sc-7" + rel: required + - href: "#ac-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-7.4_smt + name: statement + parts: + - id: sc-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Implement a managed interface for each external telecommunication + service; + - id: sc-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Establish a traffic flow policy for each managed interface; + - id: sc-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Protect the confidentiality and integrity of the information + being transmitted across each interface; + - id: sc-7.4_smt.d + name: item + props: + - name: label + value: (d) + prose: Document each exception to the traffic flow policy with + a supporting mission or business need and duration of that + need; + - id: sc-7.4_smt.e + name: item + props: + - name: label + value: (e) + prose: "Review exceptions to the traffic flow policy {{ insert:\ + \ param, sc-07.04_odp }} and remove exceptions that are no\ + \ longer supported by an explicit mission or business need;" + - id: sc-7.4_smt.f + name: item + props: + - name: label + value: (f) + prose: Prevent unauthorized exchange of control plane traffic + with external networks; + - id: sc-7.4_smt.g + name: item + props: + - name: label + value: (g) + prose: Publish information to enable remote networks to detect + unauthorized control plane traffic from internal networks; + and + - id: sc-7.4_smt.h + name: item + props: + - name: label + value: (h) + prose: Filter unauthorized control plane traffic from external + networks. + - id: sc-7.4_gdn + name: guidance + prose: External telecommunications services can provide data and/or + voice communications services. Examples of control plane traffic + include Border Gateway Protocol (BGP) routing, Domain Name System + (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) + for additional information on the use of the resource public key + infrastructure (RPKI) to protect BGP routes and detect unauthorized + BGP announcements. + - id: sc-7.4_obj + name: assessment-objective + props: + - name: label + value: SC-07(04) + class: sp800-53a + parts: + - id: sc-7.4_obj.a + name: assessment-objective + props: + - name: label + value: SC-07(04)(a) + class: sp800-53a + prose: a managed interface is implemented for each external + telecommunication service; + links: + - href: "#sc-7.4_smt.a" + rel: assessment-for + - id: sc-7.4_obj.b + name: assessment-objective + props: + - name: label + value: SC-07(04)(b) + class: sp800-53a + prose: a traffic flow policy is established for each managed + interface; + links: + - href: "#sc-7.4_smt.b" + rel: assessment-for + - id: sc-7.4_obj.c + name: assessment-objective + props: + - name: label + value: SC-07(04)(c) + class: sp800-53a + parts: + - id: sc-7.4_obj.c-1 + name: assessment-objective + props: + - name: label + value: SC-07(04)(c)[01] + class: sp800-53a + prose: the confidentiality of the information being transmitted + across each interface is protected; + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + - id: sc-7.4_obj.c-2 + name: assessment-objective + props: + - name: label + value: SC-07(04)(c)[02] + class: sp800-53a + prose: the integrity of the information being transmitted + across each interface is protected; + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + - id: sc-7.4_obj.d + name: assessment-objective + props: + - name: label + value: SC-07(04)(d) + class: sp800-53a + prose: each exception to the traffic flow policy is documented + with a supporting mission or business need and duration of + that need; + links: + - href: "#sc-7.4_smt.d" + rel: assessment-for + - id: sc-7.4_obj.e + name: assessment-objective + props: + - name: label + value: SC-07(04)(e) + class: sp800-53a + parts: + - id: sc-7.4_obj.e-1 + name: assessment-objective + props: + - name: label + value: SC-07(04)(e)[01] + class: sp800-53a + prose: "exceptions to the traffic flow policy are reviewed\ + \ {{ insert: param, sc-07.04_odp }};" + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + - id: sc-7.4_obj.e-2 + name: assessment-objective + props: + - name: label + value: SC-07(04)(e)[02] + class: sp800-53a + prose: exceptions to the traffic flow policy that are no + longer supported by an explicit mission or business need + are removed; + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + - id: sc-7.4_obj.f + name: assessment-objective + props: + - name: label + value: SC-07(04)(f) + class: sp800-53a + prose: unauthorized exchanges of control plan traffic with external + networks are prevented; + links: + - href: "#sc-7.4_smt.f" + rel: assessment-for + - id: sc-7.4_obj.g + name: assessment-objective + props: + - name: label + value: SC-07(04)(g) + class: sp800-53a + prose: information is published to enable remote networks to + detect unauthorized control plane traffic from internal networks; + links: + - href: "#sc-7.4_smt.g" + rel: assessment-for + - id: sc-7.4_obj.h + name: assessment-objective + props: + - name: label + value: SC-07(04)(h) + class: sp800-53a + prose: unauthorized control plane traffic is filtered from external + networks. + links: + - href: "#sc-7.4_smt.h" + rel: assessment-for + links: + - href: "#sc-7.4_smt" + rel: assessment-for + - id: sc-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + traffic flow policy + + + information flow control policy + + + procedures addressing boundary protection + + + system security architecture + + + system design documentation + + + boundary protection hardware and software + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + records of traffic flow policy exceptions + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for documenting and reviewing + exceptions to the traffic flow policy + + + organizational processes for removing exceptions to the traffic + flow policy + + + mechanisms implementing boundary protection capabilities + + + managed interfaces implementing traffic flow policy + - id: sc-7.5 + class: SP800-53-enhancement + title: Deny by Default — Allow by Exception + params: + - id: sc-07.05_odp.01 + constraints: + - description: any systems + select: + how-many: one-or-more + choice: + - at managed interfaces + - "for {{ insert: param, sc-07.05_odp.02 }} " + - id: sc-07.05_odp.02 + label: systems + guidelines: + - prose: systems for which network communications traffic is denied + by default and network communications traffic is allowed by + exception are defined (if selected). + props: + - name: label + value: SC-7(5) + - name: label + value: SC-07(05) + class: sp800-53a + - name: sort-id + value: sc-07.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.5_smt + name: statement + prose: "Deny network communications traffic by default and allow\ + \ network communications traffic by exception {{ insert: param,\ + \ sc-07.05_odp.01 }}." + parts: + - id: sc-7.5_fr + name: item + title: SC-7 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-7.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For JAB Authorization, CSPs shall include details + of this control in their Architecture Briefing + - id: sc-7.5_gdn + name: guidance + prose: Denying by default and allowing by exception applies to inbound + and outbound network communications traffic. A deny-all, permit-by-exception + network communications traffic policy ensures that only those + system connections that are essential and approved are allowed. + Deny by default, allow by exception also applies to a system that + is connected to an external system. + - id: sc-7.5_obj + name: assessment-objective + props: + - name: label + value: SC-07(05) + class: sp800-53a + parts: + - id: sc-7.5_obj-1 + name: assessment-objective + props: + - name: label + value: SC-07(05)[01] + class: sp800-53a + prose: "network communications traffic is denied by default\ + \ {{ insert: param, sc-07.05_odp.01 }};" + links: + - href: "#sc-7.5_smt" + rel: assessment-for + - id: sc-7.5_obj-2 + name: assessment-objective + props: + - name: label + value: SC-07(05)[02] + class: sp800-53a + prose: "network communications traffic is allowed by exception\ + \ {{ insert: param, sc-07.05_odp.01 }}." + links: + - href: "#sc-7.5_smt" + rel: assessment-for + links: + - href: "#sc-7.5_smt" + rel: assessment-for + - id: sc-7.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing traffic management at managed + interfaces + - id: sc-7.7 + class: SP800-53-enhancement + title: Split Tunneling for Remote Devices + params: + - id: sc-07.07_odp + label: safeguards + guidelines: + - prose: safeguards to securely provision split tunneling are + defined; + props: + - name: label + value: SC-7(7) + - name: label + value: SC-07(07) + class: sp800-53a + - name: sort-id + value: sc-07.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.7_smt + name: statement + prose: "Prevent split tunneling for remote devices connecting to\ + \ organizational systems unless the split tunnel is securely provisioned\ + \ using {{ insert: param, sc-07.07_odp }}." + - id: sc-7.7_gdn + name: guidance + prose: Split tunneling is the process of allowing a remote user + or device to establish a non-remote connection with a system and + simultaneously communicate via some other connection to a resource + in an external network. This method of network access enables + a user to access remote devices and simultaneously, access uncontrolled + networks. Split tunneling might be desirable by remote users to + communicate with local system resources, such as printers or file + servers. However, split tunneling can facilitate unauthorized + external connections, making the system vulnerable to attack and + to exfiltration of organizational information. Split tunneling + can be prevented by disabling configuration settings that allow + such capability in remote devices and by preventing those configuration + settings from being configurable by users. Prevention can also + be achieved by the detection of split tunneling (or of configuration + settings that allow split tunneling) in the remote device, and + by prohibiting the connection if the remote device is using split + tunneling. A virtual private network (VPN) can be used to securely + provision a split tunnel. A securely provisioned VPN includes + locking connectivity to exclusive, managed, and named environments, + or to a specific set of pre-approved addresses, without user control. + - id: sc-7.7_obj + name: assessment-objective + props: + - name: label + value: SC-07(07) + class: sp800-53a + prose: "split tunneling is prevented for remote devices connecting\ + \ to organizational systems unless the split tunnel is securely\ + \ provisioned using {{ insert: param, sc-07.07_odp }}." + links: + - href: "#sc-7.7_smt" + rel: assessment-for + - id: sc-7.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Mechanisms implementing boundary protection capabilities + + mechanisms supporting/restricting non-remote connections + - id: sc-7.8 + class: SP800-53-enhancement + title: Route Traffic to Authenticated Proxy Servers + params: + - id: sc-07.08_odp.01 + label: internal communications traffic + guidelines: + - prose: internal communications traffic to be routed to external + networks is defined; + - id: sc-07.08_odp.02 + label: external networks + constraints: + - description: any network outside of organizational control and + any network outside the authorization boundary + guidelines: + - prose: external networks to which internal communications traffic + is to be routed are defined; + props: + - name: label + value: SC-7(8) + - name: label + value: SC-07(08) + class: sp800-53a + - name: sort-id + value: sc-07.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + - href: "#ac-3" + rel: related + parts: + - id: sc-7.8_smt + name: statement + prose: "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert:\ + \ param, sc-07.08_odp.02 }} through authenticated proxy servers\ + \ at managed interfaces." + - id: sc-7.8_gdn + name: guidance + prose: External networks are networks outside of organizational + control. A proxy server is a server (i.e., system or application) + that acts as an intermediary for clients requesting system resources + from non-organizational or other organizational servers. System + resources that may be requested include files, connections, web + pages, or services. Client requests established through a connection + to a proxy server are assessed to manage complexity and provide + additional protection by limiting direct connectivity. Web content + filtering devices are one of the most common proxy servers that + provide access to the Internet. Proxy servers can support the + logging of Transmission Control Protocol sessions and the blocking + of specific Uniform Resource Locators, Internet Protocol addresses, + and domain names. Web proxies can be configured with organization-defined + lists of authorized and unauthorized websites. Note that proxy + servers may inhibit the use of virtual private networks (VPNs) + and create the potential for "man-in-the-middle" attacks (depending + on the implementation). + - id: sc-7.8_obj + name: assessment-objective + props: + - name: label + value: SC-07(08) + class: sp800-53a + prose: " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert:\ + \ param, sc-07.08_odp.02 }} through authenticated proxy servers\ + \ at managed interfaces." + links: + - href: "#sc-7.8_smt" + rel: assessment-for + - id: sc-7.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing traffic management through authenticated + proxy servers at managed interfaces + - id: sc-7.10 + class: SP800-53-enhancement + title: Prevent Exfiltration + params: + - id: sc-07.10_odp + label: frequency + guidelines: + - prose: the frequency for conducting exfiltration tests is defined; + props: + - name: label + value: SC-7(10) + - name: label + value: SC-07(10) + class: sp800-53a + - name: sort-id + value: sc-07.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + - href: "#ac-2" + rel: related + - href: "#ca-8" + rel: related + - href: "#si-3" + rel: related + parts: + - id: sc-7.10_smt + name: statement + parts: + - id: sc-7.10_smt.a + name: item + props: + - name: label + value: (a) + prose: Prevent the exfiltration of information; and + - id: sc-7.10_smt.b + name: item + props: + - name: label + value: (b) + prose: "Conduct exfiltration tests {{ insert: param, sc-07.10_odp\ + \ }}." + - id: sc-7.10_gdn + name: guidance + prose: Prevention of exfiltration applies to both the intentional + and unintentional exfiltration of information. Techniques used + to prevent the exfiltration of information from systems may be + implemented at internal endpoints, external boundaries, and across + managed interfaces and include adherence to protocol formats, + monitoring for beaconing activity from systems, disconnecting + external network interfaces except when explicitly needed, employing + traffic profile analysis to detect deviations from the volume + and types of traffic expected, call backs to command and control + centers, conducting penetration testing, monitoring for steganography, + disassembling and reassembling packet headers, and using data + loss and data leakage prevention tools. Devices that enforce strict + adherence to protocol formats include deep packet inspection firewalls + and Extensible Markup Language (XML) gateways. The devices verify + adherence to protocol formats and specifications at the application + layer and identify vulnerabilities that cannot be detected by + devices that operate at the network or transport layers. The prevention + of exfiltration is similar to data loss prevention or data leakage + prevention and is closely associated with cross-domain solutions + and system guards that enforce information flow requirements. + - id: sc-7.10_obj + name: assessment-objective + props: + - name: label + value: SC-07(10) + class: sp800-53a + parts: + - id: sc-7.10_obj.a + name: assessment-objective + props: + - name: label + value: SC-07(10)(a) + class: sp800-53a + prose: the exfiltration of information is prevented; + links: + - href: "#sc-7.10_smt.a" + rel: assessment-for + - id: sc-7.10_obj.b + name: assessment-objective + props: + - name: label + value: SC-07(10)(b) + class: sp800-53a + prose: "exfiltration tests are conducted {{ insert: param, sc-07.10_odp\ + \ }}." + links: + - href: "#sc-7.10_smt.b" + rel: assessment-for + links: + - href: "#sc-7.10_smt" + rel: assessment-for + - id: sc-7.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing boundary protection capabilities + that prevent the unauthorized exfiltration of information + across managed interfaces + - id: sc-7.12 + class: SP800-53-enhancement + title: Host-based Protection + params: + - id: sc-07.12_odp.01 + label: host-based boundary protection mechanisms + constraints: + - description: Host Intrusion Prevention System (HIPS), Host Intrusion + Detection System (HIDS), or minimally a host-based firewall + guidelines: + - prose: host-based boundary protection mechanisms to be implemented + are defined; + - id: sc-07.12_odp.02 + label: system components + guidelines: + - prose: system components where host-based boundary protection + mechanisms are to be implemented are defined; + props: + - name: label + value: SC-7(12) + - name: label + value: SC-07(12) + class: sp800-53a + - name: sort-id + value: sc-07.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.12_smt + name: statement + prose: "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert:\ + \ param, sc-07.12_odp.02 }}." + - id: sc-7.12_gdn + name: guidance + prose: Host-based boundary protection mechanisms include host-based + firewalls. System components that employ host-based boundary protection + mechanisms include servers, workstations, notebook computers, + and mobile devices. + - id: sc-7.12_obj + name: assessment-objective + props: + - name: label + value: SC-07(12) + class: sp800-53a + prose: " {{ insert: param, sc-07.12_odp.01 }} are implemented at\ + \ {{ insert: param, sc-07.12_odp.02 }}." + links: + - href: "#sc-7.12_smt" + rel: assessment-for + - id: sc-7.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + boundary protection hardware and software + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + + + system users + - id: sc-7.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing host-based boundary protection + capabilities + - id: sc-7.18 + class: SP800-53-enhancement + title: Fail Secure + props: + - name: label + value: SC-7(18) + - name: label + value: SC-07(18) + class: sp800-53a + - name: sort-id + value: sc-07.18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sc-7" + rel: required + - href: "#cp-2" + rel: related + - href: "#cp-12" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-7.18_smt + name: statement + prose: Prevent systems from entering unsecure states in the event + of an operational failure of a boundary protection device. + - id: sc-7.18_gdn + name: guidance + prose: Fail secure is a condition achieved by employing mechanisms + to ensure that in the event of operational failures of boundary + protection devices at managed interfaces, systems do not enter + into unsecure states where intended security properties no longer + hold. Managed interfaces include routers, firewalls, and application + gateways that reside on protected subnetworks (commonly referred + to as demilitarized zones). Failures of boundary protection devices + cannot lead to or cause information external to the devices to + enter the devices nor can failures permit unauthorized information + releases. + - id: sc-7.18_obj + name: assessment-objective + props: + - name: label + value: SC-07(18) + class: sp800-53a + prose: systems are prevented from entering unsecure states in the + event of an operational failure of a boundary protection device. + links: + - href: "#sc-7.18_smt" + rel: assessment-for + - id: sc-7.18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(18)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(18)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(18)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing secure failure + - id: sc-7.20 + class: SP800-53-enhancement + title: Dynamic Isolation and Segregation + params: + - id: sc-07.20_odp + label: system components + guidelines: + - prose: system components to be dynamically isolated from other + system components are defined; + props: + - name: label + value: SC-7(20) + - name: label + value: SC-07(20) + class: sp800-53a + - name: sort-id + value: sc-07.20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.20_smt + name: statement + prose: "Provide the capability to dynamically isolate {{ insert:\ + \ param, sc-07.20_odp }} from other system components." + - id: sc-7.20_gdn + name: guidance + prose: The capability to dynamically isolate certain internal system + components is useful when it is necessary to partition or separate + system components of questionable origin from components that + possess greater trustworthiness. Component isolation reduces the + attack surface of organizational systems. Isolating selected system + components can also limit the damage from successful attacks when + such attacks occur. + - id: sc-7.20_obj + name: assessment-objective + props: + - name: label + value: SC-07(20) + class: sp800-53a + prose: "the capability to dynamically isolate {{ insert: param,\ + \ sc-07.20_odp }} from other system components is provided." + links: + - href: "#sc-7.20_smt" + rel: assessment-for + - id: sc-7.20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(20)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + system architecture + + + system configuration settings and associated documentation + + + list of system components to be dynamically isolated/segregated + from other components of the system + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(20)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(20)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the capability + to dynamically isolate/segregate system components + - id: sc-7.21 + class: SP800-53-enhancement + title: Isolation of System Components + params: + - id: sc-07.21_odp.01 + label: system components + guidelines: + - prose: system components to be isolated by boundary protection + mechanisms are defined; + - id: sc-07.21_odp.02 + label: missions and/or business functions + guidelines: + - prose: missions and/or business functions to be supported by + system components isolated by boundary protection mechanisms + are defined; + props: + - name: label + value: SC-7(21) + - name: label + value: SC-07(21) + class: sp800-53a + - name: sort-id + value: sc-07.21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sc-7" + rel: required + - href: "#ca-9" + rel: related + parts: + - id: sc-7.21_smt + name: statement + prose: "Employ boundary protection mechanisms to isolate {{ insert:\ + \ param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02\ + \ }}." + - id: sc-7.21_gdn + name: guidance + prose: Organizations can isolate system components that perform + different mission or business functions. Such isolation limits + unauthorized information flows among system components and provides + the opportunity to deploy greater levels of protection for selected + system components. Isolating system components with boundary protection + mechanisms provides the capability for increased protection of + individual system components and to more effectively control information + flows between those components. Isolating system components provides + enhanced protection that limits the potential harm from hostile + cyber-attacks and errors. The degree of isolation varies depending + upon the mechanisms chosen. Boundary protection mechanisms include + routers, gateways, and firewalls that separate system components + into physically separate networks or subnetworks; cross-domain + devices that separate subnetworks; virtualization techniques; + and the encryption of information flows among system components + using distinct encryption keys. + - id: sc-7.21_obj + name: assessment-objective + props: + - name: label + value: SC-07(21) + class: sp800-53a + prose: "boundary protection mechanisms are employed to isolate {{\ + \ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param,\ + \ sc-07.21_odp.02 }}." + links: + - href: "#sc-7.21_smt" + rel: assessment-for + - id: sc-7.21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(21)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + enterprise architecture documentation + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(21)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(21)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the capability + to separate system components supporting organizational missions + and/or business functions + - id: sc-8 + class: SP800-53 + title: Transmission Confidentiality and Integrity + params: + - id: sc-08_odp + constraints: + - description: confidentiality AND integrity + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + props: + - name: label + value: SC-8 + - name: label + value: SC-08 + class: sp800-53a + - name: sort-id + value: sc-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: sc-8_smt + name: statement + prose: "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + parts: + - id: sc-8_fr + name: item + title: SC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For each instance of data in transit, confidentiality + AND integrity should be through cryptography as + specified in SC-8 (1), physical means as specified in + SC-8 (5), or in combination. + + + + + For clarity, this control applies to all data in transit. + Examples include the following data flows: + + + * Crossing the system boundary + + * Between compute instances - including containers + + * From a compute instance to storage + + * Replication between availability zones + + * Transmission of backups to storage + + * From a load balancer to a compute instance + + * Flows from management tools required for their work – e.g. + log collection, scanning, etc. + + + + + + The following applies only when choosing SC-8 (5) in lieu + of SC-8 (1). + + + FedRAMP-Defined Assignment / Selection Parameters + + + SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution + System (PDS) when outside of Controlled Access Area (CAA)] + + + SC-8 (5)-2 [prevent unauthorized disclosure of information + AND detect changes to information] + - id: sc-8_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + SC-8 (5) applies when physical protection has been + selected as the method to protect confidentiality and + integrity. For physical protection, data in transit must + be in either a Controlled Access Area (CAA), or a + Hardened or alarmed PDS. + + + + + Hardened or alarmed PDS: Shall be as defined in SECTION X + - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled + PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 + Section VIII, PDS must originate and terminate in a Controlled + Access Area (CAA). + + + + + Controlled Access Area (CAA): Data will be considered physically + protected, and in a CAA if it meets Section 2.3 of the DHS’s + Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies. CSPs can meet + Section 2.3 of the DHS’ recommended practice by satisfactory + implementation of the following controls PE-2 (1), PE-2 (2), + PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3). + + + + + Note: When selecting SC-8 (5), the above SC-8(5), and the + above referenced PE controls must be added to the SSP. + + + + + CNSSI No.7003 can be accessed here: + + + https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf + + + + + DHS Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies can be accessed + here: + + + https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf + - id: sc-8_gdn + name: guidance + prose: >- + Protecting the confidentiality and integrity of transmitted + information applies to internal and external networks as well as + any system components that can transmit information, including + servers, notebook computers, desktop computers, mobile devices, + printers, copiers, scanners, facsimile machines, and radios. + Unprotected communication paths are exposed to the possibility + of interception and modification. Protecting the confidentiality + and integrity of information can be accomplished by physical or + logical means. Physical protection can be achieved by using + protected distribution systems. A protected distribution system + is a wireline or fiber-optics telecommunications system that + includes terminals and adequate electromagnetic, acoustical, + electrical, and physical controls to permit its use for the + unencrypted transmission of classified information. Logical + protection can be achieved by employing encryption techniques. + + + Organizations that rely on commercial providers who offer transmission + services as commodity services rather than as fully dedicated services + may find it difficult to obtain the necessary assurances regarding + the implementation of needed controls for transmission confidentiality + and integrity. In such situations, organizations determine what types + of confidentiality or integrity services are available in standard, + commercial telecommunications service packages. If it is not feasible + to obtain the necessary controls and assurances of control effectiveness + through appropriate contracting vehicles, organizations can implement + appropriate compensating controls. + - id: sc-8_obj + name: assessment-objective + props: + - name: label + value: SC-08 + class: sp800-53a + prose: "the {{ insert: param, sc-08_odp }} of transmitted information\ + \ is/are protected." + links: + - href: "#sc-8_smt" + rel: assessment-for + - id: sc-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transmission confidentiality + and/or integrity + controls: + - id: sc-8.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-08.01_odp + constraints: + - description: prevent unauthorized disclosure of information + AND detect changes to information + select: + how-many: one-or-more + choice: + - prevent unauthorized disclosure of information + - detect changes to information + props: + - name: label + value: SC-8(1) + - name: label + value: SC-08(01) + class: sp800-53a + - name: sort-id + value: sc-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-8" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-8.1_smt + name: statement + prose: "Implement cryptographic mechanisms to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + parts: + - id: sc-8.1_fr + name: item + title: SC-8 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Please ensure SSP Section 10.3 Cryptographic Modules + Implemented for Data At Rest (DAR) and Data In Transit + (DIT) is fully populated for reference in this control. + - id: sc-8.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + See M-22-09, including \"Agencies encrypt all DNS + requests and HTTP traffic within their environment\" + + + SC-8 (1) applies when encryption has been selected as + the method to protect confidentiality and integrity. Otherwise + refer to SC-8 (5). SC-8 (1) is strongly encouraged. + - id: sc-8.1_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: sc-8.1_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from the underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by\ + \ default, many require encryption to be configured, and\ + \ enabled by the customer. The CSP has the responsibility\ + \ to verify encryption is properly configured." + - id: sc-8.1_gdn + name: guidance + prose: Encryption protects information from unauthorized disclosure + and modification during transmission. Cryptographic mechanisms + that protect the confidentiality and integrity of information + during transmission include TLS and IPSec. Cryptographic mechanisms + used to protect information integrity include cryptographic hash + functions that have applications in digital signatures, checksums, + and message authentication codes. + - id: sc-8.1_obj + name: assessment-objective + props: + - name: label + value: SC-08(01) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + links: + - href: "#sc-8.1_smt" + rel: assessment-for + - id: sc-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Cryptographic mechanisms supporting and/or implementing + transmission confidentiality and/or integrity + + + mechanisms supporting and/or implementing alternative physical + safeguards + + + organizational processes for defining and implementing alternative + physical safeguards + - id: sc-10 + class: SP800-53 + title: Network Disconnect + params: + - id: sc-10_odp + label: time period + constraints: + - description: no longer than ten (10) minutes for privileged sessions + and no longer than fifteen (15) minutes for user sessions + guidelines: + - prose: a time period of inactivity after which the system terminates + a network connection associated with a communication session is + defined; + props: + - name: label + value: SC-10 + - name: label + value: SC-10 + class: sp800-53a + - name: sort-id + value: sc-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: related + - href: "#sc-23" + rel: related + parts: + - id: sc-10_smt + name: statement + prose: "Terminate the network connection associated with a communications\ + \ session at the end of the session or after {{ insert: param, sc-10_odp\ + \ }} of inactivity." + - id: sc-10_gdn + name: guidance + prose: Network disconnect applies to internal and external networks. + Terminating network connections associated with specific communications + sessions includes de-allocating TCP/IP address or port pairs at the + operating system level and de-allocating the networking assignments + at the application level if multiple application sessions are using + a single operating system-level network connection. Periods of inactivity + may be established by organizations and include time periods by type + of network access or for specific network accesses. + - id: sc-10_obj + name: assessment-objective + props: + - name: label + value: SC-10 + class: sp800-53a + prose: "the network connection associated with a communication session\ + \ is terminated at the end of the session or after {{ insert: param,\ + \ sc-10_odp }} of inactivity." + links: + - href: "#sc-10_smt" + rel: assessment-for + - id: sc-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing network disconnect + + system design documentation + + security plan + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a network disconnect + capability + - id: sc-12 + class: SP800-53 + title: Cryptographic Key Establishment and Management + params: + - id: sc-12_odp + label: requirements + constraints: + - description: In accordance with Federal requirements + guidelines: + - prose: requirements for key generation, distribution, storage, access, + and destruction are defined; + props: + - name: label + value: SC-12 + - name: label + value: SC-12 + class: sp800-53a + - name: sort-id + value: sc-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#849b2358-683f-4d97-b111-1cc3d522ded5" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-17" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-3" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-11" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-17" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-12_smt + name: statement + prose: "Establish and manage cryptographic keys when cryptography is\ + \ employed within the system in accordance with the following key\ + \ management requirements: {{ insert: param, sc-12_odp }}." + parts: + - id: sc-12_fr + name: item + title: SC-12 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See references in NIST 800-53 documentation. + - id: sc-12_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Must meet applicable Federal Cryptographic Requirements. + See References Section of control. + - id: sc-12_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Wildcard certificates may be used internally within the + system, but are not permitted for external customer access + to the system. + - id: sc-12_gdn + name: guidance + prose: Cryptographic key management and establishment can be performed + using manual procedures or automated mechanisms with supporting manual + procedures. Organizations define key management requirements in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines and specify appropriate options, parameters, + and levels. Organizations manage trust stores to ensure that only + approved trust anchors are part of such trust stores. This includes + certificates with visibility external to organizational systems and + certificates related to the internal operations of systems. [NIST + CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) + provide additional information on validated cryptographic modules + and algorithms that can be used in cryptographic key management and + establishment. + - id: sc-12_obj + name: assessment-objective + props: + - name: label + value: SC-12 + class: sp800-53a + parts: + - id: sc-12_obj-1 + name: assessment-objective + props: + - name: label + value: SC-12[01] + class: sp800-53a + prose: "cryptographic keys are established when cryptography is\ + \ employed within the system in accordance with {{ insert: param,\ + \ sc-12_odp }};" + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_obj-2 + name: assessment-objective + props: + - name: label + value: SC-12[02] + class: sp800-53a + prose: "cryptographic keys are managed when cryptography is employed\ + \ within the system in accordance with {{ insert: param, sc-12_odp\ + \ }}." + links: + - href: "#sc-12_smt" + rel: assessment-for + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing cryptographic key establishment and management + + + system design documentation + + + cryptographic mechanisms + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for cryptographic + key establishment and/or management + - id: sc-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic key + establishment and management + controls: + - id: sc-12.1 + class: SP800-53-enhancement + title: Availability + props: + - name: label + value: SC-12(1) + - name: label + value: SC-12(01) + class: sp800-53a + - name: sort-id + value: sc-12.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-12" + rel: required + parts: + - id: sc-12.1_smt + name: statement + prose: Maintain availability of information in the event of the + loss of cryptographic keys by users. + - id: sc-12.1_gdn + name: guidance + prose: Escrowing of encryption keys is a common practice for ensuring + availability in the event of key loss. A forgotten passphrase + is an example of losing a cryptographic key. + - id: sc-12.1_obj + name: assessment-objective + props: + - name: label + value: SC-12(01) + class: sp800-53a + prose: information availability is maintained in the event of the + loss of cryptographic keys by users. + links: + - href: "#sc-12.1_smt" + rel: assessment-for + - id: sc-12.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-12(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing cryptographic key establishment, management, + and recovery + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-12.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-12(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for cryptographic + key establishment or management + - id: sc-12.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-12(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic + key establishment and management + - id: sc-13 + class: SP800-53 + title: Cryptographic Protection + params: + - id: sc-13_odp.01 + label: cryptographic uses + guidelines: + - prose: cryptographic uses are defined; + - id: sc-13_odp.02 + label: types of cryptography + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: types of cryptography for each specified cryptographic use + are defined; + props: + - name: label + value: SC-13 + - name: label + value: SC-13 + class: sp800-53a + - name: sort-id + value: sc-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-13_smt + name: statement + parts: + - id: sc-13_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + - id: sc-13_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement the following types of cryptography required for\ + \ each specified cryptographic use: {{ insert: param, sc-13_odp.02\ + \ }}." + - id: sc-13_fr + name: item + title: SC-13 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-13_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + This control applies to all use of cryptography. In + addition to encryption, this includes functions such as + hashing, random number generation, and key generation. + Examples include the following: + + + * Encryption of data + + * Decryption of data + + * Generation of one time passwords (OTPs) for MFA + + * Protocols such as TLS, SSH, and HTTPS + + + + + + The requirement for FIPS 140 validation, as well as timelines + for acceptance of FIPS 140-2, and 140-3 can be found at the + NIST Cryptographic Module Validation Program (CMVP). + + + https://csrc.nist.gov/projects/cryptographic-module-validation-program + - id: sc-13_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For NSA-approved cryptography, the National Information + Assurance Partnership (NIAP) oversees a national program + to evaluate Commercial IT Products for Use in National + Security Systems. The NIAP Product Compliant List can be + found at the following location: + + + https://www.niap-ccevs.org/Product/index.cfm + - id: sc-13_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS provide encryption by default, many\ + \ require encryption to be configured, and enabled by the\ + \ customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-13_fr_gdn.4 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + Moving to non-FIPS CM or product is acceptable when: + + + * FIPS validated version has a known vulnerability + + * Feature with vulnerability is in use + + * Non-FIPS version fixes the vulnerability + + * Non-FIPS version is submitted to NIST for FIPS validation + + * POA&M is added to track approval, and deployment when ready + - id: sc-13_fr_gdn.5 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "At a minimum, this control applies to cryptography in\ + \ use for the following controls: AU-9(3), CP-9(8), IA-2(6),\ + \ IA-5(1), MP-5, SC-8(1), and SC-28(1)." + - id: sc-13_gdn + name: guidance + prose: Cryptography can be employed to support a variety of security + solutions, including the protection of classified information and + controlled unclassified information, the provision and implementation + of digital signatures, and the enforcement of information separation + when authorized individuals have the necessary clearances but lack + the necessary formal access approvals. Cryptography can also be used + to support random number and hash generation. Generally applicable + cryptographic standards include FIPS-validated cryptography and NSA-approved + cryptography. For example, organizations that need to protect classified + information may specify the use of NSA-approved cryptography. Organizations + that need to provision and implement digital signatures may specify + the use of FIPS-validated cryptography. Cryptography is implemented + in accordance with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: sc-13_obj + name: assessment-objective + props: + - name: label + value: SC-13 + class: sp800-53a + parts: + - id: sc-13_obj.a + name: assessment-objective + props: + - name: label + value: SC-13a. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.01 }} are identified;" + links: + - href: "#sc-13_smt.a" + rel: assessment-for + - id: sc-13_obj.b + name: assessment-objective + props: + - name: label + value: SC-13b. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic\ + \ use (defined in SC-13_ODP[01]) are implemented." + links: + - href: "#sc-13_smt.b" + rel: assessment-for + links: + - href: "#sc-13_smt" + rel: assessment-for + - id: sc-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing cryptographic protection + + system design documentation + + system configuration settings and associated documentation + + cryptographic module validation certificates + + list of FIPS-validated cryptographic modules + + system audit records + + system security plan + + other relevant documents or records + - id: sc-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for cryptographic + protection + - id: sc-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic protection + - id: sc-15 + class: SP800-53 + title: Collaborative Computing Devices and Applications + params: + - id: sc-15_odp + label: exceptions where remote activation is to be allowed + constraints: + - description: no exceptions for computing devices + guidelines: + - prose: exceptions where remote activation is to be allowed are defined; + props: + - name: label + value: SC-15 + - name: label + value: SC-15 + class: sp800-53a + - name: sort-id + value: sc-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-21" + rel: related + - href: "#sc-42" + rel: related + parts: + - id: sc-15_smt + name: statement + parts: + - id: sc-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Prohibit remote activation of collaborative computing devices\ + \ and applications with the following exceptions: {{ insert: param,\ + \ sc-15_odp }} ; and" + - id: sc-15_smt.b + name: item + props: + - name: label + value: b. + prose: Provide an explicit indication of use to users physically + present at the devices. + - id: sc-15_fr + name: item + title: SC-15 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-15_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The information system provides disablement (instead + of physical disconnect) of collaborative computing devices + in a manner that supports ease of use. + - id: sc-15_gdn + name: guidance + prose: Collaborative computing devices and applications include remote + meeting devices and applications, networked white boards, cameras, + and microphones. The explicit indication of use includes signals to + users when collaborative computing devices and applications are activated. + - id: sc-15_obj + name: assessment-objective + props: + - name: label + value: SC-15 + class: sp800-53a + parts: + - id: sc-15_obj.a + name: assessment-objective + props: + - name: label + value: SC-15a. + class: sp800-53a + prose: "remote activation of collaborative computing devices and\ + \ applications is prohibited except {{ insert: param, sc-15_odp\ + \ }};" + links: + - href: "#sc-15_smt.a" + rel: assessment-for + - id: sc-15_obj.b + name: assessment-objective + props: + - name: label + value: SC-15b. + class: sp800-53a + prose: an explicit indication of use is provided to users physically + present at the devices. + links: + - href: "#sc-15_smt.b" + rel: assessment-for + links: + - href: "#sc-15_smt" + rel: assessment-for + - id: sc-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing collaborative computing + + access control policy and procedures + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for managing collaborative + computing devices + - id: sc-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing the management of + remote activation of collaborative computing devices + + + mechanisms providing an indication of use of collaborative computing + devices + - id: sc-17 + class: SP800-53 + title: Public Key Infrastructure Certificates + params: + - id: sc-17_odp + label: certificate policy + guidelines: + - prose: a certificate policy for issuing public key certificates + is defined; + props: + - name: label + value: SC-17 + - name: label + value: SC-17 + class: sp800-53a + - name: sort-id + value: sc-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#8cb338a4-e493-4177-818f-3af18983ddc5" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#au-10" + rel: related + - href: "#ia-5" + rel: related + - href: "#sc-12" + rel: related + parts: + - id: sc-17_smt + name: statement + parts: + - id: sc-17_smt.a + name: item + props: + - name: label + value: a. + prose: "Issue public key certificates under an {{ insert: param,\ + \ sc-17_odp }} or obtain public key certificates from an approved\ + \ service provider; and" + - id: sc-17_smt.b + name: item + props: + - name: label + value: b. + prose: Include only approved trust anchors in trust stores or certificate + stores managed by the organization. + - id: sc-17_gdn + name: guidance + prose: Public key infrastructure (PKI) certificates are certificates + with visibility external to organizational systems and certificates + related to the internal operations of systems, such as application-specific + time services. In cryptographic systems with a hierarchical structure, + a trust anchor is an authoritative source (i.e., a certificate authority) + for which trust is assumed and not derived. A root certificate for + a PKI system is an example of a trust anchor. A trust store or certificate + store maintains a list of trusted root certificates. + - id: sc-17_obj + name: assessment-objective + props: + - name: label + value: SC-17 + class: sp800-53a + parts: + - id: sc-17_obj.a + name: assessment-objective + props: + - name: label + value: SC-17a. + class: sp800-53a + prose: "public key certificates are issued under {{ insert: param,\ + \ sc-17_odp }} , or public key certificates are obtained from\ + \ an approved service provider;" + links: + - href: "#sc-17_smt.a" + rel: assessment-for + - id: sc-17_obj.b + name: assessment-objective + props: + - name: label + value: SC-17b. + class: sp800-53a + prose: only approved trust anchors are included in trust stores + or certificate stores managed by the organization. + links: + - href: "#sc-17_smt.b" + rel: assessment-for + links: + - href: "#sc-17_smt" + rel: assessment-for + - id: sc-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing public key infrastructure certificates + + public key certificate policy or policies + + public key issuing process + + system security plan + + other relevant documents or records + - id: sc-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for issuing public + key certificates + + + service providers + - id: sc-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the management + of public key infrastructure certificates + - id: sc-18 + class: SP800-53 + title: Mobile Code + props: + - name: label + value: SC-18 + - name: label + value: SC-18 + class: sp800-53a + - name: sort-id + value: sc-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#f641309f-a3ad-48be-8c67-2b318648b2f5" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#si-3" + rel: related + parts: + - id: sc-18_smt + name: statement + parts: + - id: sc-18_smt.a + name: item + props: + - name: label + value: a. + prose: Define acceptable and unacceptable mobile code and mobile + code technologies; and + - id: sc-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize, monitor, and control the use of mobile code within + the system. + - id: sc-18_gdn + name: guidance + prose: Mobile code includes any program, application, or content that + can be transmitted across a network (e.g., embedded in an email, document, + or website) and executed on a remote system. Decisions regarding the + use of mobile code within organizational systems are based on the + potential for the code to cause damage to the systems if used maliciously. + Mobile code technologies include Java applets, JavaScript, HTML5, + WebGL, and VBScript. Usage restrictions and implementation guidelines + apply to both the selection and use of mobile code installed on servers + and mobile code downloaded and executed on individual workstations + and devices, including notebook computers and smart phones. Mobile + code policy and procedures address specific actions taken to prevent + the development, acquisition, and introduction of unacceptable mobile + code within organizational systems, including requiring mobile code + to be digitally signed by a trusted source. + - id: sc-18_obj + name: assessment-objective + props: + - name: label + value: SC-18 + class: sp800-53a + parts: + - id: sc-18_obj.a + name: assessment-objective + props: + - name: label + value: SC-18a. + class: sp800-53a + parts: + - id: sc-18_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-18a.[01] + class: sp800-53a + prose: acceptable mobile code is defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-18a.[02] + class: sp800-53a + prose: unacceptable mobile code is defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-18a.[03] + class: sp800-53a + prose: acceptable mobile code technologies are defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-18a.[04] + class: sp800-53a + prose: unacceptable mobile code technologies are defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.b + name: assessment-objective + props: + - name: label + value: SC-18b. + class: sp800-53a + parts: + - id: sc-18_obj.b-1 + name: assessment-objective + props: + - name: label + value: SC-18b.[01] + class: sp800-53a + prose: the use of mobile code is authorized within the system; + links: + - href: "#sc-18_smt.b" + rel: assessment-for + - id: sc-18_obj.b-2 + name: assessment-objective + props: + - name: label + value: SC-18b.[02] + class: sp800-53a + prose: the use of mobile code is monitored within the system; + links: + - href: "#sc-18_smt.b" + rel: assessment-for + - id: sc-18_obj.b-3 + name: assessment-objective + props: + - name: label + value: SC-18b.[03] + class: sp800-53a + prose: the use of mobile code is controlled within the system. + links: + - href: "#sc-18_smt.b" + rel: assessment-for + links: + - href: "#sc-18_smt.b" + rel: assessment-for + links: + - href: "#sc-18_smt" + rel: assessment-for + - id: sc-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing mobile code + + mobile code implementation policy and procedures + + list of acceptable mobile code and mobile code technologies + + list of unacceptable mobile code and mobile technologies + + authorization records + + system monitoring records + + system audit records + + system security plan + + other relevant documents or records + - id: sc-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing mobile + code + - id: sc-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling mobile code + + + mechanisms supporting and/or implementing the management of mobile + code + + + mechanisms supporting and/or implementing the monitoring of mobile + code + - id: sc-20 + class: SP800-53 + title: Secure Name/Address Resolution Service (Authoritative Source) + props: + - name: label + value: SC-20 + - name: label + value: SC-20 + class: sp800-53a + - name: sort-id + value: sc-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-20_smt + name: statement + parts: + - id: sc-20_smt.a + name: item + props: + - name: label + value: a. + prose: Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution + data the system returns in response to external name/address resolution + queries; and + - id: sc-20_smt.b + name: item + props: + - name: label + value: b. + prose: Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to + enable verification of a chain of trust among parent and child + domains, when operating as part of a distributed, hierarchical + namespace. + - id: sc-20_fr + name: item + title: SC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-20_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Control Description should include how DNSSEC is implemented + on authoritative DNS servers to supply valid responses to + external DNSSEC requests. + - id: sc-20_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Authoritative DNS servers must be geolocated in accordance + with SA-9 (5). + - id: sc-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SC-20 applies to use of external authoritative DNS to + access a CSO from outside the boundary. + - id: sc-20_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: External authoritative DNS servers may be located outside + an authorized environment. Positioning these servers inside + an authorized boundary is encouraged. + - id: sc-20_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: CSPs are recommended to self-check DNSSEC configuration + through one of many available analyzers such as Sandia National + Labs (https://dnsviz.net) + - id: sc-20_gdn + name: guidance + prose: Providing authoritative source information enables external clients, + including remote Internet clients, to obtain origin authentication + and integrity verification assurances for the host/service name to + network address resolution information obtained through the service. + Systems that provide name and address resolution services include + domain name system (DNS) servers. Additional artifacts include DNS + Security Extensions (DNSSEC) digital signatures and cryptographic + keys. Authoritative data includes DNS resource records. The means + for indicating the security status of child zones include the use + of delegation signer resource records in the DNS. Systems that use + technologies other than the DNS to map between host and service names + and network addresses provide other means to assure the authenticity + and integrity of response data. + - id: sc-20_obj + name: assessment-objective + props: + - name: label + value: SC-20 + class: sp800-53a + parts: + - id: sc-20_obj.a + name: assessment-objective + props: + - name: label + value: SC-20a. + class: sp800-53a + parts: + - id: sc-20_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-20a.[01] + class: sp800-53a + prose: additional data origin authentication is provided along + with the authoritative name resolution data that the system + returns in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-20a.[02] + class: sp800-53a + prose: integrity verification artifacts are provided along with + the authoritative name resolution data that the system returns + in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.b + name: assessment-objective + props: + - name: label + value: SC-20b. + class: sp800-53a + parts: + - id: sc-20_obj.b-1 + name: assessment-objective + props: + - name: label + value: SC-20b.[01] + class: sp800-53a + prose: the means to indicate the security status of child zones + (and if the child supports secure resolution services) is + provided when operating as part of a distributed, hierarchical + namespace; + links: + - href: "#sc-20_smt.b" + rel: assessment-for + - id: sc-20_obj.b-2 + name: assessment-objective + props: + - name: label + value: SC-20b.[02] + class: sp800-53a + prose: the means to enable verification of a chain of trust + among parent and child domains when operating as part of a + distributed, hierarchical namespace is provided. + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt" + rel: assessment-for + - id: sc-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (authoritative source) + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: sc-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing secure name/address + resolution services + - id: sc-21 + class: SP800-53 + title: Secure Name/Address Resolution Service (Recursive or Caching Resolver) + props: + - name: label + value: SC-21 + - name: label + value: SC-21 + class: sp800-53a + - name: sort-id + value: sc-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-20" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-21_smt + name: statement + prose: Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. + parts: + - id: sc-21_fr + name: item + title: SC-21 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-21_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: > + Control description should include how DNSSEC is + implemented on recursive DNS servers to make DNSSEC + requests when resolving DNS requests from internal + components to domains external to the CSO boundary. + + + * If the reply is signed, and fails DNSSEC, do not use the + reply + + * If the reply is unsigned: * CSP chooses the policy to + apply + - id: sc-21_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Internal recursive DNS servers must be located inside + an authorized environment. It is typically within the boundary, + or leveraged from an underlying IaaS/PaaS. + - id: sc-21_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Accepting an unsigned reply is acceptable + - id: sc-21_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + SC-21 applies to use of internal recursive DNS to access + a domain outside the boundary by a component inside the + boundary. + + + - DNSSEC resolution to access a component inside the boundary + is excluded. + - id: sc-21_gdn + name: guidance + prose: Each client of name resolution services either performs this + validation on its own or has authenticated channels to trusted validation + providers. Systems that provide name and address resolution services + for local clients include recursive resolving or caching domain name + system (DNS) servers. DNS client resolvers either perform validation + of DNSSEC signatures, or clients use authenticated channels to recursive + resolvers that perform such validations. Systems that use technologies + other than the DNS to map between host and service names and network + addresses provide some other means to enable clients to verify the + authenticity and integrity of response data. + - id: sc-21_obj + name: assessment-objective + props: + - name: label + value: SC-21 + class: sp800-53a + parts: + - id: sc-21_obj-1 + name: assessment-objective + props: + - name: label + value: SC-21[01] + class: sp800-53a + prose: data origin authentication is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-2 + name: assessment-objective + props: + - name: label + value: SC-21[02] + class: sp800-53a + prose: data origin authentication is performed on the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-3 + name: assessment-objective + props: + - name: label + value: SC-21[03] + class: sp800-53a + prose: data integrity verification is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-4 + name: assessment-objective + props: + - name: label + value: SC-21[04] + class: sp800-53a + prose: data integrity verification is performed on the name/address + resolution responses that the system receives from authoritative + sources. + links: + - href: "#sc-21_smt" + rel: assessment-for + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (recursive or caching resolver) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing data origin authentication + and data integrity verification for name/address resolution services + - id: sc-22 + class: SP800-53 + title: Architecture and Provisioning for Name/Address Resolution Service + props: + - name: label + value: SC-22 + - name: label + value: SC-22 + class: sp800-53a + - name: sort-id + value: sc-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-2" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-22_smt + name: statement + prose: Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal + and external role separation. + - id: sc-22_gdn + name: guidance + prose: Systems that provide name and address resolution services include + domain name system (DNS) servers. To eliminate single points of failure + in systems and enhance redundancy, organizations employ at least two + authoritative domain name system servers—one configured as the primary + server and the other configured as the secondary server. Additionally, + organizations typically deploy the servers in two geographically separated + network subnetworks (i.e., not located in the same physical facility). + For role separation, DNS servers with internal roles only process + name and address resolution requests from within organizations (i.e., + from internal clients). DNS servers with external roles only process + name and address resolution information requests from clients external + to organizations (i.e., on external networks, including the Internet). + Organizations specify clients that can access authoritative DNS servers + in certain roles (e.g., by address ranges and explicit lists). + - id: sc-22_obj + name: assessment-objective + props: + - name: label + value: SC-22 + class: sp800-53a + parts: + - id: sc-22_obj-1 + name: assessment-objective + props: + - name: label + value: SC-22[01] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization are fault-tolerant; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-2 + name: assessment-objective + props: + - name: label + value: SC-22[02] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement internal role separation; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-3 + name: assessment-objective + props: + - name: label + value: SC-22[03] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement external role separation. + links: + - href: "#sc-22_smt" + rel: assessment-for + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing architecture and provisioning for name/address + resolution services + + + access control policy and procedures + + + system design documentation + + + assessment results from independent testing organizations + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing name/address resolution + services for fault tolerance and role separation + - id: sc-23 + class: SP800-53 + title: Session Authenticity + props: + - name: label + value: SC-23 + - name: label + value: SC-23 + class: sp800-53a + - name: sort-id + value: sc-23 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-11" + rel: related + parts: + - id: sc-23_smt + name: statement + prose: Protect the authenticity of communications sessions. + - id: sc-23_gdn + name: guidance + prose: Protecting session authenticity addresses communications protection + at the session level, not at the packet level. Such protection establishes + grounds for confidence at both ends of communications sessions in + the ongoing identities of other parties and the validity of transmitted + information. Authenticity protection includes protecting against "man-in-the-middle" + attacks, session hijacking, and the insertion of false information + into sessions. + - id: sc-23_obj + name: assessment-objective + props: + - name: label + value: SC-23 + class: sp800-53a + prose: the authenticity of communication sessions is protected. + links: + - href: "#sc-23_smt" + rel: assessment-for + - id: sc-23_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-23-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing session authenticity + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-23_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-23-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: sc-23_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-23-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing session authenticity + - id: sc-24 + class: SP800-53 + title: Fail in Known State + params: + - id: sc-24_odp.01 + label: types of system failures on system components + guidelines: + - prose: types of system failures for which the system components + fail to a known state are defined; + - id: sc-24_odp.02 + label: known system state + guidelines: + - prose: known system state to which system components fail in the + event of a system failure is defined; + - id: sc-24_odp.03 + label: system state information + guidelines: + - prose: system state information to be preserved in the event of + a system failure is defined; + props: + - name: label + value: SC-24 + - name: label + value: SC-24 + class: sp800-53a + - name: sort-id + value: sc-24 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-22" + rel: related + - href: "#si-13" + rel: related + parts: + - id: sc-24_smt + name: statement + prose: "Fail to a {{ insert: param, sc-24_odp.02 }} for the following\ + \ failures on the indicated components while preserving {{ insert:\ + \ param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01\ + \ }}." + - id: sc-24_gdn + name: guidance + prose: Failure in a known state addresses security concerns in accordance + with the mission and business needs of organizations. Failure in a + known state prevents the loss of confidentiality, integrity, or availability + of information in the event of failures of organizational systems + or system components. Failure in a known safe state helps to prevent + systems from failing to a state that may cause injury to individuals + or destruction to property. Preserving system state information facilitates + system restart and return to the operational mode with less disruption + of mission and business processes. + - id: sc-24_obj + name: assessment-objective + props: + - name: label + value: SC-24 + class: sp800-53a + prose: " {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param,\ + \ sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03\ + \ }} in failure." + links: + - href: "#sc-24_smt" + rel: assessment-for + - id: sc-24_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-24-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing system failure to known state + + system design documentation + + system configuration settings and associated documentation + + list of failures requiring system to fail in a known state + + state information to be preserved in system failure + + system audit records + + system security plan + + other relevant documents or records + - id: sc-24_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-24-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-24_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-24-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing the fail in known + state capability + + + mechanisms preserving system state information in the event of + a system failure + - id: sc-28 + class: SP800-53 + title: Protection of Information at Rest + params: + - id: sc-28_odp.01 + constraints: + - description: confidentiality AND integrity + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + - id: sc-28_odp.02 + label: information at rest + guidelines: + - prose: information at rest requiring protection is defined; + props: + - name: label + value: SC-28 + - name: label + value: SC-28 + class: sp800-53a + - name: sort-id + value: sc-28 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-28_smt + name: statement + prose: "Protect the {{ insert: param, sc-28_odp.01 }} of the following\ + \ information at rest: {{ insert: param, sc-28_odp.02 }}." + parts: + - id: sc-28_fr + name: item + title: SC-28 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The organization supports the capability to use cryptographic + mechanisms to protect information at rest. + - id: sc-28_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by default,\ + \ many require encryption to be configured, and enabled by\ + \ the customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-28_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + in accordance with SC-13. + - id: sc-28_gdn + name: guidance + prose: Information at rest refers to the state of information when it + is not in process or in transit and is located on system components. + Such components include internal or external hard disk drives, storage + area network devices, or databases. However, the focus of protecting + information at rest is not on the type of storage device or frequency + of access but rather on the state of the information. Information + at rest addresses the confidentiality and integrity of information + and covers user information and system information. System-related + information that requires protection includes configurations or rule + sets for firewalls, intrusion detection and prevention systems, filtering + routers, and authentication information. Organizations may employ + different mechanisms to achieve confidentiality and integrity protections, + including the use of cryptographic mechanisms and file share scanning. + Integrity protection can be achieved, for example, by implementing + write-once-read-many (WORM) technologies. When adequate protection + of information at rest cannot otherwise be achieved, organizations + may employ other controls, including frequent scanning to identify + malicious code at rest and secure offline storage in lieu of online + storage. + - id: sc-28_obj + name: assessment-objective + props: + - name: label + value: SC-28 + class: sp800-53a + prose: "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02\ + \ }} is/are protected." + links: + - href: "#sc-28_smt" + rel: assessment-for + - id: sc-28_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + list of information at rest requiring confidentiality and integrity + protections + + + system security plan + + + other relevant documents or records + - id: sc-28_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing confidentiality + and integrity protections for information at rest + controls: + - id: sc-28.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-28.01_odp.01 + label: information + guidelines: + - prose: information requiring cryptographic protection is defined; + - id: sc-28.01_odp.02 + label: system components or media + constraints: + - description: all information system components storing Federal + data or system data that must be protected at the High or + Moderate impact levels + guidelines: + - prose: system components or media requiring cryptographic protection + is/are defined; + props: + - name: label + value: SC-28(1) + - name: label + value: SC-28(01) + class: sp800-53a + - name: sort-id + value: sc-28.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-28" + rel: required + - href: "#ac-19" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-28.1_smt + name: statement + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of the following information at\ + \ rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param,\ + \ sc-28.01_odp.01 }}." + parts: + - id: sc-28.1_fr + name: item + title: SC-28 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Organizations should select a mode of protection + that is targeted towards the relevant threat + scenarios. + + + Examples: + + + A. Organizations may apply full disk encryption (FDE) + to a mobile device where the primary threat is loss of + the device while storage is locked. + + + B. For a database application housing data for a single + customer, encryption at the file system level would often + provide more protection than FDE against the more likely + threat of an intruder on the operating system accessing + the storage. + + + C. For a database application housing data for multiple + customers, encryption with unique keys for each customer + at the database record level may be more appropriate. + - id: sc-28.1_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of organizational + information. The strength of mechanism is commensurate with the + security category or classification of the information. Organizations + have the flexibility to encrypt information on system components + or media or encrypt data structures, including files, records, + or fields. + - id: sc-28.1_obj + name: assessment-objective + props: + - name: label + value: SC-28(01) + class: sp800-53a + parts: + - id: sc-28.1_obj-1 + name: assessment-objective + props: + - name: label + value: SC-28(01)[01] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized disclosure of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }};" + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_obj-2 + name: assessment-objective + props: + - name: label + value: SC-28(01)[02] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized modification of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }}." + links: + - href: "#sc-28.1_smt" + rel: assessment-for + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-28.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms implementing confidentiality + and integrity protections for information at rest + - id: sc-39 + class: SP800-53 + title: Process Isolation + props: + - name: label + value: SC-39 + - name: label + value: SC-39 + class: sp800-53a + - name: sort-id + value: sc-39 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-25" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-39_smt + name: statement + prose: Maintain a separate execution domain for each executing system + process. + - id: sc-39_gdn + name: guidance + prose: Systems can maintain separate execution domains for each executing + process by assigning each process a separate address space. Each system + process has a distinct address space so that communication between + processes is performed in a manner controlled through the security + functions, and one process cannot modify the executing code of another + process. Maintaining separate execution domains for executing processes + can be achieved, for example, by implementing separate address spaces. + Process isolation technologies, including sandboxing or virtualization, + logically separate software and firmware from other software, firmware, + and data. Process isolation helps limit the access of potentially + untrusted software to other system resources. The capability to maintain + separate execution domains is available in commercial operating systems + that employ multi-state processor technologies. + - id: sc-39_obj + name: assessment-objective + props: + - name: label + value: SC-39 + class: sp800-53a + prose: a separate execution domain is maintained for each executing + system process. + links: + - href: "#sc-39_smt" + rel: assessment-for + - id: sc-39_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-39-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System design documentation + + system architecture + + independent verification and validation documentation + + testing and evaluation documentation + + other relevant documents or records + - id: sc-39_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-39-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System developers/integrators + + system security architect + - id: sc-39_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-39-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing separate execution + domains for each executing process + - id: sc-45 + class: SP800-53 + title: System Time Synchronization + props: + - name: label + value: SC-45 + - name: label + value: SC-45 + class: sp800-53a + - name: sort-id + value: sc-45 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#e4d37285-1e79-4029-8b6a-42df39cace30" + rel: reference + - href: "#ac-3" + rel: related + - href: "#au-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: sc-45_smt + name: statement + prose: Synchronize system clocks within and between systems and system + components. + - id: sc-45_gdn + name: guidance + prose: Time synchronization of system clocks is essential for the correct + execution of many system services, including identification and authentication + processes that involve certificates and time-of-day restrictions as + part of access control. Denial of service or failure to deny expired + credentials may result without properly synchronized clocks within + and between systems and system components. Time is commonly expressed + in Coordinated Universal Time (UTC), a modern continuation of Greenwich + Mean Time (GMT), or local time with an offset from UTC. The granularity + of time measurements refers to the degree of synchronization between + system clocks and reference clocks, such as clocks synchronizing within + hundreds of milliseconds or tens of milliseconds. Organizations may + define different time granularities for system components. Time service + can be critical to other security capabilities—such as access control + and identification and authentication—depending on the nature of the + mechanisms used to support the capabilities. + - id: sc-45_obj + name: assessment-objective + props: + - name: label + value: SC-45 + class: sp800-53a + prose: system clocks are synchronized within and between systems and + system components. + links: + - href: "#sc-45_smt" + rel: assessment-for + - id: sc-45_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-45-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing time synchronization + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-45_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-45-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + - id: sc-45_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-45-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing system time synchronization + controls: + - id: sc-45.1 + class: SP800-53-enhancement + title: Synchronization with Authoritative Time Source + params: + - id: sc-45.01_odp.01 + label: frequency + constraints: + - description: At least hourly + guidelines: + - prose: the frequency at which to compare the internal system + clocks with the authoritative time source is defined; + - id: sc-45.01_odp.02 + label: authoritative time source + constraints: + - description: http://tf.nist.gov/tf-cgi/servers.cgi + guidelines: + - prose: the authoritative time source to which internal system + clocks are to be compared is defined; + - id: sc-45.01_odp.03 + label: time period + constraints: + - description: any difference + guidelines: + - prose: the time period to compare the internal system clocks + with the authoritative time source is defined; + props: + - name: label + value: SC-45(1) + - name: label + value: SC-45(01) + class: sp800-53a + - name: sort-id + value: sc-45.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-45" + rel: required + parts: + - id: sc-45.1_smt + name: statement + parts: + - id: sc-45.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Compare the internal system clocks {{ insert: param,\ + \ sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02\ + \ }} ; and" + - id: sc-45.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Synchronize the internal system clocks to the authoritative\ + \ time source when the time difference is greater than {{\ + \ insert: param, sc-45.01_odp.03 }}." + - id: sc-45.1_fr + name: item + title: SC-45(1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-45.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider selects primary and secondary + time servers used by the NIST Internet time service. The + secondary server is selected from a different geographic + region than the primary server. + - id: sc-45.1_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider synchronizes the system clocks + of network computers that run operating systems other + than Windows to the Windows Server Domain Controller emulator + or to the same time source for that server. + - id: sc-45.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Synchronization of system clocks improves the accuracy + of log analysis. + - id: sc-45.1_gdn + name: guidance + prose: Synchronization of internal system clocks with an authoritative + source provides uniformity of time stamps for systems with multiple + system clocks and systems connected over a network. + - id: sc-45.1_obj + name: assessment-objective + props: + - name: label + value: SC-45(01) + class: sp800-53a + parts: + - id: sc-45.1_obj.a + name: assessment-objective + props: + - name: label + value: SC-45(01)(a) + class: sp800-53a + prose: "the internal system clocks are compared {{ insert: param,\ + \ sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02\ + \ }};" + links: + - href: "#sc-45.1_smt.a" + rel: assessment-for + - id: sc-45.1_obj.b + name: assessment-objective + props: + - name: label + value: SC-45(01)(b) + class: sp800-53a + prose: "the internal system clocks are synchronized with the\ + \ authoritative time source when the time difference is greater\ + \ than {{ insert: param, sc-45.01_odp.03 }}." + links: + - href: "#sc-45.1_smt.b" + rel: assessment-for + links: + - href: "#sc-45.1_smt" + rel: assessment-for + - id: sc-45.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-45(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing time synchronization + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-45.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-45(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + - id: sc-45.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-45(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing system time + synchronization + - id: si + class: family + title: System and Information Integrity + controls: + - id: si-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: si-1_prm_1 + label: organization-defined personnel or roles + - id: si-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + policy is to be disseminated is/are defined; + - id: si-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + procedures are to be disseminated is/are defined; + - id: si-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: si-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and information integrity + policy and procedures is defined; + - id: si-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and information + integrity policy is reviewed and updated is defined; + - id: si-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and information + integrity policy to be reviewed and updated are defined; + - id: si-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and information + integrity procedures are reviewed and updated is defined; + - id: si-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and information integrity + procedures to be reviewed and updated are defined; + props: + - name: label + value: SI-1 + - name: label + value: SI-01 + class: sp800-53a + - name: sort-id + value: si-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: si-1_smt + name: statement + parts: + - id: si-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ si-1_prm_1 }}:" + parts: + - id: si-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, si-01_odp.03 }} system and information\ + \ integrity policy that:" + parts: + - id: si-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: si-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: si-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and information integrity policy and the associated system + and information integrity controls; + - id: si-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, si-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures; and" + - id: si-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and information integrity:" + parts: + - id: si-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, si-01_odp.05 }} and following\ + \ {{ insert: param, si-01_odp.06 }} ; and" + - id: si-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, si-01_odp.07 }} and following\ + \ {{ insert: param, si-01_odp.08 }}." + - id: si-1_gdn + name: guidance + prose: System and information integrity policy and procedures address + the controls in the SI family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and information integrity policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and information integrity policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: si-1_obj + name: assessment-objective + props: + - name: label + value: SI-01 + class: sp800-53a + parts: + - id: si-1_obj.a + name: assessment-objective + props: + - name: label + value: SI-01a. + class: sp800-53a + parts: + - id: si-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.[01] + class: sp800-53a + prose: a system and information integrity policy is developed + and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.[02] + class: sp800-53a + prose: "the system and information integrity policy is disseminated\ + \ to {{ insert: param, si-01_odp.01 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.[03] + class: sp800-53a + prose: system and information integrity procedures to facilitate + the implementation of the system and information integrity + policy and associated system and information integrity controls + are developed and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.[04] + class: sp800-53a + prose: "the system and information integrity procedures are\ + \ disseminated to {{ insert: param, si-01_odp.02 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-01a.01 + class: sp800-53a + parts: + - id: si-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SI-01a.01(a) + class: sp800-53a + parts: + - id: si-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses purpose;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses scope;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses roles;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses responsibilities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses management\ + \ commitment;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses compliance;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SI-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system and\ + \ information integrity policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#si-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#si-1_smt.a.1" + rel: assessment-for + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.b + name: assessment-objective + props: + - name: label + value: SI-01b. + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures;" + links: + - href: "#si-1_smt.b" + rel: assessment-for + - id: si-1_obj.c + name: assessment-objective + props: + - name: label + value: SI-01c. + class: sp800-53a + parts: + - id: si-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-01c.01 + class: sp800-53a + parts: + - id: si-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-01c.01[01] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated {{ insert: param, si-01_odp.05\ + \ }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-01c.01[02] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated following {{ insert: param,\ + \ si-01_odp.06 }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-01c.02 + class: sp800-53a + parts: + - id: si-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-01c.02[01] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated {{ insert: param, si-01_odp.07\ + \ }};" + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + - id: si-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-01c.02[02] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ si-01_odp.08 }}." + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c" + rel: assessment-for + links: + - href: "#si-1_smt" + rel: assessment-for + - id: si-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and information integrity policy + + system and information integrity procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: si-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and information + integrity responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: si-2 + class: SP800-53 + title: Flaw Remediation + params: + - id: si-02_odp + label: time period + constraints: + - description: within thirty (30) days of release of updates + guidelines: + - prose: time period within which to install security-relevant software + updates after the release of the updates is defined; + props: + - name: label + value: SI-2 + - name: label + value: SI-02 + class: sp800-53a + - name: sort-id + value: si-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#ca-5" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#si-3" + rel: related + - href: "#si-5" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: si-2_smt + name: statement + parts: + - id: si-2_smt.a + name: item + props: + - name: label + value: a. + prose: Identify, report, and correct system flaws; + - id: si-2_smt.b + name: item + props: + - name: label + value: b. + prose: Test software and firmware updates related to flaw remediation + for effectiveness and potential side effects before installation; + - id: si-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Install security-relevant software and firmware updates\ + \ within {{ insert: param, si-02_odp }} of the release of the\ + \ updates; and" + - id: si-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate flaw remediation into the organizational configuration + management process. + - id: si-2_gdn + name: guidance + prose: >- + The need to remediate system flaws applies to all types of + software and firmware. Organizations identify systems affected + by software flaws, including potential vulnerabilities resulting + from those flaws, and report this information to designated + organizational personnel with information security and privacy + responsibilities. Security-relevant updates include patches, + service packs, and malicious code signatures. Organizations also + address flaws discovered during assessments, continuous + monitoring, incident response activities, and system error + handling. By incorporating flaw remediation into configuration + management processes, required remediation actions can be + tracked and verified. + + + Organization-defined time periods for updating security-relevant software + and firmware may vary based on a variety of risk factors, including + the security category of the system, the criticality of the update + (i.e., severity of the vulnerability related to the discovered flaw), + the organizational risk tolerance, the mission supported by the system, + or the threat environment. Some types of flaw remediation may require + more testing than other types. Organizations determine the type of + testing needed for the specific type of flaw remediation activity + under consideration and the types of changes that are to be configuration-managed. + In some situations, organizations may determine that the testing of + software or firmware updates is not necessary or practical, such as + when implementing simple malicious code signature updates. In testing + decisions, organizations consider whether security-relevant software + or firmware updates are obtained from authorized sources with appropriate + digital signatures. + - id: si-2_obj + name: assessment-objective + props: + - name: label + value: SI-02 + class: sp800-53a + parts: + - id: si-2_obj.a + name: assessment-objective + props: + - name: label + value: SI-02a. + class: sp800-53a + parts: + - id: si-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-02a.[01] + class: sp800-53a + prose: system flaws are identified; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-02a.[02] + class: sp800-53a + prose: system flaws are reported; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-02a.[03] + class: sp800-53a + prose: system flaws are corrected; + links: + - href: "#si-2_smt.a" + rel: assessment-for + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.b + name: assessment-objective + props: + - name: label + value: SI-02b. + class: sp800-53a + parts: + - id: si-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-02b.[01] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-02b.[02] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-02b.[03] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SI-02b.[04] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.c + name: assessment-objective + props: + - name: label + value: SI-02c. + class: sp800-53a + parts: + - id: si-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-02c.[01] + class: sp800-53a + prose: "security-relevant software updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-02c.[02] + class: sp800-53a + prose: "security-relevant firmware updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.d + name: assessment-objective + props: + - name: label + value: SI-02d. + class: sp800-53a + prose: flaw remediation is incorporated into the organizational + configuration management process. + links: + - href: "#si-2_smt.d" + rel: assessment-for + links: + - href: "#si-2_smt" + rel: assessment-for + - id: si-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + procedures addressing configuration management + + + list of flaws and vulnerabilities potentially affecting the system + + + list of recent security flaw remediation actions performed on + the system (e.g., list of installed patches, service packs, hot + fixes, and other software updates to correct system flaws) + + + test results from the installation of software and firmware updates + to correct system flaws + + + installation/change control records for security-relevant software + and firmware updates + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel responsible for installing, configuring, + and/or maintaining the system + + + organizational personnel responsible for flaw remediation + + + organizational personnel with configuration management responsibilities + - id: si-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + organizational process for installing software and firmware updates + + + mechanisms supporting and/or implementing the reporting and correcting + of system flaws + + + mechanisms supporting and/or implementing testing software and + firmware updates + controls: + - id: si-2.2 + class: SP800-53-enhancement + title: Automated Flaw Remediation Status + params: + - id: si-02.02_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to determine if applicable security-relevant + software and firmware updates are installed on system components + are defined; + - id: si-02.02_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to determine if applicable security-relevant + software and firmware updates are installed on system components + is defined; + props: + - name: label + value: SI-2(2) + - name: label + value: SI-02(02) + class: sp800-53a + - name: sort-id + value: si-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#si-2" + rel: required + - href: "#ca-7" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-2.2_smt + name: statement + prose: "Determine if system components have applicable security-relevant\ + \ software and firmware updates installed using {{ insert: param,\ + \ si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + - id: si-2.2_gdn + name: guidance + prose: Automated mechanisms can track and determine the status of + known flaws for system components. + - id: si-2.2_obj + name: assessment-objective + props: + - name: label + value: SI-02(02) + class: sp800-53a + prose: "system components have applicable security-relevant software\ + \ and firmware updates installed {{ insert: param, si-02.02_odp.02\ + \ }} using {{ insert: param, si-02.02_odp.01 }}." + links: + - href: "#si-2.2_smt" + rel: assessment-for + - id: si-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + automated mechanisms supporting centralized management of + flaw remediation + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for flaw remediation + - id: si-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms used to determine the state of system + components with regard to flaw remediation + - id: si-2.3 + class: SP800-53-enhancement + title: Time to Remediate Flaws and Benchmarks for Corrective Actions + params: + - id: si-02.03_odp + label: benchmarks + guidelines: + - prose: the benchmarks for taking corrective actions are defined; + props: + - name: label + value: SI-2(3) + - name: label + value: SI-02(03) + class: sp800-53a + - name: sort-id + value: si-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#si-2" + rel: required + parts: + - id: si-2.3_smt + name: statement + parts: + - id: si-2.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Measure the time between flaw identification and flaw + remediation; and + - id: si-2.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Establish the following benchmarks for taking corrective\ + \ actions: {{ insert: param, si-02.03_odp }}." + - id: si-2.3_gdn + name: guidance + prose: Organizations determine the time it takes on average to correct + system flaws after such flaws have been identified and subsequently + establish organizational benchmarks (i.e., time frames) for taking + corrective actions. Benchmarks can be established by the type + of flaw or the severity of the potential vulnerability if the + flaw can be exploited. + - id: si-2.3_obj + name: assessment-objective + props: + - name: label + value: SI-02(03) + class: sp800-53a + parts: + - id: si-2.3_obj.a + name: assessment-objective + props: + - name: label + value: SI-02(03)(a) + class: sp800-53a + prose: the time between flaw identification and flaw remediation + is measured; + links: + - href: "#si-2.3_smt.a" + rel: assessment-for + - id: si-2.3_obj.b + name: assessment-objective + props: + - name: label + value: SI-02(03)(b) + class: sp800-53a + prose: " {{ insert: param, si-02.03_odp }} for taking corrective\ + \ actions have been established." + links: + - href: "#si-2.3_smt.b" + rel: assessment-for + links: + - href: "#si-2.3_smt" + rel: assessment-for + - id: si-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + system design documentation + + + system configuration settings and associated documentation + + + list of benchmarks for taking corrective action on identified + flaws + + + records that provide timestamps of flaw identification and + subsequent flaw remediation activities + + + system security plan + + + other relevant documents or records + - id: si-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for flaw remediation + - id: si-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + mechanisms used to measure the time between flaw identification + and flaw remediation + - id: si-3 + class: SP800-53 + title: Malicious Code Protection + params: + - id: si-03_odp.01 + constraints: + - description: signature based and non-signature based + select: + how-many: one-or-more + choice: + - signature-based + - non-signature-based + - id: si-03_odp.02 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: the frequency at which malicious code protection mechanisms + perform scans is defined; + - id: si-03_odp.03 + constraints: + - description: to include endpoints and network entry and exit points + select: + how-many: one-or-more + choice: + - endpoint + - network entry and exit points + - id: si-03_odp.04 + constraints: + - description: to include blocking and quarantining malicious code + select: + how-many: one-or-more + choice: + - block malicious code + - quarantine malicious code + - "take {{ insert: param, si-03_odp.05 }} " + - id: si-03_odp.05 + label: action + constraints: + - description: administrator or defined security personnel near-realtime + guidelines: + - prose: action to be taken in response to malicious code detection + are defined (if selected); + - id: si-03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when malicious code is detected + is/are defined; + props: + - name: label + value: SI-3 + - name: label + value: SI-03 + class: sp800-53a + - name: sort-id + value: si-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#88660532-2dcf-442e-845c-03340ce48999" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-8" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-3_smt + name: statement + parts: + - id: si-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Implement {{ insert: param, si-03_odp.01 }} malicious code\ + \ protection mechanisms at system entry and exit points to detect\ + \ and eradicate malicious code;" + - id: si-3_smt.b + name: item + props: + - name: label + value: b. + prose: Automatically update malicious code protection mechanisms + as new releases are available in accordance with organizational + configuration management policy and procedures; + - id: si-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Configure malicious code protection mechanisms to:" + parts: + - id: si-3_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }} and real-time scans of files from external\ + \ sources at {{ insert: param, si-03_odp.03 }} as the files\ + \ are downloaded, opened, or executed in accordance with organizational\ + \ policy; and" + - id: si-3_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, si-03_odp.04 }} ; and send alert\ + \ to {{ insert: param, si-03_odp.06 }} in response to malicious\ + \ code detection; and" + - id: si-3_smt.d + name: item + props: + - name: label + value: d. + prose: Address the receipt of false positives during malicious code + detection and eradication and the resulting potential impact on + the availability of the system. + - id: si-3_gdn + name: guidance + prose: >- + System entry and exit points include firewalls, remote access + servers, workstations, electronic mail servers, web servers, + proxy servers, notebook computers, and mobile devices. Malicious + code includes viruses, worms, Trojan horses, and spyware. + Malicious code can also be encoded in various formats contained + within compressed or hidden files or hidden in files using + techniques such as steganography. Malicious code can be inserted + into systems in a variety of ways, including by electronic mail, + the world-wide web, and portable storage devices. Malicious code + insertions occur through the exploitation of system + vulnerabilities. A variety of technologies and methods exist to + limit or eliminate the effects of malicious code. + + + Malicious code protection mechanisms include both signature- and nonsignature-based + technologies. Nonsignature-based detection mechanisms include artificial + intelligence techniques that use heuristics to detect, analyze, and + describe the characteristics or behavior of malicious code and to + provide controls against such code for which signatures do not yet + exist or for which existing signatures may not be effective. Malicious + code for which active signatures do not yet exist or may be ineffective + includes polymorphic malicious code (i.e., code that changes signatures + when it replicates). Nonsignature-based mechanisms also include reputation-based + technologies. In addition to the above technologies, pervasive configuration + management, comprehensive software integrity controls, and anti-exploitation + software may be effective in preventing the execution of unauthorized + code. Malicious code may be present in commercial off-the-shelf software + as well as custom-built software and could include logic bombs, backdoors, + and other types of attacks that could affect organizational mission + and business functions. + + + In situations where malicious code cannot be detected by detection + methods or technologies, organizations rely on other types of controls, + including secure coding practices, configuration management and control, + trusted procurement processes, and monitoring practices to ensure + that software does not perform functions other than the functions + intended. Organizations may determine that, in response to the detection + of malicious code, different actions may be warranted. For example, + organizations can define actions in response to malicious code detection + during periodic scans, the detection of malicious downloads, or the + detection of maliciousness when attempting to open or execute files. + - id: si-3_obj + name: assessment-objective + props: + - name: label + value: SI-03 + class: sp800-53a + parts: + - id: si-3_obj.a + name: assessment-objective + props: + - name: label + value: SI-03a. + class: sp800-53a + parts: + - id: si-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-03a.[01] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to detect malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-03a.[02] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to eradicate malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.b + name: assessment-objective + props: + - name: label + value: SI-03b. + class: sp800-53a + prose: malicious code protection mechanisms are updated automatically + as new releases are available in accordance with organizational + configuration management policy and procedures; + links: + - href: "#si-3_smt.b" + rel: assessment-for + - id: si-3_obj.c + name: assessment-objective + props: + - name: label + value: SI-03c. + class: sp800-53a + parts: + - id: si-3_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-03c.01 + class: sp800-53a + parts: + - id: si-3_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-03c.01[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }};" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-03c.01[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform real-time scans of files from external sources\ + \ at {{ insert: param, si-03_odp.03 }} as the files are\ + \ downloaded, opened, or executed in accordance with organizational\ + \ policy;" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-03c.02 + class: sp800-53a + parts: + - id: si-3_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-03c.02[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to {{ insert: param, si-03_odp.04 }} in response to\ + \ malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + - id: si-3_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-03c.02[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to send alerts to {{ insert: param, si-03_odp.06 }}\ + \ in response to malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c" + rel: assessment-for + - id: si-3_obj.d + name: assessment-objective + props: + - name: label + value: SI-03d. + class: sp800-53a + prose: the receipt of false positives during malicious code detection + and eradication and the resulting potential impact on the availability + of the system are addressed. + links: + - href: "#si-3_smt.d" + rel: assessment-for + links: + - href: "#si-3_smt" + rel: assessment-for + - id: si-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + configuration management policy and procedures + + + procedures addressing malicious code protection + + + malicious code protection mechanisms + + + records of malicious code protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + scan results from malicious code protection mechanisms + + + record of actions initiated by malicious code protection mechanisms + in response to malicious code detection + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for malicious code protection + + + organizational personnel with configuration management responsibilities + - id: si-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for employing, updating, and + configuring malicious code protection mechanisms + + + organizational processes for addressing false positives and resulting + potential impacts + + + mechanisms supporting and/or implementing, employing, updating, + and configuring malicious code protection mechanisms + + + mechanisms supporting and/or implementing malicious code scanning + and subsequent actions + - id: si-4 + class: SP800-53 + title: System Monitoring + params: + - id: si-04_odp.01 + label: monitoring objectives + guidelines: + - prose: monitoring objectives to detect attacks and indicators of + potential attacks on the system are defined; + - id: si-04_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods used to identify unauthorized use + of the system are defined; + - id: si-04_odp.03 + label: system monitoring information + guidelines: + - prose: system monitoring information to be provided to personnel + or roles is defined; + - id: si-04_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom system monitoring information + is to be provided is/are defined; + - id: si-04_odp.05 + select: + how-many: one-or-more + choice: + - as needed + - " {{ insert: param, si-04_odp.06 }} " + - id: si-04_odp.06 + label: frequency + guidelines: + - prose: a frequency for providing system monitoring to personnel + or roles is defined (if selected); + props: + - name: label + value: SI-4 + - name: label + value: SI-04 + class: sp800-53a + - name: sort-id + value: si-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#au-13" + rel: related + - href: "#au-14" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-12" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-36" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-6" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: si-4_smt + name: statement + parts: + - id: si-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor the system to detect:" + parts: + - id: si-4_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: {{ insert: param,\ + \ si-04_odp.01 }} ; and" + - id: si-4_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Unauthorized local, network, and remote connections; + - id: si-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Identify unauthorized use of the system through the following\ + \ techniques and methods: {{ insert: param, si-04_odp.02 }};" + - id: si-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Invoke internal monitoring capabilities or deploy monitoring\ + \ devices:" + parts: + - id: si-4_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Strategically within the system to collect organization-determined + essential information; and + - id: si-4_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: At ad hoc locations within the system to track specific + types of transactions of interest to the organization; + - id: si-4_smt.d + name: item + props: + - name: label + value: d. + prose: Analyze detected events and anomalies; + - id: si-4_smt.e + name: item + props: + - name: label + value: e. + prose: Adjust the level of system monitoring activity when there + is a change in risk to organizational operations and assets, individuals, + other organizations, or the Nation; + - id: si-4_smt.f + name: item + props: + - name: label + value: f. + prose: Obtain legal opinion regarding system monitoring activities; + and + - id: si-4_smt.g + name: item + props: + - name: label + value: g. + prose: "Provide {{ insert: param, si-04_odp.03 }} to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + - id: si-4_fr + name: item + title: SI-4 Additional FedRAMP Requirements and Guidance + parts: + - id: si-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See US-CERT Incident Response Reporting Guidelines. + - id: si-4_gdn + name: guidance + prose: >- + System monitoring includes external and internal monitoring. + External monitoring includes the observation of events occurring + at external interfaces to the system. Internal monitoring + includes the observation of events occurring within the system. + Organizations monitor systems by observing audit activities in + real time or by observing other system aspects such as access + patterns, characteristics of access, and other actions. The + monitoring objectives guide and inform the determination of the + events. System monitoring capabilities are achieved through a + variety of tools and techniques, including intrusion detection + and prevention systems, malicious code protection software, + scanning tools, audit record monitoring software, and network + monitoring software. + + + Depending on the security architecture, the distribution and configuration + of monitoring devices may impact throughput at key internal and external + boundaries as well as at other locations across a network due to the + introduction of network throughput latency. If throughput management + is needed, such devices are strategically located and deployed as + part of an established organization-wide security architecture. Strategic + locations for monitoring devices include selected perimeter locations + and near key servers and server farms that support critical applications. + Monitoring devices are typically employed at the managed interfaces + associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information + collected is a function of the organizational monitoring objectives + and the capability of systems to support such objectives. Specific + types of transactions of interest include Hypertext Transfer Protocol + (HTTP) traffic that bypasses HTTP proxies. System monitoring is an + integral part of organizational continuous monitoring and incident + response programs, and output from system monitoring serves as input + to those programs. System monitoring requirements, including the need + for specific types of system monitoring, may be referenced in other + controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), + [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), + [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) + ). Adjustments to levels of system monitoring are based on law enforcement + information, intelligence information, or other sources of information. + The legality of system monitoring activities is based on applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: si-4_obj + name: assessment-objective + props: + - name: label + value: SI-04 + class: sp800-53a + parts: + - id: si-4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04a. + class: sp800-53a + parts: + - id: si-4_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-04a.01 + class: sp800-53a + prose: "the system is monitored to detect attacks and indicators\ + \ of potential attacks in accordance with {{ insert: param,\ + \ si-04_odp.01 }};" + links: + - href: "#si-4_smt.a.1" + rel: assessment-for + - id: si-4_obj.a.2 + name: assessment-objective + props: + - name: label + value: SI-04a.02 + class: sp800-53a + parts: + - id: si-4_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SI-04a.02[01] + class: sp800-53a + prose: the system is monitored to detect unauthorized local + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SI-04a.02[02] + class: sp800-53a + prose: the system is monitored to detect unauthorized network + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SI-04a.02[03] + class: sp800-53a + prose: the system is monitored to detect unauthorized remote + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a" + rel: assessment-for + - id: si-4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04b. + class: sp800-53a + prose: "unauthorized use of the system is identified through {{\ + \ insert: param, si-04_odp.02 }};" + links: + - href: "#si-4_smt.b" + rel: assessment-for + - id: si-4_obj.c + name: assessment-objective + props: + - name: label + value: SI-04c. + class: sp800-53a + parts: + - id: si-4_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-04c.01 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed strategically within the system to collect + organization-determined essential information; + links: + - href: "#si-4_smt.c.1" + rel: assessment-for + - id: si-4_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-04c.02 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed at ad hoc locations within the system + to track specific types of transactions of interest to the + organization; + links: + - href: "#si-4_smt.c.2" + rel: assessment-for + links: + - href: "#si-4_smt.c" + rel: assessment-for + - id: si-4_obj.d + name: assessment-objective + props: + - name: label + value: SI-04d. + class: sp800-53a + parts: + - id: si-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SI-04d.[01] + class: sp800-53a + prose: detected events are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SI-04d.[02] + class: sp800-53a + prose: detected anomalies are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.e + name: assessment-objective + props: + - name: label + value: SI-04e. + class: sp800-53a + prose: the level of system monitoring activity is adjusted when + there is a change in risk to organizational operations and assets, + individuals, other organizations, or the Nation; + links: + - href: "#si-4_smt.e" + rel: assessment-for + - id: si-4_obj.f + name: assessment-objective + props: + - name: label + value: SI-04f. + class: sp800-53a + prose: a legal opinion regarding system monitoring activities is + obtained; + links: + - href: "#si-4_smt.f" + rel: assessment-for + - id: si-4_obj.g + name: assessment-objective + props: + - name: label + value: SI-04g. + class: sp800-53a + prose: " {{ insert: param, si-04_odp.03 }} is provided to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + links: + - href: "#si-4_smt.g" + rel: assessment-for + links: + - href: "#si-4_smt" + rel: assessment-for + - id: si-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + continuous monitoring strategy + + + facility diagram/layout + + + system design documentation + + + system monitoring tools and techniques documentation + + + locations within the system where monitoring devices are deployed + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: si-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring capabilities + controls: + - id: si-4.1 + class: SP800-53-enhancement + title: System-wide Intrusion Detection System + props: + - name: label + value: SI-4(1) + - name: label + value: SI-04(01) + class: sp800-53a + - name: sort-id + value: si-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.1_smt + name: statement + prose: Connect and configure individual intrusion detection tools + into a system-wide intrusion detection system. + - id: si-4.1_gdn + name: guidance + prose: Linking individual intrusion detection tools into a system-wide + intrusion detection system provides additional coverage and effective + detection capabilities. The information contained in one intrusion + detection tool can be shared widely across the organization, making + the system-wide detection capability more robust and powerful. + - id: si-4.1_obj + name: assessment-objective + props: + - name: label + value: SI-04(01) + class: sp800-53a + parts: + - id: si-4.1_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(01)[01] + class: sp800-53a + prose: individual intrusion detection tools are connected to + a system-wide intrusion detection system; + links: + - href: "#si-4.1_smt" + rel: assessment-for + - id: si-4.1_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(01)[02] + class: sp800-53a + prose: individual intrusion detection tools are configured into + a system-wide intrusion detection system. + links: + - href: "#si-4.1_smt" + rel: assessment-for + links: + - href: "#si-4.1_smt" + rel: assessment-for + - id: si-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + capabilities + - id: si-4.2 + class: SP800-53-enhancement + title: Automated Tools and Mechanisms for Real-time Analysis + props: + - name: label + value: SI-4(2) + - name: label + value: SI-04(02) + class: sp800-53a + - name: sort-id + value: si-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#pm-23" + rel: related + - href: "#pm-25" + rel: related + parts: + - id: si-4.2_smt + name: statement + prose: Employ automated tools and mechanisms to support near real-time + analysis of events. + - id: si-4.2_gdn + name: guidance + prose: Automated tools and mechanisms include host-based, network-based, + transport-based, or storage-based event monitoring tools and mechanisms + or security information and event management (SIEM) technologies + that provide real-time analysis of alerts and notifications generated + by organizational systems. Automated monitoring techniques can + create unintended privacy risks because automated controls may + connect to external or otherwise unrelated systems. The matching + of records between these systems may create linkages with unintended + consequences. Organizations assess and document these risks in + their privacy impact assessment and make determinations that are + in alignment with their privacy program plan. + - id: si-4.2_obj + name: assessment-objective + props: + - name: label + value: SI-04(02) + class: sp800-53a + prose: automated tools and mechanisms are employed to support a + near real-time analysis of events. + links: + - href: "#si-4.2_smt" + rel: assessment-for + - id: si-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + privacy plan + + + privacy program plan + + + privacy impact assessment + + + privacy risk management documentation + + + other relevant documents or records + - id: si-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for incident response/management + - id: si-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for the near real-time analysis + of events + + + organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring + + + mechanisms/tools supporting and/or implementing an analysis + of events + - id: si-4.4 + class: SP800-53-enhancement + title: Inbound and Outbound Communications Traffic + params: + - id: si-4.4_prm_1 + label: organization-defined frequency + constraints: + - description: continuously + - id: si-4.4_prm_2 + label: organization-defined unusual or unauthorized activities or + conditions + - id: si-04.04_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to monitor inbound communications + traffic for unusual or unauthorized activities or conditions + is defined; + - id: si-04.04_odp.02 + label: unusual or unauthorized activities or conditions + guidelines: + - prose: unusual or unauthorized activities or conditions that + are to be monitored in inbound communications traffic are + defined; + - id: si-04.04_odp.03 + label: frequency + guidelines: + - prose: the frequency at which to monitor outbound communications + traffic for unusual or unauthorized activities or conditions + is defined; + - id: si-04.04_odp.04 + label: unusual or unauthorized activities or conditions + guidelines: + - prose: unusual or unauthorized activities or conditions that + are to be monitored in outbound communications traffic are + defined; + props: + - name: label + value: SI-4(4) + - name: label + value: SI-04(04) + class: sp800-53a + - name: sort-id + value: si-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.4_smt + name: statement + parts: + - id: si-4.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Determine criteria for unusual or unauthorized activities + or conditions for inbound and outbound communications traffic; + - id: si-4.4_smt.b + name: item + props: + - name: label + value: (b) + prose: "Monitor inbound and outbound communications traffic\ + \ {{ insert: param, si-4.4_prm_1 }} for {{ insert: param,\ + \ si-4.4_prm_2 }}." + - id: si-4.4_gdn + name: guidance + prose: Unusual or unauthorized activities or conditions related + to system inbound and outbound communications traffic includes + internal traffic that indicates the presence of malicious code + or unauthorized use of legitimate code or credentials within organizational + systems or propagating among system components, signaling to external + systems, and the unauthorized exporting of information. Evidence + of malicious code or unauthorized use of legitimate code or credentials + is used to identify potentially compromised systems or system + components. + - id: si-4.4_obj + name: assessment-objective + props: + - name: label + value: SI-04(04) + class: sp800-53a + parts: + - id: si-4.4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04(04)(a) + class: sp800-53a + parts: + - id: si-4.4_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-04(04)(a)[01] + class: sp800-53a + prose: criteria for unusual or unauthorized activities or + conditions for inbound communications traffic are defined; + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + - id: si-4.4_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-04(04)(a)[02] + class: sp800-53a + prose: criteria for unusual or unauthorized activities or + conditions for outbound communications traffic are defined; + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + - id: si-4.4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04(04)(b) + class: sp800-53a + parts: + - id: si-4.4_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-04(04)(b)[01] + class: sp800-53a + prose: "inbound communications traffic is monitored {{ insert:\ + \ param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02\ + \ }};" + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + - id: si-4.4_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-04(04)(b)[02] + class: sp800-53a + prose: "outbound communications traffic is monitored {{\ + \ insert: param, si-04.04_odp.03 }} for {{ insert: param,\ + \ si-04.04_odp.04 }}." + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + links: + - href: "#si-4.4_smt" + rel: assessment-for + - id: si-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system protocols + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the monitoring of + inbound and outbound communications traffic + - id: si-4.5 + class: SP800-53-enhancement + title: System-generated Alerts + params: + - id: si-04.05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when indications of + compromise or potential compromise occur is/are defined; + - id: si-04.05_odp.02 + label: compromise indicators + guidelines: + - prose: compromise indicators are defined; + props: + - name: label + value: SI-4(5) + - name: label + value: SI-04(05) + class: sp800-53a + - name: sort-id + value: si-04.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: si-4.5_smt + name: statement + prose: "Alert {{ insert: param, si-04.05_odp.01 }} when the following\ + \ system-generated indications of compromise or potential compromise\ + \ occur: {{ insert: param, si-04.05_odp.02 }}." + parts: + - id: si-4.5_fr + name: item + title: SI-4 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: si-4.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with the incident response plan. + - id: si-4.5_gdn + name: guidance + prose: Alerts may be generated from a variety of sources, including + audit records or inputs from malicious code protection mechanisms, + intrusion detection or prevention mechanisms, or boundary protection + devices such as firewalls, gateways, and routers. Alerts can be + automated and may be transmitted telephonically, by electronic + mail messages, or by text messaging. Organizational personnel + on the alert notification list can include system administrators, + mission or business owners, system owners, information owners/stewards, + senior agency information security officers, senior agency officials + for privacy, system security officers, or privacy officers. In + contrast to alerts generated by the system, alerts generated by + organizations in [SI-4(12)](#si-4.12) focus on information sources + external to the system, such as suspicious activity reports and + reports on potential insider threats. + - id: si-4.5_obj + name: assessment-objective + props: + - name: label + value: SI-04(05) + class: sp800-53a + prose: " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated\ + \ {{ insert: param, si-04.05_odp.02 }} occur." + links: + - href: "#si-4.5_smt" + rel: assessment-for + - id: si-4.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + list of personnel selected to receive alerts + + + documentation of alerts generated based on compromise indicators + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-4.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel on the system alert notification + list + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing alerts for compromise + indicators + - id: si-4.10 + class: SP800-53-enhancement + title: Visibility of Encrypted Communications + params: + - id: si-04.10_odp.01 + label: encrypted communications traffic + guidelines: + - prose: encrypted communications traffic to be made visible to + system monitoring tools and mechanisms is defined; + - id: si-04.10_odp.02 + label: system monitoring tools and mechanisms + guidelines: + - prose: system monitoring tools and mechanisms to be provided + access to encrypted communications traffic are defined; + props: + - name: label + value: SI-4(10) + - name: label + value: SI-04(10) + class: sp800-53a + - name: sort-id + value: si-04.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.10_smt + name: statement + prose: "Make provisions so that {{ insert: param, si-04.10_odp.01\ + \ }} is visible to {{ insert: param, si-04.10_odp.02 }}." + parts: + - id: si-4.10_fr + name: item + title: SI-4 (10) Additional FedRAMP Requirements and Guidance + parts: + - id: si-4.10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must support Agency requirements + to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). + - id: si-4.10_gdn + name: guidance + prose: Organizations balance the need to encrypt communications + traffic to protect data confidentiality with the need to maintain + visibility into such traffic from a monitoring perspective. Organizations + determine whether the visibility requirement applies to internal + encrypted traffic, encrypted traffic intended for external destinations, + or a subset of the traffic types. + - id: si-4.10_obj + name: assessment-objective + props: + - name: label + value: SI-04(10) + class: sp800-53a + prose: "provisions are made so that {{ insert: param, si-04.10_odp.01\ + \ }} is visible to {{ insert: param, si-04.10_odp.02 }}." + links: + - href: "#si-4.10_smt" + rel: assessment-for + - id: si-4.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system protocols + + + system security plan + + + other relevant documents or records + - id: si-4.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the visibility of + encrypted communications traffic to monitoring tools + - id: si-4.11 + class: SP800-53-enhancement + title: Analyze Communications Traffic Anomalies + params: + - id: si-04.11_odp + label: interior points + guidelines: + - prose: interior points within the system where communications + traffic is to be analyzed are defined; + props: + - name: label + value: SI-4(11) + - name: label + value: SI-04(11) + class: sp800-53a + - name: sort-id + value: si-04.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.11_smt + name: statement + prose: "Analyze outbound communications traffic at the external\ + \ interfaces to the system and selected {{ insert: param, si-04.11_odp\ + \ }} to discover anomalies." + - id: si-4.11_gdn + name: guidance + prose: Organization-defined interior points include subnetworks + and subsystems. Anomalies within organizational systems include + large file transfers, long-time persistent connections, attempts + to access information from unexpected locations, the use of unusual + protocols and ports, the use of unmonitored network protocols + (e.g., IPv6 usage during IPv4 transition), and attempted communications + with suspected malicious external addresses. + - id: si-4.11_obj + name: assessment-objective + props: + - name: label + value: SI-04(11) + class: sp800-53a + parts: + - id: si-4.11_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(11)[01] + class: sp800-53a + prose: outbound communications traffic at the external interfaces + to the system is analyzed to discover anomalies; + links: + - href: "#si-4.11_smt" + rel: assessment-for + - id: si-4.11_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(11)[02] + class: sp800-53a + prose: "outbound communications traffic at {{ insert: param,\ + \ si-04.11_odp }} is analyzed to discover anomalies." + links: + - href: "#si-4.11_smt" + rel: assessment-for + links: + - href: "#si-4.11_smt" + rel: assessment-for + - id: si-4.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + network diagram + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the analysis of + communications traffic + - id: si-4.12 + class: SP800-53-enhancement + title: Automated Organization-generated Alerts + params: + - id: si-04.12_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when indications of + inappropriate or unusual activity with security or privacy + implications occur is/are defined; + - id: si-04.12_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to alert personnel or roles + are defined; + - id: si-04.12_odp.03 + label: activities that trigger alerts + guidelines: + - prose: activities that trigger alerts to personnel or are defined; + props: + - name: label + value: SI-4(12) + - name: label + value: SI-04(12) + class: sp800-53a + - name: sort-id + value: si-04.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.12_smt + name: statement + prose: "Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert:\ + \ param, si-04.12_odp.02 }} when the following indications of\ + \ inappropriate or unusual activities with security or privacy\ + \ implications occur: {{ insert: param, si-04.12_odp.03 }}." + - id: si-4.12_gdn + name: guidance + prose: Organizational personnel on the system alert notification + list include system administrators, mission or business owners, + system owners, senior agency information security officer, senior + agency official for privacy, system security officers, or privacy + officers. Automated organization-generated alerts are the security + alerts generated by organizations and transmitted using automated + means. The sources for organization-generated alerts are focused + on other entities such as suspicious activity reports and reports + on potential insider threats. In contrast to alerts generated + by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) + focus on information sources that are internal to the systems, + such as audit records. + - id: si-4.12_obj + name: assessment-objective + props: + - name: label + value: SI-04(12) + class: sp800-53a + prose: " {{ insert: param, si-04.12_odp.01 }} is/are alerted using\ + \ {{ insert: param, si-04.12_odp.02 }} when {{ insert: param,\ + \ si-04.12_odp.03 }} indicate inappropriate or unusual activities\ + \ with security or privacy implications." + links: + - href: "#si-4.12_smt" + rel: assessment-for + - id: si-4.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + list of inappropriate or unusual activities with security + and privacy implications that trigger alerts + + + suspicious activity reports + + + alerts provided to security and privacy personnel + + + system monitoring logs or records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-4.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + automated mechanisms supporting and/or implementing intrusion + detection and system monitoring capabilities + + + automated mechanisms supporting and/or implementing automated + alerts to security personnel + - id: si-4.14 + class: SP800-53-enhancement + title: Wireless Intrusion Detection + props: + - name: label + value: SI-4(14) + - name: label + value: SI-04(14) + class: sp800-53a + - name: sort-id + value: si-04.14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#ac-18" + rel: related + - href: "#ia-3" + rel: related + parts: + - id: si-4.14_smt + name: statement + prose: Employ a wireless intrusion detection system to identify + rogue wireless devices and to detect attack attempts and potential + compromises or breaches to the system. + - id: si-4.14_gdn + name: guidance + prose: Wireless signals may radiate beyond organizational facilities. + Organizations proactively search for unauthorized wireless connections, + including the conduct of thorough scans for unauthorized wireless + access points. Wireless scans are not limited to those areas within + facilities containing systems but also include areas outside of + facilities to verify that unauthorized wireless access points + are not connected to organizational systems. + - id: si-4.14_obj + name: assessment-objective + props: + - name: label + value: SI-04(14) + class: sp800-53a + parts: + - id: si-4.14_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(14)[01] + class: sp800-53a + prose: a wireless intrusion detection system is employed to + identify rogue wireless devices; + links: + - href: "#si-4.14_smt" + rel: assessment-for + - id: si-4.14_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(14)[02] + class: sp800-53a + prose: a wireless intrusion detection system is employed to + detect attack attempts on the system; + links: + - href: "#si-4.14_smt" + rel: assessment-for + - id: si-4.14_obj-3 + name: assessment-objective + props: + - name: label + value: SI-04(14)[03] + class: sp800-53a + prose: a wireless intrusion detection system is employed to + detect potential compromises or breaches to the system. + links: + - href: "#si-4.14_smt" + rel: assessment-for + links: + - href: "#si-4.14_smt" + rel: assessment-for + - id: si-4.14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(14)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system protocols + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(14)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(14)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection + + + mechanisms supporting and/or implementing a wireless intrusion + detection capability + - id: si-4.16 + class: SP800-53-enhancement + title: Correlate Monitoring Information + props: + - name: label + value: SI-4(16) + - name: label + value: SI-04(16) + class: sp800-53a + - name: sort-id + value: si-04.16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#au-6" + rel: related + parts: + - id: si-4.16_smt + name: statement + prose: Correlate information from monitoring tools and mechanisms + employed throughout the system. + - id: si-4.16_gdn + name: guidance + prose: Correlating information from different system monitoring + tools and mechanisms can provide a more comprehensive view of + system activity. Correlating system monitoring tools and mechanisms + that typically work in isolation—including malicious code protection + software, host monitoring, and network monitoring—can provide + an organization-wide monitoring view and may reveal otherwise + unseen attack patterns. Understanding the capabilities and limitations + of diverse monitoring tools and mechanisms and how to maximize + the use of information generated by those tools and mechanisms + can help organizations develop, operate, and maintain effective + monitoring programs. The correlation of monitoring information + is especially important during the transition from older to newer + technologies (e.g., transitioning from IPv4 to IPv6 network protocols). + - id: si-4.16_obj + name: assessment-objective + props: + - name: label + value: SI-04(16) + class: sp800-53a + prose: information from monitoring tools and mechanisms employed + throughout the system is correlated. + links: + - href: "#si-4.16_smt" + rel: assessment-for + - id: si-4.16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(16)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + event correlation logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(16)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(16)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the correlation + of information from monitoring tools + - id: si-4.18 + class: SP800-53-enhancement + title: Analyze Traffic and Covert Exfiltration + params: + - id: si-04.18_odp + label: interior points + guidelines: + - prose: interior points within the system where communications + traffic is to be analyzed are defined; + props: + - name: label + value: SI-4(18) + - name: label + value: SI-04(18) + class: sp800-53a + - name: sort-id + value: si-04.18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.18_smt + name: statement + prose: "Analyze outbound communications traffic at external interfaces\ + \ to the system and at the following interior points to detect\ + \ covert exfiltration of information: {{ insert: param, si-04.18_odp\ + \ }}." + - id: si-4.18_gdn + name: guidance + prose: Organization-defined interior points include subnetworks + and subsystems. Covert means that can be used to exfiltrate information + include steganography. + - id: si-4.18_obj + name: assessment-objective + props: + - name: label + value: SI-04(18) + class: sp800-53a + parts: + - id: si-4.18_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(18)[01] + class: sp800-53a + prose: outbound communications traffic is analyzed at interfaces + external to the system to detect covert exfiltration of information; + links: + - href: "#si-4.18_smt" + rel: assessment-for + - id: si-4.18_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(18)[02] + class: sp800-53a + prose: "outbound communications traffic is analyzed at {{ insert:\ + \ param, si-04.18_odp }} to detect covert exfiltration of\ + \ information." + links: + - href: "#si-4.18_smt" + rel: assessment-for + links: + - href: "#si-4.18_smt" + rel: assessment-for + - id: si-4.18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(18)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + network diagram + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(18)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(18)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing an analysis of outbound + communications traffic + - id: si-4.19 + class: SP800-53-enhancement + title: Risk for Individuals + params: + - id: si-04.19_odp.01 + label: additional monitoring + guidelines: + - prose: additional monitoring of individuals who have been identified + as posing an increased level of risk is defined; + - id: si-04.19_odp.02 + label: sources + guidelines: + - prose: sources that identify individuals who pose an increased + level of risk are defined; + props: + - name: label + value: SI-4(19) + - name: label + value: SI-04(19) + class: sp800-53a + - name: sort-id + value: si-04.19 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.19_smt + name: statement + prose: "Implement {{ insert: param, si-04.19_odp.01 }} of individuals\ + \ who have been identified by {{ insert: param, si-04.19_odp.02\ + \ }} as posing an increased level of risk." + - id: si-4.19_gdn + name: guidance + prose: Indications of increased risk from individuals can be obtained + from different sources, including personnel records, intelligence + agencies, law enforcement organizations, and other sources. The + monitoring of individuals is coordinated with the management, + legal, security, privacy, and human resource officials who conduct + such monitoring. Monitoring is conducted in accordance with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: si-4.19_obj + name: assessment-objective + props: + - name: label + value: SI-04(19) + class: sp800-53a + prose: " {{ insert: param, si-04.19_odp.01 }} is implemented on\ + \ individuals who have been identified by {{ insert: param, si-04.19_odp.02\ + \ }} as posing an increased level of risk." + links: + - href: "#si-4.19_smt" + rel: assessment-for + - id: si-4.19_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(19)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-4.19_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(19)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + legal counsel + + + human resource officials + + + organizational personnel with personnel security responsibilities + - id: si-4.19_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(19)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing a system monitoring + capability + - id: si-4.20 + class: SP800-53-enhancement + title: Privileged Users + params: + - id: si-04.20_odp + label: additional monitoring + guidelines: + - prose: additional monitoring of privileged users is defined; + props: + - name: label + value: SI-4(20) + - name: label + value: SI-04(20) + class: sp800-53a + - name: sort-id + value: si-04.20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#ac-18" + rel: related + parts: + - id: si-4.20_smt + name: statement + prose: "Implement the following additional monitoring of privileged\ + \ users: {{ insert: param, si-04.20_odp }}." + - id: si-4.20_gdn + name: guidance + prose: Privileged users have access to more sensitive information, + including security-related information, than the general user + population. Access to such information means that privileged users + can potentially do greater damage to systems and organizations + than non-privileged users. Therefore, implementing additional + monitoring on privileged users helps to ensure that organizations + can identify malicious activity at the earliest possible time + and take appropriate actions. + - id: si-4.20_obj + name: assessment-objective + props: + - name: label + value: SI-04(20) + class: sp800-53a + prose: " {{ insert: param, si-04.20_odp }} of privileged users is\ + \ implemented." + links: + - href: "#si-4.20_smt" + rel: assessment-for + - id: si-4.20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(20)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(20)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4.20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(20)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing a system monitoring + capability + - id: si-4.22 + class: SP800-53-enhancement + title: Unauthorized Network Services + params: + - id: si-04.22_odp.01 + label: authorization or approval processes + guidelines: + - prose: authorization or approval processes for network services + are defined; + - id: si-04.22_odp.02 + select: + how-many: one-or-more + choice: + - audit + - "alert {{ insert: param, si-04.22_odp.03 }} " + - id: si-04.22_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted upon the detection of + network services that have not been authorized or approved + by authorization or approval processes is/are defined (if + selected); + props: + - name: label + value: SI-4(22) + - name: label + value: SI-04(22) + class: sp800-53a + - name: sort-id + value: si-04.22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#cm-7" + rel: related + parts: + - id: si-4.22_smt + name: statement + parts: + - id: si-4.22_smt.a + name: item + props: + - name: label + value: (a) + prose: "Detect network services that have not been authorized\ + \ or approved by {{ insert: param, si-04.22_odp.01 }} ; and" + - id: si-4.22_smt.b + name: item + props: + - name: label + value: (b) + prose: " {{ insert: param, si-04.22_odp.02 }} when detected." + - id: si-4.22_gdn + name: guidance + prose: Unauthorized or unapproved network services include services + in service-oriented architectures that lack organizational verification + or validation and may therefore be unreliable or serve as malicious + rogues for valid services. + - id: si-4.22_obj + name: assessment-objective + props: + - name: label + value: SI-04(22) + class: sp800-53a + parts: + - id: si-4.22_obj.a + name: assessment-objective + props: + - name: label + value: SI-04(22)(a) + class: sp800-53a + prose: "network services that have not been authorized or approved\ + \ by {{ insert: param, si-04.22_odp.01 }} are detected;" + links: + - href: "#si-4.22_smt.a" + rel: assessment-for + - id: si-4.22_obj.b + name: assessment-objective + props: + - name: label + value: SI-04(22)(b) + class: sp800-53a + prose: " {{ insert: param, si-04.22_odp.02 }} is/are initiated\ + \ when network services that have not been authorized or approved\ + \ by authorization or approval processes are detected." + links: + - href: "#si-4.22_smt.b" + rel: assessment-for + links: + - href: "#si-4.22_smt" + rel: assessment-for + - id: si-4.22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(22)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + documented authorization/approval of network services + + + notifications or alerts of unauthorized network services + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(22)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4.22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(22)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing a system monitoring + capability + + + mechanisms for auditing network services + + + mechanisms for providing alerts + - id: si-4.23 + class: SP800-53-enhancement + title: Host-based Devices + params: + - id: si-04.23_odp.01 + label: host-based monitoring mechanisms + guidelines: + - prose: host-based monitoring mechanisms to be implemented on + system components are defined; + - id: si-04.23_odp.02 + label: system components + guidelines: + - prose: system components where host-based monitoring is to be + implemented are defined; + props: + - name: label + value: SI-4(23) + - name: label + value: SI-04(23) + class: sp800-53a + - name: sort-id + value: si-04.23 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + parts: + - id: si-4.23_smt + name: statement + prose: "Implement the following host-based monitoring mechanisms\ + \ at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01\ + \ }}." + - id: si-4.23_gdn + name: guidance + prose: Host-based monitoring collects information about the host + (or system in which it resides). System components in which host-based + monitoring can be implemented include servers, notebook computers, + and mobile devices. Organizations may consider employing host-based + monitoring mechanisms from multiple product developers or vendors. + - id: si-4.23_obj + name: assessment-objective + props: + - name: label + value: SI-04(23) + class: sp800-53a + prose: " {{ insert: param, si-04.23_odp.01 }} are implemented on\ + \ {{ insert: param, si-04.23_odp.02 }}." + links: + - href: "#si-4.23_smt" + rel: assessment-for + - id: si-4.23_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(23)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + host-based monitoring mechanisms + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + list of system components requiring host-based monitoring + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.23_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(23)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring system + hosts + - id: si-4.23_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(23)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing a host-based monitoring + capability + - id: si-5 + class: SP800-53 + title: Security Alerts, Advisories, and Directives + params: + - id: si-05_odp.01 + label: external organizations + constraints: + - description: to include US-CERT and Cybersecurity and Infrastructure + Security Agency (CISA) Directives + guidelines: + - prose: external organizations from whom system security alerts, + advisories, and directives are to be received on an ongoing basis + are defined; + - id: si-05_odp.02 + constraints: + - description: to include system security personnel and administrators + with configuration/patch-management responsibilities + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-05_odp.03 }} " + - " {{ insert: param, si-05_odp.04 }} " + - " {{ insert: param, si-05_odp.05 }} " + - id: si-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom security alerts, advisories, and + directives are to be disseminated is/are defined (if selected); + - id: si-05_odp.04 + label: elements + guidelines: + - prose: elements within the organization to whom security alerts, + advisories, and directives are to be disseminated are defined + (if selected); + - id: si-05_odp.05 + label: external organizations + guidelines: + - prose: external organizations to whom security alerts, advisories, + and directives are to be disseminated are defined (if selected); + props: + - name: label + value: SI-5 + - name: label + value: SI-05 + class: sp800-53a + - name: sort-id + value: si-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#pm-15" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-2" + rel: related + parts: + - id: si-5_smt + name: statement + parts: + - id: si-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Receive system security alerts, advisories, and directives\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + - id: si-5_smt.b + name: item + props: + - name: label + value: b. + prose: Generate internal security alerts, advisories, and directives + as deemed necessary; + - id: si-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Disseminate security alerts, advisories, and directives\ + \ to: {{ insert: param, si-05_odp.02 }} ; and" + - id: si-5_smt.d + name: item + props: + - name: label + value: d. + prose: Implement security directives in accordance with established + time frames, or notify the issuing organization of the degree + of noncompliance. + - id: si-5_fr_smt.1 + name: item + title: SI-5 Additional FedRAMP Requirements and Guidance + props: + - name: label + value: "Requirement:" + prose: Service Providers must address the CISA Emergency and Binding + Operational Directives applicable to their cloud service offering + per FedRAMP guidance. This includes listing the applicable directives + and stating compliance status. + - id: si-5_gdn + name: guidance + prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates + security alerts and advisories to maintain situational awareness throughout + the Federal Government. Security directives are issued by OMB or other + designated organizations with the responsibility and authority to + issue such directives. Compliance with security directives is essential + due to the critical nature of many of these directives and the potential + (immediate) adverse effects on organizational operations and assets, + individuals, other organizations, and the Nation should the directives + not be implemented in a timely manner. External organizations include + supply chain partners, external mission or business partners, external + service providers, and other peer or supporting organizations. + - id: si-5_obj + name: assessment-objective + props: + - name: label + value: SI-05 + class: sp800-53a + parts: + - id: si-5_obj.a + name: assessment-objective + props: + - name: label + value: SI-05a. + class: sp800-53a + prose: "system security alerts, advisories, and directives are received\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + links: + - href: "#si-5_smt.a" + rel: assessment-for + - id: si-5_obj.b + name: assessment-objective + props: + - name: label + value: SI-05b. + class: sp800-53a + prose: internal security alerts, advisories, and directives are + generated as deemed necessary; + links: + - href: "#si-5_smt.b" + rel: assessment-for + - id: si-5_obj.c + name: assessment-objective + props: + - name: label + value: SI-05c. + class: sp800-53a + prose: "security alerts, advisories, and directives are disseminated\ + \ to {{ insert: param, si-05_odp.02 }};" + links: + - href: "#si-5_smt.c" + rel: assessment-for + - id: si-5_obj.d + name: assessment-objective + props: + - name: label + value: SI-05d. + class: sp800-53a + prose: security directives are implemented in accordance with established + time frames or if the issuing organization is notified of the + degree of noncompliance. + links: + - href: "#si-5_smt.d" + rel: assessment-for + links: + - href: "#si-5_smt" + rel: assessment-for + - id: si-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security alerts, advisories, and directives + + + records of security alerts and advisories + + + system security plan + + + other relevant documents or records + - id: si-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security alert and advisory + responsibilities + + + organizational personnel implementing, operating, maintaining, + and using the system + + + organizational personnel, organizational elements, and/or external + organizations to whom alerts, advisories, and directives are to + be disseminated + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: si-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining, receiving, + generating, disseminating, and complying with security + alerts, advisories, and directives + + + mechanisms supporting and/or implementing the definition, receipt, + generation, and dissemination of security alerts, advisories, + and directives + + + mechanisms supporting and/or implementing security directives + controls: + - id: si-5.1 + class: SP800-53-enhancement + title: Automated Alerts and Advisories + params: + - id: si-05.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to broadcast security alert + and advisory information throughout the organization are defined; + props: + - name: label + value: SI-5(1) + - name: label + value: SI-05(01) + class: sp800-53a + - name: sort-id + value: si-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-5" + rel: required + parts: + - id: si-5.1_smt + name: statement + prose: "Broadcast security alert and advisory information throughout\ + \ the organization using {{ insert: param, si-05.01_odp }}." + - id: si-5.1_gdn + name: guidance + prose: The significant number of changes to organizational systems + and environments of operation requires the dissemination of security-related + information to a variety of organizational entities that have + a direct interest in the success of organizational mission and + business functions. Based on information provided by security + alerts and advisories, changes may be required at one or more + of the three levels related to the management of risk, including + the governance level, mission and business process level, and + the information system level. + - id: si-5.1_obj + name: assessment-objective + props: + - name: label + value: SI-05(01) + class: sp800-53a + prose: " {{ insert: param, si-05.01_odp }} are used to broadcast\ + \ security alert and advisory information throughout the organization." + links: + - href: "#si-5.1_smt" + rel: assessment-for + - id: si-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security alerts, advisories, and directives + + + system design documentation + + + system configuration settings and associated documentation + + + automated mechanisms supporting the distribution of security + alert and advisory information + + + records of security alerts and advisories + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security alert and + advisory responsibilities + + + organizational personnel implementing, operating, maintaining, + and using the system + + + organizational personnel, organizational elements, and/or + external organizations to whom alerts and advisories are to + be disseminated + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: si-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining, receiving, + generating, and disseminating security alerts and + advisories + + + automated mechanisms supporting and/or implementing the dissemination + of security alerts and advisories + - id: si-6 + class: SP800-53 + title: Security and Privacy Function Verification + params: + - id: si-6_prm_1 + label: organization-defined security and privacy functions + - id: si-06_odp.01 + label: security functions + guidelines: + - prose: security functions to be verified for correct operation are + defined; + - id: si-06_odp.02 + label: privacy functions + guidelines: + - prose: privacy functions to be verified for correct operation are + defined; + - id: si-06_odp.03 + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-06_odp.04 }} " + - upon command by user with appropriate privilege + - " {{ insert: param, si-06_odp.05 }} " + - id: si-06_odp.04 + label: system transitional states + constraints: + - description: to include upon system startup and/or restart + guidelines: + - prose: system transitional states requiring the verification of + security and privacy functions are defined; (if selected) + - id: si-06_odp.05 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to verify the correct operation of security + and privacy functions is defined; (if selected) + - id: si-06_odp.06 + label: personnel or roles + constraints: + - description: to include system administrators and security personnel + guidelines: + - prose: personnel or roles to be alerted of failed security and privacy + verification tests is/are defined; + - id: si-06_odp.07 + select: + how-many: one-or-more + choice: + - shut the system down + - restart the system + - " {{ insert: param, si-06_odp.08 }} " + - id: si-06_odp.08 + label: alternative action(s) + guidelines: + - prose: alternative action(s) to be performed when anomalies are + discovered are defined (if selected); + props: + - name: label + value: SI-6 + - name: label + value: SI-06 + class: sp800-53a + - name: sort-id + value: si-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#si-7" + rel: related + parts: + - id: si-6_smt + name: statement + parts: + - id: si-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Verify the correct operation of {{ insert: param, si-6_prm_1\ + \ }};" + - id: si-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Perform the verification of the functions specified in SI-6a\ + \ {{ insert: param, si-06_odp.03 }};" + - id: si-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Alert {{ insert: param, si-06_odp.06 }} to failed security\ + \ and privacy verification tests; and" + - id: si-6_smt.d + name: item + props: + - name: label + value: d. + prose: " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + - id: si-6_gdn + name: guidance + prose: Transitional states for systems include system startup, restart, + shutdown, and abort. System notifications include hardware indicator + lights, electronic alerts to system administrators, and messages to + local computer consoles. In contrast to security function verification, + privacy function verification ensures that privacy functions operate + as expected and are approved by the senior agency official for privacy + or that privacy attributes are applied or used as expected. + - id: si-6_obj + name: assessment-objective + props: + - name: label + value: SI-06 + class: sp800-53a + parts: + - id: si-6_obj.a + name: assessment-objective + props: + - name: label + value: SI-06a. + class: sp800-53a + parts: + - id: si-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-06a.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.01 }} are verified to be\ + \ operating correctly;" + links: + - href: "#si-6_smt.a" + rel: assessment-for + - id: si-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-06a.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.02 }} are verified to be\ + \ operating correctly;" + links: + - href: "#si-6_smt.a" + rel: assessment-for + links: + - href: "#si-6_smt.a" + rel: assessment-for + - id: si-6_obj.b + name: assessment-objective + props: + - name: label + value: SI-06b. + class: sp800-53a + parts: + - id: si-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-06b.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.01 }} are verified {{ insert:\ + \ param, si-06_odp.03 }};" + links: + - href: "#si-6_smt.b" + rel: assessment-for + - id: si-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-06b.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.02 }} are verified {{ insert:\ + \ param, si-06_odp.03 }};" + links: + - href: "#si-6_smt.b" + rel: assessment-for + links: + - href: "#si-6_smt.b" + rel: assessment-for + - id: si-6_obj.c + name: assessment-objective + props: + - name: label + value: SI-06c. + class: sp800-53a + parts: + - id: si-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-06c.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.06 }} is/are alerted to\ + \ failed security verification tests;" + links: + - href: "#si-6_smt.c" + rel: assessment-for + - id: si-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-06c.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.06 }} is/are alerted to\ + \ failed privacy verification tests;" + links: + - href: "#si-6_smt.c" + rel: assessment-for + links: + - href: "#si-6_smt.c" + rel: assessment-for + - id: si-6_obj.d + name: assessment-objective + props: + - name: label + value: SI-06d. + class: sp800-53a + prose: " {{ insert: param, si-06_odp.07 }} is/are initiated when\ + \ anomalies are discovered." + links: + - href: "#si-6_smt.d" + rel: assessment-for + links: + - href: "#si-6_smt" + rel: assessment-for + - id: si-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security and privacy function verification + + + system design documentation + + + system configuration settings and associated documentation + + + alerts/notifications of failed security verification tests + + + list of system transition states requiring security functionality + verification + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy function + verification responsibilities + + + organizational personnel implementing, operating, and maintaining + the system + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developer + - id: si-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy function + verification + + + mechanisms supporting and/or implementing the security and privacy + function verification capability + - id: si-7 + class: SP800-53 + title: Software, Firmware, and Information Integrity + params: + - id: si-7_prm_1 + label: organization-defined software, firmware, and information + - id: si-7_prm_2 + label: organization-defined actions + - id: si-07_odp.01 + label: software + guidelines: + - prose: software requiring integrity verification tools to be employed + to detect unauthorized changes is defined; + - id: si-07_odp.02 + label: firmware + guidelines: + - prose: firmware requiring integrity verification tools to be employed + to detect unauthorized changes is defined; + - id: si-07_odp.03 + label: information + guidelines: + - prose: information requiring integrity verification tools to be + employed to detect unauthorized changes is defined; + - id: si-07_odp.04 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to software + are detected are defined; + - id: si-07_odp.05 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to firmware + are detected are defined; + - id: si-07_odp.06 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to information + are detected are defined; + props: + - name: label + value: SI-7 + - name: label + value: SI-07 + class: sp800-53a + - name: sort-id + value: si-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#e47ee630-9cbc-4133-880e-e013f83ccd51" + rel: reference + - href: "#ac-4" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-3" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: si-7_smt + name: statement + parts: + - id: si-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Employ integrity verification tools to detect unauthorized\ + \ changes to the following software, firmware, and information:\ + \ {{ insert: param, si-7_prm_1 }} ; and" + - id: si-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following actions when unauthorized changes to\ + \ the software, firmware, and information are detected: {{ insert:\ + \ param, si-7_prm_2 }}." + - id: si-7_gdn + name: guidance + prose: Unauthorized changes to software, firmware, and information can + occur due to errors or malicious activity. Software includes operating + systems (with key internal components, such as kernels or drivers), + middleware, and applications. Firmware interfaces include Unified + Extensible Firmware Interface (UEFI) and Basic Input/Output System + (BIOS). Information includes personally identifiable information and + metadata that contains security and privacy attributes associated + with information. Integrity-checking mechanisms—including parity checks, + cyclical redundancy checks, cryptographic hashes, and associated tools—can + automatically monitor the integrity of systems and hosted applications. + - id: si-7_obj + name: assessment-objective + props: + - name: label + value: SI-07 + class: sp800-53a + parts: + - id: si-7_obj.a + name: assessment-objective + props: + - name: label + value: SI-07a. + class: sp800-53a + parts: + - id: si-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-07a.[01] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.01 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-07a.[02] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.02 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-07a.[03] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.03 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.b + name: assessment-objective + props: + - name: label + value: SI-07b. + class: sp800-53a + parts: + - id: si-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-07b.[01] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.04 }} are taken when unauthorized\ + \ changes to the software, are detected;" + links: + - href: "#si-7_smt.b" + rel: assessment-for + - id: si-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-07b.[02] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.05 }} are taken when unauthorized\ + \ changes to the firmware are detected;" + links: + - href: "#si-7_smt.b" + rel: assessment-for + - id: si-7_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-07b.[03] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.06 }} are taken when unauthorized\ + \ changes to the information are detected." + links: + - href: "#si-7_smt.b" + rel: assessment-for + links: + - href: "#si-7_smt.b" + rel: assessment-for + links: + - href: "#si-7_smt" + rel: assessment-for + - id: si-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information integrity + + + personally identifiable information processing policy + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records generated or triggered by integrity verification tools + regarding unauthorized software, firmware, and information changes + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, firmware, + and/or information integrity + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: si-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Software, firmware, and information integrity verification + tools + controls: + - id: si-7.1 + class: SP800-53-enhancement + title: Integrity Checks + params: + - id: si-7.1_prm_1 + label: organization-defined software, firmware, and information + - id: si-7.1_prm_2 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-7.1_prm_3 }} " + - " {{ insert: param, si-7.1_prm_4 }} " + - id: si-7.1_prm_3 + label: organization-defined transitional states or security-relevant + events + constraints: + - description: selection to include security relevant event + - id: si-7.1_prm_4 + label: organization-defined frequency + constraints: + - description: at least monthly + - id: si-07.01_odp.01 + label: software + guidelines: + - prose: software on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.02 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.03 }} " + - " {{ insert: param, si-07.01_odp.04 }} " + - id: si-07.01_odp.03 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (on software) are defined (if selected); + - id: si-07.01_odp.04 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (on + software) is defined (if selected); + - id: si-07.01_odp.05 + label: firmware + guidelines: + - prose: firmware on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.06 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.07 }} " + - " {{ insert: param, si-07.01_odp.08 }} " + - id: si-07.01_odp.07 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (on firmware) are defined (if selected); + - id: si-07.01_odp.08 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (on + firmware) is defined (if selected); + - id: si-07.01_odp.09 + label: information + guidelines: + - prose: information on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.10 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.11 }} " + - " {{ insert: param, si-07.01_odp.12 }} " + - id: si-07.01_odp.11 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (of information) are defined (if selected); + - id: si-07.01_odp.12 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (of + information) is defined (if selected); + props: + - name: label + value: SI-7(1) + - name: label + value: SI-07(01) + class: sp800-53a + - name: sort-id + value: si-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + parts: + - id: si-7.1_smt + name: statement + prose: "Perform an integrity check of {{ insert: param, si-7.1_prm_1\ + \ }} {{ insert: param, si-7.1_prm_2 }}." + - id: si-7.1_gdn + name: guidance + prose: Security-relevant events include the identification of new + threats to which organizational systems are susceptible and the + installation of new hardware, software, or firmware. Transitional + states include system startup, restart, shutdown, and abort. + - id: si-7.1_obj + name: assessment-objective + props: + - name: label + value: SI-07(01) + class: sp800-53a + parts: + - id: si-7.1_obj-1 + name: assessment-objective + props: + - name: label + value: SI-07(01)[01] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.01\ + \ }} is performed {{ insert: param, si-07.01_odp.02 }};" + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_obj-2 + name: assessment-objective + props: + - name: label + value: SI-07(01)[02] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.05\ + \ }} is performed {{ insert: param, si-07.01_odp.06 }};" + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_obj-3 + name: assessment-objective + props: + - name: label + value: SI-07(01)[03] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.09\ + \ }} is performed {{ insert: param, si-07.01_odp.10 }}." + links: + - href: "#si-7.1_smt" + rel: assessment-for + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity testing + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records of integrity scans + + + system security plan + + + other relevant documents or records + - id: si-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Software, firmware, and information integrity verification + tools + - id: si-7.2 + class: SP800-53-enhancement + title: Automated Notifications of Integrity Violations + params: + - id: si-07.02_odp + label: personnel or roles + constraints: + - description: to include the ISSO and/or similar role within + the organization + guidelines: + - prose: personnel or roles to whom notification is to be provided + upon discovering discrepancies during integrity verification + is/are defined; + props: + - name: label + value: SI-7(2) + - name: label + value: SI-07(02) + class: sp800-53a + - name: sort-id + value: si-07.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + parts: + - id: si-7.2_smt + name: statement + prose: "Employ automated tools that provide notification to {{ insert:\ + \ param, si-07.02_odp }} upon discovering discrepancies during\ + \ integrity verification." + - id: si-7.2_gdn + name: guidance + prose: The employment of automated tools to report system and information + integrity violations and to notify organizational personnel in + a timely matter is essential to effective risk response. Personnel + with an interest in system and information integrity violations + include mission and business owners, system owners, senior agency + information security official, senior agency official for privacy, + system administrators, software developers, systems integrators, + information security officers, and privacy officers. + - id: si-7.2_obj + name: assessment-objective + props: + - name: label + value: SI-07(02) + class: sp800-53a + prose: "automated tools that provide notification to {{ insert:\ + \ param, si-07.02_odp }} upon discovering discrepancies during\ + \ integrity verification are employed." + links: + - href: "#si-7.2_smt" + rel: assessment-for + - id: si-7.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity + + + personally identifiable information processing policy + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records of integrity scans + + + automated tools supporting alerts and notifications for integrity + discrepancies + + + notifications provided upon discovering discrepancies during + integrity verifications + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-7.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security and privacy + responsibilities + + + system administrators + + + software developers + - id: si-7.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Software, firmware, and information integrity + verification tools + + + mechanisms providing integrity discrepancy notifications + - id: si-7.5 + class: SP800-53-enhancement + title: Automated Response to Integrity Violations + params: + - id: si-07.05_odp.01 + select: + how-many: one-or-more + choice: + - shut down the system + - restart the system + - "implement {{ insert: param, si-07.05_odp.02 }} " + - id: si-07.05_odp.02 + label: controls + guidelines: + - prose: controls to be implemented automatically when integrity + violations are discovered are defined (if selected); + props: + - name: label + value: SI-7(5) + - name: label + value: SI-07(05) + class: sp800-53a + - name: sort-id + value: si-07.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + parts: + - id: si-7.5_smt + name: statement + prose: "Automatically {{ insert: param, si-07.05_odp.01 }} when\ + \ integrity violations are discovered." + - id: si-7.5_gdn + name: guidance + prose: Organizations may define different integrity-checking responses + by type of information, specific information, or a combination + of both. Types of information include firmware, software, and + user data. Specific information includes boot firmware for certain + types of machines. The automatic implementation of controls within + organizational systems includes reversing the changes, halting + the system, or triggering audit alerts when unauthorized modifications + to critical security files occur. + - id: si-7.5_obj + name: assessment-objective + props: + - name: label + value: SI-07(05) + class: sp800-53a + prose: " {{ insert: param, si-07.05_odp.01 }} are automatically\ + \ performed when integrity violations are discovered." + links: + - href: "#si-7.5_smt" + rel: assessment-for + - id: si-7.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records of integrity scans + + + records of integrity checks and responses to integrity violations + + + audit records + + + system security plan + + + other relevant documents or records + - id: si-7.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-7.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Software, firmware, and information integrity + verification tools + + + mechanisms providing an automated response to integrity violations + + + mechanisms supporting and/or implementing security safeguards + to be implemented when integrity violations are discovered + - id: si-7.7 + class: SP800-53-enhancement + title: Integration of Detection and Response + params: + - id: si-07.07_odp + label: changes + guidelines: + - prose: security-relevant changes to the system are defined; + props: + - name: label + value: SI-7(7) + - name: label + value: SI-07(07) + class: sp800-53a + - name: sort-id + value: si-07.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-7.7_smt + name: statement + prose: "Incorporate the detection of the following unauthorized\ + \ changes into the organizational incident response capability:\ + \ {{ insert: param, si-07.07_odp }}." + - id: si-7.7_gdn + name: guidance + prose: Integrating detection and response helps to ensure that detected + events are tracked, monitored, corrected, and available for historical + purposes. Maintaining historical records is important for being + able to identify and discern adversary actions over an extended + time period and for possible legal actions. Security-relevant + changes include unauthorized changes to established configuration + settings or the unauthorized elevation of system privileges. + - id: si-7.7_obj + name: assessment-objective + props: + - name: label + value: SI-07(07) + class: sp800-53a + prose: "the detection of {{ insert: param, si-07.07_odp }} are incorporated\ + \ into the organizational incident response capability." + links: + - href: "#si-7.7_smt" + rel: assessment-for + - id: si-7.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity + + + procedures addressing incident response + + + system design documentation + + + system configuration settings and associated documentation + + + incident response records + + + audit records + + + system security plan + + + other relevant documents or records + - id: si-7.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + - id: si-7.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incorporating the detection + of unauthorized security-relevant changes into the + incident response capability + + + software, firmware, and information integrity verification + tools + + + mechanisms supporting and/or implementing the incorporation + of detection of unauthorized security-relevant changes into + the incident response capability + - id: si-7.15 + class: SP800-53-enhancement + title: Code Authentication + params: + - id: si-07.15_odp + label: software or firmware components + constraints: + - description: to include all software and firmware inside the + boundary + guidelines: + - prose: software or firmware components to be authenticated by + cryptographic mechanisms prior to installation are defined; + props: + - name: label + value: SI-7(15) + - name: label + value: SI-07(15) + class: sp800-53a + - name: sort-id + value: si-07.15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + - href: "#cm-5" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: si-7.15_smt + name: statement + prose: "Implement cryptographic mechanisms to authenticate the following\ + \ software or firmware components prior to installation: {{ insert:\ + \ param, si-07.15_odp }}." + - id: si-7.15_gdn + name: guidance + prose: Cryptographic authentication includes verifying that software + or firmware components have been digitally signed using certificates + recognized and approved by organizations. Code signing is an effective + method to protect against malicious code. Organizations that employ + cryptographic mechanisms also consider cryptographic key management + solutions. + - id: si-7.15_obj + name: assessment-objective + props: + - name: label + value: SI-07(15) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to authenticate\ + \ {{ insert: param, si-07.15_odp }} prior to installation." + links: + - href: "#si-7.15_smt" + rel: assessment-for + - id: si-7.15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(15)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-7.15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(15)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-7.15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(15)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms authenticating software and + firmware prior to installation + - id: si-8 + class: SP800-53 + title: Spam Protection + props: + - name: label + value: SI-8 + - name: label + value: SI-08 + class: sp800-53a + - name: sort-id + value: si-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#314e33cb-3681-4b50-a2a2-3fae9604accd" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#pl-9" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-8_smt + name: statement + parts: + - id: si-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ spam protection mechanisms at system entry and exit + points to detect and act on unsolicited messages; and + - id: si-8_smt.b + name: item + props: + - name: label + value: b. + prose: Update spam protection mechanisms when new releases are available + in accordance with organizational configuration management policy + and procedures. + - id: si-8_fr + name: item + title: SI-8 Additional FedRAMP Requirements and Guidance + parts: + - id: si-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + When CSO sends email on behalf of the government as part + of the business offering, Control Description should + include implementation of Domain-based Message + Authentication, Reporting & Conformance (DMARC) on the + sending domain for outgoing messages as described in DHS + Binding Operational Directive (BOD) 18-01. + + + https://cyber.dhs.gov/bod/18-01/ + - id: si-8_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "CSPs should confirm DMARC configuration (where appropriate)\ + \ to ensure that policy=reject and the rua parameter includes\ + \ reports@dmarc.cyber.dhs.gov. DMARC compliance should be\ + \ documented in the SI-08 control implementation solution\ + \ description, and list the FROM: domain(s) that will be seen\ + \ by email recipients." + - id: si-8_gdn + name: guidance + prose: System entry and exit points include firewalls, remote-access + servers, electronic mail servers, web servers, proxy servers, workstations, + notebook computers, and mobile devices. Spam can be transported by + different means, including email, email attachments, and web accesses. + Spam protection mechanisms include signature definitions. + - id: si-8_obj + name: assessment-objective + props: + - name: label + value: SI-08 + class: sp800-53a + parts: + - id: si-8_obj.a + name: assessment-objective + props: + - name: label + value: SI-08a. + class: sp800-53a + parts: + - id: si-8_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-08a.[01] + class: sp800-53a + prose: spam protection mechanisms are employed at system entry + points to detect unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-08a.[02] + class: sp800-53a + prose: spam protection mechanisms are employed at system exit + points to detect unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-08a.[03] + class: sp800-53a + prose: spam protection mechanisms are employed at system entry + points to act on unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-4 + name: assessment-objective + props: + - name: label + value: SI-08a.[04] + class: sp800-53a + prose: spam protection mechanisms are employed at system exit + points to act on unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.b + name: assessment-objective + props: + - name: label + value: SI-08b. + class: sp800-53a + prose: spam protection mechanisms are updated when new releases + are available in accordance with organizational configuration + management policies and procedures. + links: + - href: "#si-8_smt.b" + rel: assessment-for + links: + - href: "#si-8_smt" + rel: assessment-for + - id: si-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and information integrity policy + + system and information integrity procedures + + configuration management policies and procedures (CM-01) + + procedures addressing spam protection + + spam protection mechanisms + + records of spam protection updates + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: si-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for spam protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for implementing spam protection + + mechanisms supporting and/or implementing spam protection + controls: + - id: si-8.2 + class: SP800-53-enhancement + title: Automatic Updates + params: + - id: si-08.02_odp + label: frequency + guidelines: + - prose: the frequency at which to automatically update spam protection + mechanisms is defined; + props: + - name: label + value: SI-8(2) + - name: label + value: SI-08(02) + class: sp800-53a + - name: sort-id + value: si-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#si-8" + rel: required + parts: + - id: si-8.2_smt + name: statement + prose: "Automatically update spam protection mechanisms {{ insert:\ + \ param, si-08.02_odp }}." + - id: si-8.2_gdn + name: guidance + prose: Using automated mechanisms to update spam protection mechanisms + helps to ensure that updates occur on a regular basis and provide + the latest content and protection capabilities. + - id: si-8.2_obj + name: assessment-objective + props: + - name: label + value: SI-08(02) + class: sp800-53a + prose: "spam protection mechanisms are automatically updated {{\ + \ insert: param, si-08.02_odp }}." + links: + - href: "#si-8.2_smt" + rel: assessment-for + - id: si-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing spam protection + + + spam protection mechanisms + + + records of spam protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for spam protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for spam protection + + + mechanisms supporting and/or implementing automatic updates + to spam protection mechanisms + - id: si-10 + class: SP800-53 + title: Information Input Validation + params: + - id: si-10_odp + label: information inputs + guidelines: + - prose: information inputs to the system requiring validity checks + are defined; + props: + - name: label + value: SI-10 + - name: label + value: SI-10 + class: sp800-53a + - name: sort-id + value: si-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + parts: + - id: si-10_smt + name: statement + prose: "Check the validity of the following information inputs: {{ insert:\ + \ param, si-10_odp }}." + parts: + - id: si-10_fr + name: item + title: SI-10 Additional FedRAMP Requirements and Guidance + parts: + - id: si-10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Validate all information inputs and document any exceptions + - id: si-10_gdn + name: guidance + prose: Checking the valid syntax and semantics of system inputs—including + character set, length, numerical range, and acceptable values—verifies + that inputs match specified definitions for format and content. For + example, if the organization specifies that numerical values between + 1-100 are the only acceptable inputs for a field in a given application, + inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted + as input to the system. Valid inputs are likely to vary from field + to field within a software application. Applications typically follow + well-defined protocols that use structured messages (i.e., commands + or queries) to communicate between software modules or system components. + Structured messages can contain raw or unstructured data interspersed + with metadata or control information. If software applications use + attacker-supplied inputs to construct structured messages without + properly encoding such messages, then the attacker could insert malicious + commands or special characters that can cause the data to be interpreted + as control information or metadata. Consequently, the module or component + that receives the corrupted output will perform the wrong operations + or otherwise interpret the data incorrectly. Prescreening inputs prior + to passing them to interpreters prevents the content from being unintentionally + interpreted as commands. Input validation ensures accurate and correct + inputs and prevents attacks such as cross-site scripting and a variety + of injection attacks. + - id: si-10_obj + name: assessment-objective + props: + - name: label + value: SI-10 + class: sp800-53a + prose: "the validity of the {{ insert: param, si-10_odp }} is checked." + links: + - href: "#si-10_smt" + rel: assessment-for + - id: si-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + access control policy and procedures + + + separation of duties policy and procedures + + + procedures addressing information input validation + + + documentation for automated tools and applications to verify the + validity of information + + + list of information inputs requiring validity checks + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for information input + validation + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing validity checks + on information inputs + - id: si-11 + class: SP800-53 + title: Error Handling + params: + - id: si-11_odp + label: personnel or roles + constraints: + - description: to include the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to whom error messages are to be revealed + is/are defined; + props: + - name: label + value: SI-11 + - name: label + value: SI-11 + class: sp800-53a + - name: sort-id + value: si-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#sc-31" + rel: related + - href: "#si-2" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-11_smt + name: statement + parts: + - id: si-11_smt.a + name: item + props: + - name: label + value: a. + prose: Generate error messages that provide information necessary + for corrective actions without revealing information that could + be exploited; and + - id: si-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Reveal error messages only to {{ insert: param, si-11_odp\ + \ }}." + - id: si-11_gdn + name: guidance + prose: Organizations consider the structure and content of error messages. + The extent to which systems can handle error conditions is guided + and informed by organizational policy and operational requirements. + Exploitable information includes stack traces and implementation details; + erroneous logon attempts with passwords mistakenly entered as the + username; mission or business information that can be derived from, + if not stated explicitly by, the information recorded; and personally + identifiable information, such as account numbers, social security + numbers, and credit card numbers. Error messages may also provide + a covert channel for transmitting information. + - id: si-11_obj + name: assessment-objective + props: + - name: label + value: SI-11 + class: sp800-53a + parts: + - id: si-11_obj.a + name: assessment-objective + props: + - name: label + value: SI-11a. + class: sp800-53a + prose: error messages that provide the information necessary for + corrective actions are generated without revealing information + that could be exploited; + links: + - href: "#si-11_smt.a" + rel: assessment-for + - id: si-11_obj.b + name: assessment-objective + props: + - name: label + value: SI-11b. + class: sp800-53a + prose: "error messages are revealed only to {{ insert: param, si-11_odp\ + \ }}." + links: + - href: "#si-11_smt.b" + rel: assessment-for + links: + - href: "#si-11_smt" + rel: assessment-for + - id: si-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system error handling + + + system design documentation + + + system configuration settings and associated documentation + + + documentation providing the structure and content of error messages + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for information input + validation + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for error handling + + + automated mechanisms supporting and/or implementing error handling + + + automated mechanisms supporting and/or implementing the management + of error messages + - id: si-12 + class: SP800-53 + title: Information Management and Retention + props: + - name: label + value: SI-12 + - name: label + value: SI-12 + class: sp800-53a + - name: sort-id + value: si-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#e922fc50-b1f9-469f-92ef-ed7d9803611c" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ac-16" + rel: related + - href: "#au-5" + rel: related + - href: "#au-11" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-8" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: si-12_smt + name: statement + prose: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive + orders, directives, regulations, policies, standards, guidelines and + operational requirements. + - id: si-12_gdn + name: guidance + prose: "Information management and retention requirements cover the\ + \ full life cycle of information, in some cases extending beyond system\ + \ disposal. Information to be retained may also include policies,\ + \ procedures, plans, reports, data output from control implementation,\ + \ and other types of administrative information. The National Archives\ + \ and Records Administration (NARA) provides federal policy and guidance\ + \ on records retention and schedules. If organizations have a records\ + \ management office, consider coordinating with records management\ + \ personnel. Records produced from the output of implemented controls\ + \ that may require management and retention include, but are not limited\ + \ to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12),\ + \ [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7),\ + \ [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4),\ + \ [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13),\ + \ [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4),\ + \ [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17),\ + \ [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5),\ + \ [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21),\ + \ [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31),\ + \ [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3),\ + \ [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8),\ + \ [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4),\ + \ [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + - id: si-12_obj + name: assessment-objective + props: + - name: label + value: SI-12 + class: sp800-53a + parts: + - id: si-12_obj-1 + name: assessment-objective + props: + - name: label + value: SI-12[01] + class: sp800-53a + prose: information within the system is managed in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-2 + name: assessment-objective + props: + - name: label + value: SI-12[02] + class: sp800-53a + prose: information within the system is retained in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-3 + name: assessment-objective + props: + - name: label + value: SI-12[03] + class: sp800-53a + prose: information output from the system is managed in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-4 + name: assessment-objective + props: + - name: label + value: SI-12[04] + class: sp800-53a + prose: information output from the system is retained in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements. + links: + - href: "#si-12_smt" + rel: assessment-for + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + personally identifiable information processing policy + + + records retention and disposition policy + + + records retention and disposition procedures + + + federal laws, Executive Orders, directives, policies, regulations, + standards, and operational requirements applicable to information + management and retention + + + media protection policy + + + media protection procedures + + + audit findings + + + system security plan + + + privacy plan + + + privacy program plan + + + personally identifiable information inventory + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: si-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information and records + management, retention, and disposition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + network administrators + - id: si-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for information management, + retention, and disposition + + + automated mechanisms supporting and/or implementing information + management, retention, and disposition + - id: si-16 + class: SP800-53 + title: Memory Protection + params: + - id: si-16_odp + label: controls + guidelines: + - prose: controls to be implemented to protect the system memory from + unauthorized code execution are defined; + props: + - name: label + value: SI-16 + - name: label + value: SI-16 + class: sp800-53a + - name: sort-id + value: si-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-25" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: si-16_smt + name: statement + prose: "Implement the following controls to protect the system memory\ + \ from unauthorized code execution: {{ insert: param, si-16_odp }}." + - id: si-16_gdn + name: guidance + prose: Some adversaries launch attacks with the intent of executing + code in non-executable regions of memory or in memory locations that + are prohibited. Controls employed to protect memory include data execution + prevention and address space layout randomization. Data execution + prevention controls can either be hardware-enforced or software-enforced + with hardware enforcement providing the greater strength of mechanism. + - id: si-16_obj + name: assessment-objective + props: + - name: label + value: SI-16 + class: sp800-53a + prose: " {{ insert: param, si-16_odp }} are implemented to protect the\ + \ system memory from unauthorized code execution." + links: + - href: "#si-16_smt" + rel: assessment-for + - id: si-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing memory protection for the system + + + system design documentation + + + system configuration settings and associated documentation + + + list of security safeguards protecting system memory from unauthorized + code execution + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for memory protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms supporting and/or implementing safeguards + to protect the system memory from unauthorized code execution + - id: sr + class: family + title: Supply Chain Risk Management + controls: + - id: sr-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sr-1_prm_1 + label: organization-defined personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + - id: sr-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management policy + is to be disseminated to is/are defined; + - id: sr-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management procedures + are disseminated to is/are defined; + - id: sr-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sr-01_odp.04 + label: official + guidelines: + - prose: an official to manage the development, documentation, and + dissemination of the supply chain risk management policy and procedures + is defined; + - id: sr-01_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current supply chain risk management + policy is reviewed and updated is defined; + - id: sr-01_odp.06 + label: events + guidelines: + - prose: events that require the current supply chain risk management + policy to be reviewed and updated are defined; + - id: sr-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current supply chain risk management + procedure is reviewed and updated is defined; + - id: sr-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that require the supply chain risk management procedures + to be reviewed and updated are defined; + props: + - name: label + value: SR-1 + - name: label + value: SR-01 + class: sp800-53a + - name: sort-id + value: sr-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sr-1_smt + name: statement + parts: + - id: sr-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sr-1_prm_1 }}:" + parts: + - id: sr-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sr-01_odp.03 }} supply chain risk\ + \ management policy that:" + parts: + - id: sr-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sr-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sr-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the supply + chain risk management policy and the associated supply chain + risk management controls; + - id: sr-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sr-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures; and" + - id: sr-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current supply chain risk management:" + parts: + - id: sr-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sr-01_odp.05 }} and following\ + \ {{ insert: param, sr-01_odp.06 }} ; and" + - id: sr-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sr-01_odp.07 }} and following\ + \ {{ insert: param, sr-01_odp.08 }}." + - id: sr-1_gdn + name: guidance + prose: Supply chain risk management policy and procedures address the + controls in the SR family as well as supply chain-related controls + in other families that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of supply chain + risk management policy and procedures. Security and privacy program + policies and procedures at the organization level are preferable, + in general, and may obviate the need for mission- or system-specific + policies and procedures. The policy can be included as part of the + general security and privacy policy or be represented by multiple + policies that reflect the complex nature of organizations. Procedures + can be established for security and privacy programs, for mission + or business processes, and for systems, if needed. Procedures describe + how the policies or controls are implemented and can be directed at + the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + supply chain risk management policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sr-1_obj + name: assessment-objective + props: + - name: label + value: SR-01 + class: sp800-53a + parts: + - id: sr-1_obj.a + name: assessment-objective + props: + - name: label + value: SR-01a. + class: sp800-53a + parts: + - id: sr-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.[01] + class: sp800-53a + prose: a supply chain risk management policy is developed and + documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.[02] + class: sp800-53a + prose: "the supply chain risk management policy is disseminated\ + \ to {{ insert: param, sr-01_odp.01 }};" + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.[03] + class: sp800-53a + prose: supply chain risk management procedures to facilitate + the implementation of the supply chain risk management policy + and the associated supply chain risk management controls are + developed and documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.[04] + class: sp800-53a + prose: "the supply chain risk management procedures are disseminated\ + \ to {{ insert: param, sr-01_odp.02 }}." + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SR-01a.01 + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SR-01a.01(a) + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses purpose;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses scope; " + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[03] + class: sp800-53a + prose: " {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy addresses roles;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses responsibilities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses management\ + \ commitment;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses compliance." + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sr-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1" + rel: assessment-for + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.b + name: assessment-objective + props: + - name: label + value: SR-01b. + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures;" + links: + - href: "#sr-1_smt.b" + rel: assessment-for + - id: sr-1_obj.c + name: assessment-objective + props: + - name: label + value: SR-01c. + class: sp800-53a + parts: + - id: sr-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SR-01c.01 + class: sp800-53a + parts: + - id: sr-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SR-01c.01[01] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated {{ insert: param, sr-01_odp.05\ + \ }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SR-01c.01[02] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sr-01_odp.06 }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SR-01c.02 + class: sp800-53a + parts: + - id: sr-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SR-01c.02[01] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated {{ insert: param, sr-01_odp.07\ + \ }};" + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + - id: sr-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SR-01c.02[02] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sr-01_odp.08 }}." + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c" + rel: assessment-for + links: + - href: "#sr-1_smt" + rel: assessment-for + - id: sr-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with acquisition responsibilities + + + organizational personnel with enterprise risk management responsibilities + - id: sr-2 + class: SP800-53 + title: Supply Chain Risk Management Plan + params: + - id: sr-02_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services for which + a supply chain risk management plan is developed are defined; + - id: sr-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update the supply chain + risk management plan is defined; + props: + - name: label + value: SR-2 + - name: label + value: SR-02 + class: sp800-53a + - name: sort-id + value: sr-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: sr-2_smt + name: statement + parts: + - id: sr-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a plan for managing supply chain risks associated\ + \ with the research and development, design, manufacturing, acquisition,\ + \ delivery, integration, operations and maintenance, and disposal\ + \ of the following systems, system components or system services:\ + \ {{ insert: param, sr-02_odp.01 }};" + - id: sr-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the supply chain risk management plan\ + \ {{ insert: param, sr-02_odp.02 }} or as required, to address\ + \ threat, organizational or environmental changes; and" + - id: sr-2_smt.c + name: item + props: + - name: label + value: c. + prose: Protect the supply chain risk management plan from unauthorized + disclosure and modification. + - id: sr-2_gdn + name: guidance + prose: >- + The dependence on products, systems, and services from external + providers, as well as the nature of the relationships with those + providers, present an increasing level of risk to an + organization. Threat actions that may increase security or + privacy risks include unauthorized production, the insertion or + use of counterfeits, tampering, theft, insertion of malicious + software and hardware, and poor manufacturing and development + practices in the supply chain. Supply chain risks can be endemic + or systemic within a system element or component, a system, an + organization, a sector, or the Nation. Managing supply chain + risk is a complex, multifaceted undertaking that requires a + coordinated effort across an organization to build trust + relationships and communicate with internal and external + stakeholders. Supply chain risk management (SCRM) activities + include identifying and assessing risks, determining appropriate + risk response actions, developing SCRM plans to document + response actions, and monitoring performance against plans. The + SCRM plan (at the system-level) is implementation specific, + providing policy implementation, requirements, constraints and + implications. It can either be stand-alone, or incorporated into + system security and privacy plans. The SCRM plan addresses + managing, implementation, and monitoring of SCRM controls and + the development/sustainment of systems across the SDLC to + support mission and business functions. + + + Because supply chains can differ significantly across and within organizations, + SCRM plans are tailored to the individual program, organizational, + and operational contexts. Tailored SCRM plans provide the basis for + determining whether a technology, service, system component, or system + is fit for purpose, and as such, the controls need to be tailored + accordingly. Tailored SCRM plans help organizations focus their resources + on the most critical mission and business functions based on mission + and business requirements and their risk environment. Supply chain + risk management plans include an expression of the supply chain risk + tolerance for the organization, acceptable supply chain risk mitigation + strategies or controls, a process for consistently evaluating and + monitoring supply chain risk, approaches for implementing and communicating + the plan, a description of and justification for supply chain risk + mitigation measures taken, and associated roles and responsibilities. + Finally, supply chain risk management plans address requirements for + developing trustworthy, secure, privacy-protective, and resilient + system components and systems, including the application of the security + design principles implemented as part of life cycle-based systems + security engineering processes (see [SA-8](#sa-8)). + - id: sr-2_obj + name: assessment-objective + props: + - name: label + value: SR-02 + class: sp800-53a + parts: + - id: sr-2_obj.a + name: assessment-objective + props: + - name: label + value: SR-02a. + class: sp800-53a + parts: + - id: sr-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-02a.[01] + class: sp800-53a + prose: a plan for managing supply chain risks is developed; + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-02a.[02] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the research and development of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-02a.[03] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the design of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-02a.[04] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the manufacturing of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-5 + name: assessment-objective + props: + - name: label + value: SR-02a.[05] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the acquisition of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-6 + name: assessment-objective + props: + - name: label + value: SR-02a.[06] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the delivery of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-7 + name: assessment-objective + props: + - name: label + value: SR-02a.[07] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the integration of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-8 + name: assessment-objective + props: + - name: label + value: SR-02a.[08] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the operation and maintenance of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-9 + name: assessment-objective + props: + - name: label + value: SR-02a.[09] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the disposal of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.b + name: assessment-objective + props: + - name: label + value: SR-02b. + class: sp800-53a + prose: "the supply chain risk management plan is reviewed and updated\ + \ {{ insert: param, sr-02_odp.02 }} or as required to address\ + \ threat, organizational, or environmental changes;" + links: + - href: "#sr-2_smt.b" + rel: assessment-for + - id: sr-2_obj.c + name: assessment-objective + props: + - name: label + value: SR-02c. + class: sp800-53a + parts: + - id: sr-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SR-02c.[01] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized disclosure; + links: + - href: "#sr-2_smt.c" + rel: assessment-for + - id: sr-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SR-02c.[02] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized modification. + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt" + rel: assessment-for + - id: sr-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures for protecting the supply chain risk management plan + from unauthorized disclosure and modification + + + system development life cycle procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + list of supply chain threats + + + list of safeguards to be taken against supply chain threats + + + system life cycle documentation + + + inter-organizational agreements and procedures + + + system security plan + + + privacy plan + + + privacy program plan + + + other relevant documents or records + - id: sr-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle (SDLC) + + + organizational processes for identifying SDLC roles and responsibilities + + + organizational processes for integrating supply chain risk management + into the SDLC + + + mechanisms supporting and/or implementing the SDLC + controls: + - id: sr-2.1 + class: SP800-53-enhancement + title: Establish SCRM Team + params: + - id: sr-02.01_odp.01 + label: personnel, roles and responsibilities + guidelines: + - prose: the personnel, roles, and responsibilities of the supply + chain risk management team are defined; + - id: sr-02.01_odp.02 + label: supply chain risk management activities + guidelines: + - prose: supply chain risk management activities are defined; + props: + - name: label + value: SR-2(1) + - name: label + value: SR-02(01) + class: sp800-53a + - name: sort-id + value: sr-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-2" + rel: required + parts: + - id: sr-2.1_smt + name: statement + prose: "Establish a supply chain risk management team consisting\ + \ of {{ insert: param, sr-02.01_odp.01 }} to lead and support\ + \ the following SCRM activities: {{ insert: param, sr-02.01_odp.02\ + \ }}." + - id: sr-2.1_gdn + name: guidance + prose: To implement supply chain risk management plans, organizations + establish a coordinated, team-based approach to identify and assess + supply chain risks and manage these risks by using programmatic + and technical mitigation techniques. The team approach enables + organizations to conduct an analysis of their supply chain, communicate + with internal and external partners or stakeholders, and gain + broad consensus regarding the appropriate resources for SCRM. + The SCRM team consists of organizational personnel with diverse + roles and responsibilities for leading and supporting SCRM activities, + including risk executive, information technology, contracting, + information security, privacy, mission or business, legal, supply + chain and logistics, acquisition, business continuity, and other + relevant functions. Members of the SCRM team are involved in various + aspects of the SDLC and, collectively, have an awareness of and + provide expertise in acquisition processes, legal practices, vulnerabilities, + threats, and attack vectors, as well as an understanding of the + technical aspects and dependencies of systems. The SCRM team can + be an extension of the security and privacy risk management processes + or be included as part of an organizational risk management team. + - id: sr-2.1_obj + name: assessment-objective + props: + - name: label + value: SR-02(01) + class: sp800-53a + prose: "a supply chain risk management team consisting of {{ insert:\ + \ param, sr-02.01_odp.01 }} is established to lead and support\ + \ {{ insert: param, sr-02.01_odp.02 }}." + links: + - href: "#sr-2.1_smt" + rel: assessment-for + - id: sr-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management team charter documentation + + supply chain risk management strategy + + supply chain risk management implementation plan + + procedures addressing supply chain protection + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with enterprise risk management responsibilities + + + legal counsel + + + organizational personnel with business continuity responsibilities + - id: sr-3 + class: SP800-53 + title: Supply Chain Controls and Processes + params: + - id: sr-03_odp.01 + label: system or system component + guidelines: + - prose: the system or system component requiring a process or processes + to identify and address weaknesses or deficiencies is defined; + - id: sr-03_odp.02 + label: supply chain personnel + guidelines: + - prose: supply chain personnel with whom to coordinate the process + or processes to identify and address weaknesses or deficiencies + in the supply chain elements and processes is/are defined; + - id: sr-03_odp.03 + label: supply chain controls + guidelines: + - prose: supply chain controls employed to protect against supply + chain risks to the system, system component, or system service + and to limit the harm or consequences from supply chain-related + events are defined; + - id: sr-03_odp.04 + select: + how-many: one-or-more + choice: + - security and privacy plans + - supply chain risk management plan + - " {{ insert: param, sr-03_odp.05 }} " + - id: sr-03_odp.05 + label: document + guidelines: + - prose: the document identifying the selected and implemented supply + chain processes and controls is defined (if selected); + props: + - name: label + value: SR-3 + - name: label + value: SR-03 + class: sp800-53a + - name: sort-id + value: sr-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-29" + rel: related + - href: "#sc-30" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-3_smt + name: statement + parts: + - id: sr-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish a process or processes to identify and address\ + \ weaknesses or deficiencies in the supply chain elements and\ + \ processes of {{ insert: param, sr-03_odp.01 }} in coordination\ + \ with {{ insert: param, sr-03_odp.02 }};" + - id: sr-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to protect against supply\ + \ chain risks to the system, system component, or system service\ + \ and to limit the harm or consequences from supply chain-related\ + \ events: {{ insert: param, sr-03_odp.03 }} ; and" + - id: sr-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document the selected and implemented supply chain processes\ + \ and controls in {{ insert: param, sr-03_odp.04 }}." + - id: sr-3_fr + name: item + title: SR-3 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSO must document and maintain the supply chain custody, + including replacement devices, to ensure the integrity of + the devices before being introduced to the boundary. + - id: sr-3_gdn + name: guidance + prose: Supply chain elements include organizations, entities, or tools + employed for the research and development, design, manufacturing, + acquisition, delivery, integration, operations and maintenance, and + disposal of systems and system components. Supply chain processes + include hardware, software, and firmware development processes; shipping + and handling procedures; personnel security and physical security + programs; configuration management tools, techniques, and measures + to maintain provenance; or other programs, processes, or procedures + associated with the development, acquisition, maintenance and disposal + of systems and system components. Supply chain elements and processes + may be provided by organizations, system integrators, or external + providers. Weaknesses or deficiencies in supply chain elements or + processes represent potential vulnerabilities that can be exploited + by adversaries to cause harm to the organization and affect its ability + to carry out its core missions or business functions. Supply chain + personnel are individuals with roles and responsibilities in the supply + chain. + - id: sr-3_obj + name: assessment-objective + props: + - name: label + value: SR-03 + class: sp800-53a + parts: + - id: sr-3_obj.a + name: assessment-objective + props: + - name: label + value: SR-03a. + class: sp800-53a + parts: + - id: sr-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-03a.[01] + class: sp800-53a + prose: "a process or processes is/are established to identify\ + \ and address weaknesses or deficiencies in the supply chain\ + \ elements and processes of {{ insert: param, sr-03_odp.01\ + \ }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-03a.[02] + class: sp800-53a + prose: "the process or processes to identify and address weaknesses\ + \ or deficiencies in the supply chain elements and processes\ + \ of {{ insert: param, sr-03_odp.01 }} is/are coordinated\ + \ with {{ insert: param, sr-03_odp.02 }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.b + name: assessment-objective + props: + - name: label + value: SR-03b. + class: sp800-53a + prose: " {{ insert: param, sr-03_odp.03 }} are employed to protect\ + \ against supply chain risks to the system, system component,\ + \ or system service and to limit the harm or consequences from\ + \ supply chain-related events;" + links: + - href: "#sr-3_smt.b" + rel: assessment-for + - id: sr-3_obj.c + name: assessment-objective + props: + - name: label + value: SR-03c. + class: sp800-53a + prose: "the selected and implemented supply chain processes and\ + \ controls are documented in {{ insert: param, sr-03_odp.04 }}." + links: + - href: "#sr-3_smt.c" + rel: assessment-for + links: + - href: "#sr-3_smt" + rel: assessment-for + - id: sr-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management strategy + + + supply chain risk management plan + + + systems and critical system components inventory documentation + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems or services + + + risk register documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for identifying and addressing supply + chain element and process deficiencies + - id: sr-5 + class: SP800-53 + title: Acquisition Strategies, Tools, and Methods + params: + - id: sr-05_odp + label: strategies, tools, and methods + guidelines: + - prose: acquisition strategies, contract tools, and procurement methods + to protect against, identify, and mitigate supply chain risks + are defined; + props: + - name: label + value: SR-5 + - name: label + value: SR-05 + class: sp800-53a + - name: sort-id + value: sr-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#at-3" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-5_smt + name: statement + prose: "Employ the following acquisition strategies, contract tools,\ + \ and procurement methods to protect against, identify, and mitigate\ + \ supply chain risks: {{ insert: param, sr-05_odp }}." + - id: sr-5_gdn + name: guidance + prose: The use of the acquisition process provides an important vehicle + to protect the supply chain. There are many useful tools and techniques + available, including obscuring the end use of a system or system component, + using blind or filtered buys, requiring tamper-evident packaging, + or using trusted or controlled distribution. The results from a supply + chain risk assessment can guide and inform the strategies, tools, + and methods that are most applicable to the situation. Tools and techniques + may provide protections against unauthorized production, theft, tampering, + insertion of counterfeits, insertion of malicious software or backdoors, + and poor development practices throughout the system development life + cycle. Organizations also consider providing incentives for suppliers + who implement controls, promote transparency into their processes + and security and privacy practices, provide contract language that + addresses the prohibition of tainted or counterfeit components, and + restrict purchases from untrustworthy suppliers. Organizations consider + providing training, education, and awareness programs for personnel + regarding supply chain risk, available mitigation strategies, and + when the programs should be employed. Methods for reviewing and protecting + development plans, documentation, and evidence are commensurate with + the security and privacy requirements of the organization. Contracts + may specify documentation protection requirements. + - id: sr-5_obj + name: assessment-objective + props: + - name: label + value: SR-05 + class: sp800-53a + parts: + - id: sr-5_obj-1 + name: assessment-objective + props: + - name: label + value: SR-05[01] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to protect\ + \ against supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-2 + name: assessment-objective + props: + - name: label + value: SR-05[02] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to identify\ + \ supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-3 + name: assessment-objective + props: + - name: label + value: SR-05[03] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to mitigate\ + \ supply chain risks." + links: + - href: "#sr-5_smt" + rel: assessment-for + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems, system components, or services + + + documentation of training, education, and awareness programs for + personnel regarding supply chain risk + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and employing tailored + acquisition strategies, contract tools, and procurement + methods + + + mechanisms supporting and/or implementing the definition and employment + of tailored acquisition strategies, contract tools, and procurement + methods + - id: sr-6 + class: SP800-53 + title: Supplier Assessments and Reviews + params: + - id: sr-06_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess and review the supply chain-related + risks associated with suppliers or contractors and the systems, + system components, or system services they provide is defined; + props: + - name: label + value: SR-6 + - name: label + value: SR-06 + class: sp800-53a + - name: sort-id + value: sr-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sr-6_smt + name: statement + prose: "Assess and review the supply chain-related risks associated\ + \ with suppliers or contractors and the system, system component,\ + \ or system service they provide {{ insert: param, sr-06_odp }}." + parts: + - id: sr-6_fr + name: item + title: SR-6 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure that their supply chain vendors build + and test their systems in alignment with NIST SP 800-171 or + a commensurate security and compliance framework. CSOs must + ensure that vendors are compliant with physical facility access + and logical access controls to supplied products. + - id: sr-6_gdn + name: guidance + prose: An assessment and review of supplier risk includes security and + supply chain risk management processes, foreign ownership, control + or influence (FOCI), and the ability of the supplier to effectively + assess subordinate second-tier and third-tier suppliers and contractors. + The reviews may be conducted by the organization or by an independent + third party. The reviews consider documented processes, documented + controls, all-source intelligence, and publicly available information + related to the supplier or contractor. Organizations can use open-source + information to monitor for indications of stolen information, poor + development and quality control practices, information spillage, or + counterfeits. In some cases, it may be appropriate or required to + share assessment and review results with other organizations in accordance + with any applicable rules, policies, or inter-organizational agreements + or contracts. + - id: sr-6_obj + name: assessment-objective + props: + - name: label + value: SR-06 + class: sp800-53a + prose: "the supply chain-related risks associated with suppliers or\ + \ contractors and the systems, system components, or system services\ + \ they provide are assessed and reviewed {{ insert: param, sr-06_odp\ + \ }}." + links: + - href: "#sr-6_smt" + rel: assessment-for + - id: sr-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management strategy + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + procedures addressing the integration of information security + requirements into the acquisition process + + + records of supplier due diligence reviews + + + system security plan + + + other relevant documents or records + - id: sr-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain protection responsibilities + - id: sr-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting supplier reviews + + mechanisms supporting and/or implementing supplier reviews + - id: sr-8 + class: SP800-53 + title: Notification Agreements + params: + - id: sr-08_odp.01 + constraints: + - description: notification of supply chain compromises and results + of assessment or audits + select: + how-many: one-or-more + choice: + - notification of supply chain compromises + - " {{ insert: param, sr-08_odp.02 }} " + - id: sr-08_odp.02 + label: results of assessments or audits + guidelines: + - prose: information for which agreements and procedures are to be + established are defined (if selected); + props: + - name: label + value: SR-8 + - name: label + value: SR-08 + class: sp800-53a + - name: sort-id + value: sr-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: sr-8_smt + name: statement + prose: "Establish agreements and procedures with entities involved in\ + \ the supply chain for the system, system component, or system service\ + \ for the {{ insert: param, sr-08_odp.01 }}." + parts: + - id: sr-8_fr + name: item + title: SR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure and document how they receive notifications + from their supply chain vendor of newly discovered vulnerabilities + including zero-day vulnerabilities. + - id: sr-8_gdn + name: guidance + prose: The establishment of agreements and procedures facilitates communications + among supply chain entities. Early notification of compromises and + potential compromises in the supply chain that can potentially adversely + affect or have adversely affected organizational systems or system + components is essential for organizations to effectively respond to + such incidents. The results of assessments or audits may include open-source + information that contributed to a decision or result and could be + used to help the supply chain entity resolve a concern or improve + its processes. + - id: sr-8_obj + name: assessment-objective + props: + - name: label + value: SR-08 + class: sp800-53a + prose: "agreements and procedures are established with entities involved\ + \ in the supply chain for the system, system components, or system\ + \ service for {{ insert: param, sr-08_odp.01 }}." + links: + - href: "#sr-8_smt" + rel: assessment-for + - id: sr-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for establishing inter-organizational + agreements and procedures with supply chain entities + - id: sr-9 + class: SP800-53 + title: Tamper Resistance and Detection + props: + - name: label + value: SR-9 + - name: label + value: SR-09 + class: sp800-53a + - name: sort-id + value: sr-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#pe-3" + rel: related + - href: "#pm-30" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-9_smt + name: statement + prose: Implement a tamper protection program for the system, system + component, or system service. + parts: + - id: sr-9_fr + name: item + title: SR-9 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure vendors provide authenticity of software + and patches supplied to the service provider including documenting + the safeguards in place. + - id: sr-9_gdn + name: guidance + prose: Anti-tamper technologies, tools, and techniques provide a level + of protection for systems, system components, and services against + many threats, including reverse engineering, modification, and substitution. + Strong identification combined with tamper resistance and/or tamper + detection is essential to protecting systems and components during + distribution and when in use. + - id: sr-9_obj + name: assessment-objective + props: + - name: label + value: SR-09 + class: sp800-53a + prose: a tamper protection program is implemented for the system, system + component, or system service. + links: + - href: "#sr-9_smt" + rel: assessment-for + - id: sr-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + procedures addressing tamper resistance and detection + + + tamper protection program documentation + + + tamper protection tools and techniques documentation + + + tamper resistance and detection tools and techniques documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system security plan + + + other relevant documents or records + - id: sr-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with tamper protection program + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for the implementation of the + tamper protection program + + + mechanisms supporting and/or implementing the tamper protection + program + controls: + - id: sr-9.1 + class: SP800-53-enhancement + title: Multiple Stages of System Development Life Cycle + props: + - name: label + value: SR-9(1) + - name: label + value: SR-09(01) + class: sp800-53a + - name: sort-id + value: sr-09.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-9" + rel: required + - href: "#sa-3" + rel: related + parts: + - id: sr-9.1_smt + name: statement + prose: Employ anti-tamper technologies, tools, and techniques throughout + the system development life cycle. + - id: sr-9.1_gdn + name: guidance + prose: The system development life cycle includes research and development, + design, manufacturing, acquisition, delivery, integration, operations + and maintenance, and disposal. Organizations use a combination + of hardware and software techniques for tamper resistance and + detection. Organizations use obfuscation and self-checking to + make reverse engineering and modifications more difficult, time-consuming, + and expensive for adversaries. The customization of systems and + system components can make substitutions easier to detect and + therefore limit damage. + - id: sr-9.1_obj + name: assessment-objective + props: + - name: label + value: SR-09(01) + class: sp800-53a + prose: anti-tamper technologies, tools, and techniques are employed + throughout the system development life cycle. + links: + - href: "#sr-9.1_smt" + rel: assessment-for + - id: sr-9.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-09(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing tamper resistance and detection + + + tamper protection program documentation + + + tamper protection tools and techniques documentation + + + tamper resistance and detection tools (technologies) and techniques + documentation + + + system development life cycle documentation + + + procedures addressing supply chain protection + + + system development life cycle procedures + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-9.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-09(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with SDLC responsibilities + - id: sr-9.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-09(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for employing anti-tamper + technologies + + + mechanisms supporting and/or implementing anti-tamper technologies + - id: sr-10 + class: SP800-53 + title: Inspection of Systems or Components + params: + - id: sr-10_odp.01 + label: systems or system components + guidelines: + - prose: systems or system components that require inspection are + defined; + - id: sr-10_odp.02 + select: + how-many: one-or-more + choice: + - at random + - "at {{ insert: param, sr-10_odp.03 }} " + - "upon {{ insert: param, sr-10_odp.04 }} " + - id: sr-10_odp.03 + label: frequency + guidelines: + - prose: frequency at which to inspect systems or system components + is defined (if selected); + - id: sr-10_odp.04 + label: indications of need for inspection + guidelines: + - prose: indications of the need for an inspection of systems or system + components are defined (if selected); + props: + - name: label + value: SR-10 + - name: label + value: SR-10 + class: sp800-53a + - name: sort-id + value: sr-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-30" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-10_smt + name: statement + prose: "Inspect the following systems or system components {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01\ + \ }}." + - id: sr-10_gdn + name: guidance + prose: The inspection of systems or systems components for tamper resistance + and detection addresses physical and logical tampering and is applied + to systems and system components removed from organization-controlled + areas. Indications of a need for inspection include changes in packaging, + specifications, factory location, or entity in which the part is purchased, + and when individuals return from travel to high-risk locations. + - id: sr-10_obj + name: assessment-objective + props: + - name: label + value: SR-10 + class: sp800-53a + prose: " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering." + links: + - href: "#sr-10_smt" + rel: assessment-for + - id: sr-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + records of random inspections + + + inspection reports/results + + + assessment reports/results + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with supply + chain entities + + + organizational processes to inspect for tampering + - id: sr-11 + class: SP800-53 + title: Component Authenticity + params: + - id: sr-11_odp.01 + select: + how-many: one-or-more + choice: + - source of counterfeit component + - " {{ insert: param, sr-11_odp.02 }} " + - " {{ insert: param, sr-11_odp.03 }} " + - id: sr-11_odp.02 + label: external reporting organizations + guidelines: + - prose: external reporting organizations to whom counterfeit system + components are to be reported is/are defined (if selected); + - id: sr-11_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom counterfeit system components + are to be reported is/are defined (if selected); + props: + - name: label + value: SR-11 + - name: label + value: SR-11 + class: sp800-53a + - name: sort-id + value: sr-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#pe-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: sr-11_smt + name: statement + parts: + - id: sr-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement anti-counterfeit policy and procedures + that include the means to detect and prevent counterfeit components + from entering the system; and + - id: sr-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Report counterfeit system components to {{ insert: param,\ + \ sr-11_odp.01 }}." + - id: sr-11_fr + name: item + title: SR-11 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure that their supply chain vendors provide + authenticity of software and patches and the vendor must have + a plan to protect the development pipeline. + - id: sr-11_gdn + name: guidance + prose: Sources of counterfeit components include manufacturers, developers, + vendors, and contractors. Anti-counterfeiting policies and procedures + support tamper resistance and provide a level of protection against + the introduction of malicious code. External reporting organizations + include CISA. + - id: sr-11_obj + name: assessment-objective + props: + - name: label + value: SR-11 + class: sp800-53a + parts: + - id: sr-11_obj.a + name: assessment-objective + props: + - name: label + value: SR-11a. + class: sp800-53a + parts: + - id: sr-11_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-11a.[01] + class: sp800-53a + prose: an anti-counterfeit policy is developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-11a.[02] + class: sp800-53a + prose: anti-counterfeit procedures are developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-11a.[03] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + detect counterfeit components entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-11a.[04] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + prevent counterfeit components from entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.b + name: assessment-objective + props: + - name: label + value: SR-11b. + class: sp800-53a + prose: "counterfeit system components are reported to {{ insert:\ + \ param, sr-11_odp.01 }}." + links: + - href: "#sr-11_smt.b" + rel: assessment-for + links: + - href: "#sr-11_smt" + rel: assessment-for + - id: sr-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + reports notifying developers, manufacturers, vendors, contractors, + and/or external reporting organizations of counterfeit system + components + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + records of reported counterfeit system components + + + system security plan + + + other relevant documents or records + - id: sr-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and reporting + - id: sr-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for counterfeit prevention, + detection, and reporting + + + mechanisms supporting and/or implementing anti-counterfeit detection, + prevention, and reporting + controls: + - id: sr-11.1 + class: SP800-53-enhancement + title: Anti-counterfeit Training + params: + - id: sr-11.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles requiring training to detect counterfeit + system components (including hardware, software, and firmware) + is/are defined; + props: + - name: label + value: SR-11(1) + - name: label + value: SR-11(01) + class: sp800-53a + - name: sort-id + value: sr-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#at-3" + rel: related + parts: + - id: sr-11.1_smt + name: statement + prose: "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit\ + \ system components (including hardware, software, and firmware)." + - id: sr-11.1_gdn + name: guidance + prose: None. + - id: sr-11.1_obj + name: assessment-objective + props: + - name: label + value: SR-11(01) + class: sp800-53a + prose: " {{ insert: param, sr-11.01_odp }} are trained to detect\ + \ counterfeit system components (including hardware, software,\ + \ and firmware)." + links: + - href: "#sr-11.1_smt" + rel: assessment-for + - id: sr-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + training materials addressing counterfeit system components + + + training records on the detection and prevention of counterfeit + components entering the system + + + system security plan + + + other relevant documents or records + - id: sr-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and training + - id: sr-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for anti-counterfeit training + - id: sr-11.2 + class: SP800-53-enhancement + title: Configuration Control for Component Service and Repair + params: + - id: sr-11.02_odp + label: system components + constraints: + - description: all + guidelines: + - prose: system components requiring configuration control are + defined; + props: + - name: label + value: SR-11(2) + - name: label + value: SR-11(02) + class: sp800-53a + - name: sort-id + value: sr-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#cm-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-4" + rel: related + - href: "#sa-10" + rel: related + parts: + - id: sr-11.2_smt + name: statement + prose: "Maintain configuration control over the following system\ + \ components awaiting service or repair and serviced or repaired\ + \ components awaiting return to service: {{ insert: param, sr-11.02_odp\ + \ }}." + - id: sr-11.2_gdn + name: guidance + prose: None. + - id: sr-11.2_obj + name: assessment-objective + props: + - name: label + value: SR-11(02) + class: sp800-53a + parts: + - id: sr-11.2_obj-1 + name: assessment-objective + props: + - name: label + value: SR-11(02)[01] + class: sp800-53a + prose: "configuration control over {{ insert: param, sr-11.02_odp\ + \ }} awaiting service or repair is maintained;" + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_obj-2 + name: assessment-objective + props: + - name: label + value: SR-11(02)[02] + class: sp800-53a + prose: "configuration control over serviced or repaired {{ insert:\ + \ param, sr-11.02_odp }} awaiting return to service is maintained." + links: + - href: "#sr-11.2_smt" + rel: assessment-for + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy and procedures + + supply chain risk management plan + + configuration control procedures + + acquisition documentation + + service level agreements + + acquisition contracts for the system component + + inter-organizational agreements and procedures + + system security plan + + other relevant documents or records + - id: sr-11.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: sr-11.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with + supply chain entities + + + organizational configuration control processes + - id: sr-12 + class: SP800-53 + title: Component Disposal + params: + - id: sr-12_odp.01 + label: data, documentation, tools, or system components + guidelines: + - prose: data, documentation, tools, or system components to be disposed + of are defined; + - id: sr-12_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods for disposing of data, documentation, + tools, or system components are defined; + props: + - name: label + value: SR-12 + - name: label + value: SR-12 + class: sp800-53a + - name: sort-id + value: sr-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#mp-6" + rel: related + parts: + - id: sr-12_smt + name: statement + prose: "Dispose of {{ insert: param, sr-12_odp.01 }} using the following\ + \ techniques and methods: {{ insert: param, sr-12_odp.02 }}." + - id: sr-12_gdn + name: guidance + prose: Data, documentation, tools, or system components can be disposed + of at any time during the system development life cycle (not only + in the disposal or retirement phase of the life cycle). For example, + disposal can occur during research and development, design, prototyping, + or operations/maintenance and include methods such as disk cleaning, + removal of cryptographic keys, partial reuse of components. Opportunities + for compromise during disposal affect physical and logical data, including + system documentation in paper-based or digital files; shipping and + delivery documentation; memory sticks with software code; or complete + routers or servers that include permanent media, which contain sensitive + or proprietary information. Additionally, proper disposal of system + components helps to prevent such components from entering the gray + market. + - id: sr-12_obj + name: assessment-objective + props: + - name: label + value: SR-12 + class: sp800-53a + prose: " {{ insert: param, sr-12_odp.01 }} are disposed of using {{\ + \ insert: param, sr-12_odp.02 }}." + links: + - href: "#sr-12_smt" + rel: assessment-for + - id: sr-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + disposal procedures addressing supply chain protection + + + media disposal policy + + + media protection policy + + + disposal records for system components + + + documentation of the system components identified for disposal + + + documentation of the disposal techniques and methods employed + for system components + + + system security plan + + + other relevant documents or records + - id: sr-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system component disposal + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain protection responsibilities + - id: sr-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational techniques and methods for system component + disposal + + + mechanisms supporting and/or implementing system component disposal back-matter: resources: + - uuid: 91f992fb-f668-4c91-a50f-0f05b95ccee3 + title: 32 CFR 2002 + citation: + text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information* + (32 C.F.R. 2002). + rlinks: + - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information + - uuid: 0f963c17-ab5a-432a-a867-91eac550309b + title: 41 CFR 201 + citation: + text: ' "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal + Register 54263 (September 1, 2020), pp 54263-54271.' + rlinks: + - href: https://www.federalregister.gov/d/2020-18939 + - uuid: a5ef5e56-5c1a-4911-b419-37dddc1b3581 + title: 5 CFR 731 + citation: + text: Code of Federal Regulations, Title 5, *Administrative Personnel* , + Section 731.106, *Designation of Public Trust Positions and Investigative + Requirements* (5 C.F.R. 731.106). + rlinks: + - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf + - uuid: 031cc4b7-9adf-4835-98f1-f1ca493519cf + title: CNSSD 505 + citation: + text: Committee on National Security Systems Directive No. 505, *Supply + Chain Risk Management (SCRM)* , August 2017. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Directives.cfm + - uuid: 4e4fbc93-333d-45e6-a875-de36b878b6b9 + title: CNSSI 1253 + citation: + text: Committee on National Security Systems Instruction No. 1253, *Security + Categorization and Control Selection for National Security Systems* , + March 2014. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm + - uuid: 4f42ee6e-86cc-403b-a51f-76c2b4f81b54 + title: DHS TIC + citation: + text: Department of Homeland Security, *Trusted Internet Connections (TIC)*. + rlinks: + - href: https://www.dhs.gov/trusted-internet-connections + - uuid: aa66e14f-e7cb-4a37-99d2-07578dfd4608 + title: DOD STIG + citation: + text: Defense Information Systems Agency, *Security Technical Implementation + Guides (STIG)*. + rlinks: + - href: https://public.cyber.mil/stigs + - uuid: 55b0c93a-5e48-457a-baa6-5ce81c239c49 + title: EO 13526 + citation: + text: Executive Order 13526, *Classified National Security Information* + , December 2009. + rlinks: + - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html + - uuid: 34a5571f-e252-4309-a8a1-2fdb2faefbcd + title: EO 13556 + citation: + text: Executive Order 13556, *Controlled Unclassified Information* , November + 2010. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information + - uuid: 0af071a6-cf8e-48ee-8c82-fe91efa20f94 + title: EO 13587 + citation: + text: Executive Order 13587, *Structural Reforms to Improve the Security + of Classified Networks and the Responsible Sharing and Safeguarding of + Classified Information* , October 2011. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net + - uuid: 21caa535-1154-4369-ba7b-32c309fee0f7 + title: EO 13873 + citation: + text: Executive Order 13873, *Executive Order on Securing the Information + and Communications Technology and Services Supply Chain* , May 2019. + rlinks: + - href: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain + - uuid: 4ff10ed3-d8fe-4246-99e3-443045e27482 + title: FASC18 + citation: + text: Secure Technology Act [includes Federal Acquisition Supply Chain Security + Act] (P.L. 115-390), December 2018. + rlinks: + - href: https://www.congress.gov/bill/115th-congress/senate-bill/3085 + - uuid: a1555677-2b9d-4868-a97b-a1363aff32f5 + title: FED PKI + citation: + text: General Services Administration, *Federal Public Key Infrastructure*. + rlinks: + - href: https://www.idmanagement.gov/topics/fpki + - uuid: 678e3d6c-150b-4393-aec5-6e3481eb1e00 + title: FIPS 140-3 + citation: + text: "National Institute of Standards and Technology (2019) Security Requirements\ + \ for Cryptographic Modules. (U.S. Department of Commerce, Washington,\ + \ D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.140-3 + - uuid: eea3c092-42ed-4382-a6f4-1adadef01b9d + title: FIPS 180-4 + citation: + text: National Institute of Standards and Technology (2015) Secure Hash + Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 180-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.180-4 + - uuid: 7c37a38d-21d7-40d8-bc3d-b5e27eac17e1 + title: FIPS 186-4 + citation: + text: National Institute of Standards and Technology (2013) Digital Signature + Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 186-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.186-4 + - uuid: 736d6310-e403-4b57-a79d-9967970c66d7 + title: FIPS 197 + citation: + text: National Institute of Standards and Technology (2001) Advanced Encryption + Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 197. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.197 + - uuid: 628d22a1-6a11-4784-bc59-5cd9497b5445 + title: FIPS 199 + citation: + text: National Institute of Standards and Technology (2004) Standards for + Security Categorization of Federal Information and Information Systems. + (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing + Standards Publication (FIPS) 199. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.199 + - uuid: 599fb53d-5041-444e-a7fe-640d6d30ad05 + title: FIPS 200 + citation: + text: National Institute of Standards and Technology (2006) Minimum Security + Requirements for Federal Information and Information Systems. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 200. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.200 + - uuid: 7ba1d91c-3934-4d5a-8532-b32f864ad34c + title: FIPS 201-2 + citation: + text: National Institute of Standards and Technology (2013) Personal Identity + Verification (PIV) of Federal Employees and Contractors. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 201-2. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.201-2 + - uuid: a295ca19-8c75-4b4c-8800-98024732e181 + title: FIPS 202 + citation: + text: "National Institute of Standards and Technology (2015) SHA-3 Standard:\ + \ Permutation-Based Hash and Extendable-Output Functions. (U.S. Department\ + \ of Commerce, Washington, D.C.), Federal Information Processing Standards\ + \ Publication (FIPS) 202." + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.202 + - uuid: 0c67b2a9-bede-43d2-b86d-5f35b8be36e9 + title: FISMA + citation: + text: Federal Information Security Modernization Act (P.L. 113-283), December + 2014. + rlinks: + - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf + - uuid: f16e438e-7114-4144-bfe2-2dfcad8cb2d0 + title: HSPD 12 + citation: + text: Homeland Security Presidential Directive 12, Policy for a Common Identification + Standard for Federal Employees and Contractors, August 2004. + rlinks: + - href: https://www.dhs.gov/homeland-security-presidential-directive-12 + - uuid: e4d37285-1e79-4029-8b6a-42df39cace30 + title: IETF 5905 + citation: + text: "Internet Engineering Task Force (IETF), Request for Comments: 5905,\ + \ *Network Time Protocol Version 4: Protocol and Algorithms Specification*\ + \ , June 2010." + rlinks: + - href: https://tools.ietf.org/pdf/rfc5905.pdf + - uuid: 15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c + title: IR 7539 + citation: + text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart + Cards. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7539. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7539 + - uuid: 2be7b163-e50a-435c-8906-f1162f2a457a + title: IR 7559 + citation: + text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services + (FWS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7559. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7559 + - uuid: e24b06cc-9129-4998-a76a-65c3d7a576ba + title: IR 7622 + citation: + text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional + Supply Chain Risk Management Practices for Federal Information Systems. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7622. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7622 + - uuid: 4b38e961-1125-4a5b-aa35-1d6c02846dad + title: IR 7676 + citation: + text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity + Verification (PIV) Cards. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7676 + - uuid: aa5d04e0-6090-4e17-84d4-b9963d55fc2c + title: IR 7788 + citation: + text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks + Using Probabilistic Attack Graphs. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) + 7788. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7788 + - uuid: 91701292-8bcd-4d2e-a5bd-59ab61e34b3c + title: IR 7817 + citation: + text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for + Federated Identities. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7817 + - uuid: 4f5f51ac-2b8d-4b90-a3c7-46f56e967617 + title: IR 7849 + citation: + text: Chandramouli R (2014) A Methodology for Developing Authentication + Assurance Level Taxonomy for Smart Card-based Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 7849. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7849 + - uuid: 604774da-9e1d-48eb-9c62-4e959dc80737 + title: IR 7870 + citation: + text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7870. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7870 + - uuid: 7f473f21-fdbf-4a6c-81a1-0ab95919609d + title: IR 7874 + citation: + text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation + Metrics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7874. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7874 + - uuid: 849b2358-683f-4d97-b111-1cc3d522ded5 + title: IR 7956 + citation: + text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management + Issues & Challenges in Cloud Services. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Interagency or Internal Report + (IR) 7956. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7956 + - uuid: 3915a084-b87b-4f02-83d4-c369e746292f + title: IR 7966 + citation: + text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive + and Automated Access Management Using Secure Shell (SSH). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 7966. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7966 + - uuid: bbac9fc2-df5b-4f2d-bf99-90d0ade45349 + title: IR 8011-1 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 1: Overview. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Interagency or Internal Report\ + \ (IR) 8011, Volume 1." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-1 + - uuid: 70402863-5078-43af-9a6c-e11b0f3ec370 + title: IR 8011-2 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 2: Hardware Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 2." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-2 + - uuid: 996241f8-f692-42d5-91f1-ce8b752e39e6 + title: IR 8011-3 + citation: + text: "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for\ + \ Security Control Assessments: Volume 3: Software Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 3." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-3 + - uuid: d2ebec9b-f868-4ee1-a2bd-0b2282aed248 + title: IR 8011-4 + citation: + text: "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support\ + \ for Security Control Assessments: Volume 4: Software Vulnerability Management.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Interagency or Internal Report (IR) 8011, Volume 4." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-4 + - uuid: 4c501da5-9d79-4cb6-ba80-97260e1ce327 + title: IR 8023 + citation: + text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 8023. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8023 + - uuid: 81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5 + title: IR 8040 + citation: + text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and + Security of Permuted Passwords on Mobile Platforms. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8040. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8040 + - uuid: 98d415ca-7281-4064-9931-0c366637e324 + title: IR 8062 + citation: + text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction + to Privacy Engineering and Risk Management in Federal Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 8062. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8062 + - uuid: a2590922-82f3-4277-83c0-ca5bee06dba4 + title: IR 8112 + citation: + text: "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute\ + \ Metadata: A Proposed Schema for Evaluating Federated Attributes. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8112." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8112 + - uuid: d4296805-2dca-4c63-a95f-eeccaa826aec + title: IR 8179 + citation: + text: "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis\ + \ Process Model: Prioritizing Systems and Components. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Interagency or\ + \ Internal Report (IR) 8179." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8179 + - uuid: 38ff38f0-1366-4f50-a4c9-26a39aacee16 + title: IR 8272 + citation: + text: Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis + Tool for Interdependent Cyber Supply Chain Risks. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8272. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8272 + - uuid: 6afc1b04-c9d6-4023-adbc-f8fbe33a3c73 + title: ISO 15408-1 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-1:2009, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 1: Introduction and general\ + \ model* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf + - uuid: 87087451-2af5-43d4-88c1-d66ad850f614 + title: ISO 15408-2 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-2:2008, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 2: Security functional\ + \ requirements* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf + - uuid: 4452efc0-e79e-47b8-aa30-b54f3ef61c2f + title: ISO 15408-3 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-3:2008, *Information technology—Security techniques\ + \ — Evaluation criteria for IT security — Part 3: Security assurance requirements*\ + \ , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf + - uuid: 15a95e24-65b6-4686-bc18-90855a10457d + title: ISO 20243 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 20243-1:2018, *Information technology — Open Trusted Technology\ + \ Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit\ + \ products — Part 1: Requirements and recommendations* , February 2018." + rlinks: + - href: https://www.iso.org/standard/74399.html + - uuid: 863caf2a-978a-4260-9e8d-4a8929bce40c + title: ISO 27036 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 27036-1:2014, *Information technology—Security techniques—Information\ + \ security for supplier relationships, Part 1: Overview and concepts*\ + \ , April 2014." + rlinks: + - href: https://www.iso.org/standard/59648.html + - uuid: 8df72805-2e5c-4731-a73e-81db0f0318d0 + title: ISO 29147 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission 29147:2018, *Information technology—Security techniques—Vulnerability + disclosure* , October 2018. + rlinks: + - href: https://www.iso.org/standard/72311.html + - uuid: 06ce9216-bd54-4054-a422-94f358b50a5d + title: ISO 29148 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) + 29148:2018, *Systems and software engineering—Life cycle processes—Requirements + engineering* , November 2018. + rlinks: + - href: https://www.iso.org/standard/72089.html + - uuid: c28ae9a8-1121-42a9-a85e-00cfcc9b9a94 + title: NARA CUI + citation: + text: National Archives and Records Administration, Controlled Unclassified + Information (CUI) Registry. + rlinks: + - href: https://www.archives.gov/cui + - uuid: d744d9a3-73eb-4085-b9ff-79e82e9e2d6e + title: NCPR + citation: + text: National Institute of Standards and Technology (2020) *National Checklist + Program Repository* . Available at + rlinks: + - href: https://nvd.nist.gov/ncp/repository + - uuid: 795aff72-3e6c-4b6b-a80a-b14d84b7f544 + title: NIAP CCEVS + citation: + text: National Information Assurance Partnership, *Common Criteria Evaluation + and Validation Scheme*. + rlinks: + - href: https://www.niap-ccevs.org + - uuid: 84dc1b0c-acb7-4269-84c4-00dbabacd78c + title: NIST CAVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Algorithm Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program + - uuid: 1acdc775-aafb-4d11-9341-dc6a822e9d38 + title: NIST CMVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Module Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-module-validation-program + - uuid: 3d575737-98cb-459d-b41c-d7e82b73ad78 + title: NSA CSFC + citation: + text: National Security Agency, *Commercial Solutions for Classified Program + (CSfC)*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/csfc + - uuid: df9f87e9-71e7-4c74-9ac3-3cabd4e92f21 + title: NSA MEDIA + citation: + text: National Security Agency, *Media Destruction Guidance*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/media-destruction + - uuid: 89f2a08d-fc49-46d0-856e-bf974c9b1573 + title: ODNI CTF + citation: + text: Office of the Director of National Intelligence (ODNI) Cyber Threat + Framework. + rlinks: + - href: https://www.dni.gov/index.php/cyber-threat-framework + - uuid: 27847491-5ce1-4f6a-a1e4-9e483782f0ef + title: OMB A-130 + citation: + text: Office of Management and Budget Memorandum Circular A-130, *Managing + Information as a Strategic Resource* , July 2016. + rlinks: + - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf + - uuid: 5f4705ac-8d17-438c-b23a-ac7f12362ae4 + title: OMB M-17-12 + citation: + text: Office of Management and Budget Memorandum M-17-12, *Preparing for + and Responding to a Breach of Personally Identifiable Information* , January + 2017. + rlinks: + - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf + - uuid: c5e11048-1d38-4af3-b00b-0d88dc26860c + title: OMB M-19-03 + citation: + text: Office of Management and Budget Memorandum M-19-03, *Strengthening + the Cybersecurity of Federal Agencies by Enhancing the High Value Asset + Program* , December 2018. + rlinks: + - href: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf + - uuid: 18e71fec-c6fd-475a-925a-5d8495cf8455 + title: PRIVACT + citation: + text: Privacy Act (P.L. 93-579), December 1974. + rlinks: + - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf + - uuid: 4c0ec2ee-a0d6-428a-9043-4504bc3ade6f + title: SP 800-100 + citation: + text: "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A\ + \ Guide for Managers. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates\ + \ as of March 7, 2007." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-100 + - uuid: 10cf2fad-a216-41f9-bb1a-531b7e3119e3 + title: SP 800-101 + citation: + text: Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device + Forensics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-101, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-101r1 + - uuid: 22f2d4f0-4365-4e88-a30d-275c1f5473ea + title: SP 800-111 + citation: + text: Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption + Technologies for End User Devices. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-111 + - uuid: 6bc4d137-aece-42a8-8081-9ecb1ebe9fb4 + title: SP 800-113 + citation: + text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-113. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-113 + - uuid: 42e37e51-7cc0-4ffa-81c9-0ac942da7e99 + title: SP 800-114 + citation: + text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring + Your Own Device (BYOD) Security. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-114r1 + - uuid: 122177fa-c4ed-485d-8345-3082c0fb9a06 + title: SP 800-115 + citation: + text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide + to Information Security Testing and Assessment. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-115. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-115 + - uuid: 2100332a-16a5-4598-bacf-7261baea9711 + title: SP 800-116 + citation: + text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) + A Recommendation for the Use of PIV Credentials in Physical Access Control + Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-116, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-116r1 + - uuid: d17ebd7a-ffab-499d-bfff-e705bbb01fa6 + title: SP 800-121 + citation: + text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone + KA (2017) Guide to Bluetooth Security. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-121r2 + - uuid: 0f66be67-85e7-4ca6-bd19-39453e9f4394 + title: SP 800-124 + citation: + text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security + of Mobile Devices in the Enterprise. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-124r1 + - uuid: 88660532-2dcf-442e-845c-03340ce48999 + title: SP 800-125B + citation: + text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual + Machine (VM) Protection. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-125B + - uuid: 8016d2ed-d30f-4416-9c45-0f42c7aa3232 + title: SP 800-126 + citation: + text: "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018)\ + \ The Technical Specification for the Security Content Automation Protocol\ + \ (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-126r3 + - uuid: 20db4e66-e257-450c-b2e4-2bb9a62a2c88 + title: SP 800-128 + citation: + text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for + Security-Focused Configuration Management of Information Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-128, Includes updates as of October 10, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-128 + - uuid: c7ac44e8-10db-4b64-b2b9-9e32ec1efed0 + title: SP 800-12 + citation: + text: Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information + Security. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-12, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-12r1 + - uuid: 3653e316-8923-430e-8943-b3b2b2562fc6 + title: SP 800-130 + citation: + text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for + Designing Cryptographic Key Management Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-130. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-130 + - uuid: 62ea77ca-e450-4323-b210-e0d75390e785 + title: SP 800-137A + citation: + text: "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S\ + \ (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs:\ + \ Developing an ISCM Program Assessment. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137A + - uuid: 067223d8-1ec7-45c5-b21b-c848da6de8fb + title: SP 800-137 + citation: + text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh + AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring + (ISCM) for Federal Information Systems and Organizations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-137. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137 + - uuid: e47ee630-9cbc-4133-880e-e013f83ccd51 + title: SP 800-147 + citation: + text: Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection + Guidelines. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-147. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-147 + - uuid: 9ef4b43c-42a4-4316-87dc-ffaf528bc05c + title: SP 800-150 + citation: + text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) + Guide to Cyber Threat Information Sharing. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-150 + - uuid: 2494df28-9049-4196-b233-540e7440993f + title: SP 800-152 + citation: + text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal + Cryptographic Key Management Systems (CKMS). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-152 + - uuid: 708b94e1-3d5e-4b22-ab43-1c69f3a97e37 + title: SP 800-154 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat + Modeling. (National Institute of Standards and Technology, Gaithersburg, + MD), Draft NIST Special Publication (SP) 800-154. + rlinks: + - href: https://csrc.nist.gov/publications/detail/sp/800-154/draft + - uuid: d9e036ba-6eec-46a6-9340-b0bf1fea23b4 + title: SP 800-156 + citation: + text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady + S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-156. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-156 + - uuid: e3cc0520-a366-4fc9-abc2-5272db7e3564 + title: SP 800-160-1 + citation: + text: "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering:\ + \ Considerations for a Multidisciplinary Approach in the Engineering of\ + \ Trustworthy Secure Systems. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes\ + \ updates as of March 21, 2018." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v1 + - uuid: 61ccf0f4-d3e7-42db-9796-ce6cb1c85989 + title: SP 800-160-2 + citation: + text: "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing\ + \ Cyber Resilient Systems: A Systems Security Engineering Approach. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-160, Vol. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v2 + - uuid: e8e84963-14fc-4c3a-be05-b412a5d37cd2 + title: SP 800-161 + citation: + text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk + Management Practices for Federal Information Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-161. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-161 + - uuid: 2956e175-f674-43f4-b1b9-e074ad9fc39c + title: SP 800-162 + citation: + text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone + KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and + Considerations. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-162, Includes updates as of August + 2, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-162 + - uuid: e8552d48-cf41-40aa-8b06-f45f7fb4706c + title: SP 800-166 + citation: + text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady + S (2016) Derived PIV Application and Data Model Test Guidelines. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-166. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-166 + - uuid: 38f39739-1ebd-43b1-8b8c-00f591d89ebd + title: SP 800-167 + citation: + text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application + Whitelisting. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-167. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-167 + - uuid: 7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849 + title: SP 800-171 + citation: + text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting + Controlled Unclassified Information in Nonfederal Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-171, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-171r2 + - uuid: f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e + title: SP 800-172 + citation: + text: "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau\ + \ D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified\ + \ Information: A Supplement to NIST Special Publication 800-171 (Final\ + \ Public Draft). (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-172." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-172-draft + - uuid: 1c71b420-2bd9-4e52-9fc8-390f58b85b59 + title: SP 800-177 + citation: + text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy + Email. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-177, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-177r1 + - uuid: 388a3aa2-5d85-4bad-b8a3-77db80d63c4f + title: SP 800-178 + citation: + text: "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of\ + \ Attribute Based Access Control (ABAC) Standards for Data Service Applications:\ + \ Extensible Access Control Markup Language (XACML) and Next Generation\ + \ Access Control (NGAC). (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-178." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-178 + - uuid: 276bd50a-7e58-48e5-a405-8c8cb91d7a5f + title: SP 800-181 + citation: + text: Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce + Framework for Cybersecurity (NICE Framework). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-181r1 + - uuid: 31ae65ab-3f26-46b7-9d64-f25a4dac5778 + title: SP 800-184 + citation: + text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya + MP (2016) Guide for Cybersecurity Event Recovery. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-184. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-184 + - uuid: f5edfe51-d1f2-422e-9b27-5d0e90b49c72 + title: SP 800-189 + citation: + text: "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange:\ + \ BGP Security and DDoS Mitigation. (National Institute of Standards and\ + \ Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-189 + - uuid: 30eb758a-2707-4bca-90ad-949a74d4eb16 + title: SP 800-18 + citation: + text: Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans + for Federal Information Systems. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. + 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-18r1 + - uuid: 53df282b-8b3f-483a-bad1-6a8b8ac00114 + title: SP 800-192 + citation: + text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access + Control Policies/Models. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-192. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-192 + - uuid: f641309f-a3ad-48be-8c67-2b318648b2f5 + title: SP 800-28 + citation: + text: Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content + and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-28, Version 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-28ver2 + - uuid: 08b07465-dbdc-48d6-8a0b-37279602ac16 + title: SP 800-30 + citation: + text: Joint Task Force Transformation Initiative (2012) Guide for Conducting + Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-30, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-30r1 + - uuid: 8cb338a4-e493-4177-818f-3af18983ddc5 + title: SP 800-32 + citation: + text: Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key + Technology and the Federal PKI Infrastructure. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-32. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-32 + - uuid: bc39f179-c735-4da2-b7a7-b2b622119755 + title: SP 800-34 + citation: + text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency + Planning Guide for Federal Information Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-34r1 + - uuid: 77faf0bc-c394-44ad-9154-bbac3b79c8ad + title: SP 800-35 + citation: + text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information + Technology Security Services. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-35. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-35 + - uuid: 482e4c99-9dc4-41ad-bba8-0f3f0032c1f8 + title: SP 800-37 + citation: + text: "Joint Task Force (2018) Risk Management Framework for Information\ + \ Systems and Organizations: A System Life Cycle Approach for Security\ + \ and Privacy. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-37, Rev. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-37r2 + - uuid: cec037f3-8aba-4c97-84b4-4082f9e515d2 + title: SP 800-39 + citation: + text: "Joint Task Force Transformation Initiative (2011) Managing Information\ + \ Security Risk: Organization, Mission, and Information System View. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-39." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-39 + - uuid: 155f941a-cba9-4afd-9ca6-5d040d697ba9 + title: SP 800-40 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management + Technologies. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-40, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-40r3 + - uuid: a7f0e897-29a3-45c4-bd88-40dfef0e034a + title: SP 800-41 + citation: + text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall + Policy. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-41, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-41r1 + - uuid: 314e33cb-3681-4b50-a2a2-3fae9604accd + title: SP 800-45 + citation: + text: Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on + Electronic Mail Security. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-45ver2 + - uuid: 83b9d63b-66b1-467c-9f3b-3a0b108771e9 + title: SP 800-46 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote + Access, and Bring Your Own Device (BYOD) Security. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-46, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-46r2 + - uuid: c3a76872-e160-4267-99e8-6952de967d04 + title: SP 800-47 + citation: + text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide + for Interconnecting Information Technology Systems. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-47. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-47 + - uuid: 511f6832-23ca-49a3-8c0f-ce493373cab8 + title: SP 800-50 + citation: + text: Wilson M, Hash J (2003) Building an Information Technology Security + Awareness and Training Program. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-50. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-50 + - uuid: 7537638e-2837-407d-844b-40fb3fafdd99 + title: SP 800-52 + citation: + text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, + and Use of Transport Layer Security (TLS) Implementations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-52, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-52r2 + - uuid: a21aef46-7330-48a0-b2e1-c5bb8b2dd11d + title: SP 800-53A + citation: + text: "Joint Task Force Transformation Initiative (2014) Assessing Security\ + \ and Privacy Controls in Federal Information Systems and Organizations:\ + \ Building Effective Assessment Plans. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A,\ + \ Rev. 4, Includes updates as of December 18, 2014." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 + - uuid: 46d9e201-840e-440e-987c-2c773333c752 + title: SP 800-53B + citation: + text: Joint Task Force (2020) Control Baselines and Tailoring Guidance for + Federal Information Systems and Organizations. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-53B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53B + - uuid: 20957dbb-6a1e-40a2-b38a-66f67d33ac2e + title: SP 800-56A + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation + for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-56A, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 + - uuid: 0d083d8a-5cc6-46f1-8d79-3081d42bcb75 + title: SP 800-56B + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) + Recommendation for Pair-Wise Key-Establishment Using Integer Factorization + Cryptography. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-56B, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Br2 + - uuid: eef62b16-c796-4554-955c-505824135b8a + title: SP 800-56C + citation: + text: Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation + Methods in Key-Establishment Schemes. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Cr2 + - uuid: 110e26af-4765-49e1-8740-6750f83fcda1 + title: SP 800-57-1 + citation: + text: "Barker EB (2020) Recommendation for Key Management: Part 1 – General.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt1r5 + - uuid: e7942589-e267-4a5a-a3d9-f39a7aae81f0 + title: SP 800-57-2 + citation: + text: "Barker EB, Barker WC (2019) Recommendation for Key Management: Part\ + \ 2 – Best Practices for Key Management Organizations. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 + - uuid: 8306620b-1920-4d73-8b21-12008528595f + title: SP 800-57-3 + citation: + text: "Barker EB, Dang QH (2015) Recommendation for Key Management, Part\ + \ 3: Application-Specific Key Management Guidance. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 3, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 + - uuid: e72fde0b-6fc2-497e-a9db-d8fce5a11b8a + title: SP 800-60-1 + citation: + text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide + for Mapping Types of Information and Information Systems to Security Categories. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-60, Vol. 1, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 + - uuid: 9be5d661-421f-41ad-854e-86f98b811891 + title: SP 800-60-2 + citation: + text: "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for\ + \ Mapping Types of Information and Information Systems to Security Categories:\ + \ Appendices. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 + - uuid: 49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb + title: SP 800-61 + citation: + text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security + Incident Handling Guide. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-61r2 + - uuid: 737513fa-6758-403f-831d-5ddab5e23cb3 + title: SP 800-63-3 + citation: + text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63-3 + - uuid: 9099ed2c-922a-493d-bcb4-d896192243ff + title: SP 800-63A + citation: + text: "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene\ + \ KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and\ + \ Identity Proofing. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates\ + \ as of March 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63a + - uuid: e59c5a7c-8b1f-49ca-8de0-6ee0882180ce + title: SP 800-63B + citation: + text: "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr\ + \ WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos\ + \ MF (2017) Digital Identity Guidelines: Authentication and Lifecycle\ + \ Management. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-63B, Includes updates as of March\ + \ 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63b + - uuid: 4895b4cd-34c5-4667-bf8a-27d443c12047 + title: SP 800-70 + citation: + text: "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist\ + \ Program for IT Products: Guidelines for Checklist Users and Developers.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-70, Rev. 4." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-70r4 + - uuid: 858705be-3c1f-48aa-a328-0ce398d95ef0 + title: SP 800-73-4 + citation: + text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, + Mohler J (2015) Interfaces for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-73-4 + - uuid: 7af2e6ec-9f7e-4232-ad3f-09888eb0793a + title: SP 800-76-2 + citation: + text: Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications + for Personal Identity Verification. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-76-2 + - uuid: d4d7c760-2907-403b-8b2a-767ca5370ecd + title: SP 800-77 + citation: + text: Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide + to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-77, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-77r1 + - uuid: 828856bd-d7c4-427b-8b51-815517ec382d + title: SP 800-78-4 + citation: + text: Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic + Algorithms and Key Sizes for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-78-4. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-78-4 + - uuid: 10963761-58fc-4b20-b3d6-b44a54daba03 + title: SP 800-79-2 + citation: + text: Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) + Guidelines for the Authorization of Personal Identity Verification Card + Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-79-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-79-2 + - uuid: fe209006-bfd4-4033-a79a-9fee1adaf372 + title: SP 800-81-2 + citation: + text: Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment + Guide. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-81-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-81-2 + - uuid: 3dd249b0-f57d-44ba-a03e-c3eab1b835ff + title: SP 800-83 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention + and Handling for Desktops and Laptops. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-83r1 + - uuid: 53be2fcf-cfd1-4bcb-896b-9a3b65c22098 + title: SP 800-84 + citation: + text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide + to Test, Training, and Exercise Programs for IT Plans and Capabilities. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-84. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-84 + - uuid: cfdb1858-c473-46b3-89f9-a700308d0be2 + title: SP 800-86 + citation: + text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating + Forensic Techniques into Incident Response. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-86 + - uuid: a5b1d18d-e670-4586-9e6d-4a88b7ba3df6 + title: SP 800-88 + citation: + text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for + Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-88, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-88r1 + - uuid: 5eee45d8-3313-4fdc-8d54-1742092bbdd6 + title: SP 800-92 + citation: + text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-92. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-92 + - uuid: 25e3e57b-dc2f-4934-af9b-050b020c6f0e + title: SP 800-94 + citation: + text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention + Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-94. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-94 + - uuid: a6b9907a-2a14-4bb4-a142-d4c73026a8b4 + title: SP 800-95 + citation: + text: Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-95. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-95 + - uuid: 03fb73bc-1b12-4182-bd96-e5719254ea61 + title: SP 800-97 + citation: + text: "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless\ + \ Robust Security Networks: A Guide to IEEE 802.11i. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-97." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-97 + - uuid: 13f0c39d-eaf7-417a-baef-69a041878bb5 + title: USA PATRIOT + citation: + text: USA Patriot Act (P.L. 107-56), October 2001. + rlinks: + - href: https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf + - uuid: e922fc50-b1f9-469f-92ef-ed7d9803611c + title: USC 2901 + citation: + text: United States Code, 2008 Edition, Title 44 - *Public Printing and + Documents* , Chapters 29, 31, and 33, January 2012. + rlinks: + - href: https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf + - uuid: 40b78258-c892-480e-9af8-77ac36648301 + title: USCERT IR + citation: + text: Department of Homeland Security, *US-CERT Federal Incident Notification + Guidelines* , April 2017. + rlinks: + - href: https://us-cert.cisa.gov/incident-notification-guidelines + - uuid: 98498928-3ca3-44b3-8b1e-f48685373087 + title: USGCB + citation: + text: National Institute of Standards and Technology (2020) *United States + Government Configuration Baseline* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline + - uuid: c3397cc9-83c6-4459-adb2-836739dc1b94 + title: "NIST Special Publication 800-53, Revision 5: * Security and Privacy\ + \ Controls for Information Systems and Organizations* (PDF)" + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf + media-type: application/pdf - uuid: 985475ee-d4d6-4581-8fdf-d84d3d8caa48 title: FedRAMP Applicable Laws and Regulations rlinks: diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline_profile.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline_profile.yaml index 9f77050a0..de1ec8f24 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline_profile.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_HIGH-baseline_profile.yaml @@ -3782,5 +3782,5 @@ profile: - name: version value: 5.1.1 rlinks: - - href: https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + - href: https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml media-type: application/yaml diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.yaml index 19b4ed06e..a29031eab 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline-resolved-profile_catalog.yaml @@ -1,10 +1,10 @@ --- catalog: - uuid: 4aec79b6-d24f-45e5-9eb8-364a00656b9e + uuid: f64f62d2-ae80-4908-9674-da5201f1b2d7 metadata: title: FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline published: 2023-08-31T00:00:00Z - last-modified: 2023-12-18T20:27:42.148396-05:00 + last-modified: 2024-01-11T18:07:19.115856-05:00 version: 5.1.1+fedramp-20231218-0 oscal-version: 1.1.1 links: @@ -60,8 +60,29576 @@ catalog: - role-id: fedramp-jab party-uuids: - ca9ba80e-1342-4bfd-b32a-abac468c24b4 + groups: + - id: ac + class: family + title: Access Control + controls: + - id: ac-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ac-1_prm_1 + label: organization-defined personnel or roles + - id: ac-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control policy is to + be disseminated is/are defined; + - id: ac-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control procedures + are to be disseminated is/are defined; + - id: ac-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ac-01_odp.04 + label: official + guidelines: + - prose: an official to manage the access control policy and procedures + is defined; + - id: ac-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current access control policy + is reviewed and updated is defined; + - id: ac-01_odp.06 + label: events + guidelines: + - prose: events that would require the current access control policy + to be reviewed and updated are defined; + - id: ac-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current access control procedures + are reviewed and updated is defined; + - id: ac-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AC-1 + - name: label + value: AC-01 + class: sp800-53a + - name: sort-id + value: ac-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ia-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ac-1_smt + name: statement + parts: + - id: ac-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ac-1_prm_1 }}:" + parts: + - id: ac-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-01_odp.03 }} access control policy\ + \ that:" + parts: + - id: ac-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ac-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ac-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the access + control policy and the associated access controls; + - id: ac-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ac-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - id: ac-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current access control:" + parts: + - id: ac-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ac-01_odp.05 }} and following\ + \ {{ insert: param, ac-01_odp.06 }} ; and" + - id: ac-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ac-01_odp.07 }} and following\ + \ {{ insert: param, ac-01_odp.08 }}." + - id: ac-1_gdn + name: guidance + prose: Access control policy and procedures address the controls in + the AC family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of access control + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to access control policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ac-2 + class: SP800-53 + title: Account Management + params: + - id: ac-02_odp.01 + label: prerequisites and criteria + guidelines: + - prose: prerequisites and criteria for group and role membership + are defined; + - id: ac-02_odp.02 + label: attributes (as required) + guidelines: + - prose: attributes (as required) for each account are defined; + - id: ac-02_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles required to approve requests to create + accounts is/are defined; + - id: ac-02_odp.04 + label: policy, procedures, prerequisites, and criteria + guidelines: + - prose: policy, procedures, prerequisites, and criteria for account + creation, enabling, modification, disabling, and removal are defined; + - id: ac-02_odp.05 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified is/are defined; + - id: ac-02_odp.06 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify account managers when + accounts are no longer required is defined; + - id: ac-02_odp.07 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: "time period within which to notify account managers when\ + \ users are terminated or transferred is defined; " + - id: ac-02_odp.08 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: time period within which to notify account managers when + system usage or the need to know changes for an individual is + defined; + - id: ac-02_odp.09 + label: attributes (as required) + guidelines: + - prose: attributes needed to authorize system access (as required) + are defined; + - id: ac-02_odp.10 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency of account review is defined; + props: + - name: label + value: AC-2 + - name: label + value: AC-02 + class: sp800-53a + - name: sort-id + value: ac-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#53df282b-8b3f-483a-bad1-6a8b8ac00114" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-24" + rel: related + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ac-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ac-2_smt.a + name: item + props: + - name: label + value: a. + prose: Define and document the types of accounts allowed and specifically + prohibited for use within the system; + - id: ac-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Create, enable, modify, disable, and remove accounts in\ + \ accordance with {{ insert: param, ac-02_odp.04 }};" + - id: ac-2_smt.g + name: item + props: + - name: label + value: g. + prose: Monitor the use of accounts; + - id: ac-2_smt.h + name: item + props: + - name: label + value: h. + prose: "Notify account managers and {{ insert: param, ac-02_odp.05\ + \ }} within:" + parts: + - id: ac-2_smt.h.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-02_odp.06 }} when accounts are\ + \ no longer required;" + - id: ac-2_smt.h.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, ac-02_odp.07 }} when users are terminated\ + \ or transferred; and" + - id: ac-2_smt.h.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.08 }} when system usage\ + \ or need-to-know changes for an individual;" + - id: ac-2_gdn + name: guidance + prose: >- + Examples of system account types include individual, shared, + group, system, guest, anonymous, emergency, developer, + temporary, and service. Identification of authorized system + users and the specification of access privileges reflect the + requirements in other controls in the security plan. Users + requiring administrative privileges on system accounts receive + additional scrutiny by organizational personnel responsible for + approving such accounts and privileged access, including system + owner, mission or business owner, senior agency information + security officer, or senior agency official for privacy. Types + of accounts that organizations may wish to prohibit due to + increased risk include shared, group, emergency, anonymous, + temporary, and guest accounts. + + + Where access involves personally identifiable information, security + programs collaborate with the senior agency official for privacy to + establish the specific conditions for group and role membership; specify + authorized users, group and role membership, and access authorizations + for each account; and create, adjust, or remove system accounts in + accordance with organizational policies. Policies can include such + information as account expiration dates or other factors that trigger + the disabling of accounts. Organizations may choose to define access + privileges or other attributes by account, type of account, or a combination + of the two. Examples of other attributes required for authorizing + access include restrictions on time of day, day of week, and point + of origin. In defining other system account attributes, organizations + consider system-related requirements and mission/business requirements. + Failure to consider these factors could affect system availability. + + + Temporary and emergency accounts are intended for short-term use. + Organizations establish temporary accounts as part of normal account + activation procedures when there is a need for short-term accounts + without the demand for immediacy in account activation. Organizations + establish emergency accounts in response to crisis situations and + with the need for rapid account activation. Therefore, emergency account + activation may bypass normal account authorization processes. Emergency + and temporary accounts are not to be confused with infrequently used + accounts, including local logon accounts used for special tasks or + when network resources are unavailable (may also be known as accounts + of last resort). Such accounts remain available and are not subject + to automatic disabling or removal dates. Conditions for disabling + or deactivating accounts include when shared/group, emergency, or + temporary accounts are no longer required and when individuals are + transferred or terminated. Changing shared/group authenticators when + members leave the group is intended to ensure that former group members + do not retain access to the shared or group account. Some types of + system accounts may require specialized training. + - id: ac-2_obj_fr + name: assessment-objective + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + class: fedramp + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + class: fedramp + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + class: fedramp + prose: Determine if the organization defines information system account + types to be identified and selected to support organizational missions/business + functions. + - id: ac-2_asmt_fr.1 + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + parts: + - name: assessment-objects + prose: Access control policy; procedures addressing account management; + security plan; information system design documentation; information + system configuration settings and associated documentation; list + of active system accounts along with the name of the individual + associated with each account; list of conditions for group and + role membership; notifications or records of recently transferred, + separated, or terminated employees; list of recently disabled + information system accounts along with the name of the individual + associated with each account; access authorization records; account + management compliance reviews; information system monitoring records; + information system audit records; other relevant documents or + records. + - id: ac-2_asmt_fr.2 + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + parts: + - name: assessment-objects + prose: Organizational personnel with account management responsibilities; + system/network administrators; organizational personnel with information + security responsibilities. + - id: ac-2_asmt_fr.3 + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + parts: + - name: assessment-objects + prose: Organizational processes for account management on the information + system; automated mechanisms for implementing account management. + - id: ac-3 + class: SP800-53 + title: Access Enforcement + props: + - name: label + value: AC-3 + - name: label + value: AC-03 + class: sp800-53a + - name: sort-id + value: ac-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-21" + rel: related + - href: "#ac-22" + rel: related + - href: "#ac-24" + rel: related + - href: "#ac-25" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-4" + rel: related + - href: "#si-8" + rel: related + parts: + - id: ac-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control + policies. + - id: ac-3_gdn + name: guidance + prose: Access control policies control access between active entities + or subjects (i.e., users or processes acting on behalf of users) and + passive entities or objects (i.e., devices, files, records, domains) + in organizational systems. In addition to enforcing authorized access + at the system level and recognizing that systems can host many applications + and services in support of mission and business functions, access + enforcement mechanisms can also be employed at the application and + service level to provide increased information security and privacy. + In contrast to logical access controls that are implemented within + the system, physical access controls are addressed by the controls + in the Physical and Environmental Protection ( [PE](#pe) ) family. + - id: ac-3_obj + name: assessment-objective + props: + - name: label + value: AC-03 + class: sp800-53a + prose: approved authorizations for logical access to information and + system resources are enforced in accordance with applicable access + control policies. + links: + - href: "#ac-3_smt" + rel: assessment-for + - id: ac-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing access enforcement + + system design documentation + + system configuration settings and associated documentation + + list of approved authorizations (user privileges) + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access enforcement + responsibilities + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy + - id: ac-7 + class: SP800-53 + title: Unsuccessful Logon Attempts + params: + - id: ac-07_odp.01 + label: number + guidelines: + - prose: the number of consecutive invalid logon attempts by a user + allowed during a time period is defined; + - id: ac-07_odp.02 + label: time period + guidelines: + - prose: the time period to which the number of consecutive invalid + logon attempts by a user is limited is defined; + - id: ac-07_odp.03 + select: + how-many: one-or-more + choice: + - "lock the account or node for {{ insert: param, ac-07_odp.04 }} " + - lock the account or node until released by an administrator + - "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} " + - notify system administrator + - "take other {{ insert: param, ac-07_odp.06 }} " + - id: ac-07_odp.04 + label: time period + guidelines: + - prose: time period for an account or node to be locked is defined + (if selected); + - id: ac-07_odp.05 + label: delay algorithm + guidelines: + - prose: delay algorithm for the next logon prompt is defined (if + selected); + - id: ac-07_odp.06 + label: action + guidelines: + - prose: other action to be taken when the maximum number of unsuccessful + attempts is exceeded is defined (if selected); + props: + - name: label + value: AC-7 + - name: label + value: AC-07 + class: sp800-53a + - name: sort-id + value: ac-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-9" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-5" + rel: related + parts: + - id: ac-7_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ac-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during a {{ insert: param,\ + \ ac-07_odp.02 }} ; and" + - id: ac-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + - id: ac-7_gdn + name: guidance + prose: The need to limit unsuccessful logon attempts and take subsequent + action when the maximum number of attempts is exceeded applies regardless + of whether the logon occurs via a local or network connection. Due + to the potential for denial of service, automatic lockouts initiated + by systems are usually temporary and automatically release after a + predetermined, organization-defined time period. If a delay algorithm + is selected, organizations may employ different algorithms for different + components of the system based on the capabilities of those components. + Responses to unsuccessful logon attempts may be implemented at the + operating system and the application levels. Organization-defined + actions that may be taken when the number of allowed consecutive invalid + logon attempts is exceeded include prompting the user to answer a + secret question in addition to the username and password, invoking + a lockdown mode with limited user capabilities (instead of full lockout), + allowing users to only logon from specified Internet Protocol (IP) + addresses, requiring a CAPTCHA to prevent automated attacks, or applying + user profiles such as location, time of day, IP address, device, or + Media Access Control (MAC) address. If automatic system lockout or + execution of a delay algorithm is not implemented in support of the + availability objective, organizations consider a combination of other + actions to help prevent brute force attacks. In addition to the above, + organizations can prompt users to respond to a secret question before + the number of allowed unsuccessful logon attempts is exceeded. Automatically + unlocking an account after a specified period of time is generally + not permitted. However, exceptions may be required based on operational + mission or need. + - id: ac-7_obj + name: assessment-objective + props: + - name: label + value: AC-07 + class: sp800-53a + parts: + - id: ac-7_obj.a + name: assessment-objective + props: + - name: label + value: AC-07a. + class: sp800-53a + prose: "a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during {{ insert: param, ac-07_odp.02\ + \ }} is enforced;" + links: + - href: "#ac-7_smt.a" + rel: assessment-for + - id: ac-7_obj.b + name: assessment-objective + props: + - name: label + value: AC-07b. + class: sp800-53a + prose: "automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + links: + - href: "#ac-7_smt.b" + rel: assessment-for + links: + - href: "#ac-7_smt" + rel: assessment-for + - id: ac-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing unsuccessful logon attempts + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system developers + + + system/network administrators + - id: ac-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for unsuccessful + logon attempts + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO for non-privileged users. Attestation for privileged users + related to multi-factor identification and authentication. + - id: ac-8 + class: SP800-53 + title: System Use Notification + params: + - id: ac-08_odp.01 + label: system use notification + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: system use notification message or banner to be displayed + by the system to users before granting access to the system is + defined; + - id: ac-08_odp.02 + label: conditions + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: conditions for system use to be displayed by the system before + granting further access are defined; + props: + - name: label + value: AC-8 + - name: label + value: AC-08 + class: sp800-53a + - name: sort-id + value: ac-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: FED + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-14" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-8_smt + name: statement + parts: + - id: ac-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Display {{ insert: param, ac-08_odp.01 }} to users before\ + \ granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines and state that:" + parts: + - id: ac-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Users are accessing a U.S. Government system; + - id: ac-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: System usage may be monitored, recorded, and subject + to audit; + - id: ac-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Unauthorized use of the system is prohibited and subject + to criminal and civil penalties; and + - id: ac-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Use of the system indicates consent to monitoring and + recording; + - id: ac-8_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the notification message or banner on the screen until + users acknowledge the usage conditions and take explicit actions + to log on to or further access the system; and + - id: ac-8_smt.c + name: item + props: + - name: label + value: c. + prose: "For publicly accessible systems:" + parts: + - id: ac-8_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Display system use information {{ insert: param, ac-08_odp.02\ + \ }} , before granting further access to the publicly accessible\ + \ system;" + - id: ac-8_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Display references, if any, to monitoring, recording, + or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities; + and + - id: ac-8_smt.c.3 + name: item + props: + - name: label + value: "3." + prose: Include a description of the authorized uses of the system. + - id: ac-8_gdn + name: guidance + prose: System use notifications can be implemented using messages or + warning banners displayed before individuals log in to systems. System + use notifications are used only for access via logon interfaces with + human users. Notifications are not required when human interfaces + do not exist. Based on an assessment of risk, organizations consider + whether or not a secondary system use notification is needed to access + applications or other system resources after the initial network logon. + Organizations consider system use notification messages or banners + displayed in multiple languages based on organizational needs and + the demographics of system users. Organizations consult with the privacy + office for input regarding privacy messaging and the Office of the + General Counsel or organizational equivalent for legal review and + approval of warning banner content. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: FED - This is related to agency data and agency policy solution. + - id: ac-14 + class: SP800-53 + title: Permitted Actions Without Identification or Authentication + params: + - id: ac-14_odp + label: user actions + guidelines: + - prose: user actions that can be performed on the system without + identification or authentication are defined; + props: + - name: label + value: AC-14 + - name: label + value: AC-14 + class: sp800-53a + - name: sort-id + value: ac-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: FED + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ac-14_smt + name: statement + parts: + - id: ac-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify {{ insert: param, ac-14_odp }} that can be performed\ + \ on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - id: ac-14_smt.b + name: item + props: + - name: label + value: b. + prose: Document and provide supporting rationale in the security + plan for the system, user actions not requiring identification + or authentication. + - id: ac-14_gdn + name: guidance + prose: 'Specific user actions may be permitted without identification + or authentication if organizations determine that identification and + authentication are not required for the specified user actions. Organizations + may allow a limited number of user actions without identification + or authentication, including when individuals access public websites + or other publicly accessible federal systems, when individuals use + mobile phones to receive calls, or when facsimiles are received. Organizations + identify actions that normally require identification or authentication + but may, under certain circumstances, allow identification or authentication + mechanisms to be bypassed. Such bypasses may occur, for example, via + a software-readable physical switch that commands bypass of the logon + functionality and is protected from accidental or unmonitored use. + Permitting actions without identification or authentication does not + apply to situations where identification and authentication have already + occurred and are not repeated but rather to situations where identification + and authentication have not yet occurred. Organizations may decide + that there are no user actions that can be performed on organizational + systems without identification and authentication, and therefore, + the value for the assignment operation can be "none." ' + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: FED - This is related to agency data and agency policy solution. + - id: ac-17 + class: SP800-53 + title: Remote Access + props: + - name: label + value: AC-17 + - name: label + value: AC-17 + class: sp800-53a + - name: sort-id + value: ac-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-10" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-17" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-17_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ac-17_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and document usage restrictions, configuration/connection + requirements, and implementation guidance for each type of remote + access allowed; and + - id: ac-17_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of remote access to the system prior + to allowing such connections. + - id: ac-17_gdn + name: guidance + prose: Remote access is access to organizational systems (or processes + acting on behalf of users) that communicate through external networks + such as the Internet. Types of remote access include dial-up, broadband, + and wireless. Organizations use encrypted virtual private networks + (VPNs) to enhance confidentiality and integrity for remote connections. + The use of encrypted VPNs provides sufficient assurance to the organization + that it can effectively treat such connections as internal networks + if the cryptographic mechanisms used are implemented in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Still, VPN connections traverse external + networks, and the encrypted VPN does not enhance the availability + of remote connections. VPNs with encrypted tunnels can also affect + the ability to adequately monitor network communications traffic for + malicious code. Remote access controls apply to systems other than + public web servers or systems designed for public access. Authorization + of each remote access type addresses authorization prior to allowing + remote access without specifying the specific formats for such authorization. + While organizations may use information exchange and system connection + security agreements to manage remote access connections to other systems, + such agreements are addressed as part of [CA-3](#ca-3) . Enforcing + access restrictions for remote access is addressed via [AC-3](#ac-3). + - id: ac-17_obj + name: assessment-objective + props: + - name: label + value: AC-17 + class: sp800-53a + parts: + - id: ac-17_obj.a + name: assessment-objective + props: + - name: label + value: AC-17a. + class: sp800-53a + parts: + - id: ac-17_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17a.[01] + class: sp800-53a + prose: usage restrictions are established and documented for + each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17a.[02] + class: sp800-53a + prose: configuration/connection requirements are established + and documented for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17a.[03] + class: sp800-53a + prose: implementation guidance is established and documented + for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.b + name: assessment-objective + props: + - name: label + value: AC-17b. + class: sp800-53a + prose: each type of remote access to the system is authorized prior + to allowing such connections. + links: + - href: "#ac-17_smt.b" + rel: assessment-for + links: + - href: "#ac-17_smt" + rel: assessment-for + - id: ac-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access implementation and usage (including + restrictions) + + + configuration management plan + + + system configuration settings and associated documentation + + + remote access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + remote access connections + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Remote access management capability for the system + - id: ac-18 + class: SP800-53 + title: Wireless Access + props: + - name: label + value: AC-18 + - name: label + value: AC-18 + class: sp800-53a + - name: sort-id + value: ac-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#03fb73bc-1b12-4182-bd96-e5719254ea61" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-40" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-18_smt + name: statement + parts: + - id: ac-18_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for each type of wireless access; + and + - id: ac-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of wireless access to the system prior + to allowing such connections. + - id: ac-18_gdn + name: guidance + prose: Wireless technologies include microwave, packet radio (ultra-high + frequency or very high frequency), 802.11x, and Bluetooth. Wireless + networks use authentication protocols that provide authenticator protection + and mutual authentication. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - All access to Cloud SaaS are via web services and/or API. + The device accessed from or whether via wired or wireless connection + is out of scope. Regardless of device accessed from, must utilize + approved remote access methods (AC-17), secure communication with + strong encryption (SC-13), key management (SC-12), and multi-factor + authentication for privileged access (IA-2[1]). + - id: ac-19 + class: SP800-53 + title: Access Control for Mobile Devices + props: + - name: label + value: AC-19 + - name: label + value: AC-19 + class: sp800-53a + - name: sort-id + value: ac-19 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-11" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-19_smt + name: statement + parts: + - id: ac-19_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for organization-controlled mobile + devices, to include when such devices are outside of controlled + areas; and + - id: ac-19_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize the connection of mobile devices to organizational + systems. + - id: ac-19_gdn + name: guidance + prose: >- + A mobile device is a computing device that has a small form + factor such that it can easily be carried by a single + individual; is designed to operate without a physical + connection; possesses local, non-removable or removable data + storage; and includes a self-contained power source. Mobile + device functionality may also include voice communication + capabilities, on-board sensors that allow the device to capture + information, and/or built-in features for synchronizing local + data with remote locations. Examples include smart phones and + tablets. Mobile devices are typically associated with a single + individual. The processing, storage, and transmission capability + of the mobile device may be comparable to or merely a subset of + notebook/desktop systems, depending on the nature and intended + purpose of the device. Protection and control of mobile devices + is behavior or policy-based and requires users to take physical + action to protect and control such devices when outside of + controlled areas. Controlled areas are spaces for which + organizations provide physical or procedural controls to meet + the requirements established for protecting information and + systems. + + + Due to the large variety of mobile devices with different characteristics + and capabilities, organizational restrictions may vary for the different + classes or types of such devices. Usage restrictions and specific + implementation guidance for mobile devices include configuration management, + device identification and authentication, implementation of mandatory + protective software, scanning devices for malicious code, updating + virus protection software, scanning for critical software updates + and patches, conducting primary operating system (and possibly other + resident software) integrity checks, and disabling unnecessary hardware. + + + Usage restrictions and authorization to connect may vary among organizational + systems. For example, the organization may authorize the connection + of mobile devices to its network and impose a set of usage restrictions, + while a system owner may withhold authorization for mobile device + connection to specific applications or impose additional usage restrictions + before allowing mobile device connections to a system. Adequate security + for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) + . Many safeguards for mobile devices are reflected in other controls. + [AC-20](#ac-20) addresses mobile devices that are not organization-controlled. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - All access to Cloud SaaS are via web service and/or API. + The device accessed from is out of the scope. Regardless of device + accessed from, must utilize approved remote access methods (AC-17), + secure communication with strong encryption (SC-13), key management + (SC-12), and multi-factor authentication for privileged access (IA-2 + [1]). + - id: ac-20 + class: SP800-53 + title: Use of External Systems + params: + - id: ac-20_odp.01 + select: + how-many: one-or-more + choice: + - "establish {{ insert: param, ac-20_odp.02 }} " + - "identify {{ insert: param, ac-20_odp.03 }} " + - id: ac-20_odp.02 + label: terms and conditions + guidelines: + - prose: terms and conditions consistent with the trust relationships + established with other organizations owning, operating, and/or + maintaining external systems are defined (if selected); + - id: ac-20_odp.03 + label: controls asserted + guidelines: + - prose: controls asserted to be implemented on external systems consistent + with the trust relationships established with other organizations + owning, operating, and/or maintaining external systems are defined + (if selected); + - id: ac-20_odp.04 + label: prohibited types of external systems + guidelines: + - prose: types of external systems prohibited from use are defined; + props: + - name: label + value: AC-20 + - name: label + value: AC-20 + class: sp800-53a + - name: sort-id + value: ac-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: ac-20_smt + name: statement + parts: + - id: ac-20_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, ac-20_odp.01 }} , consistent with the\ + \ trust relationships established with other organizations owning,\ + \ operating, and/or maintaining external systems, allowing authorized\ + \ individuals to:" + parts: + - id: ac-20_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Access the system from external systems; and + - id: ac-20_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Process, store, or transmit organization-controlled information + using external systems; or + - id: ac-20_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + - id: ac-20_gdn + name: guidance + prose: >- + External systems are systems that are used by but not part of + organizational systems, and for which the organization has no + direct control over the implementation of required controls or + the assessment of control effectiveness. External systems + include personally owned systems, components, or devices; + privately owned computing and communications devices in + commercial or public facilities; systems owned or controlled by + nonfederal organizations; systems managed by contractors; and + federal information systems that are not owned by, operated by, + or under the direct supervision or authority of the + organization. External systems also include systems owned or + operated by other components within the same organization and + systems within the organization with different authorization + boundaries. Organizations have the option to prohibit the use of + any type of external system or prohibit the use of specified + types of external systems, (e.g., prohibit the use of any + external system that is not organizationally owned or prohibit + the use of personally-owned systems). + + + For some external systems (i.e., systems operated by other organizations), + the trust relationships that have been established between those organizations + and the originating organization may be such that no explicit terms + and conditions are required. Systems within these organizations may + not be considered external. These situations occur when, for example, + there are pre-existing information exchange agreements (either implicit + or explicit) established between organizations or components or when + such agreements are specified by applicable laws, executive orders, + directives, regulations, policies, or standards. Authorized individuals + include organizational personnel, contractors, or other individuals + with authorized access to organizational systems and over which organizations + have the authority to impose specific rules of behavior regarding + system access. Restrictions that organizations impose on authorized + individuals need not be uniform, as the restrictions may vary depending + on trust relationships between organizations. Therefore, organizations + may choose to impose different security restrictions on contractors + than on state, local, or tribal governments. + + + External systems used to access public interfaces to organizational + systems are outside the scope of [AC-20](#ac-20) . Organizations establish + specific terms and conditions for the use of external systems in accordance + with organizational security policies and procedures. At a minimum, + terms and conditions address the specific types of applications that + can be accessed on organizational systems from external systems and + the highest security category of information that can be processed, + stored, or transmitted on external systems. If the terms and conditions + with the owners of the external systems cannot be established, organizations + may impose restrictions on organizational personnel using those external + systems. + - id: ac-22 + class: SP800-53 + title: Publicly Accessible Content + params: + - id: ac-22_odp + label: frequency + constraints: + - description: at least quarterly + guidelines: + - prose: the frequency at which to review the content on the publicly + accessible system for non-public information is defined; + props: + - name: label + value: AC-22 + - name: label + value: AC-22 + class: sp800-53a + - name: sort-id + value: ac-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#ac-3" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-13" + rel: related + parts: + - id: ac-22_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ac-22_smt.a + name: item + props: + - name: label + value: a. + prose: Designate individuals authorized to make information publicly + accessible; + - id: ac-22_smt.b + name: item + props: + - name: label + value: b. + prose: Train authorized individuals to ensure that publicly accessible + information does not contain nonpublic information; + - id: ac-22_smt.c + name: item + props: + - name: label + value: c. + prose: Review the proposed content of information prior to posting + onto the publicly accessible system to ensure that nonpublic information + is not included; and + - id: ac-22_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the content on the publicly accessible system for\ + \ nonpublic information {{ insert: param, ac-22_odp }} and remove\ + \ such information, if discovered." + - id: ac-22_gdn + name: guidance + prose: In accordance with applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines, the public is not + authorized to have access to nonpublic information, including information + protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) + and proprietary information. Publicly accessible content addresses + systems that are controlled by the organization and accessible to + the public, typically without identification or authentication. Posting + information on non-organizational systems (e.g., non-organizational + public websites, forums, and social media) is covered by organizational + policy. While organizations may have individuals who are responsible + for developing and implementing policies about the information that + can be made publicly accessible, publicly accessible content addresses + the management of the individuals who make such information publicly + accessible. + - id: ac-22_obj + name: assessment-objective + props: + - name: label + value: AC-22 + class: sp800-53a + parts: + - id: ac-22_obj.a + name: assessment-objective + props: + - name: label + value: AC-22a. + class: sp800-53a + prose: designated individuals are authorized to make information + publicly accessible; + links: + - href: "#ac-22_smt.a" + rel: assessment-for + - id: ac-22_obj.b + name: assessment-objective + props: + - name: label + value: AC-22b. + class: sp800-53a + prose: authorized individuals are trained to ensure that publicly + accessible information does not contain non-public information; + links: + - href: "#ac-22_smt.b" + rel: assessment-for + - id: ac-22_obj.c + name: assessment-objective + props: + - name: label + value: AC-22c. + class: sp800-53a + prose: the proposed content of information is reviewed prior to + posting onto the publicly accessible system to ensure that non-public + information is not included; + links: + - href: "#ac-22_smt.c" + rel: assessment-for + - id: ac-22_obj.d + name: assessment-objective + props: + - name: label + value: AC-22d. + class: sp800-53a + parts: + - id: ac-22_obj.d-1 + name: assessment-objective + props: + - name: label + value: AC-22d.[01] + class: sp800-53a + prose: "the content on the publicly accessible system is reviewed\ + \ for non-public information {{ insert: param, ac-22_odp }};" + links: + - href: "#ac-22_smt.d" + rel: assessment-for + - id: ac-22_obj.d-2 + name: assessment-objective + props: + - name: label + value: AC-22d.[02] + class: sp800-53a + prose: non-public information is removed from the publicly accessible + system, if discovered. + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt" + rel: assessment-for + - id: ac-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing publicly accessible content + + + list of users authorized to post publicly accessible content on + organizational systems + + + training materials and/or records + + + records of publicly accessible information reviews + + + records of response to non-public information on public websites + + + system audit logs + + + security awareness training records + + + system security plan + + + other relevant documents or records + - id: ac-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + publicly accessible information posted on organizational + systems + + + organizational personnel with information security responsibilities + - id: ac-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of publicly accessible + content + - id: at + class: family + title: Awareness and Training + controls: + - id: at-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: at-1_prm_1 + label: organization-defined personnel or roles + - id: at-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training policy + is to be disseminated is/are defined; + - id: at-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training procedures + are to be disseminated is/are defined; + - id: at-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: at-01_odp.04 + label: official + guidelines: + - prose: an official to manage the awareness and training policy and + procedures is defined; + - id: at-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current awareness and training + policy is reviewed and updated is defined; + - id: at-01_odp.06 + label: events + guidelines: + - prose: events that would require the current awareness and training + policy to be reviewed and updated are defined; + - id: at-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current awareness and training + procedures are reviewed and updated is defined; + - id: at-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AT-1 + - name: label + value: AT-01 + class: sp800-53a + - name: sort-id + value: at-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-1_smt + name: statement + parts: + - id: at-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ at-1_prm_1 }}:" + parts: + - id: at-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, at-01_odp.03 }} awareness and training\ + \ policy that:" + parts: + - id: at-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: at-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: at-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the awareness + and training policy and the associated awareness and training + controls; + - id: at-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, at-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures; and" + - id: at-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current awareness and training:" + parts: + - id: at-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, at-01_odp.05 }} and following\ + \ {{ insert: param, at-01_odp.06 }} ; and" + - id: at-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, at-01_odp.07 }} and following\ + \ {{ insert: param, at-01_odp.08 }}." + - id: at-1_gdn + name: guidance + prose: Awareness and training policy and procedures address the controls + in the AT family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of awareness and + training policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to awareness and training policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: at-2 + class: SP800-53 + title: Literacy Training and Awareness + params: + - id: at-2_prm_1 + label: organization-defined frequency + constraints: + - description: at least annually + - id: at-2_prm_2 + label: organization-defined events + - id: at-02_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to provide security literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to provide privacy literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.03 + label: events + guidelines: + - prose: events that require security literacy training for system + users are defined; + - id: at-02_odp.04 + label: events + guidelines: + - prose: events that require privacy literacy training for system + users are defined; + - id: at-02_odp.05 + label: awareness techniques + guidelines: + - prose: techniques to be employed to increase the security and privacy + awareness of system users are defined; + - id: at-02_odp.06 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update literacy training and awareness + content is defined; + - id: at-02_odp.07 + label: events + guidelines: + - prose: events that would require literacy training and awareness + content to be updated are defined; + props: + - name: label + value: AT-2 + - name: label + value: AT-02 + class: sp800-53a + - name: sort-id + value: at-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#89f2a08d-fc49-46d0-856e-bf974c9b1573" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-21" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-16" + rel: related + parts: + - id: at-2_smt + name: statement + parts: + - id: at-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide security and privacy literacy training to system\ + \ users (including managers, senior executives, and contractors):" + parts: + - id: at-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "As part of initial training for new users and {{ insert:\ + \ param, at-2_prm_1 }} thereafter; and" + - id: at-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "When required by system changes or following {{ insert:\ + \ param, at-2_prm_2 }};" + - id: at-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following techniques to increase the security\ + \ and privacy awareness of system users {{ insert: param, at-02_odp.05\ + \ }};" + - id: at-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Update literacy training and awareness content {{ insert:\ + \ param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07\ + \ }} ; and" + - id: at-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into literacy training and awareness techniques. + - id: at-2_gdn + name: guidance + prose: >- + Organizations provide basic and advanced levels of literacy + training to system users, including measures to test the + knowledge level of users. Organizations determine the content of + literacy training and awareness based on specific organizational + requirements, the systems to which personnel have authorized + access, and work environments (e.g., telework). The content + includes an understanding of the need for security and privacy + as well as actions by users to maintain security and personal + privacy and to respond to suspected incidents. The content + addresses the need for operations security and the handling of + personally identifiable information. + + + Awareness techniques include displaying posters, offering supplies + inscribed with security and privacy reminders, displaying logon screen + messages, generating email advisories or notices from organizational + officials, and conducting awareness events. Literacy training after + the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted + at a minimum frequency consistent with applicable laws, directives, + regulations, and policies. Subsequent literacy training may be satisfied + by one or more short ad hoc sessions and include topical information + on recent attack schemes, changes to organizational security and privacy + policies, revised security and privacy expectations, or a subset of + topics from the initial training. Updating literacy training and awareness + content on a regular basis helps to ensure that the content remains + relevant. Events that may precipitate an update to literacy training + and awareness content include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + controls: + - id: at-2.2 + class: SP800-53-enhancement + title: Insider Threat + props: + - name: label + value: AT-2(2) + - name: label + value: AT-02(02) + class: sp800-53a + - name: sort-id + value: at-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#at-2" + rel: required + - href: "#pm-12" + rel: related + parts: + - id: at-2.2_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + indicators of insider threat. + - id: at-2.2_gdn + name: guidance + prose: Potential indicators and possible precursors of insider threat + can include behaviors such as inordinate, long-term job dissatisfaction; + attempts to gain access to information not required for job performance; + unexplained access to financial resources; bullying or harassment + of fellow employees; workplace violence; and other serious violations + of policies, procedures, directives, regulations, rules, or practices. + Literacy training includes how to communicate the concerns of + employees and management regarding potential indicators of insider + threat through channels established by the organization and in + accordance with established policies and procedures. Organizations + may consider tailoring insider threat awareness topics to the + role. For example, training for managers may be focused on changes + in the behavior of team members, while training for employees + may be focused on more general observations. + - id: at-3 + class: SP800-53 + title: Role-based Training + params: + - id: at-3_prm_1 + label: organization-defined roles and responsibilities + - id: at-03_odp.01 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based security training + are defined; + - id: at-03_odp.02 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based privacy training + are defined; + - id: at-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to provide role-based security and + privacy training to assigned personnel after initial training + is defined; + - id: at-03_odp.04 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update role-based training content + is defined; + - id: at-03_odp.05 + label: events + guidelines: + - prose: events that require role-based training content to be updated + are defined; + props: + - name: label + value: AT-3 + - name: label + value: AT-03 + class: sp800-53a + - name: sort-id + value: at-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-2" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-23" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-16" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: at-3_smt + name: statement + parts: + - id: at-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide role-based security and privacy training to personnel\ + \ with the following roles and responsibilities: {{ insert: param,\ + \ at-3_prm_1 }}:" + parts: + - id: at-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Before authorizing access to the system, information,\ + \ or performing assigned duties, and {{ insert: param, at-03_odp.03\ + \ }} thereafter; and" + - id: at-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; + - id: at-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Update role-based training content {{ insert: param, at-03_odp.04\ + \ }} and following {{ insert: param, at-03_odp.05 }} ; and" + - id: at-3_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into role-based training. + - id: at-3_gdn + name: guidance + prose: >- + Organizations determine the content of training based on the + assigned roles and responsibilities of individuals as well as + the security and privacy requirements of organizations and the + systems to which personnel have authorized access, including + technical training specifically tailored for assigned duties. + Roles that may require role-based training include senior + leaders or management officials (e.g., head of agency/chief + executive officer, chief information officer, senior accountable + official for risk management, senior agency information security + officer, senior agency official for privacy), system owners; + authorizing officials; system security officers; privacy + officers; acquisition and procurement officials; enterprise + architects; systems engineers; software developers; systems + security engineers; privacy engineers; system, network, and + database administrators; auditors; personnel conducting + configuration management activities; personnel performing + verification and validation activities; personnel with access to + system-level software; control assessors; personnel with + contingency planning and incident response duties; personnel + with privacy management responsibilities; and personnel with + access to personally identifiable information. + + + Comprehensive role-based training addresses management, operational, + and technical roles and responsibilities covering physical, personnel, + and technical controls. Role-based training also includes policies, + procedures, tools, methods, and artifacts for the security and privacy + roles defined. Organizations provide the training necessary for individuals + to fulfill their responsibilities related to operations and supply + chain risk management within the context of organizational security + and privacy programs. Role-based training also applies to contractors + who provide services to federal agencies. Types of training include + web-based and computer-based training, classroom-style training, and + hands-on training (including micro-training). Updating role-based + training on a regular basis helps to ensure that the content remains + relevant and effective. Events that may precipitate an update to role-based + training content include, but are not limited to, assessment or audit + findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-4 + class: SP800-53 + title: Training Records + params: + - id: at-04_odp + label: time period + constraints: + - description: at least one (1) year or 1 year after completion of + a specific training program + guidelines: + - prose: time period for retaining individual training records is + defined; + props: + - name: label + value: AT-4 + - name: label + value: AT-04 + class: sp800-53a + - name: sort-id + value: at-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-4_smt + name: statement + parts: + - id: at-4_smt.a + name: item + props: + - name: label + value: a. + prose: Document and monitor information security and privacy training + activities, including security and privacy awareness training + and specific role-based security and privacy training; and + - id: at-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Retain individual training records for {{ insert: param,\ + \ at-04_odp }}." + - id: at-4_gdn + name: guidance + prose: Documentation for specialized training may be maintained by individual + supervisors at the discretion of the organization. The National Archives + and Records Administration provides guidance on records retention + for federal agencies. + - id: au + class: family + title: Audit and Accountability + controls: + - id: au-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: au-1_prm_1 + label: organization-defined personnel or roles + - id: au-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability policy + is to be disseminated is/are defined; + - id: au-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability procedures + are to be disseminated is/are defined; + - id: au-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: au-01_odp.04 + label: official + guidelines: + - prose: an official to manage the audit and accountability policy + and procedures is defined; + - id: au-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current audit and accountability + policy is reviewed and updated is defined; + - id: au-01_odp.06 + label: events + guidelines: + - prose: events that would require the current audit and accountability + policy to be reviewed and updated are defined; + - id: au-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current audit and accountability + procedures are reviewed and updated is defined; + - id: au-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require audit and accountability procedures + to be reviewed and updated are defined; + props: + - name: label + value: AU-1 + - name: label + value: AU-01 + class: sp800-53a + - name: sort-id + value: au-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-1_smt + name: statement + parts: + - id: au-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ au-1_prm_1 }}:" + parts: + - id: au-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, au-01_odp.03 }} audit and accountability\ + \ policy that:" + parts: + - id: au-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: au-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: au-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the audit + and accountability policy and the associated audit and accountability + controls; + - id: au-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, au-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures; and" + - id: au-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current audit and accountability:" + parts: + - id: au-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, au-01_odp.05 }} and following\ + \ {{ insert: param, au-01_odp.06 }} ; and" + - id: au-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, au-01_odp.07 }} and following\ + \ {{ insert: param, au-01_odp.08 }}." + - id: au-1_gdn + name: guidance + prose: Audit and accountability policy and procedures address the controls + in the AU family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of audit and accountability + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to audit and accountability policy and procedures + include assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: au-2 + class: SP800-53 + title: Event Logging + params: + - id: au-2_prm_2 + label: organization-defined event types (subset of the event types defined + in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation + requiring) logging for each identified event type + constraints: + - description: organization-defined subset of the auditable events + defined in AU-2a to be audited continually for each identified + event. + - id: au-02_odp.01 + label: event types + constraints: + - description: "successful and unsuccessful account logon events,\ + \ account management events, object access, policy change, privilege\ + \ functions, process tracking, and system events. For Web applications:\ + \ all administrator activity, authentication checks, authorization\ + \ checks, data deletions, data access, data changes, and permission\ + \ changes" + guidelines: + - prose: the event types that the system is capable of logging in + support of the audit function are defined; + - id: au-02_odp.02 + label: event types (subset of AU-02_ODP[01]) + guidelines: + - prose: the event types (subset of AU-02_ODP[01]) for logging within + the system are defined; + - id: au-02_odp.03 + label: frequency or situation + guidelines: + - prose: the frequency or situation requiring logging for each specified + event type is defined; + - id: au-02_odp.04 + label: frequency + constraints: + - description: annually and whenever there is a change in the threat + environment + guidelines: + - prose: the frequency of event types selected for logging are reviewed + and updated; + props: + - name: label + value: AU-2 + - name: label + value: AU-02 + class: sp800-53a + - name: sort-id + value: au-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-13" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pm-21" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-2_smt + name: statement + parts: + - id: au-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify the types of events that the system is capable\ + \ of logging in support of the audit function: {{ insert: param,\ + \ au-02_odp.01 }};" + - id: au-2_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate the event logging function with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + - id: au-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Specify the following event types for logging within the\ + \ system: {{ insert: param, au-2_prm_2 }};" + - id: au-2_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a rationale for why the event types selected for + logging are deemed to be adequate to support after-the-fact investigations + of incidents; and + - id: au-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Review and update the event types selected for logging {{\ + \ insert: param, au-02_odp.04 }}." + - id: au-2_gdn + name: guidance + prose: >- + An event is an observable occurrence in a system. The types of + events that require logging are those events that are + significant and relevant to the security of systems and the + privacy of individuals. Event logging also supports specific + monitoring and auditing needs. Event types include password + changes, failed logons or failed accesses related to systems, + security or privacy attribute changes, administrative privilege + usage, PIV credential usage, data action changes, query + parameters, or external credential usage. In determining the set + of event types that require logging, organizations consider the + monitoring and auditing appropriate for each of the controls to + be implemented. For completeness, event logging includes all + protocols that are operational and supported by the system. + + + To balance monitoring and auditing requirements with other system + needs, event logging requires identifying the subset of event types + that are logged at a given point in time. For example, organizations + may determine that systems need the capability to log every file access + successful and unsuccessful, but not activate that capability except + for specific circumstances due to the potential burden on system performance. + The types of events that organizations desire to be logged may change. + Reviewing and updating the set of logged events is necessary to help + ensure that the events remain relevant and continue to support the + needs of the organization. Organizations consider how the types of + logging events can reveal information about individuals that may give + rise to privacy risk and how best to mitigate such risks. For example, + there is the potential to reveal personally identifiable information + in the audit trail, especially if the logging event is based on patterns + or time of usage. + + + Event logging requirements, including the need to log specific event + types, may be referenced in other controls and control enhancements. + These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), + [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), + [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), + [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), + [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and + [SI-10(1)](#si-10.1) . Organizations include event types that are + required by applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Audit records can be generated + at various levels, including at the packet level as information traverses + the network. Selecting the appropriate level of event logging is an + important part of a monitoring and auditing capability and can identify + the root causes of problems. When defining event types, organizations + consider the logging necessary to cover related event types, such + as the steps in distributed, transaction-based processes and the actions + that occur in service-oriented architectures. + - id: au-3 + class: SP800-53 + title: Content of Audit Records + props: + - name: label + value: AU-3 + - name: label + value: AU-03 + class: sp800-53a + - name: sort-id + value: au-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-8" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Ensure that audit records contain information that establishes\ + \ the following:" + parts: + - id: au-3_smt.a + name: item + props: + - name: label + value: a. + prose: What type of event occurred; + - id: au-3_smt.b + name: item + props: + - name: label + value: b. + prose: When the event occurred; + - id: au-3_smt.c + name: item + props: + - name: label + value: c. + prose: Where the event occurred; + - id: au-3_smt.d + name: item + props: + - name: label + value: d. + prose: Source of the event; + - id: au-3_smt.e + name: item + props: + - name: label + value: e. + prose: Outcome of the event; and + - id: au-3_smt.f + name: item + props: + - name: label + value: f. + prose: Identity of any individuals, subjects, or objects/entities + associated with the event. + - id: au-3_gdn + name: guidance + prose: Audit record content that may be necessary to support the auditing + function includes event descriptions (item a), time stamps (item b), + source and destination addresses (item c), user or process identifiers + (items d and f), success or fail indications (item e), and filenames + involved (items a, c, e, and f) . Event outcomes include indicators + of event success or failure and event-specific results, such as the + system security and privacy posture after the event occurred. Organizations + consider how audit records can reveal information about individuals + that may give rise to privacy risks and how best to mitigate such + risks. For example, there is the potential to reveal personally identifiable + information in the audit trail, especially if the trail records inputs + or is based on patterns or time of usage. + - id: au-3_obj + name: assessment-objective + props: + - name: label + value: AU-03 + class: sp800-53a + parts: + - id: au-3_obj.a + name: assessment-objective + props: + - name: label + value: AU-03a. + class: sp800-53a + prose: audit records contain information that establishes what type + of event occurred; + links: + - href: "#au-3_smt.a" + rel: assessment-for + - id: au-3_obj.b + name: assessment-objective + props: + - name: label + value: AU-03b. + class: sp800-53a + prose: audit records contain information that establishes when the + event occurred; + links: + - href: "#au-3_smt.b" + rel: assessment-for + - id: au-3_obj.c + name: assessment-objective + props: + - name: label + value: AU-03c. + class: sp800-53a + prose: audit records contain information that establishes where + the event occurred; + links: + - href: "#au-3_smt.c" + rel: assessment-for + - id: au-3_obj.d + name: assessment-objective + props: + - name: label + value: AU-03d. + class: sp800-53a + prose: audit records contain information that establishes the source + of the event; + links: + - href: "#au-3_smt.d" + rel: assessment-for + - id: au-3_obj.e + name: assessment-objective + props: + - name: label + value: AU-03e. + class: sp800-53a + prose: audit records contain information that establishes the outcome + of the event; + links: + - href: "#au-3_smt.e" + rel: assessment-for + - id: au-3_obj.f + name: assessment-objective + props: + - name: label + value: AU-03f. + class: sp800-53a + prose: audit records contain information that establishes the identity + of any individuals, subjects, or objects/entities associated with + the event. + links: + - href: "#au-3_smt.f" + rel: assessment-for + links: + - href: "#au-3_smt" + rel: assessment-for + - id: au-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing content of audit records + + system design documentation + + system configuration settings and associated documentation + + list of organization-defined auditable events + + system audit records + + system incident reports + + other relevant documents or records + - id: au-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing of auditable events + - id: au-4 + class: SP800-53 + title: Audit Log Storage Capacity + params: + - id: au-04_odp + label: audit log retention requirements + guidelines: + - prose: audit log retention requirements are defined; + props: + - name: label + value: AU-4 + - name: label + value: AU-04 + class: sp800-53a + - name: sort-id + value: au-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#au-2" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-4_smt + name: statement + prose: "Allocate audit log storage capacity to accommodate {{ insert:\ + \ param, au-04_odp }}." + - id: au-4_gdn + name: guidance + prose: Organizations consider the types of audit logging to be performed + and the audit log processing requirements when allocating audit log + storage capacity. Allocating sufficient audit log storage capacity + reduces the likelihood of such capacity being exceeded and resulting + in the potential loss or reduction of audit logging capability. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the audit data has been determined + to have little or no impact to government business/mission needs. + - id: au-5 + class: SP800-53 + title: Response to Audit Logging Process Failures + params: + - id: au-05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles receiving audit logging process failure + alerts are defined; + - id: au-05_odp.02 + label: time period + guidelines: + - prose: time period for personnel or roles receiving audit logging + process failure alerts is defined; + - id: au-05_odp.03 + label: additional actions + constraints: + - description: overwrite oldest record + guidelines: + - prose: additional actions to be taken in the event of an audit logging + process failure are defined; + props: + - name: label + value: AU-5 + - name: label + value: AU-05 + class: sp800-53a + - name: sort-id + value: au-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-5_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: au-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Alert {{ insert: param, au-05_odp.01 }} within {{ insert:\ + \ param, au-05_odp.02 }} in the event of an audit logging process\ + \ failure; and" + - id: au-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following additional actions: {{ insert: param,\ + \ au-05_odp.03 }}." + - id: au-5_gdn + name: guidance + prose: Audit logging process failures include software and hardware + errors, failures in audit log capturing mechanisms, and reaching or + exceeding audit log storage capacity. Organization-defined actions + include overwriting oldest audit records, shutting down the system, + and stopping the generation of audit records. Organizations may choose + to define additional actions for audit logging process failures based + on the type of failure, the location of the failure, the severity + of the failure, or a combination of such factors. When the audit logging + process failure is related to storage, the response is carried out + for the audit log storage repository (i.e., the distinct system component + where the audit logs are stored), the system on which the audit logs + reside, the total audit log storage capacity of the organization (i.e., + all audit log storage repositories combined), or all three. Organizations + may decide to take no additional actions after alerting designated + roles or personnel. + - id: au-5_obj + name: assessment-objective + props: + - name: label + value: AU-05 + class: sp800-53a + parts: + - id: au-5_obj.a + name: assessment-objective + props: + - name: label + value: AU-05a. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.01 }} are alerted in the event\ + \ of an audit logging process failure within {{ insert: param,\ + \ au-05_odp.02 }};" + links: + - href: "#au-5_smt.a" + rel: assessment-for + - id: au-5_obj.b + name: assessment-objective + props: + - name: label + value: AU-05b. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.03 }} are taken in the event\ + \ of an audit logging process failure." + links: + - href: "#au-5_smt.b" + rel: assessment-for + links: + - href: "#au-5_smt" + rel: assessment-for + - id: au-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy plan + + + system configuration settings and associated documentation + + + list of personnel to be notified in case of an audit processing + failure + + + system audit records + + + other relevant documents or records + - id: au-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system response to audit processing + failures + - id: au-6 + class: SP800-53 + title: Audit Record Review, Analysis, and Reporting + params: + - id: au-06_odp.01 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: frequency at which system audit records are reviewed and + analyzed is defined; + - id: au-06_odp.02 + label: inappropriate or unusual activity + guidelines: + - prose: inappropriate or unusual activity is defined; + - id: au-06_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive findings from reviews and analyses + of system records is/are defined; + props: + - name: label + value: AU-6 + - name: label + value: AU-06 + class: sp800-53a + - name: sort-id + value: au-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-7" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: au-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: au-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Review and analyze system audit records {{ insert: param,\ + \ au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02\ + \ }} and the potential impact of the inappropriate or unusual\ + \ activity;" + - id: au-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + - id: au-6_smt.c + name: item + props: + - name: label + value: c. + prose: Adjust the level of audit record review, analysis, and reporting + within the system when there is a change in risk based on law + enforcement information, intelligence information, or other credible + sources of information. + - id: au-6_gdn + name: guidance + prose: Audit record review, analysis, and reporting covers information + security- and privacy-related logging performed by organizations, + including logging that results from the monitoring of account usage, + remote access, wireless connectivity, mobile device connection, configuration + settings, system component inventory, use of maintenance tools and + non-local maintenance, physical access, temperature and humidity, + equipment delivery and removal, communications at system interfaces, + and use of mobile code or Voice over Internet Protocol (VoIP). Findings + can be reported to organizational entities that include the incident + response team, help desk, and security or privacy offices. If organizations + are prohibited from reviewing and analyzing audit records or unable + to conduct such activities, the review or analysis may be carried + out by other organizations granted such authority. The frequency, + scope, and/or depth of the audit record review, analysis, and reporting + may be adjusted to meet organizational needs based on new information + received. + - id: au-6_obj + name: assessment-objective + props: + - name: label + value: AU-06 + class: sp800-53a + parts: + - id: au-6_obj.a + name: assessment-objective + props: + - name: label + value: AU-06a. + class: sp800-53a + prose: "system audit records are reviewed and analyzed {{ insert:\ + \ param, au-06_odp.01 }} for indications of {{ insert: param,\ + \ au-06_odp.02 }} and the potential impact of the inappropriate\ + \ or unusual activity;" + links: + - href: "#au-6_smt.a" + rel: assessment-for + - id: au-6_obj.b + name: assessment-objective + props: + - name: label + value: AU-06b. + class: sp800-53a + prose: "findings are reported to {{ insert: param, au-06_odp.03\ + \ }};" + links: + - href: "#au-6_smt.b" + rel: assessment-for + - id: au-6_obj.c + name: assessment-objective + props: + - name: label + value: AU-06c. + class: sp800-53a + prose: the level of audit record review, analysis, and reporting + within the system is adjusted when there is a change in risk based + on law enforcement information, intelligence information, or other + credible sources of information. + links: + - href: "#au-6_smt.c" + rel: assessment-for + links: + - href: "#au-6_smt" + rel: assessment-for + - id: au-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + reports of audit findings + + + records of actions taken in response to reviews/analyses of audit + records + + + other relevant documents or records + - id: au-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, and + reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-8 + class: SP800-53 + title: Time Stamps + params: + - id: au-08_odp + label: granularity of time measurement + constraints: + - description: one second granularity of time measurement + guidelines: + - prose: granularity of time measurement for audit record timestamps + is defined; + props: + - name: label + value: AU-8 + - name: label + value: AU-08 + class: sp800-53a + - name: sort-id + value: au-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#sc-45" + rel: related + parts: + - id: au-8_smt + name: statement + parts: + - id: au-8_smt.a + name: item + props: + - name: label + value: a. + prose: Use internal system clocks to generate time stamps for audit + records; and + - id: au-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Record time stamps for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or that include the local time offset as part of the time stamp." + - id: au-8_gdn + name: guidance + prose: Time stamps generated by the system include date and time. Time + is commonly expressed in Coordinated Universal Time (UTC), a modern + continuation of Greenwich Mean Time (GMT), or local time with an offset + from UTC. Granularity of time measurements refers to the degree of + synchronization between system clocks and reference clocks (e.g., + clocks synchronizing within hundreds of milliseconds or tens of milliseconds). + Organizations may define different time granularities for different + system components. Time service can be critical to other security + capabilities such as access control and identification and authentication, + depending on the nature of the mechanisms used to support those capabilities. + - id: au-9 + class: SP800-53 + title: Protection of Audit Information + params: + - id: au-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted upon detection of unauthorized + access, modification, or deletion of audit information is/are + defined; + props: + - name: label + value: AU-9 + - name: label + value: AU-09 + class: sp800-53a + - name: sort-id + value: au-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-6" + rel: related + - href: "#au-11" + rel: related + - href: "#au-14" + rel: related + - href: "#au-15" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-9_smt + name: statement + parts: + - id: au-9_smt.a + name: item + props: + - name: label + value: a. + prose: Protect audit information and audit logging tools from unauthorized + access, modification, and deletion; and + - id: au-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized\ + \ access, modification, or deletion of audit information." + - id: au-9_gdn + name: guidance + prose: Audit information includes all information needed to successfully + audit system activity, such as audit records, audit log settings, + audit reports, and personally identifiable information. Audit logging + tools are those programs and devices used to conduct system audit + and logging activities. Protection of audit information focuses on + technical protection and limits the ability to access and execute + audit logging tools to authorized individuals. Physical protection + of audit information is addressed by both media protection controls + and physical and environmental protection controls. + - id: au-11 + class: SP800-53 + title: Audit Record Retention + params: + - id: au-11_odp + label: time period + constraints: + - description: a time period in compliance with M-21-31 + guidelines: + - prose: a time period to retain audit records that is consistent + with the records retention policy is defined; + props: + - name: label + value: AU-11 + - name: label + value: AU-11 + class: sp800-53a + - name: sort-id + value: au-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-14" + rel: related + - href: "#mp-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-11_smt + name: statement + prose: "Retain audit records for {{ insert: param, au-11_odp }} to provide\ + \ support for after-the-fact investigations of incidents and to meet\ + \ regulatory and organizational information retention requirements." + - id: au-11_gdn + name: guidance + prose: Organizations retain audit records until it is determined that + the records are no longer needed for administrative, legal, audit, + or other operational purposes. This includes the retention and availability + of audit records relative to Freedom of Information Act (FOIA) requests, + subpoenas, and law enforcement actions. Organizations develop standard + categories of audit records relative to such types of actions and + standard response processes for each type of action. The National + Archives and Records Administration (NARA) General Records Schedules + provide federal policy on records retention. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the audit data has been determined + as little or no impact to government business/mission needs. + - id: au-12 + class: SP800-53 + title: Audit Record Generation + params: + - id: au-12_odp.01 + label: system components + constraints: + - description: all information system and network components where + audit capability is deployed/available + guidelines: + - prose: system components that provide an audit record generation + capability for the events types (defined in AU-02_ODP[02]) are + defined; + - id: au-12_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles allowed to select the event types that + are to be logged by specific components of the system is/are defined; + props: + - name: label + value: AU-12 + - name: label + value: AU-12 + class: sp800-53a + - name: sort-id + value: au-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-14" + rel: related + - href: "#cm-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + parts: + - id: au-12_smt + name: statement + parts: + - id: au-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide audit record generation capability for the event\ + \ types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a)\ + \ on {{ insert: param, au-12_odp.01 }};" + - id: au-12_smt.b + name: item + props: + - name: label + value: b. + prose: "Allow {{ insert: param, au-12_odp.02 }} to select the event\ + \ types that are to be logged by specific components of the system;\ + \ and" + - id: au-12_smt.c + name: item + props: + - name: label + value: c. + prose: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) + that include the audit record content defined in [AU-3](#au-3). + - id: au-12_gdn + name: guidance + prose: Audit records can be generated from many different system components. + The event types specified in [AU-2d](#au-2_smt.d) are the event types + for which audit logs are to be generated and are a subset of all event + types for which the system can generate audit records. + - id: ca + class: family + title: Assessment, Authorization, and Monitoring + controls: + - id: ca-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ca-1_prm_1 + label: organization-defined personnel or roles + - id: ca-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring policy is to be disseminated is/are defined; + - id: ca-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring procedures are to be disseminated is/are defined; + - id: ca-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ca-01_odp.04 + label: official + guidelines: + - prose: an official to manage the assessment, authorization, and + monitoring policy and procedures is defined; + - id: ca-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring policy is reviewed and updated is defined; + - id: ca-01_odp.06 + label: events + guidelines: + - prose: events that would require the current assessment, authorization, + and monitoring policy to be reviewed and updated are defined; + - id: ca-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring procedures are reviewed and updated is defined; + - id: ca-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require assessment, authorization, and + monitoring procedures to be reviewed and updated are defined; + props: + - name: label + value: CA-1 + - name: label + value: CA-01 + class: sp800-53a + - name: sort-id + value: ca-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#62ea77ca-e450-4323-b210-e0d75390e785" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-1_smt + name: statement + parts: + - id: ca-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ca-1_prm_1 }}:" + parts: + - id: ca-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ca-01_odp.03 }} assessment, authorization,\ + \ and monitoring policy that:" + parts: + - id: ca-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ca-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ca-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the assessment, + authorization, and monitoring policy and the associated assessment, + authorization, and monitoring controls; + - id: ca-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ca-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures; and" + - id: ca-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current assessment, authorization,\ + \ and monitoring:" + parts: + - id: ca-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ca-01_odp.05 }} and following\ + \ {{ insert: param, ca-01_odp.06 }} ; and" + - id: ca-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ca-01_odp.07 }} and following\ + \ {{ insert: param, ca-01_odp.08 }}." + - id: ca-1_gdn + name: guidance + prose: Assessment, authorization, and monitoring policy and procedures + address the controls in the CA family that are implemented within + systems and organizations. The risk management strategy is an important + factor in establishing such policies and procedures. Policies and + procedures contribute to security and privacy assurance. Therefore, + it is important that security and privacy programs collaborate on + the development of assessment, authorization, and monitoring policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to assessment, authorization, and monitoring + policy and procedures include assessment or audit findings, security + incidents or breaches, or changes in applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Simply + restating controls does not constitute an organizational policy or + procedure. + - id: ca-2 + class: SP800-53 + title: Control Assessments + params: + - id: ca-02_odp.01 + label: assessment frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess controls in the system and + its environment of operation is defined; + - id: ca-02_odp.02 + label: individuals or roles + constraints: + - description: individuals or roles to include FedRAMP PMO + guidelines: + - prose: individuals or roles to whom control assessment results are + to be provided are defined; + props: + - name: label + value: CA-2 + - name: label + value: CA-02 + class: sp800-53a + - name: sort-id + value: ca-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: ca-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ca-2_smt.a + name: item + props: + - name: label + value: a. + prose: Select the appropriate assessor or assessment team for the + type of assessment to be conducted; + - id: ca-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Develop a control assessment plan that describes the scope\ + \ of the assessment including:" + parts: + - id: ca-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Controls and control enhancements under assessment; + - id: ca-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Assessment procedures to be used to determine control + effectiveness; and + - id: ca-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Assessment environment, assessment team, and assessment + roles and responsibilities; + - id: ca-2_smt.c + name: item + props: + - name: label + value: c. + prose: Ensure the control assessment plan is reviewed and approved + by the authorizing official or designated representative prior + to conducting the assessment; + - id: ca-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Assess the controls in the system and its environment of\ + \ operation {{ insert: param, ca-02_odp.01 }} to determine the\ + \ extent to which the controls are implemented correctly, operating\ + \ as intended, and producing the desired outcome with respect\ + \ to meeting established security and privacy requirements;" + - id: ca-2_smt.e + name: item + props: + - name: label + value: e. + prose: Produce a control assessment report that document the results + of the assessment; and + - id: ca-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Provide the results of the control assessment to {{ insert:\ + \ param, ca-02_odp.02 }}." + - id: ca-2_gdn + name: guidance + prose: >- + Organizations ensure that control assessors possess the required + skills and technical expertise to develop effective assessment + plans and to conduct assessments of system-specific, hybrid, + common, and program management controls, as appropriate. The + required skills include general knowledge of risk management + concepts and approaches as well as comprehensive knowledge of + and experience with the hardware, software, and firmware system + components implemented. + + + Organizations assess controls in systems and the environments in which + those systems operate as part of initial and ongoing authorizations, + continuous monitoring, FISMA annual assessments, system design and + development, systems security engineering, privacy engineering, and + the system development life cycle. Assessments help to ensure that + organizations meet information security and privacy requirements, + identify weaknesses and deficiencies in the system design and development + process, provide essential information needed to make risk-based decisions + as part of authorization processes, and comply with vulnerability + mitigation procedures. Organizations conduct assessments on the implemented + controls as documented in security and privacy plans. Assessments + can also be conducted throughout the system development life cycle + as part of systems engineering and systems security engineering processes. + The design for controls can be assessed as RFPs are developed, responses + assessed, and design reviews conducted. If a design to implement controls + and subsequent implementation in accordance with the design are assessed + during development, the final control testing can be a simple confirmation + utilizing previously completed control assessment and aggregating + the outcomes. + + + Organizations may develop a single, consolidated security and privacy + assessment plan for the system or maintain separate plans. A consolidated + assessment plan clearly delineates the roles and responsibilities + for control assessment. If multiple organizations participate in assessing + a system, a coordinated approach can reduce redundancies and associated + costs. + + + Organizations can use other types of assessment activities, such as + vulnerability scanning and system monitoring, to maintain the security + and privacy posture of systems during the system life cycle. Assessment + reports document assessment results in sufficient detail, as deemed + necessary by organizations, to determine the accuracy and completeness + of the reports and whether the controls are implemented correctly, + operating as intended, and producing the desired outcome with respect + to meeting requirements. Assessment results are provided to the individuals + or roles appropriate for the types of assessments being conducted. + For example, assessments conducted in support of authorization decisions + are provided to authorizing officials, senior agency officials for + privacy, senior agency information security officers, and authorizing + official designated representatives. + + + To satisfy annual assessment requirements, organizations can use assessment + results from the following sources: initial or ongoing system authorizations, + continuous monitoring, systems engineering processes, or system development + life cycle activities. Organizations ensure that assessment results + are current, relevant to the determination of control effectiveness, + and obtained with the appropriate level of assessor independence. + Existing control assessment results can be reused to the extent that + the results are still valid and can also be supplemented with additional + assessments as needed. After the initial authorizations, organizations + assess controls during continuous monitoring. Organizations also establish + the frequency for ongoing assessments in accordance with organizational + continuous monitoring strategies. External audits, including audits + by external entities such as regulatory agencies, are outside of the + scope of [CA-2](#ca-2). + - id: ca-2_obj + name: assessment-objective + props: + - name: label + value: CA-02 + class: sp800-53a + parts: + - id: ca-2_obj.a + name: assessment-objective + props: + - name: label + value: CA-02a. + class: sp800-53a + prose: an appropriate assessor or assessment team is selected for + the type of assessment to be conducted; + links: + - href: "#ca-2_smt.a" + rel: assessment-for + - id: ca-2_obj.b + name: assessment-objective + props: + - name: label + value: CA-02b. + class: sp800-53a + parts: + - id: ca-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CA-02b.01 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including controls and control + enhancements under assessment; + links: + - href: "#ca-2_smt.b.1" + rel: assessment-for + - id: ca-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CA-02b.02 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment procedures + to be used to determine control effectiveness; + links: + - href: "#ca-2_smt.b.2" + rel: assessment-for + - id: ca-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CA-02b.03 + class: sp800-53a + parts: + - id: ca-2_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: CA-02b.03[01] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + environment; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: CA-02b.03[02] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + team; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-3 + name: assessment-objective + props: + - name: label + value: CA-02b.03[03] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment roles + and responsibilities; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b" + rel: assessment-for + - id: ca-2_obj.c + name: assessment-objective + props: + - name: label + value: CA-02c. + class: sp800-53a + prose: the control assessment plan is reviewed and approved by the + authorizing official or designated representative prior to conducting + the assessment; + links: + - href: "#ca-2_smt.c" + rel: assessment-for + - id: ca-2_obj.d + name: assessment-objective + props: + - name: label + value: CA-02d. + class: sp800-53a + parts: + - id: ca-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: CA-02d.[01] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established security requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: CA-02d.[02] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established privacy requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.e + name: assessment-objective + props: + - name: label + value: CA-02e. + class: sp800-53a + prose: a control assessment report is produced that documents the + results of the assessment; + links: + - href: "#ca-2_smt.e" + rel: assessment-for + - id: ca-2_obj.f + name: assessment-objective + props: + - name: label + value: CA-02f. + class: sp800-53a + prose: "the results of the control assessment are provided to {{\ + \ insert: param, ca-02_odp.02 }}." + links: + - href: "#ca-2_smt.f" + rel: assessment-for + links: + - href: "#ca-2_smt" + rel: assessment-for + - id: ca-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing assessment planning + + procedures addressing control assessments + + control assessment plan + + control assessment report + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting control assessment, control assessment + plan development, and/or control assessment reporting + controls: + - id: ca-2.1 + class: SP800-53-enhancement + title: Independent Assessors + props: + - name: label + value: CA-2(1) + - name: label + value: CA-02(01) + class: sp800-53a + - name: sort-id + value: ca-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ca-2" + rel: required + parts: + - id: ca-2.1_smt + name: statement + prose: Employ independent assessors or assessment teams to conduct + control assessments. + - id: ca-2.1_gdn + name: guidance + prose: >- + Independent assessors or assessment teams are individuals or + groups who conduct impartial assessments of systems. + Impartiality means that assessors are free from any + perceived or actual conflicts of interest regarding the + development, operation, sustainment, or management of the + systems under assessment or the determination of control + effectiveness. To achieve impartiality, assessors do not + create a mutual or conflicting interest with the + organizations where the assessments are being conducted, + assess their own work, act as management or employees of the + organizations they are serving, or place themselves in + positions of advocacy for the organizations acquiring their + services. + + + Independent assessments can be obtained from elements within organizations + or be contracted to public or private sector entities outside + of organizations. Authorizing officials determine the required + level of independence based on the security categories of systems + and/or the risk to organizational operations, organizational assets, + or individuals. Authorizing officials also determine if the level + of assessor independence provides sufficient assurance that the + results are sound and can be used to make credible, risk-based + decisions. Assessor independence determination includes whether + contracted assessment services have sufficient independence, such + as when system owners are not directly involved in contracting + processes or cannot influence the impartiality of the assessors + conducting the assessments. During the system design and development + phase, having independent assessors is analogous to having independent + SMEs involved in design reviews. + + + When organizations that own the systems are small or the structures + of the organizations require that assessments be conducted by + individuals that are in the developmental, operational, or management + chain of the system owners, independence in assessment processes + can be achieved by ensuring that assessment results are carefully + reviewed and analyzed by independent teams of experts to validate + the completeness, accuracy, integrity, and reliability of the + results. Assessments performed for purposes other than to support + authorization decisions are more likely to be useable for such + decisions when performed by assessors with sufficient independence, + thereby reducing the need to repeat assessments. + - id: ca-3 + class: SP800-53 + title: Information Exchange + params: + - id: ca-03_odp.01 + select: + how-many: one-or-more + choice: + - interconnection security agreements + - information exchange security agreements + - memoranda of understanding or agreement + - service level agreements + - user agreements + - non-disclosure agreements + - " {{ insert: param, ca-03_odp.02 }} " + - id: ca-03_odp.02 + label: type of agreement + guidelines: + - prose: the type of agreement used to approve and manage the exchange + of information is defined (if selected); + - id: ca-03_odp.03 + label: frequency + constraints: + - description: at least annually and on input from JAB/AO + guidelines: + - prose: the frequency at which to review and update agreements is + defined; + props: + - name: label + value: CA-3 + - name: label + value: CA-03 + class: sp800-53a + - name: sort-id + value: ca-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#c3a76872-e160-4267-99e8-6952de967d04" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-6" + rel: related + - href: "#ia-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ca-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Approve and manage the exchange of information between the\ + \ system and other systems using {{ insert: param, ca-03_odp.01\ + \ }};" + - id: ca-3_smt.b + name: item + props: + - name: label + value: b. + prose: Document, as part of each exchange agreement, the interface + characteristics, security and privacy requirements, controls, + and responsibilities for each system, and the impact level of + the information communicated; and + - id: ca-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the agreements {{ insert: param, ca-03_odp.03\ + \ }}." + - id: ca-3_gdn + name: guidance + prose: >- + System information exchange requirements apply to information + exchanges between two or more systems. System information + exchanges include connections via leased lines or virtual + private networks, connections to internet service providers, + database sharing or exchanges of database transaction + information, connections and exchanges with cloud services, + exchanges via web-based services, or exchanges of files via file + transfer protocols, network protocols (e.g., IPv4, IPv6), email, + or other organization-to-organization communications. + Organizations consider the risk related to new or increased + threats that may be introduced when systems exchange information + with other systems that may have different security and privacy + requirements and controls. This includes systems within the same + organization and systems that are external to the organization. + A joint authorization of the systems exchanging information, as + described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help + to communicate and reduce risk. + + + Authorizing officials determine the risk associated with system information + exchange and the controls needed for appropriate risk mitigation. + The types of agreements selected are based on factors such as the + impact level of the information being exchanged, the relationship + between the organizations exchanging information (e.g., government + to government, government to business, business to business, government + or business to service provider, government or business to individual), + or the level of access to the organizational system by users of the + other system. If systems that exchange information have the same authorizing + official, organizations need not develop agreements. Instead, the + interface characteristics between the systems (e.g., how the information + is being exchanged. how the information is protected) are described + in the respective security and privacy plans. If the systems that + exchange information have different authorizing officials within the + same organization, the organizations can develop agreements or provide + the same information that would be provided in the appropriate agreement + type from [CA-3a](#ca-3_smt.a) in the respective security and privacy + plans for the systems. Organizations may incorporate agreement information + into formal contracts, especially for information exchanges established + between federal agencies and nonfederal organizations (including service + providers, contractors, system developers, and system integrators). + Risk considerations include systems that share the same networks. + - id: ca-3_obj + name: assessment-objective + props: + - name: label + value: CA-03 + class: sp800-53a + parts: + - id: ca-3_obj.a + name: assessment-objective + props: + - name: label + value: CA-03a. + class: sp800-53a + prose: "the exchange of information between the system and other\ + \ systems is approved and managed using {{ insert: param, ca-03_odp.01\ + \ }};" + links: + - href: "#ca-3_smt.a" + rel: assessment-for + - id: ca-3_obj.b + name: assessment-objective + props: + - name: label + value: CA-03b. + class: sp800-53a + parts: + - id: ca-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-03b.[01] + class: sp800-53a + prose: the interface characteristics are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-03b.[02] + class: sp800-53a + prose: security requirements are documented as part of each + exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-03b.[03] + class: sp800-53a + prose: privacy requirements are documented as part of each exchange + agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-03b.[04] + class: sp800-53a + prose: controls are documented as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-5 + name: assessment-objective + props: + - name: label + value: CA-03b.[05] + class: sp800-53a + prose: responsibilities for each system are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-6 + name: assessment-objective + props: + - name: label + value: CA-03b.[06] + class: sp800-53a + prose: the impact level of the information communicated is documented + as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.c + name: assessment-objective + props: + - name: label + value: CA-03c. + class: sp800-53a + prose: "agreements are reviewed and updated {{ insert: param, ca-03_odp.03\ + \ }}." + links: + - href: "#ca-3_smt.c" + rel: assessment-for + links: + - href: "#ca-3_smt" + rel: assessment-for + - id: ca-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing system connections + + system and communications protection policy + + system interconnection security agreements + + information exchange security agreements + + memoranda of understanding or agreements + + service level agreements + + non-disclosure agreements + + system design documentation + + enterprise architecture + + system architecture + + system configuration settings and associated documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or approving system + interconnection agreements + + + organizational personnel with information security and privacy + responsibilities + + + personnel managing the system(s) to which the interconnection + security agreement applies + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: There are connection(s) to external systems. Connections\ + \ (if any) shall be authorized and must: 1) Identify the interface/connection.\ + \ 2) Detail what data is involved and its sensitivity. 3) Determine\ + \ whether the connection is one-way or bi-directional. 4) Identify\ + \ how the connection is secured." + - id: ca-5 + class: SP800-53 + title: Plan of Action and Milestones + params: + - id: ca-05_odp + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to update an existing plan of action + and milestones based on the findings from control assessments, + independent audits or reviews, and continuous monitoring activities + is defined; + props: + - name: label + value: CA-5 + - name: label + value: CA-05 + class: sp800-53a + - name: sort-id + value: ca-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-7" + rel: related + - href: "#si-2" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-5_smt + name: statement + parts: + - id: ca-5_smt.a + name: item + props: + - name: label + value: a. + prose: Develop a plan of action and milestones for the system to + document the planned remediation actions of the organization to + correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; and + - id: ca-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Update existing plan of action and milestones {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + - id: ca-5_gdn + name: guidance + prose: Plans of action and milestones are useful for any type of organization + to track planned remedial actions. Plans of action and milestones + are required in authorization packages and subject to federal reporting + requirements established by OMB. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous + Monitoring Requirements. + - id: ca-6 + class: SP800-53 + title: Authorization + params: + - id: ca-06_odp + label: frequency + constraints: + - description: in accordance with OMB A-130 requirements or when a + significant change occurs + guidelines: + - prose: frequency at which to update the authorizations is defined; + props: + - name: label + value: CA-6 + - name: label + value: CA-06 + class: sp800-53a + - name: sort-id + value: ca-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ca-6_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a senior official as the authorizing official for + the system; + - id: ca-6_smt.b + name: item + props: + - name: label + value: b. + prose: Assign a senior official as the authorizing official for + common controls available for inheritance by organizational systems; + - id: ca-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Ensure that the authorizing official for the system, before\ + \ commencing operations:" + parts: + - id: ca-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Accepts the use of common controls inherited by the system; + and + - id: ca-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Authorizes the system to operate; + - id: ca-6_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure that the authorizing official for common controls + authorizes the use of those controls for inheritance by organizational + systems; + - id: ca-6_smt.e + name: item + props: + - name: label + value: e. + prose: "Update the authorizations {{ insert: param, ca-06_odp }}." + - id: ca-6_gdn + name: guidance + prose: >- + Authorizations are official management decisions by senior + officials to authorize operation of systems, authorize the use + of common controls for inheritance by organizational systems, + and explicitly accept the risk to organizational operations and + assets, individuals, other organizations, and the Nation based + on the implementation of agreed-upon controls. Authorizing + officials provide budgetary oversight for organizational systems + and common controls or assume responsibility for the mission and + business functions supported by those systems or common + controls. The authorization process is a federal responsibility, + and therefore, authorizing officials must be federal employees. + Authorizing officials are both responsible and accountable for + security and privacy risks associated with the operation and use + of organizational systems. Nonfederal organizations may have + similar processes to authorize systems and senior officials that + assume the authorization role and associated responsibilities. + + + Authorizing officials issue ongoing authorizations of systems based + on evidence produced from implemented continuous monitoring programs. + Robust continuous monitoring programs reduce the need for separate + reauthorization processes. Through the employment of comprehensive + continuous monitoring processes, the information contained in authorization + packages (i.e., security and privacy plans, assessment reports, and + plans of action and milestones) is updated on an ongoing basis. This + provides authorizing officials, common control providers, and system + owners with an up-to-date status of the security and privacy posture + of their systems, controls, and operating environments. To reduce + the cost of reauthorization, authorizing officials can leverage the + results of continuous monitoring processes to the maximum extent possible + as the basis for rendering reauthorization decisions. + - id: ca-6_obj + name: assessment-objective + props: + - name: label + value: CA-06 + class: sp800-53a + parts: + - id: ca-6_obj.a + name: assessment-objective + props: + - name: label + value: CA-06a. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for the system; + links: + - href: "#ca-6_smt.a" + rel: assessment-for + - id: ca-6_obj.b + name: assessment-objective + props: + - name: label + value: CA-06b. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for common controls available for inheritance by organizational + systems; + links: + - href: "#ca-6_smt.b" + rel: assessment-for + - id: ca-6_obj.c + name: assessment-objective + props: + - name: label + value: CA-06c. + class: sp800-53a + parts: + - id: ca-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-06c.01 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system accepts the use of common controls inherited + by the system; + links: + - href: "#ca-6_smt.c.1" + rel: assessment-for + - id: ca-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-06c.02 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system authorizes the system to operate; + links: + - href: "#ca-6_smt.c.2" + rel: assessment-for + links: + - href: "#ca-6_smt.c" + rel: assessment-for + - id: ca-6_obj.d + name: assessment-objective + props: + - name: label + value: CA-06d. + class: sp800-53a + prose: the authorizing official for common controls authorizes the + use of those controls for inheritance by organizational systems; + links: + - href: "#ca-6_smt.d" + rel: assessment-for + - id: ca-6_obj.e + name: assessment-objective + props: + - name: label + value: CA-06e. + class: sp800-53a + prose: "the authorizations are updated {{ insert: param, ca-06_odp\ + \ }}." + links: + - href: "#ca-6_smt.e" + rel: assessment-for + links: + - href: "#ca-6_smt" + rel: assessment-for + - id: ca-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + procedures addressing authorization + + + system security plan, privacy plan, assessment report, plan of + action and milestones + + + authorization statement + + + other relevant documents or records + - id: ca-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authorization responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that facilitate authorizations and updates + - id: ca-7 + class: SP800-53 + title: Continuous Monitoring + params: + - id: ca-7_prm_4 + label: organization-defined personnel or roles + constraints: + - description: to include JAB/AO + - id: ca-7_prm_5 + label: organization-defined frequency + - id: ca-07_odp.01 + label: system-level metrics + guidelines: + - prose: system-level metrics to be monitored are defined; + - id: ca-07_odp.02 + label: frequencies + guidelines: + - prose: frequencies at which to monitor control effectiveness are + defined; + - id: ca-07_odp.03 + label: frequencies + guidelines: + - prose: frequencies at which to assess control effectiveness are + defined; + - id: ca-07_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the security status of the system + is reported are defined; + - id: ca-07_odp.05 + label: frequency + guidelines: + - prose: frequency at which the security status of the system is reported + is defined; + - id: ca-07_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the privacy status of the system + is reported are defined; + - id: ca-07_odp.07 + label: frequency + guidelines: + - prose: frequency at which the privacy status of the system is reported + is defined; + props: + - name: label + value: CA-7 + - name: label + value: CA-07 + class: sp800-53a + - name: sort-id + value: ca-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#at-4" + rel: related + - href: "#au-6" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#pe-14" + rel: related + - href: "#pe-16" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-6" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-12" + rel: related + - href: "#pm-14" + rel: related + - href: "#pm-23" + rel: related + - href: "#pm-28" + rel: related + - href: "#pm-31" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-38" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-7_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Develop a system-level continuous monitoring strategy and implement\ + \ continuous monitoring in accordance with the organization-level\ + \ continuous monitoring strategy that includes:" + parts: + - id: ca-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establishing the following system-level metrics to be monitored:\ + \ {{ insert: param, ca-07_odp.01 }};" + - id: ca-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring\ + \ and {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + - id: ca-7_smt.c + name: item + props: + - name: label + value: c. + prose: Ongoing control assessments in accordance with the continuous + monitoring strategy; + - id: ca-7_smt.d + name: item + props: + - name: label + value: d. + prose: Ongoing monitoring of system and organization-defined metrics + in accordance with the continuous monitoring strategy; + - id: ca-7_smt.e + name: item + props: + - name: label + value: e. + prose: Correlation and analysis of information generated by control + assessments and monitoring; + - id: ca-7_smt.f + name: item + props: + - name: label + value: f. + prose: Response actions to address results of the analysis of control + assessment and monitoring information; and + - id: ca-7_smt.g + name: item + props: + - name: label + value: g. + prose: "Reporting the security and privacy status of the system\ + \ to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5\ + \ }}." + - id: ca-7_gdn + name: guidance + prose: >- + Continuous monitoring at the system level facilitates ongoing + awareness of the system security and privacy posture to support + organizational risk management decisions. The terms "continuous" + and "ongoing" imply that organizations assess and monitor their + controls and risks at a frequency sufficient to support + risk-based decisions. Different types of controls may require + different monitoring frequencies. The results of continuous + monitoring generate risk response actions by organizations. When + monitoring the effectiveness of multiple controls that have been + grouped into capabilities, a root-cause analysis may be needed + to determine the specific control that has failed. Continuous + monitoring programs allow organizations to maintain the + authorizations of systems and common controls in highly dynamic + environments of operation with changing mission and business + needs, threats, vulnerabilities, and technologies. Having access + to security and privacy information on a continuing basis + through reports and dashboards gives organizational officials + the ability to make effective and timely risk management + decisions, including ongoing authorization decisions. + + + Automation supports more frequent updates to hardware, software, and + firmware inventories, authorization packages, and other system information. + Effectiveness is further enhanced when continuous monitoring outputs + are formatted to provide information that is specific, measurable, + actionable, relevant, and timely. Continuous monitoring activities + are scaled in accordance with the security categories of systems. + Monitoring requirements, including the need for specific monitoring, + may be referenced in other controls and control enhancements, such + as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), + [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), + [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), + [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), + [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), + [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), + [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), + [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4). + - id: ca-7_obj + name: assessment-objective + props: + - name: label + value: CA-07 + class: sp800-53a + parts: + - id: ca-7_obj-1 + name: assessment-objective + props: + - name: label + value: CA-07[01] + class: sp800-53a + prose: a system-level continuous monitoring strategy is developed; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj-2 + name: assessment-objective + props: + - name: label + value: CA-07[02] + class: sp800-53a + prose: system-level continuous monitoring is implemented in accordance + with the organization-level continuous monitoring strategy; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj.a + name: assessment-objective + props: + - name: label + value: CA-07a. + class: sp800-53a + prose: "system-level continuous monitoring includes establishment\ + \ of the following system-level metrics to be monitored: {{ insert:\ + \ param, ca-07_odp.01 }};" + links: + - href: "#ca-7_smt.a" + rel: assessment-for + - id: ca-7_obj.b + name: assessment-objective + props: + - name: label + value: CA-07b. + class: sp800-53a + parts: + - id: ca-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-07b.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.02 }} for monitoring;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-07b.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.c + name: assessment-objective + props: + - name: label + value: CA-07c. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing control + assessments in accordance with the continuous monitoring strategy; + links: + - href: "#ca-7_smt.c" + rel: assessment-for + - id: ca-7_obj.d + name: assessment-objective + props: + - name: label + value: CA-07d. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing monitoring + of system and organization-defined metrics in accordance with + the continuous monitoring strategy; + links: + - href: "#ca-7_smt.d" + rel: assessment-for + - id: ca-7_obj.e + name: assessment-objective + props: + - name: label + value: CA-07e. + class: sp800-53a + prose: system-level continuous monitoring includes correlation and + analysis of information generated by control assessments and monitoring; + links: + - href: "#ca-7_smt.e" + rel: assessment-for + - id: ca-7_obj.f + name: assessment-objective + props: + - name: label + value: CA-07f. + class: sp800-53a + prose: system-level continuous monitoring includes response actions + to address the results of the analysis of control assessment and + monitoring information; + links: + - href: "#ca-7_smt.f" + rel: assessment-for + - id: ca-7_obj.g + name: assessment-objective + props: + - name: label + value: CA-07g. + class: sp800-53a + parts: + - id: ca-7_obj.g-1 + name: assessment-objective + props: + - name: label + value: CA-07g.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the security status of the system to {{ insert: param, ca-07_odp.04\ + \ }} {{ insert: param, ca-07_odp.05 }};" + links: + - href: "#ca-7_smt.g" + rel: assessment-for + - id: ca-7_obj.g-2 + name: assessment-objective + props: + - name: label + value: CA-07g.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the privacy status of the system to {{ insert: param, ca-07_odp.06\ + \ }} {{ insert: param, ca-07_odp.07 }}." + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + procedures addressing configuration management + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + configuration management records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing continuous monitoring + + + mechanisms supporting response actions to address assessment and + monitoring results + + + mechanisms supporting security and privacy status reporting + controls: + - id: ca-7.4 + class: SP800-53-enhancement + title: Risk Monitoring + props: + - name: label + value: CA-7(4) + - name: label + value: CA-07(04) + class: sp800-53a + - name: sort-id + value: ca-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.4_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Ensure risk monitoring is an integral part of the continuous\ + \ monitoring strategy that includes the following:" + parts: + - id: ca-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Effectiveness monitoring; + - id: ca-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Compliance monitoring; and + - id: ca-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Change monitoring. + - id: ca-7.4_gdn + name: guidance + prose: Risk monitoring is informed by the established organizational + risk tolerance. Effectiveness monitoring determines the ongoing + effectiveness of the implemented risk response measures. Compliance + monitoring verifies that required risk response measures are implemented. + It also verifies that security and privacy requirements are satisfied. + Change monitoring identifies changes to organizational systems + and environments of operation that may affect security and privacy + risk. + - id: ca-7.4_obj + name: assessment-objective + props: + - name: label + value: CA-07(04) + class: sp800-53a + prose: risk monitoring is an integral part of the continuous monitoring + strategy; + parts: + - id: ca-7.4_obj.a + name: assessment-objective + props: + - name: label + value: CA-07(04)(a) + class: sp800-53a + prose: effectiveness monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.a" + rel: assessment-for + - id: ca-7.4_obj.b + name: assessment-objective + props: + - name: label + value: CA-07(04)(b) + class: sp800-53a + prose: compliance monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.b" + rel: assessment-for + - id: ca-7.4_obj.c + name: assessment-objective + props: + - name: label + value: CA-07(04)(c) + class: sp800-53a + prose: change monitoring is included in risk monitoring. + links: + - href: "#ca-7.4_smt.c" + rel: assessment-for + links: + - href: "#ca-7.4_smt" + rel: assessment-for + - id: ca-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting risk monitoring + - id: ca-8 + class: SP800-53 + title: Penetration Testing + params: + - id: ca-08_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to conduct penetration testing on systems + or system components is defined; + - id: ca-08_odp.02 + label: system(s) or system components + guidelines: + - prose: systems or system components on which penetration testing + is to be conducted are defined; + props: + - name: label + value: CA-8 + - name: label + value: CA-08 + class: sp800-53a + - name: sort-id + value: ca-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Conduct penetration testing {{ insert: param, ca-08_odp.01 }}\ + \ on {{ insert: param, ca-08_odp.02 }}." + - id: ca-8_gdn + name: guidance + prose: >- + Penetration testing is a specialized type of assessment + conducted on systems or individual system components to identify + vulnerabilities that could be exploited by adversaries. + Penetration testing goes beyond automated vulnerability scanning + and is conducted by agents and teams with demonstrable skills + and experience that include technical expertise in network, + operating system, and/or application level security. Penetration + testing can be used to validate vulnerabilities or determine the + degree of penetration resistance of systems to adversaries + within specified constraints. Such constraints include time, + resources, and skills. Penetration testing attempts to duplicate + the actions of adversaries and provides a more in-depth analysis + of security- and privacy-related weaknesses or deficiencies. + Penetration testing is especially important when organizations + are transitioning from older technologies to newer technologies + (e.g., transitioning from IPv4 to IPv6 network protocols). + + + Organizations can use the results of vulnerability analyses to support + penetration testing activities. Penetration testing can be conducted + internally or externally on the hardware, software, or firmware components + of a system and can exercise both physical and technical controls. + A standard method for penetration testing includes a pretest analysis + based on full knowledge of the system, pretest identification of potential + vulnerabilities based on the pretest analysis, and testing designed + to determine the exploitability of vulnerabilities. All parties agree + to the rules of engagement before commencing penetration testing scenarios. + Organizations correlate the rules of engagement for the penetration + tests with the tools, techniques, and procedures that are anticipated + to be employed by adversaries. Penetration testing may result in the + exposure of information that is protected by laws or regulations, + to individuals conducting the testing. Rules of engagement, contracts, + or other appropriate mechanisms can be used to communicate expectations + for how to protect this information. Risk assessments guide the decisions + on the level of independence required for the personnel conducting + penetration testing. + - id: ca-8_obj + name: assessment-objective + props: + - name: label + value: CA-08 + class: sp800-53a + prose: "penetration testing is conducted {{ insert: param, ca-08_odp.01\ + \ }} on {{ insert: param, ca-08_odp.02 }}." + links: + - href: "#ca-8_smt" + rel: assessment-for + - id: ca-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting penetration testing + - id: ca-9 + class: SP800-53 + title: Internal System Connections + params: + - id: ca-09_odp.01 + label: system components + guidelines: + - prose: system components or classes of components requiring internal + connections to the system are defined; + - id: ca-09_odp.02 + label: conditions + guidelines: + - prose: conditions requiring termination of internal connections + are defined; + - id: ca-09_odp.03 + label: frequency + guidelines: + - prose: frequency at which to review the continued need for each + internal connection is defined; + props: + - name: label + value: CA-9 + - name: label + value: CA-09 + class: sp800-53a + - name: sort-id + value: ca-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-9_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ca-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize internal connections of {{ insert: param, ca-09_odp.01\ + \ }} to the system;" + - id: ca-9_smt.b + name: item + props: + - name: label + value: b. + prose: Document, for each internal connection, the interface characteristics, + security and privacy requirements, and the nature of the information + communicated; + - id: ca-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Terminate internal system connections after {{ insert: param,\ + \ ca-09_odp.02 }} ; and" + - id: ca-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Review {{ insert: param, ca-09_odp.03 }} the continued need\ + \ for each internal connection." + - id: ca-9_gdn + name: guidance + prose: Internal system connections are connections between organizational + systems and separate constituent system components (i.e., connections + between components that are part of the same system) including components + used for system development. Intra-system connections include connections + with mobile devices, notebook and desktop computers, tablets, printers, + copiers, facsimile machines, scanners, sensors, and servers. Instead + of authorizing each internal system connection individually, organizations + can authorize internal connections for a class of system components + with common characteristics and/or configurations, including printers, + scanners, and copiers with a specified processing, transmission, and + storage capability or smart phones and tablets with a specific baseline + configuration. The continued need for an internal system connection + is reviewed from the perspective of whether it provides support for + organizational missions or business functions. + - id: ca-9_obj + name: assessment-objective + props: + - name: label + value: CA-09 + class: sp800-53a + parts: + - id: ca-9_obj.a + name: assessment-objective + props: + - name: label + value: CA-09a. + class: sp800-53a + prose: "internal connections of {{ insert: param, ca-09_odp.01 }}\ + \ to the system are authorized;" + links: + - href: "#ca-9_smt.a" + rel: assessment-for + - id: ca-9_obj.b + name: assessment-objective + props: + - name: label + value: CA-09b. + class: sp800-53a + parts: + - id: ca-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-09b.[01] + class: sp800-53a + prose: for each internal connection, the interface characteristics + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-09b.[02] + class: sp800-53a + prose: for each internal connection, the security requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-09b.[03] + class: sp800-53a + prose: for each internal connection, the privacy requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-09b.[04] + class: sp800-53a + prose: for each internal connection, the nature of the information + communicated is documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.c + name: assessment-objective + props: + - name: label + value: CA-09c. + class: sp800-53a + prose: "internal system connections are terminated after {{ insert:\ + \ param, ca-09_odp.02 }};" + links: + - href: "#ca-9_smt.c" + rel: assessment-for + - id: ca-9_obj.d + name: assessment-objective + props: + - name: label + value: CA-09d. + class: sp800-53a + prose: "the continued need for each internal connection is reviewed\ + \ {{ insert: param, ca-09_odp.03 }}." + links: + - href: "#ca-9_smt.d" + rel: assessment-for + links: + - href: "#ca-9_smt" + rel: assessment-for + - id: ca-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + access control policy + + + procedures addressing system connections + + + system and communications protection policy + + + system design documentation + + + system configuration settings and associated documentation + + + list of components or classes of components authorized as internal + system connections + + + assessment report + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or authorizing internal system + connections + + + organizational personnel with information security and privacy + responsibilities + - id: ca-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting internal system connections + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: There are connection(s) to external systems. Connections\ + \ (if any) shall be authorized and must: 1) Identify the interface/connection.\ + \ 2) Detail what data is involved and its sensitivity. 3) Determine\ + \ whether the connection is one-way or bi-directional. 4) Identify\ + \ how the connection is secured." + - id: cm + class: family + title: Configuration Management + controls: + - id: cm-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cm-1_prm_1 + label: organization-defined personnel or roles + - id: cm-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management policy + is to be disseminated is/are defined; + - id: cm-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management procedures + are to be disseminated is/are defined; + - id: cm-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cm-01_odp.04 + label: official + guidelines: + - prose: an official to manage the configuration management policy + and procedures is defined; + - id: cm-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current configuration management + policy is reviewed and updated is defined; + - id: cm-01_odp.06 + label: events + guidelines: + - prose: events that would require the current configuration management + policy to be reviewed and updated are defined; + - id: cm-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current configuration management + procedures are reviewed and updated is defined; + - id: cm-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require configuration management procedures + to be reviewed and updated are defined; + props: + - name: label + value: CM-1 + - name: label + value: CM-01 + class: sp800-53a + - name: sort-id + value: cm-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-1_smt + name: statement + parts: + - id: cm-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cm-1_prm_1 }}:" + parts: + - id: cm-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-01_odp.03 }} configuration management\ + \ policy that:" + parts: + - id: cm-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cm-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cm-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the configuration + management policy and the associated configuration management + controls; + - id: cm-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cm-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures; and" + - id: cm-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current configuration management:" + parts: + - id: cm-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cm-01_odp.05 }} and following\ + \ {{ insert: param, cm-01_odp.06 }} ; and" + - id: cm-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cm-01_odp.07 }} and following\ + \ {{ insert: param, cm-01_odp.08 }}." + - id: cm-1_gdn + name: guidance + prose: Configuration management policy and procedures address the controls + in the CM family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of configuration + management policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to configuration management + policy and procedures include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: cm-2 + class: SP800-53 + title: Baseline Configuration + params: + - id: cm-02_odp.01 + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: the frequency of baseline configuration review and update + is defined; + - id: cm-02_odp.02 + label: circumstances + constraints: + - description: to include when directed by the JAB + guidelines: + - prose: the circumstances requiring baseline configuration review + and update are defined; + props: + - name: label + value: CM-2 + - name: label + value: CM-02 + class: sp800-53a + - name: sort-id + value: cm-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-1" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-12" + rel: related + - href: "#ma-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-18" + rel: related + parts: + - id: cm-2_smt + name: statement + parts: + - id: cm-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, document, and maintain under configuration control, + a current baseline configuration of the system; and + - id: cm-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the baseline configuration of the system:" + parts: + - id: cm-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-02_odp.01 }};" + - id: cm-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: "When required due to {{ insert: param, cm-02_odp.02\ + \ }} ; and" + - id: cm-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: When system components are installed or upgraded. + - id: cm-2_gdn + name: guidance + prose: Baseline configurations for systems and system components include + connectivity, operational, and communications aspects of systems. + Baseline configurations are documented, formally reviewed, and agreed-upon + specifications for systems or configuration items within those systems. + Baseline configurations serve as a basis for future builds, releases, + or changes to systems and include security and privacy control implementations, + operational procedures, information about system components, network + topology, and logical placement of components in the system architecture. + Maintaining baseline configurations requires creating new baselines + as organizational systems change over time. Baseline configurations + of systems reflect the current enterprise architecture. + - id: cm-4 + class: SP800-53 + title: Impact Analyses + props: + - name: label + value: CM-4 + - name: label + value: CM-04 + class: sp800-53a + - name: sort-id + value: cm-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-2" + rel: related + parts: + - id: cm-4_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Analyze changes to the system to determine potential security + and privacy impacts prior to change implementation. + - id: cm-4_gdn + name: guidance + prose: Organizational personnel with security or privacy responsibilities + conduct impact analyses. Individuals conducting impact analyses possess + the necessary skills and technical expertise to analyze the changes + to systems as well as the security or privacy ramifications. Impact + analyses include reviewing security and privacy plans, policies, and + procedures to understand control requirements; reviewing system design + documentation and operational procedures to understand control implementation + and how specific system changes might affect the controls; reviewing + the impact of changes on organizational supply chain partners with + stakeholders; and determining how potential changes to a system create + new risks to the privacy of individuals and the ability of implemented + controls to mitigate those risks. Impact analyses also include risk + assessments to understand the impact of the changes and determine + if additional controls are required. + - id: cm-4_obj + name: assessment-objective + props: + - name: label + value: CM-04 + class: sp800-53a + parts: + - id: cm-4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04[01] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + security impacts prior to change implementation; + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04[02] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + privacy impacts prior to change implementation. + links: + - href: "#cm-4_smt" + rel: assessment-for + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes to + the system + + + procedures addressing privacy impact analyses for changes to the + system + + + configuration management plan + + + security impact analysis documentation + + + privacy impact analysis documentation + + + privacy impact assessment + + + privacy risk assessment documentation, system design documentation + + + analysis tools and associated outputs + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for conducting + security impact analyses + + + organizational personnel with responsibility for conducting privacy + impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system developer + + + system/network administrators + + + members of change control board or similar + - id: cm-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for security impact analyses + + organizational processes for privacy impact analyses + - id: cm-5 + class: SP800-53 + title: Access Restrictions for Change + props: + - name: label + value: CM-5 + - name: label + value: CM-05 + class: sp800-53a + - name: sort-id + value: cm-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-10" + rel: related + parts: + - id: cm-5_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Define, document, approve, and enforce physical and logical access + restrictions associated with changes to the system. + - id: cm-5_gdn + name: guidance + prose: Changes to the hardware, software, or firmware components of + systems or the operational procedures related to the system can potentially + have significant effects on the security of the systems or individuals’ + privacy. Therefore, organizations permit only qualified and authorized + individuals to access systems for purposes of initiating changes. + Access restrictions include physical and logical access controls (see + [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, + media libraries, abstract layers (i.e., changes implemented into external + interfaces rather than directly into systems), and change windows + (i.e., changes occur only during specified times). + - id: cm-5_obj + name: assessment-objective + props: + - name: label + value: CM-05 + class: sp800-53a + parts: + - id: cm-5_obj-1 + name: assessment-objective + props: + - name: label + value: CM-05[01] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-2 + name: assessment-objective + props: + - name: label + value: CM-05[02] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-3 + name: assessment-objective + props: + - name: label + value: CM-05[03] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are enforced; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-4 + name: assessment-objective + props: + - name: label + value: CM-05[04] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-5 + name: assessment-objective + props: + - name: label + value: CM-05[05] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-6 + name: assessment-objective + props: + - name: label + value: CM-05[06] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are enforced. + links: + - href: "#cm-5_smt" + rel: assessment-for + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + logical access approvals + + + physical access approvals + + + access credentials + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access restrictions to + change + + + mechanisms supporting, implementing, or enforcing access restrictions + associated with changes to the system + - id: cm-6 + class: SP800-53 + title: Configuration Settings + params: + - id: cm-06_odp.01 + label: common secure configurations + guidelines: + - prose: common secure configurations to establish and document configuration + settings for components employed within the system are defined; + - id: cm-06_odp.02 + label: system components + guidelines: + - prose: system components for which approval of deviations is needed + are defined; + - id: cm-06_odp.03 + label: operational requirements + guidelines: + - prose: operational requirements necessitating approval of deviations + are defined; + props: + - name: label + value: CM-6 + - name: label + value: CM-06 + class: sp800-53a + - name: sort-id + value: cm-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98498928-3ca3-44b3-8b1e-f48685373087" + rel: reference + - href: "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e" + rel: reference + - href: "#aa66e14f-e7cb-4a37-99d2-07578dfd4608" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: cm-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish and document configuration settings for components\ + \ employed within the system that reflect the most restrictive\ + \ mode consistent with operational requirements using {{ insert:\ + \ param, cm-06_odp.01 }};" + - id: cm-6_smt.b + name: item + props: + - name: label + value: b. + prose: Implement the configuration settings; + - id: cm-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Identify, document, and approve any deviations from established\ + \ configuration settings for {{ insert: param, cm-06_odp.02 }}\ + \ based on {{ insert: param, cm-06_odp.03 }} ; and" + - id: cm-6_smt.d + name: item + props: + - name: label + value: d. + prose: Monitor and control changes to the configuration settings + in accordance with organizational policies and procedures. + - id: cm-6_gdn + name: guidance + prose: >- + Configuration settings are the parameters that can be changed in + the hardware, software, or firmware components of the system + that affect the security and privacy posture or functionality of + the system. Information technology products for which + configuration settings can be defined include mainframe + computers, servers, workstations, operating systems, mobile + devices, input/output devices, protocols, and applications. + Parameters that impact the security posture of systems include + registry settings; account, file, or directory permission + settings; and settings for functions, protocols, ports, + services, and remote connections. Privacy parameters are + parameters impacting the privacy posture of systems, including + the parameters required to satisfy other privacy controls. + Privacy parameters include settings for access controls, data + processing preferences, and processing and retention + permissions. Organizations establish organization-wide + configuration settings and subsequently derive specific + configuration settings for systems. The established settings + become part of the configuration baseline for the system. + + + Common secure configurations (also known as security configuration + checklists, lockdown and hardening guides, and security reference + guides) provide recognized, standardized, and established benchmarks + that stipulate secure configuration settings for information technology + products and platforms as well as instructions for configuring those + products or platforms to meet operational requirements. Common secure + configurations can be developed by a variety of organizations, including + information technology product developers, manufacturers, vendors, + federal agencies, consortia, academia, industry, and other organizations + in the public and private sectors. + + + Implementation of a common secure configuration may be mandated at + the organization level, mission and business process level, system + level, or at a higher level, including by a regulatory agency. Common + secure configurations include the United States Government Configuration + Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security + technical implementation guides (STIGs), which affect the implementation + of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) + . The Security Content Automation Protocol (SCAP) and the defined + standards within the protocol provide an effective method to uniquely + identify, track, and control configuration settings. + - id: cm-6_obj + name: assessment-objective + props: + - name: label + value: CM-06 + class: sp800-53a + parts: + - id: cm-6_obj.a + name: assessment-objective + props: + - name: label + value: CM-06a. + class: sp800-53a + prose: "configuration settings that reflect the most restrictive\ + \ mode consistent with operational requirements are established\ + \ and documented for components employed within the system using\ + \ {{ insert: param, cm-06_odp.01 }};" + links: + - href: "#cm-6_smt.a" + rel: assessment-for + - id: cm-6_obj.b + name: assessment-objective + props: + - name: label + value: CM-06b. + class: sp800-53a + prose: the configuration settings documented in CM-06a are implemented; + links: + - href: "#cm-6_smt.b" + rel: assessment-for + - id: cm-6_obj.c + name: assessment-objective + props: + - name: label + value: CM-06c. + class: sp800-53a + parts: + - id: cm-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-06c.[01] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are identified and\ + \ documented based on {{ insert: param, cm-06_odp.03 }};" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-06c.[02] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are approved;" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.d + name: assessment-objective + props: + - name: label + value: CM-06d. + class: sp800-53a + parts: + - id: cm-6_obj.d-1 + name: assessment-objective + props: + - name: label + value: CM-06d.[01] + class: sp800-53a + prose: changes to the configuration settings are monitored in + accordance with organizational policies and procedures; + links: + - href: "#cm-6_smt.d" + rel: assessment-for + - id: cm-6_obj.d-2 + name: assessment-objective + props: + - name: label + value: CM-06d.[02] + class: sp800-53a + prose: changes to the configuration settings are controlled + in accordance with organizational policies and procedures. + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt" + rel: assessment-for + - id: cm-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + system component inventory + + + evidence supporting approved deviations from established configuration + settings + + + change control records + + + system data processing and retention permissions + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with privacy configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration settings + + + mechanisms that implement, monitor, and/or control system configuration + settings + + + mechanisms that identify and/or document deviations from established + configuration settings + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: Required - Specifically include details of least functionality. + - id: cm-6_fr + name: item + title: CM-6(a) Additional FedRAMP Requirements and Guidance + parts: + - id: cm-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement 1:" + prose: The service provider shall use the Center for Internet Security + guidelines (Level 1) to establish configuration settings or establishes + its own configuration settings if USGCB is not available. + - id: cm-6_fr_smt.2 + name: item + props: + - name: label + value: "Requirement 2:" + prose: The service provider shall ensure that checklists for configuration + settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) + validated or SCAP compatible (if validated checklists are not + available). + - id: cm-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)." + - id: cm-7 + class: SP800-53 + title: Least Functionality + params: + - id: cm-7_prm_2 + label: organization-defined prohibited or restricted functions, system + ports, protocols, software, and/or services + - id: cm-07_odp.01 + label: mission-essential capabilities + guidelines: + - prose: mission-essential capabilities for the system are defined; + - id: cm-07_odp.02 + label: functions + guidelines: + - prose: functions to be prohibited or restricted are defined; + - id: cm-07_odp.03 + label: ports + guidelines: + - prose: ports to be prohibited or restricted are defined; + - id: cm-07_odp.04 + label: protocols + guidelines: + - prose: protocols to be prohibited or restricted are defined; + - id: cm-07_odp.05 + label: software + guidelines: + - prose: software to be prohibited or restricted is defined; + - id: cm-07_odp.06 + label: services + guidelines: + - prose: services to be prohibited or restricted are defined; + props: + - name: label + value: CM-7 + - name: label + value: CM-07 + class: sp800-53a + - name: sort-id + value: cm-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#38f39739-1ebd-43b1-8b8c-00f591d89ebd" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-4" + rel: related + parts: + - id: cm-7_smt + name: statement + parts: + - id: cm-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Configure the system to provide only {{ insert: param, cm-07_odp.01\ + \ }} ; and" + - id: cm-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit or restrict the use of the following functions,\ + \ ports, protocols, software, and/or services: {{ insert: param,\ + \ cm-7_prm_2 }}." + - id: cm-7_gdn + name: guidance + prose: Systems provide a wide variety of functions and services. Some + of the functions and services routinely provided by default may not + be necessary to support essential organizational missions, functions, + or operations. Additionally, it is sometimes convenient to provide + multiple services from a single system component, but doing so increases + risk over limiting the services provided by that single component. + Where feasible, organizations limit component functionality to a single + function per component. Organizations consider removing unused or + unnecessary software and disabling unused or unnecessary physical + and logical ports and protocols to prevent unauthorized connection + of components, transfer of information, and tunneling. Organizations + employ network scanning tools, intrusion detection and prevention + systems, and end-point protection technologies, such as firewalls + and host-based intrusion detection systems, to identify and prevent + the use of prohibited functions, protocols, ports, and services. Least + functionality can also be achieved as part of the fundamental design + and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , + and [SC-3](#sc-3)). + - id: cm-8 + class: SP800-53 + title: System Component Inventory + params: + - id: cm-08_odp.01 + label: information + guidelines: + - prose: information deemed necessary to achieve effective system + component accountability is defined; + - id: cm-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to review and update the system component + inventory is defined; + props: + - name: label + value: CM-8 + - name: label + value: CM-08 + class: sp800-53a + - name: sort-id + value: cm-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#70402863-5078-43af-9a6c-e11b0f3ec370" + rel: reference + - href: "#996241f8-f692-42d5-91f1-ce8b752e39e6" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: cm-8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: cm-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop and document an inventory of system components that:" + parts: + - id: cm-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Accurately reflects the system; + - id: cm-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Includes all components within the system; + - id: cm-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Does not include duplicate accounting of components or + components assigned to any other system; + - id: cm-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Is at the level of granularity deemed necessary for tracking + and reporting; and + - id: cm-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: "Includes the following information to achieve system\ + \ component accountability: {{ insert: param, cm-08_odp.01\ + \ }} ; and" + - id: cm-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the system component inventory {{ insert:\ + \ param, cm-08_odp.02 }}." + - id: cm-8_gdn + name: guidance + prose: >- + System components are discrete, identifiable information + technology assets that include hardware, software, and firmware. + Organizations may choose to implement centralized system + component inventories that include components from all + organizational systems. In such situations, organizations ensure + that the inventories include system-specific information + required for component accountability. The information necessary + for effective accountability of system components includes the + system name, software owners, software version numbers, hardware + inventory specifications, software license information, and for + networked components, the machine names and network addresses + across all implemented protocols (e.g., IPv4, IPv6). Inventory + specifications include date of receipt, cost, model, serial + number, manufacturer, supplier information, component type, and + physical location. + + + Preventing duplicate accounting of system components addresses the + lack of accountability that occurs when component ownership and system + association is not known, especially in large or complex connected + systems. Effective prevention of duplicate accounting of system components + necessitates use of a unique identifier for each component. For software + inventory, centrally managed software that is accessed via other systems + is addressed as a component of the system on which it is installed + and managed. Software installed on multiple organizational systems + and managed at the system level is addressed for each individual system + and may appear more than once in a centralized component inventory, + necessitating a system association for each software instance in the + centralized inventory to avoid duplicate accounting of components. + Scanning systems implementing multiple network protocols (e.g., IPv4 + and IPv6) can result in duplicate components being identified in different + address spaces. The implementation of [CM-8(7)](#cm-8.7) can help + to eliminate duplicate accounting of components. + - id: cm-8_obj + name: assessment-objective + props: + - name: label + value: CM-08 + class: sp800-53a + parts: + - id: cm-8_obj.a + name: assessment-objective + props: + - name: label + value: CM-08a. + class: sp800-53a + parts: + - id: cm-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-08a.01 + class: sp800-53a + prose: an inventory of system components that accurately reflects + the system is developed and documented; + links: + - href: "#cm-8_smt.a.1" + rel: assessment-for + - id: cm-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: CM-08a.02 + class: sp800-53a + prose: an inventory of system components that includes all components + within the system is developed and documented; + links: + - href: "#cm-8_smt.a.2" + rel: assessment-for + - id: cm-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: CM-08a.03 + class: sp800-53a + prose: an inventory of system components that does not include + duplicate accounting of components or components assigned + to any other system is developed and documented; + links: + - href: "#cm-8_smt.a.3" + rel: assessment-for + - id: cm-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: CM-08a.04 + class: sp800-53a + prose: an inventory of system components that is at the level + of granularity deemed necessary for tracking and reporting + is developed and documented; + links: + - href: "#cm-8_smt.a.4" + rel: assessment-for + - id: cm-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: CM-08a.05 + class: sp800-53a + prose: "an inventory of system components that includes {{ insert:\ + \ param, cm-08_odp.01 }} is developed and documented;" + links: + - href: "#cm-8_smt.a.5" + rel: assessment-for + links: + - href: "#cm-8_smt.a" + rel: assessment-for + - id: cm-8_obj.b + name: assessment-objective + props: + - name: label + value: CM-08b. + class: sp800-53a + prose: "the system component inventory is reviewed and updated {{\ + \ insert: param, cm-08_odp.02 }}." + links: + - href: "#cm-8_smt.b" + rel: assessment-for + links: + - href: "#cm-8_smt" + rel: assessment-for + - id: cm-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system design documentation + + system component inventory + + inventory reviews and update records + + system security plan + + other relevant documents or records + - id: cm-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing the system component + inventory + + + mechanisms supporting and/or implementing system component inventory + - id: cm-10 + class: SP800-53 + title: Software Usage Restrictions + props: + - name: label + value: CM-10 + - name: label + value: CM-10 + class: sp800-53a + - name: sort-id + value: cm-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-17" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cm-10_smt + name: statement + parts: + - id: cm-10_smt.a + name: item + props: + - name: label + value: a. + prose: Use software and associated documentation in accordance with + contract agreements and copyright laws; + - id: cm-10_smt.b + name: item + props: + - name: label + value: b. + prose: Track the use of software and associated documentation protected + by quantity licenses to control copying and distribution; and + - id: cm-10_smt.c + name: item + props: + - name: label + value: c. + prose: Control and document the use of peer-to-peer file sharing + technology to ensure that this capability is not used for the + unauthorized distribution, display, performance, or reproduction + of copyrighted work. + - id: cm-10_gdn + name: guidance + prose: Software license tracking can be accomplished by manual or automated + methods, depending on organizational needs. Examples of contract agreements + include software license agreements and non-disclosure agreements. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO- Not directly related to protection of the data. + - id: cm-11 + class: SP800-53 + title: User-installed Software + params: + - id: cm-11_odp.01 + label: policies + guidelines: + - prose: policies governing the installation of software by users + are defined; + - id: cm-11_odp.02 + label: methods + guidelines: + - prose: methods used to enforce software installation policies are + defined; + - id: cm-11_odp.03 + label: frequency + constraints: + - description: Continuously (via CM-7 (5)) + guidelines: + - prose: frequency with which to monitor compliance is defined; + props: + - name: label + value: CM-11 + - name: label + value: CM-11 + class: sp800-53a + - name: sort-id + value: cm-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-3" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-11_smt + name: statement + parts: + - id: cm-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish {{ insert: param, cm-11_odp.01 }} governing the\ + \ installation of software by users;" + - id: cm-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Enforce software installation policies through the following\ + \ methods: {{ insert: param, cm-11_odp.02 }} ; and" + - id: cm-11_smt.c + name: item + props: + - name: label + value: c. + prose: "Monitor policy compliance {{ insert: param, cm-11_odp.03\ + \ }}." + - id: cm-11_gdn + name: guidance + prose: If provided the necessary privileges, users can install software + in organizational systems. To maintain control over the software installed, + organizations identify permitted and prohibited actions regarding + software installation. Permitted software installations include updates + and security patches to existing software and downloading new applications + from organization-approved "app stores." Prohibited software installations + include software with unknown or suspect pedigrees or software that + organizations consider potentially malicious. Policies selected for + governing user-installed software are organization-developed or provided + by some external entity. Policy enforcement methods can include procedural + methods and automated methods. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Boundary is specific to SaaS environment; all access is + via web services; users' machine or internal network are not contemplated. + External services (SA-9), internal connection (CA-9), remote access + (AC-17), and secure access (SC-12 and SC-13), and privileged authentication + (IA-2[1]) are considerations. + - id: cp + class: family + title: Contingency Planning + controls: + - id: cp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cp-1_prm_1 + label: organization-defined personnel or roles + - id: cp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning policy + is to be disseminated is/are defined; + - id: cp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning procedures + are to be disseminated is/are defined; + - id: cp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the contingency planning policy and + procedures is defined; + - id: cp-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current contingency planning policy + is reviewed and updated is defined; + - id: cp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current contingency planning + policy to be reviewed and updated are defined; + - id: cp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current contingency planning procedures + are reviewed and updated is defined; + - id: cp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: CP-1 + - name: label + value: CP-01 + class: sp800-53a + - name: sort-id + value: cp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-1_smt + name: statement + parts: + - id: cp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cp-1_prm_1 }}:" + parts: + - id: cp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cp-01_odp.03 }} contingency planning\ + \ policy that:" + parts: + - id: cp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the contingency + planning policy and the associated contingency planning controls; + - id: cp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures; and" + - id: cp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current contingency planning:" + parts: + - id: cp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cp-01_odp.05 }} and following\ + \ {{ insert: param, cp-01_odp.06 }} ; and" + - id: cp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cp-01_odp.07 }} and following\ + \ {{ insert: param, cp-01_odp.08 }}." + - id: cp-1_gdn + name: guidance + prose: Contingency planning policy and procedures address the controls + in the CP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of contingency + planning policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to contingency planning policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: cp-2 + class: SP800-53 + title: Contingency Plan + params: + - id: cp-2_prm_1 + label: organization-defined personnel or roles + - id: cp-2_prm_2 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-2_prm_4 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to review a contingency plan is/are defined; + - id: cp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to approve a contingency plan is/are defined; + - id: cp-02_odp.03 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to whom copies of the contingency plan are distributed are defined; + - id: cp-02_odp.04 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to which copies of + the contingency plan are distributed are defined; + - id: cp-02_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of contingency plan review is defined; + - id: cp-02_odp.06 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to communicate changes to are defined; + - id: cp-02_odp.07 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to communicate changes + to are defined; + props: + - name: label + value: CP-2 + - name: label + value: CP-02 + class: sp800-53a + - name: sort-id + value: cp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-11" + rel: related + - href: "#cp-13" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + - href: "#ma-6" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-2_smt + name: statement + parts: + - id: cp-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a contingency plan for the system that:" + parts: + - id: cp-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifies essential mission and business functions and + associated contingency requirements; + - id: cp-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Provides recovery objectives, restoration priorities, + and metrics; + - id: cp-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Addresses contingency roles, responsibilities, assigned + individuals with contact information; + - id: cp-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Addresses maintaining essential mission and business + functions despite a system disruption, compromise, or failure; + - id: cp-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Addresses eventual, full system restoration without deterioration + of the controls originally planned and implemented; + - id: cp-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Addresses the sharing of contingency information; and + - id: cp-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: "Is reviewed and approved by {{ insert: param, cp-2_prm_1\ + \ }};" + - id: cp-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the contingency plan to {{ insert:\ + \ param, cp-2_prm_2 }};" + - id: cp-2_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate contingency planning activities with incident + handling activities; + - id: cp-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the contingency plan for the system {{ insert: param,\ + \ cp-02_odp.05 }};" + - id: cp-2_smt.e + name: item + props: + - name: label + value: e. + prose: Update the contingency plan to address changes to the organization, + system, or environment of operation and problems encountered during + contingency plan implementation, execution, or testing; + - id: cp-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Communicate contingency plan changes to {{ insert: param,\ + \ cp-2_prm_4 }};" + - id: cp-2_smt.g + name: item + props: + - name: label + value: g. + prose: Incorporate lessons learned from contingency plan testing, + training, or actual contingency activities into contingency testing + and training; and + - id: cp-2_smt.h + name: item + props: + - name: label + value: h. + prose: Protect the contingency plan from unauthorized disclosure + and modification. + - id: cp-2_gdn + name: guidance + prose: >- + Contingency planning for systems is part of an overall program + for achieving continuity of operations for organizational + mission and business functions. Contingency planning addresses + system restoration and implementation of alternative mission or + business processes when systems are compromised or breached. + Contingency planning is considered throughout the system + development life cycle and is a fundamental part of the system + design. Systems can be designed for redundancy, to provide + backup capabilities, and for resilience. Contingency plans + reflect the degree of restoration required for organizational + systems since not all systems need to fully recover to achieve + the level of continuity of operations desired. System recovery + objectives reflect applicable laws, executive orders, + directives, regulations, policies, standards, guidelines, + organizational risk tolerance, and system impact level. + + + Actions addressed in contingency plans include orderly system degradation, + system shutdown, fallback to a manual mode, alternate information + flows, and operating in modes reserved for when systems are under + attack. By coordinating contingency planning with incident handling + activities, organizations ensure that the necessary planning activities + are in place and activated in the event of an incident. Organizations + consider whether continuity of operations during an incident conflicts + with the capability to automatically disable the system, as specified + in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency + planning for organizations and is addressed in the [IR](#ir) (Incident + Response) family. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the SaaS has been determined as + little or no impact to government business/mission needs. + - id: cp-3 + class: SP800-53 + title: Contingency Training + params: + - id: cp-03_odp.01 + label: time period + constraints: + - description: \*See Additional Requirements + guidelines: + - prose: the time period within which to provide contingency training + after assuming a contingency role or responsibility is defined; + - id: cp-03_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide training to system users with + a contingency role or responsibility is defined; + - id: cp-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update contingency training + content is defined; + - id: cp-03_odp.04 + label: events + guidelines: + - prose: events necessitating review and update of contingency training + are defined; + props: + - name: label + value: CP-3 + - name: label + value: CP-03 + class: sp800-53a + - name: sort-id + value: cp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-8" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: cp-3_smt + name: statement + parts: + - id: cp-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: cp-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, cp-03_odp.01 }} of assuming\ + \ a contingency role or responsibility;" + - id: cp-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: cp-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, cp-03_odp.02 }} thereafter; and" + - id: cp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update contingency training content {{ insert:\ + \ param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04\ + \ }}." + - id: cp-3_gdn + name: guidance + prose: Contingency training provided by organizations is linked to the + assigned roles and responsibilities of organizational personnel to + ensure that the appropriate content and level of detail is included + in such training. For example, some individuals may only need to know + when and where to report for duty during contingency operations and + if normal duties are affected; system administrators may require additional + training on how to establish systems at alternate processing and storage + sites; and organizational officials may receive more specific training + on how to conduct mission-essential functions in designated off-site + locations and how to establish communications with other governmental + entities for purposes of coordination on contingency-related activities. + Training for contingency roles or responsibilities reflects the specific + continuity requirements in the contingency plan. Events that may precipitate + an update to contingency training content include, but are not limited + to, contingency plan testing or an actual contingency (lessons learned), + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. At the discretion of the organization, participation + in a contingency plan test or exercise, including lessons learned + sessions subsequent to the test or exercise, may satisfy contingency + plan training requirements. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the SaaS has been determined as + little or no impact to government business/mission needs. + - id: cp-4 + class: SP800-53 + title: Contingency Plan Testing + params: + - id: cp-4_prm_2 + label: organization-defined tests + constraints: + - description: classroom exercise/table top written tests + - id: cp-04_odp.01 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: frequency of testing the contingency plan for the system + is defined; + - id: cp-04_odp.02 + label: tests + guidelines: + - prose: tests for determining the effectiveness of the contingency + plan are defined; + - id: cp-04_odp.03 + label: tests + guidelines: + - prose: tests for determining readiness to execute the contingency + plan are defined; + props: + - name: label + value: CP-4 + - name: label + value: CP-04 + class: sp800-53a + - name: sort-id + value: cp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: cp-4_smt + name: statement + parts: + - id: cp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Test the contingency plan for the system {{ insert: param,\ + \ cp-04_odp.01 }} using the following tests to determine the effectiveness\ + \ of the plan and the readiness to execute the plan: {{ insert:\ + \ param, cp-4_prm_2 }}." + - id: cp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Review the contingency plan test results; and + - id: cp-4_smt.c + name: item + props: + - name: label + value: c. + prose: Initiate corrective actions, if needed. + - id: cp-4_gdn + name: guidance + prose: Methods for testing contingency plans to determine the effectiveness + of the plans and identify potential weaknesses include checklists, + walk-through and tabletop exercises, simulations (parallel or full + interrupt), and comprehensive exercises. Organizations conduct testing + based on the requirements in contingency plans and include a determination + of the effects on organizational operations, assets, and individuals + due to contingency operations. Organizations have flexibility and + discretion in the breadth, depth, and timelines of corrective actions. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the SaaS has been determined as + little or no impact to government business/mission needs. + - id: cp-9 + class: SP800-53 + title: System Backup + params: + - id: cp-09_odp.01 + label: system components + guidelines: + - prose: system components for which to conduct backups of user-level + information is defined; + - id: cp-09_odp.02 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of user-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.03 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.04 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system documentation + consistent with recovery time and recovery point objectives is + defined; + props: + - name: label + value: CP-9 + - name: label + value: CP-09 + class: sp800-53a + - name: sort-id + value: cp-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#3653e316-8923-430e-8943-b3b2b2562fc6" + rel: reference + - href: "#2494df28-9049-4196-b233-540e7440993f" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-9_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: cp-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct backups of user-level information contained in {{\ + \ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02\ + \ }};" + - id: cp-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Conduct backups of system-level information contained in\ + \ the system {{ insert: param, cp-09_odp.03 }};" + - id: cp-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct backups of system documentation, including security-\ + \ and privacy-related documentation {{ insert: param, cp-09_odp.04\ + \ }} ; and" + - id: cp-9_smt.d + name: item + props: + - name: label + value: d. + prose: Protect the confidentiality, integrity, and availability + of backup information. + - id: cp-9_gdn + name: guidance + prose: System-level information includes system state information, operating + system software, middleware, application software, and licenses. User-level + information includes information other than system-level information. + Mechanisms employed to protect the integrity of system backups include + digital signatures and cryptographic hashes. Protection of system + backup information while in transit is addressed by [MP-5](#mp-5) + and [SC-8](#sc-8) . System backups reflect the requirements in contingency + plans as well as other organizational requirements for backing up + information. Organizations may be subject to laws, executive orders, + directives, regulations, or policies with requirements regarding specific + categories of information (e.g., personal health information). Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: cp-9_obj + name: assessment-objective + props: + - name: label + value: CP-09 + class: sp800-53a + parts: + - id: cp-9_obj.a + name: assessment-objective + props: + - name: label + value: CP-09a. + class: sp800-53a + prose: "backups of user-level information contained in {{ insert:\ + \ param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02\ + \ }};" + links: + - href: "#cp-9_smt.a" + rel: assessment-for + - id: cp-9_obj.b + name: assessment-objective + props: + - name: label + value: CP-09b. + class: sp800-53a + prose: "backups of system-level information contained in the system\ + \ are conducted {{ insert: param, cp-09_odp.03 }};" + links: + - href: "#cp-9_smt.b" + rel: assessment-for + - id: cp-9_obj.c + name: assessment-objective + props: + - name: label + value: CP-09c. + class: sp800-53a + prose: "backups of system documentation, including security- and\ + \ privacy-related documentation are conducted {{ insert: param,\ + \ cp-09_odp.04 }};" + links: + - href: "#cp-9_smt.c" + rel: assessment-for + - id: cp-9_obj.d + name: assessment-objective + props: + - name: label + value: CP-09d. + class: sp800-53a + parts: + - id: cp-9_obj.d-1 + name: assessment-objective + props: + - name: label + value: CP-09d.[01] + class: sp800-53a + prose: the confidentiality of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-2 + name: assessment-objective + props: + - name: label + value: CP-09d.[02] + class: sp800-53a + prose: the integrity of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-3 + name: assessment-objective + props: + - name: label + value: CP-09d.[03] + class: sp800-53a + prose: the availability of backup information is protected. + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt" + rel: assessment-for + - id: cp-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + backup storage location(s) + + system backup logs or records + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + - id: cp-10 + class: SP800-53 + title: System Recovery and Reconstitution + params: + - id: cp-10_prm_1 + label: organization-defined time period consistent with recovery time + and recovery point objectives + - id: cp-10_odp.01 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the recovery of the system is determined; + - id: cp-10_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the reconstitution of the system is determined; + props: + - name: label + value: CP-10 + - name: label + value: CP-10 + class: sp800-53a + - name: sort-id + value: cp-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-24" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-10_smt + name: statement + prose: "Provide for the recovery and reconstitution of the system to\ + \ a known state within {{ insert: param, cp-10_prm_1 }} after a disruption,\ + \ compromise, or failure." + - id: cp-10_gdn + name: guidance + prose: Recovery is executing contingency plan activities to restore + organizational mission and business functions. Reconstitution takes + place following recovery and includes activities for returning systems + to fully operational states. Recovery and reconstitution operations + reflect mission and business priorities; recovery point, recovery + time, and reconstitution objectives; and organizational metrics consistent + with contingency plan requirements. Reconstitution includes the deactivation + of interim system capabilities that may have been needed during recovery + operations. Reconstitution also includes assessments of fully restored + system capabilities, reestablishment of continuous monitoring activities, + system reauthorization (if required), and activities to prepare the + system and organization for future disruptions, breaches, compromises, + or failures. Recovery and reconstitution capabilities can include + automated mechanisms and manual procedures. Organizations establish + recovery time and recovery point objectives as part of contingency + planning. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Loss of availability of the SaaS has been determined as + little or no impact to government business/mission needs. + - id: ia + class: family + title: Identification and Authentication + controls: + - id: ia-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ia-1_prm_1 + label: organization-defined personnel or roles + - id: ia-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + policy is to be disseminated are defined; + - id: ia-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + procedures are to be disseminated is/are defined; + - id: ia-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ia-01_odp.04 + label: official + guidelines: + - prose: an official to manage the identification and authentication + policy and procedures is defined; + - id: ia-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current identification and authentication + policy is reviewed and updated is defined; + - id: ia-01_odp.06 + label: events + guidelines: + - prose: events that would require the current identification and + authentication policy to be reviewed and updated are defined; + - id: ia-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current identification and authentication + procedures are reviewed and updated is defined; + - id: ia-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require identification and authentication + procedures to be reviewed and updated are defined; + props: + - name: label + value: IA-1 + - name: label + value: IA-01 + class: sp800-53a + - name: sort-id + value: ia-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ia-1_smt + name: statement + parts: + - id: ia-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ia-1_prm_1 }}:" + parts: + - id: ia-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ia-01_odp.03 }} identification and\ + \ authentication policy that:" + parts: + - id: ia-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ia-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ia-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification + and authentication controls; + - id: ia-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ia-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures; and" + - id: ia-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current identification and authentication:" + parts: + - id: ia-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ia-01_odp.05 }} and following\ + \ {{ insert: param, ia-01_odp.06 }} ; and" + - id: ia-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ia-01_odp.07 }} and following\ + \ {{ insert: param, ia-01_odp.08 }}." + - id: ia-1_gdn + name: guidance + prose: Identification and authentication policy and procedures address + the controls in the IA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of identification and authentication policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + identification and authentication policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ia-2 + class: SP800-53 + title: Identification and Authentication (Organizational Users) + props: + - name: label + value: IA-2 + - name: label + value: IA-02 + class: sp800-53a + - name: sort-id + value: ia-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4" + rel: reference + - href: "#e8552d48-cf41-40aa-8b06-f45f7fb4706c" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-1" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: ia-2_smt + name: statement + prose: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those + users. + - id: ia-2_gdn + name: guidance + prose: >- + Organizations can satisfy the identification and authentication + requirements by complying with the requirements in [HSPD + 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational + users include employees or individuals who organizations + consider to have an equivalent status to employees (e.g., + contractors and guest researchers). Unique identification and + authentication of users applies to all accesses other than those + that are explicitly identified in [AC-14](#ac-14) and that occur + through the authorized use of group authenticators without + individual authentication. Since processes execute on behalf of + groups and roles, organizations may require unique + identification of individuals in group accounts or for detailed + accountability of individual activity. + + + Organizations employ passwords, physical authenticators, or biometrics + to authenticate user identities or, in the case of multi-factor authentication, + some combination thereof. Access to organizational systems is defined + as either local access or network access. Local access is any access + to organizational systems by users or processes acting on behalf of + users, where access is obtained through direct connections without + the use of networks. Network access is access to organizational systems + by users (or processes acting on behalf of users) where access is + obtained through network connections (i.e., nonlocal accesses). Remote + access is a type of network access that involves communication through + external networks. Internal networks include local area networks and + wide area networks. + + + The use of encrypted virtual private networks for network connections + between organization-controlled endpoints and non-organization-controlled + endpoints may be treated as internal networks with respect to protecting + the confidentiality and integrity of information traversing the network. + Identification and authentication requirements for non-organizational + users are described in [IA-8](#ia-8). + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO for non-privileged users. Attestation for privileged users + related to multi-factor identification and authentication - specifically + include description of management of service accounts. + controls: + - id: ia-2.1 + class: SP800-53-enhancement + title: Multi-factor Authentication to Privileged Accounts + props: + - name: label + value: IA-2(1) + - name: label + value: IA-02(01) + class: sp800-53a + - name: sort-id + value: ia-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + parts: + - id: ia-2.1_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Implement multi-factor authentication for access to privileged + accounts. + - id: ia-2.1_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification (PIV) card or the Department of Defense\ + \ (DoD) Common Access Card (CAC). In addition to authenticating\ + \ users at the system level (i.e., at logon), organizations may\ + \ employ authentication mechanisms at the application level, at\ + \ their discretion, to provide increased security. Regardless\ + \ of the type of access (i.e., local, network, remote), privileged\ + \ accounts are authenticated using multi-factor options appropriate\ + \ for the level of risk. Organizations can add additional security\ + \ measures, such as additional or more rigorous authentication\ + \ mechanisms, for specific types of access." + - id: ia-2.1_obj + name: assessment-objective + props: + - name: label + value: IA-02(01) + class: sp800-53a + prose: multi-factor authentication is implemented for access to + privileged accounts. + links: + - href: "#ia-2.1_smt" + rel: assessment-for + - id: ia-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user identification and authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.1_fr + name: item + title: IA-2(1) Additional FedRAMP Requirements and Guidance + parts: + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: FedRAMP requires a minimum of multi-factor authentication + for all Federal privileged users, if acceptance of PIV credentials + is not supported. The implementation status and details of + how this control is implemented must be clearly defined by + the CSP. + - id: ia-2.2 + class: SP800-53-enhancement + title: Multi-factor Authentication to Non-privileged Accounts + props: + - name: label + value: IA-2(2) + - name: label + value: IA-02(02) + class: sp800-53a + - name: sort-id + value: ia-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: ia-2.2_smt + name: statement + prose: Implement multi-factor authentication for access to non-privileged + accounts. + - id: ia-2.2_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification card or the DoD Common Access Card. In\ + \ addition to authenticating users at the system level, organizations\ + \ may also employ authentication mechanisms at the application\ + \ level, at their discretion, to provide increased information\ + \ security. Regardless of the type of access (i.e., local, network,\ + \ remote), non-privileged accounts are authenticated using multi-factor\ + \ options appropriate for the level of risk. Organizations can\ + \ provide additional security measures, such as additional or\ + \ more rigorous authentication mechanisms, for specific types\ + \ of access." + - id: ia-2.8 + class: SP800-53-enhancement + title: Access to Accounts — Replay Resistant + params: + - id: ia-02.08_odp + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + props: + - name: label + value: IA-2(8) + - name: label + value: IA-02(08) + class: sp800-53a + - name: sort-id + value: ia-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Implement replay-resistant authentication mechanisms for\ + \ access to {{ insert: param, ia-02.08_odp }}." + - id: ia-2.8_gdn + name: guidance + prose: Authentication processes resist replay attacks if it is impractical + to achieve successful authentications by replaying previous authentication + messages. Replay-resistant techniques include protocols that use + nonces or challenges such as time synchronous or cryptographic + authenticators. + - id: ia-2.8_obj + name: assessment-objective + props: + - name: label + value: IA-02(08) + class: sp800-53a + prose: "replay-resistant authentication mechanisms for access to\ + \ {{ insert: param, ia-02.08_odp }} are implemented." + links: + - href: "#ia-2.8_smt" + rel: assessment-for + - id: ia-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of privileged system accounts + + + other relevant documents or records + - id: ia-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + Mechanisms supporting and/or implementing replay-resistant + authentication mechanisms + - id: ia-2.12 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials + props: + - name: label + value: IA-2(12) + - name: label + value: IA-02(12) + class: sp800-53a + - name: sort-id + value: ia-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.12_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials. + - id: ia-2.12_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV)-compliant + credentials applies to organizations implementing logical access + control and physical access control systems. PIV-compliant credentials + are those credentials issued by federal agencies that conform + to FIPS Publication 201 and supporting guidance documents. The + adequacy and reliability of PIV card issuers are authorized using + [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance + of PIV-compliant credentials includes derived PIV credentials, + the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) + . The DOD Common Access Card (CAC) is an example of a PIV credential. + - id: ia-2.12_obj + name: assessment-objective + props: + - name: label + value: IA-02(12) + class: sp800-53a + prose: Personal Identity Verification-compliant credentials are + accepted and electronically verified. + links: + - href: "#ia-2.12_smt" + rel: assessment-for + - id: ia-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing acceptance + and verification of PIV credentials + - id: ia-2.12_obj_fr + name: objective + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + class: fedramp + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + class: fedramp + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + class: fedramp + prose: | + Determine if the information system: + + * Accepts PIV credentials. + * Electronically verifies PIV credentials. + - id: ia-4 + class: SP800-53 + title: Identifier Management + params: + - id: ia-04_odp.01 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles from whom authorization must be received + to assign an identifier are defined; + - id: ia-04_odp.02 + label: time period + constraints: + - description: at least two (2) years + guidelines: + - prose: a time period for preventing reuse of identifiers is defined; + props: + - name: label + value: IA-4 + - name: label + value: IA-04 + class: sp800-53a + - name: sort-id + value: ia-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ia-4_smt + name: statement + prose: "Manage system identifiers by:" + parts: + - id: ia-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Receiving authorization from {{ insert: param, ia-04_odp.01\ + \ }} to assign an individual, group, role, service, or device\ + \ identifier;" + - id: ia-4_smt.b + name: item + props: + - name: label + value: b. + prose: Selecting an identifier that identifies an individual, group, + role, service, or device; + - id: ia-4_smt.c + name: item + props: + - name: label + value: c. + prose: Assigning the identifier to the intended individual, group, + role, service, or device; and + - id: ia-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02\ + \ }}." + - id: ia-4_gdn + name: guidance + prose: Common device identifiers include Media Access Control (MAC) + addresses, Internet Protocol (IP) addresses, or device-unique token + identifiers. The management of individual identifiers is not applicable + to shared system accounts. Typically, individual identifiers are the + usernames of the system accounts assigned to those individuals. In + such instances, the account management activities of [AC-2](#ac-2) + use account names provided by [IA-4](#ia-4) . Identifier management + also addresses individual identifiers not necessarily associated with + system accounts. Preventing the reuse of identifiers implies preventing + the assignment of previously used individual, group, role, service, + or device identifiers to different individuals, groups, roles, services, + or devices. + - id: ia-5 + class: SP800-53 + title: Authenticator Management + params: + - id: ia-05_odp.01 + label: time period by authenticator type + guidelines: + - prose: a time period for changing or refreshing authenticators by + authenticator type is defined; + - id: ia-05_odp.02 + label: events + guidelines: + - prose: events that trigger the change or refreshment of authenticators + are defined; + props: + - name: label + value: IA-5 + - name: label + value: IA-05 + class: sp800-53a + - name: sort-id + value: ia-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-5_smt + name: statement + prose: "Manage system authenticators by:" + parts: + - id: ia-5_smt.a + name: item + props: + - name: label + value: a. + prose: Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device + receiving the authenticator; + - id: ia-5_smt.b + name: item + props: + - name: label + value: b. + prose: Establishing initial authenticator content for any authenticators + issued by the organization; + - id: ia-5_smt.c + name: item + props: + - name: label + value: c. + prose: Ensuring that authenticators have sufficient strength of + mechanism for their intended use; + - id: ia-5_smt.d + name: item + props: + - name: label + value: d. + prose: Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or + damaged authenticators, and for revoking authenticators; + - id: ia-5_smt.e + name: item + props: + - name: label + value: e. + prose: Changing default authenticators prior to first use; + - id: ia-5_smt.f + name: item + props: + - name: label + value: f. + prose: "Changing or refreshing authenticators {{ insert: param,\ + \ ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + - id: ia-5_smt.g + name: item + props: + - name: label + value: g. + prose: Protecting authenticator content from unauthorized disclosure + and modification; + - id: ia-5_smt.h + name: item + props: + - name: label + value: h. + prose: Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and + - id: ia-5_smt.i + name: item + props: + - name: label + value: i. + prose: Changing authenticators for group or role accounts when membership + to those accounts changes. + - id: ia-5_gdn + name: guidance + prose: >- + Authenticators include passwords, cryptographic devices, + biometrics, certificates, one-time password devices, and ID + badges. Device authenticators include certificates and + passwords. Initial authenticator content is the actual content + of the authenticator (e.g., the initial password). In contrast, + the requirements for authenticator content contain specific + criteria or characteristics (e.g., minimum password length). + Developers may deliver system components with factory default + authentication credentials (i.e., passwords) to allow for + initial installation and configuration. Default authentication + credentials are often well known, easily discoverable, and + present a significant risk. The requirement to protect + individual authenticators may be implemented via control + [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the + possession of individuals and by controls [AC-3](#ac-3), + [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in + organizational systems, including passwords stored in hashed or + encrypted formats or files containing encrypted or hashed + passwords accessible with administrator privileges. + + + Systems support authenticator management by organization-defined settings + and restrictions for various authenticator characteristics (e.g., + minimum password length, validation time window for time synchronous + one-time tokens, and number of allowed rejections during the verification + stage of biometric authentication). Actions can be taken to safeguard + individual authenticators, including maintaining possession of authenticators, + not sharing authenticators with others, and immediately reporting + lost, stolen, or compromised authenticators. Authenticator management + includes issuing and revoking authenticators for temporary access + when no longer needed. + controls: + - id: ia-5.1 + class: SP800-53-enhancement + title: Password-based Authentication + params: + - id: ia-05.01_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to update the list of commonly + used, expected, or compromised passwords is defined; + - id: ia-05.01_odp.02 + label: composition and complexity rules + guidelines: + - prose: authenticator composition and complexity rules are defined; + props: + - name: label + value: IA-5(1) + - name: label + value: IA-05(01) + class: sp800-53a + - name: sort-id + value: ia-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-5" + rel: required + - href: "#ia-6" + rel: related + parts: + - id: ia-5.1_smt + name: statement + prose: "For password-based authentication:" + parts: + - id: ia-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Maintain a list of commonly-used, expected, or compromised\ + \ passwords and update the list {{ insert: param, ia-05.01_odp.01\ + \ }} and when organizational passwords are suspected to have\ + \ been compromised directly or indirectly;" + - id: ia-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Verify, when users create or update passwords, that the + passwords are not found on the list of commonly-used, expected, + or compromised passwords in IA-5(1)(a); + - id: ia-5.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Transmit passwords only over cryptographically-protected + channels; + - id: ia-5.1_smt.d + name: item + props: + - name: label + value: (d) + prose: Store passwords using an approved salted key derivation + function, preferably using a keyed hash; + - id: ia-5.1_smt.e + name: item + props: + - name: label + value: (e) + prose: Require immediate selection of a new password upon account + recovery; + - id: ia-5.1_smt.f + name: item + props: + - name: label + value: (f) + prose: Allow user selection of long passwords and passphrases, + including spaces and all printable characters; + - id: ia-5.1_smt.g + name: item + props: + - name: label + value: (g) + prose: Employ automated tools to assist the user in selecting + strong password authenticators; and + - id: ia-5.1_smt.h + name: item + props: + - name: label + value: (h) + prose: "Enforce the following composition and complexity rules:\ + \ {{ insert: param, ia-05.01_odp.02 }}." + - id: ia-5.1_gdn + name: guidance + prose: Password-based authentication applies to passwords regardless + of whether they are used in single-factor or multi-factor authentication. + Long passwords or passphrases are preferable over shorter passwords. + Enforced composition rules provide marginal security benefits + while decreasing usability. However, organizations may choose + to establish certain rules for password generation (e.g., minimum + character length for long passwords) under certain circumstances + and can enforce this requirement in IA-5(1)(h). Account recovery + can occur, for example, in situations when a password is forgotten. + Cryptographically protected passwords include salted one-way cryptographic + hashes of passwords. The list of commonly used, compromised, or + expected passwords includes passwords obtained from previous breach + corpuses, dictionary words, and repetitive or sequential characters. + The list includes context-specific words, such as the name of + the service, username, and derivatives thereof. + - id: ia-6 + class: SP800-53 + title: Authentication Feedback + props: + - name: label + value: IA-6 + - name: label + value: IA-06 + class: sp800-53a + - name: sort-id + value: ia-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-3" + rel: related + parts: + - id: ia-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and + use by unauthorized individuals. + - id: ia-6_gdn + name: guidance + prose: Authentication feedback from systems does not provide information + that would allow unauthorized individuals to compromise authentication + mechanisms. For some types of systems, such as desktops or notebooks + with relatively large monitors, the threat (referred to as shoulder + surfing) may be significant. For other types of systems, such as mobile + devices with small displays, the threat may be less significant and + is balanced against the increased likelihood of typographic input + errors due to small keyboards. Thus, the means for obscuring authentication + feedback is selected accordingly. Obscuring authentication feedback + includes displaying asterisks when users type passwords into input + devices or displaying feedback for a very limited time before obscuring + it. + - id: ia-6_obj + name: assessment-objective + props: + - name: label + value: IA-06 + class: sp800-53a + prose: the feedback of authentication information is obscured during + the authentication process to protect the information from possible + exploitation and use by unauthorized individuals. + links: + - href: "#ia-6_smt" + rel: assessment-for + - id: ia-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing authenticator feedback + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: ia-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the obscuring of + feedback of authentication information during authentication + - id: ia-7 + class: SP800-53 + title: Cryptographic Module Authentication + props: + - name: label + value: IA-7 + - name: label + value: IA-07 + class: sp800-53a + - name: sort-id + value: ia-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-7_smt + name: statement + prose: Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + - id: ia-7_gdn + name: guidance + prose: Authentication mechanisms may be required within a cryptographic + module to authenticate an operator accessing the module and to verify + that the operator is authorized to assume the requested role and perform + services within that role. + - id: ia-8 + class: SP800-53 + title: Identification and Authentication (Non-organizational Users) + props: + - name: label + value: IA-8 + - name: label + value: IA-08 + class: sp800-53a + - name: sort-id + value: ia-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#a1555677-2b9d-4868-a97b-a1363aff32f5" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-10" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: ia-8_smt + name: statement + prose: Uniquely identify and authenticate non-organizational users or + processes acting on behalf of non-organizational users. + - id: ia-8_gdn + name: guidance + prose: Non-organizational users include system users other than organizational + users explicitly covered by [IA-2](#ia-2) . Non-organizational users + are uniquely identified and authenticated for accesses other than + those explicitly identified and documented in [AC-14](#ac-14) . Identification + and authentication of non-organizational users accessing federal systems + may be required to protect federal, proprietary, or privacy-related + information (with exceptions noted for national security systems). + Organizations consider many factors—including security, privacy, scalability, + and practicality—when balancing the need to ensure ease of use for + access to federal information and systems with the need to protect + and adequately mitigate risk. + controls: + - id: ia-8.1 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials from Other Agencies + props: + - name: label + value: IA-8(1) + - name: label + value: IA-08(01) + class: sp800-53a + - name: sort-id + value: ia-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-8" + rel: required + - href: "#pe-3" + rel: related + parts: + - id: ia-8.1_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal agencies. + - id: ia-8.1_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV) credentials + from other federal agencies applies to both logical and physical + access control systems. PIV credentials are those credentials + issued by federal agencies that conform to FIPS Publication 201 + and supporting guidelines. The adequacy and reliability of PIV + card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). + - id: ia-8.1_obj + name: assessment-objective + props: + - name: label + value: IA-08(01) + class: sp800-53a + parts: + - id: ia-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: IA-08(01)[01] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are accepted; + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: IA-08(01)[02] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are electronically verified. + links: + - href: "#ia-8.1_smt" + rel: assessment-for + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept and verify PIV credentials + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Must document and assess for privileged users.\ + \ May attest to this control for non-privileged users. FedRAMP\ + \ requires a minimum of multi-factor authentication for all Federal\ + \ privileged users, if acceptance of PIV credentials is not supported.\ + \ The implementation status and details of how this control is\ + \ implemented must be clearly defined by the CSP." + - id: ia-8.2 + class: SP800-53-enhancement + title: Acceptance of External Authenticators + props: + - name: label + value: IA-8(2) + - name: label + value: IA-08(02) + class: sp800-53a + - name: sort-id + value: ia-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ia-8.2_smt.a + name: item + props: + - name: label + value: (a) + prose: Accept only external authenticators that are NIST-compliant; + and + - id: ia-8.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Document and maintain a list of accepted external authenticators. + - id: ia-8.2_gdn + name: guidance + prose: Acceptance of only NIST-compliant external authenticators + applies to organizational systems that are accessible to the public + (e.g., public-facing websites). External authenticators are issued + by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + . Approved external authenticators meet or exceed the minimum + Federal Government-wide technical, security, privacy, and organizational + maturity requirements. Meeting or exceeding Federal requirements + allows Federal Government relying parties to trust external authenticators + in connection with an authentication transaction at a specified + authenticator assurance level. + - id: ia-8.2_obj + name: assessment-objective + props: + - name: label + value: IA-08(02) + class: sp800-53a + parts: + - id: ia-8.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-08(02)(a) + class: sp800-53a + prose: only external authenticators that are NIST-compliant + are accepted; + links: + - href: "#ia-8.2_smt.a" + rel: assessment-for + - id: ia-8.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-08(02)(b) + class: sp800-53a + parts: + - id: ia-8.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[01] + class: sp800-53a + prose: a list of accepted external authenticators is documented; + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + - id: ia-8.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[02] + class: sp800-53a + prose: a list of accepted external authenticators is maintained. + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt" + rel: assessment-for + - id: ia-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of third-party credentialing products, components, or + services procured and implemented by organization + + + third-party credential verification records + + + evidence of third-party credentials + + + third-party credential authorizations + + + other relevant documents or records + - id: ia-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept external credentials + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Must document and assess for privileged users.\ + \ May attest to this control for non-privileged users. FedRAMP\ + \ requires a minimum of multi-factor authentication for all Federal\ + \ privileged users, if acceptance of PIV credentials is not supported.\ + \ The implementation status and details of how this control is\ + \ implemented must be clearly defined by the CSP." + - id: ia-8.4 + class: SP800-53-enhancement + title: Use of Defined Profiles + params: + - id: ia-08.04_odp + label: identity management profiles + guidelines: + - prose: identity management profiles are defined; + props: + - name: label + value: IA-8(4) + - name: label + value: IA-08(04) + class: sp800-53a + - name: sort-id + value: ia-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.4_smt + name: statement + prose: "Conform to the following profiles for identity management\ + \ {{ insert: param, ia-08.04_odp }}." + - id: ia-8.4_gdn + name: guidance + prose: Organizations define profiles for identity management based + on open identity management standards. To ensure that open identity + management standards are viable, robust, reliable, sustainable, + and interoperable as documented, the Federal Government assesses + and scopes the standards and technology implementations against + applicable laws, executive orders, directives, policies, regulations, + standards, and guidelines. + - id: ia-11 + class: SP800-53 + title: Re-authentication + params: + - id: ia-11_odp + label: circumstances or situations + guidelines: + - prose: circumstances or situations requiring re-authentication are + defined; + props: + - name: label + value: IA-11 + - name: label + value: IA-11 + class: sp800-53a + - name: sort-id + value: ia-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-3" + rel: related + - href: "#ac-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: ia-11_smt + name: statement + prose: "Require users to re-authenticate when {{ insert: param, ia-11_odp\ + \ }}." + - id: ia-11_gdn + name: guidance + prose: In addition to the re-authentication requirements associated + with device locks, organizations may require re-authentication of + individuals in certain situations, including when roles, authenticators + or credentials change, when security categories of systems change, + when the execution of privileged functions occurs, after a fixed time + period, or periodically. + - id: ir + class: family + title: Incident Response + controls: + - id: ir-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ir-1_prm_1 + label: organization-defined personnel or roles + - id: ir-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response policy is + to be disseminated is/are defined; + - id: ir-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response procedures + are to be disseminated is/are defined; + - id: ir-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ir-01_odp.04 + label: official + guidelines: + - prose: an official to manage the incident response policy and procedures + is defined; + - id: ir-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current incident response policy + is reviewed and updated is defined; + - id: ir-01_odp.06 + label: events + guidelines: + - prose: events that would require the current incident response policy + to be reviewed and updated are defined; + - id: ir-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current incident response procedures + are reviewed and updated is defined; + - id: ir-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the incident response procedures + to be reviewed and updated are defined; + props: + - name: label + value: IR-1 + - name: label + value: IR-01 + class: sp800-53a + - name: sort-id + value: ir-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ir-1_smt + name: statement + parts: + - id: ir-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ir-1_prm_1 }}:" + parts: + - id: ir-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy that:" + parts: + - id: ir-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ir-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ir-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the incident + response policy and the associated incident response controls; + - id: ir-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ir-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - id: ir-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current incident response:" + parts: + - id: ir-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ir-01_odp.05 }} and following\ + \ {{ insert: param, ir-01_odp.06 }} ; and" + - id: ir-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ir-01_odp.07 }} and following\ + \ {{ insert: param, ir-01_odp.08 }}." + - id: ir-1_gdn + name: guidance + prose: Incident response policy and procedures address the controls + in the IR family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of incident response + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to incident response policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ir-2 + class: SP800-53 + title: Incident Response Training + params: + - id: ir-02_odp.01 + label: time period + constraints: + - description: ten (10) days for privileged users, thirty (30) days + for Incident Response roles + guidelines: + - prose: a time period within which incident response training is + to be provided to system users assuming an incident response role + or responsibility is defined; + - id: ir-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide incident response training + to users is defined; + - id: ir-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update incident response + training content is defined; + - id: ir-02_odp.04 + label: events + guidelines: + - prose: events that initiate a review of the incident response training + content are defined; + props: + - name: label + value: IR-2 + - name: label + value: IR-02 + class: sp800-53a + - name: sort-id + value: ir-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-2_smt + name: statement + parts: + - id: ir-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide incident response training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: ir-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, ir-02_odp.01 }} of assuming\ + \ an incident response role or responsibility or acquiring\ + \ system access;" + - id: ir-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: ir-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ir-02_odp.02 }} thereafter; and" + - id: ir-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update incident response training content {{\ + \ insert: param, ir-02_odp.03 }} and following {{ insert: param,\ + \ ir-02_odp.04 }}." + - id: ir-2_gdn + name: guidance + prose: Incident response training is associated with the assigned roles + and responsibilities of organizational personnel to ensure that the + appropriate content and level of detail are included in such training. + For example, users may only need to know who to call or how to recognize + an incident; system administrators may require additional training + on how to handle incidents; and incident responders may receive more + specific training on forensics, data collection techniques, reporting, + system recovery, and system restoration. Incident response training + includes user training in identifying and reporting suspicious activities + from external and internal sources. Incident response training for + users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . + Events that may precipitate an update to incident response training + content include, but are not limited to, incident response plan testing + or response to an actual incident (lessons learned), assessment or + audit findings, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: ir-4 + class: SP800-53 + title: Incident Handling + props: + - name: label + value: IR-4 + - name: label + value: IR-04 + class: sp800-53a + - name: sort-id + value: ir-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#31ae65ab-3f26-46b7-9d64-f25a4dac5778" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-4_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ir-4_smt.a + name: item + props: + - name: label + value: a. + prose: Implement an incident handling capability for incidents that + is consistent with the incident response plan and includes preparation, + detection and analysis, containment, eradication, and recovery; + - id: ir-4_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate incident handling activities with contingency + planning activities; + - id: ir-4_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from ongoing incident handling + activities into incident response procedures, training, and testing, + and implement the resulting changes accordingly; and + - id: ir-4_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure the rigor, intensity, scope, and results of incident + handling activities are comparable and predictable across the + organization. + - id: ir-4_gdn + name: guidance + prose: Organizations recognize that incident response capabilities are + dependent on the capabilities of organizational systems and the mission + and business processes being supported by those systems. Organizations + consider incident response as part of the definition, design, and + development of mission and business processes and systems. Incident-related + information can be obtained from a variety of sources, including audit + monitoring, physical access monitoring, and network monitoring; user + or administrator reports; and reported supply chain events. An effective + incident handling capability includes coordination among many organizational + entities (e.g., mission or business owners, system owners, authorizing + officials, human resources offices, physical security offices, personnel + security offices, legal departments, risk executive [function], operations + personnel, procurement offices). Suspected security incidents include + the receipt of suspicious email communications that can contain malicious + code. Suspected supply chain incidents include the insertion of counterfeit + hardware or malicious code into organizational systems or system components. + For federal agencies, an incident that involves personally identifiable + information is considered a breach. A breach results in unauthorized + disclosure, the loss of control, unauthorized acquisition, compromise, + or a similar occurrence where a person other than an authorized user + accesses or potentially accesses personally identifiable information + or an authorized user accesses or potentially accesses such information + for other than authorized purposes. + - id: ir-4_obj + name: assessment-objective + props: + - name: label + value: IR-04 + class: sp800-53a + parts: + - id: ir-4_obj.a + name: assessment-objective + props: + - name: label + value: IR-04a. + class: sp800-53a + parts: + - id: ir-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-04a.[01] + class: sp800-53a + prose: an incident handling capability for incidents is implemented + that is consistent with the incident response plan; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-04a.[02] + class: sp800-53a + prose: the incident handling capability for incidents includes + preparation; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-04a.[03] + class: sp800-53a + prose: the incident handling capability for incidents includes + detection and analysis; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-04a.[04] + class: sp800-53a + prose: the incident handling capability for incidents includes + containment; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-5 + name: assessment-objective + props: + - name: label + value: IR-04a.[05] + class: sp800-53a + prose: the incident handling capability for incidents includes + eradication; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-6 + name: assessment-objective + props: + - name: label + value: IR-04a.[06] + class: sp800-53a + prose: the incident handling capability for incidents includes + recovery; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.b + name: assessment-objective + props: + - name: label + value: IR-04b. + class: sp800-53a + prose: incident handling activities are coordinated with contingency + planning activities; + links: + - href: "#ir-4_smt.b" + rel: assessment-for + - id: ir-4_obj.c + name: assessment-objective + props: + - name: label + value: IR-04c. + class: sp800-53a + parts: + - id: ir-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: IR-04c.[01] + class: sp800-53a + prose: lessons learned from ongoing incident handling activities + are incorporated into incident response procedures, training, + and testing; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: IR-04c.[02] + class: sp800-53a + prose: the changes resulting from the incorporated lessons learned + are implemented accordingly; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.d + name: assessment-objective + props: + - name: label + value: IR-04d. + class: sp800-53a + parts: + - id: ir-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-04d.[01] + class: sp800-53a + prose: the rigor of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-04d.[02] + class: sp800-53a + prose: the intensity of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-3 + name: assessment-objective + props: + - name: label + value: IR-04d.[03] + class: sp800-53a + prose: the scope of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-4 + name: assessment-objective + props: + - name: label + value: IR-04d.[04] + class: sp800-53a + prose: the results of incident handling activities are comparable + and predictable across the organization. + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt" + rel: assessment-for + - id: ir-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident handling + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with contingency planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Incident handling capability for the organization + - id: ir-5 + class: SP800-53 + title: Incident Monitoring + props: + - name: label + value: IR-5 + - name: label + value: IR-05 + class: sp800-53a + - name: sort-id + value: ir-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pm-5" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-5_smt + name: statement + prose: Track and document incidents. + - id: ir-5_gdn + name: guidance + prose: Documenting incidents includes maintaining records about each + incident, the status of the incident, and other pertinent information + necessary for forensics as well as evaluating incident details, trends, + and handling. Incident information can be obtained from a variety + of sources, including network monitoring, incident reports, incident + response teams, user complaints, supply chain partners, audit monitoring, + physical access monitoring, and user and administrator reports. [IR-4](#ir-4) + provides information on the types of incidents that are appropriate + for monitoring. + - id: ir-6 + class: SP800-53 + title: Incident Reporting + params: + - id: ir-06_odp.01 + label: time period + constraints: + - description: US-CERT incident reporting timelines as specified in + NIST Special Publication 800-61 (as amended) + guidelines: + - prose: time period for personnel to report suspected incidents to + the organizational incident response capability is defined; + - id: ir-06_odp.02 + label: authorities + guidelines: + - prose: authorities to whom incident information is to be reported + are defined; + props: + - name: label + value: IR-6 + - name: label + value: IR-06 + class: sp800-53a + - name: sort-id + value: ir-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#40b78258-c892-480e-9af8-77ac36648301" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ir-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Require personnel to report suspected incidents to the organizational\ + \ incident response capability within {{ insert: param, ir-06_odp.01\ + \ }} ; and" + - id: ir-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report incident information to {{ insert: param, ir-06_odp.02\ + \ }}." + - id: ir-6_gdn + name: guidance + prose: The types of incidents reported, the content and timeliness of + the reports, and the designated reporting authorities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Incident information can inform risk assessments, + control effectiveness assessments, security requirements for acquisitions, + and selection criteria for technology products. + - id: ir-6_obj + name: assessment-objective + props: + - name: label + value: IR-06 + class: sp800-53a + parts: + - id: ir-6_obj.a + name: assessment-objective + props: + - name: label + value: IR-06a. + class: sp800-53a + prose: "personnel is/are required to report suspected incidents\ + \ to the organizational incident response capability within {{\ + \ insert: param, ir-06_odp.01 }};" + links: + - href: "#ir-6_smt.a" + rel: assessment-for + - id: ir-6_obj.b + name: assessment-objective + props: + - name: label + value: IR-06b. + class: sp800-53a + prose: "incident information is reported to {{ insert: param, ir-06_odp.02\ + \ }}." + links: + - href: "#ir-6_smt.b" + rel: assessment-for + links: + - href: "#ir-6_smt" + rel: assessment-for + - id: ir-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident reporting + + incident reporting records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel who have/should have reported incidents + + + personnel (authorities) to whom incident information is to be + reported + + + system users + - id: ir-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for incident reporting + + mechanisms supporting and/or implementing incident reporting + - id: ir-7 + class: SP800-53 + title: Incident Response Assistance + props: + - name: label + value: IR-7 + - name: label + value: IR-07 + class: sp800-53a + - name: sort-id + value: ir-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-22" + rel: related + - href: "#pm-26" + rel: related + - href: "#sa-9" + rel: related + - href: "#si-18" + rel: related + parts: + - id: ir-7_smt + name: statement + prose: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and + assistance to users of the system for the handling and reporting of + incidents. + - id: ir-7_gdn + name: guidance + prose: Incident response support resources provided by organizations + include help desks, assistance groups, automated ticketing systems + to open and track incident response tickets, and access to forensics + services or consumer redress services, when required. + - id: ir-8 + class: SP800-53 + title: Incident Response Plan + params: + - id: ir-8_prm_5 + label: organization-defined incident response personnel (identified + by name and/or by role) and organizational elements + constraints: + - description: see additional FedRAMP Requirements and Guidance + - id: ir-08_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles that review and approve the incident response + plan is/are identified; + - id: ir-08_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and approve the incident + response plan is defined; + - id: ir-08_odp.03 + label: entities, personnel, or roles + guidelines: + - prose: entities, personnel, or roles with designated responsibility + for incident response are defined; + - id: ir-08_odp.04 + label: incident response personnel + constraints: + - description: see additional FedRAMP Requirements and Guidance + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom copies of the incident response plan are to be distributed + is/are defined; + - id: ir-08_odp.05 + label: organizational elements + guidelines: + - prose: organizational elements to which copies of the incident response + plan are to be distributed are defined; + - id: ir-08_odp.06 + label: incident response personnel + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom changes to the incident response plan is/are communicated + are defined; + - id: ir-08_odp.07 + label: organizational elements + guidelines: + - prose: organizational elements to which changes to the incident + response plan are communicated are defined; + props: + - name: label + value: IR-8 + - name: label + value: IR-08 + class: sp800-53a + - name: sort-id + value: ir-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#ac-2" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-8" + rel: related + parts: + - id: ir-8_smt + name: statement + parts: + - id: ir-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop an incident response plan that:" + parts: + - id: ir-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Provides the organization with a roadmap for implementing + its incident response capability; + - id: ir-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describes the structure and organization of the incident + response capability; + - id: ir-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Provides a high-level approach for how the incident response + capability fits into the overall organization; + - id: ir-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Meets the unique requirements of the organization, which + relate to mission, size, structure, and functions; + - id: ir-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Defines reportable incidents; + - id: ir-8_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provides metrics for measuring the incident response + capability within the organization; + - id: ir-8_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Defines the resources and management support needed to + effectively maintain and mature an incident response capability; + - id: ir-8_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Addresses the sharing of incident information; + - id: ir-8_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: "Is reviewed and approved by {{ insert: param, ir-08_odp.01\ + \ }} {{ insert: param, ir-08_odp.02 }} ; and" + - id: ir-8_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: "Explicitly designates responsibility for incident response\ + \ to {{ insert: param, ir-08_odp.03 }}." + - id: ir-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the incident response plan to {{ insert:\ + \ param, ir-08_odp.04 }};" + - id: ir-8_smt.c + name: item + props: + - name: label + value: c. + prose: Update the incident response plan to address system and organizational + changes or problems encountered during plan implementation, execution, + or testing; + - id: ir-8_smt.d + name: item + props: + - name: label + value: d. + prose: "Communicate incident response plan changes to {{ insert:\ + \ param, ir-8_prm_5 }} ; and" + - id: ir-8_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the incident response plan from unauthorized disclosure + and modification. + - id: ir-8_gdn + name: guidance + prose: It is important that organizations develop and implement a coordinated + approach to incident response. Organizational mission and business + functions determine the structure of incident response capabilities. + As part of the incident response capabilities, organizations consider + the coordination and sharing of information with external organizations, + including external service providers and other organizations involved + in the supply chain. For incidents involving personally identifiable + information (i.e., breaches), include a process to determine whether + notice to oversight organizations or affected individuals is appropriate + and provide that notice accordingly. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: Attestation - Specifically attest to US-CERT compliance. + - id: ma + class: family + title: Maintenance + controls: + - id: ma-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ma-1_prm_1 + label: organization-defined personnel or roles + - id: ma-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance policy is to be + disseminated is/are defined; + - id: ma-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance procedures are + to be disseminated is/are defined; + - id: ma-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ma-01_odp.04 + label: official + guidelines: + - prose: an official to manage the maintenance policy and procedures + is defined; + - id: ma-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current maintenance policy is + reviewed and updated is defined; + - id: ma-01_odp.06 + label: events + guidelines: + - prose: events that would require the current maintenance policy + to be reviewed and updated are defined; + - id: ma-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current maintenance procedures + are reviewed and updated is defined; + - id: ma-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the maintenance procedures to be + reviewed and updated are defined; + props: + - name: label + value: MA-1 + - name: label + value: MA-01 + class: sp800-53a + - name: sort-id + value: ma-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ma-1_smt + name: statement + parts: + - id: ma-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ma-1_prm_1 }}:" + parts: + - id: ma-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ma-01_odp.03 }} maintenance policy\ + \ that:" + parts: + - id: ma-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ma-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ma-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the maintenance + policy and the associated maintenance controls; + - id: ma-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ma-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures; and" + - id: ma-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current maintenance:" + parts: + - id: ma-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ma-01_odp.05 }} and following\ + \ {{ insert: param, ma-01_odp.06 }} ; and" + - id: ma-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ma-01_odp.07 }} and following\ + \ {{ insert: param, ma-01_odp.08 }}." + - id: ma-1_gdn + name: guidance + prose: Maintenance policy and procedures address the controls in the + MA family that are implemented within systems and organizations. The + risk management strategy is an important factor in establishing such + policies and procedures. Policies and procedures contribute to security + and privacy assurance. Therefore, it is important that security and + privacy programs collaborate on the development of maintenance policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to maintenance policy and procedures assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ma-2 + class: SP800-53 + title: Controlled Maintenance + params: + - id: ma-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles required to explicitly approve the removal + of the system or system components from organizational facilities + for off-site maintenance or repairs is/are defined; + - id: ma-02_odp.02 + label: information + guidelines: + - prose: information to be removed from associated media prior to + removal from organizational facilities for off-site maintenance, + repair, or replacement is defined; + - id: ma-02_odp.03 + label: information + guidelines: + - prose: information to be included in organizational maintenance + records is defined; + props: + - name: label + value: MA-2 + - name: label + value: MA-02 + class: sp800-53a + - name: sort-id + value: ma-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ma-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ma-2_smt.a + name: item + props: + - name: label + value: a. + prose: Schedule, document, and review records of maintenance, repair, + and replacement on system components in accordance with manufacturer + or vendor specifications and/or organizational requirements; + - id: ma-2_smt.b + name: item + props: + - name: label + value: b. + prose: Approve and monitor all maintenance activities, whether performed + on site or remotely and whether the system or system components + are serviced on site or removed to another location; + - id: ma-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require that {{ insert: param, ma-02_odp.01 }} explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + - id: ma-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Sanitize equipment to remove the following information from\ + \ associated media prior to removal from organizational facilities\ + \ for off-site maintenance, repair, or replacement: {{ insert:\ + \ param, ma-02_odp.02 }};" + - id: ma-2_smt.e + name: item + props: + - name: label + value: e. + prose: Check all potentially impacted controls to verify that the + controls are still functioning properly following maintenance, + repair, or replacement actions; and + - id: ma-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Include the following information in organizational maintenance\ + \ records: {{ insert: param, ma-02_odp.03 }}." + - id: ma-2_gdn + name: guidance + prose: Controlling system maintenance addresses the information security + aspects of the system maintenance program and applies to all types + of maintenance to system components conducted by local or nonlocal + entities. Maintenance includes peripherals such as scanners, copiers, + and printers. Information necessary for creating effective maintenance + records includes the date and time of maintenance, a description of + the maintenance performed, names of the individuals or group performing + the maintenance, name of the escort, and system components or equipment + that are removed or replaced. Organizations consider supply chain-related + risks associated with replacement components for systems. + - id: ma-2_obj + name: assessment-objective + props: + - name: label + value: MA-02 + class: sp800-53a + parts: + - id: ma-2_obj.a + name: assessment-objective + props: + - name: label + value: MA-02a. + class: sp800-53a + parts: + - id: ma-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-02a.[01] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are scheduled in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-02a.[02] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are documented in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-02a.[03] + class: sp800-53a + prose: records of maintenance, repair, and replacement of system + components are reviewed in accordance with manufacturer or + vendor specifications and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.b + name: assessment-objective + props: + - name: label + value: MA-02b. + class: sp800-53a + parts: + - id: ma-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-02b.[01] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are approved; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-02b.[02] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are monitored; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.c + name: assessment-objective + props: + - name: label + value: MA-02c. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + links: + - href: "#ma-2_smt.c" + rel: assessment-for + - id: ma-2_obj.d + name: assessment-objective + props: + - name: label + value: MA-02d. + class: sp800-53a + prose: "equipment is sanitized to remove {{ insert: param, ma-02_odp.02\ + \ }} from associated media prior to removal from organizational\ + \ facilities for off-site maintenance, repair, or replacement;" + links: + - href: "#ma-2_smt.d" + rel: assessment-for + - id: ma-2_obj.e + name: assessment-objective + props: + - name: label + value: MA-02e. + class: sp800-53a + prose: all potentially impacted controls are checked to verify that + the controls are still functioning properly following maintenance, + repair, or replacement actions; + links: + - href: "#ma-2_smt.e" + rel: assessment-for + - id: ma-2_obj.f + name: assessment-objective + props: + - name: label + value: MA-02f. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.03 }} is included in organizational\ + \ maintenance records." + links: + - href: "#ma-2_smt.f" + rel: assessment-for + links: + - href: "#ma-2_smt" + rel: assessment-for + - id: ma-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing controlled system maintenance + + maintenance records + + manufacturer/vendor maintenance specifications + + equipment sanitization records + + media sanitization records + + system security plan + + other relevant documents or records + - id: ma-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for scheduling, performing, + documenting, reviewing, approving, and monitoring + maintenance and repairs for the system + + + organizational processes for sanitizing system components + + + mechanisms supporting and/or implementing controlled maintenance + + + mechanisms implementing the sanitization of system components + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: ma-4 + class: SP800-53 + title: Nonlocal Maintenance + props: + - name: label + value: MA-4 + - name: label + value: MA-04 + class: sp800-53a + - name: sort-id + value: ma-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-10" + rel: related + parts: + - id: ma-4_smt + name: statement + parts: + - id: ma-4_smt.a + name: item + props: + - name: label + value: a. + prose: Approve and monitor nonlocal maintenance and diagnostic activities; + - id: ma-4_smt.b + name: item + props: + - name: label + value: b. + prose: Allow the use of nonlocal maintenance and diagnostic tools + only as consistent with organizational policy and documented in + the security plan for the system; + - id: ma-4_smt.c + name: item + props: + - name: label + value: c. + prose: Employ strong authentication in the establishment of nonlocal + maintenance and diagnostic sessions; + - id: ma-4_smt.d + name: item + props: + - name: label + value: d. + prose: Maintain records for nonlocal maintenance and diagnostic + activities; and + - id: ma-4_smt.e + name: item + props: + - name: label + value: e. + prose: Terminate session and network connections when nonlocal maintenance + is completed. + - id: ma-4_gdn + name: guidance + prose: Nonlocal maintenance and diagnostic activities are conducted + by individuals who communicate through either an external or internal + network. Local maintenance and diagnostic activities are carried out + by individuals who are physically present at the system location and + not communicating across a network connection. Authentication techniques + used to establish nonlocal maintenance and diagnostic sessions reflect + the network access requirements in [IA-2](#ia-2) . Strong authentication + requires authenticators that are resistant to replay attacks and employ + multi-factor authentication. Strong authenticators include PKI where + certificates are stored on a token protected by a password, passphrase, + or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, + in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + provides additional guidance on strong authentication and authenticators. + - id: ma-5 + class: SP800-53 + title: Maintenance Personnel + props: + - name: label + value: MA-5 + - name: label + value: MA-05 + class: sp800-53a + - name: sort-id + value: ma-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + parts: + - id: ma-5_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ma-5_smt.a + name: item + props: + - name: label + value: a. + prose: Establish a process for maintenance personnel authorization + and maintain a list of authorized maintenance organizations or + personnel; + - id: ma-5_smt.b + name: item + props: + - name: label + value: b. + prose: Verify that non-escorted personnel performing maintenance + on the system possess the required access authorizations; and + - id: ma-5_smt.c + name: item + props: + - name: label + value: c. + prose: Designate organizational personnel with required access authorizations + and technical competence to supervise the maintenance activities + of personnel who do not possess the required access authorizations. + - id: ma-5_gdn + name: guidance + prose: Maintenance personnel refers to individuals who perform hardware + or software maintenance on organizational systems, while [PE-2](#pe-2) + addresses physical access for individuals whose maintenance duties + place them within the physical protection perimeter of the systems. + Technical competence of supervising individuals relates to the maintenance + performed on the systems, while having required access authorizations + refers to maintenance on and near the systems. Individuals not previously + identified as authorized maintenance personnel—such as information + technology manufacturers, vendors, systems integrators, and consultants—may + require privileged access to organizational systems, such as when + they are required to conduct maintenance activities with little or + no notice. Based on organizational assessments of risk, organizations + may issue temporary credentials to these individuals. Temporary credentials + may be for one-time use or for very limited time periods. + - id: ma-5_obj + name: assessment-objective + props: + - name: label + value: MA-05 + class: sp800-53a + parts: + - id: ma-5_obj.a + name: assessment-objective + props: + - name: label + value: MA-05a. + class: sp800-53a + parts: + - id: ma-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-05a.[01] + class: sp800-53a + prose: a process for maintenance personnel authorization is + established; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-05a.[02] + class: sp800-53a + prose: a list of authorized maintenance organizations or personnel + is maintained; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.b + name: assessment-objective + props: + - name: label + value: MA-05b. + class: sp800-53a + prose: non-escorted personnel performing maintenance on the system + possess the required access authorizations; + links: + - href: "#ma-5_smt.b" + rel: assessment-for + - id: ma-5_obj.c + name: assessment-objective + props: + - name: label + value: MA-05c. + class: sp800-53a + prose: organizational personnel with required access authorizations + and technical competence is/are designated to supervise the maintenance + activities of personnel who do not possess the required access + authorizations. + links: + - href: "#ma-5_smt.c" + rel: assessment-for + links: + - href: "#ma-5_smt" + rel: assessment-for + - id: ma-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing maintenance personnel + + service provider contracts + + service-level agreements + + list of authorized personnel + + maintenance records + + access control records + + system security plan + + other relevant documents or records + - id: ma-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for authorizing and managing + maintenance personnel + + + mechanisms supporting and/or implementing authorization of maintenance + personnel + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: mp + class: family + title: Media Protection + controls: + - id: mp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: mp-1_prm_1 + label: organization-defined personnel or roles + - id: mp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection policy is + to be disseminated is/are defined; + - id: mp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection procedures + are to be disseminated is/are defined; + - id: mp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: mp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the media protection policy and procedures + is defined; + - id: mp-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current media protection policy + is reviewed and updated is defined; + - id: mp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current media protection policy + to be reviewed and updated are defined; + - id: mp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current media protection procedures + are reviewed and updated is defined; + - id: mp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require media protection procedures to + be reviewed and updated are defined; + props: + - name: label + value: MP-1 + - name: label + value: MP-01 + class: sp800-53a + - name: sort-id + value: mp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-1_smt + name: statement + parts: + - id: mp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ mp-1_prm_1 }}:" + parts: + - id: mp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, mp-01_odp.03 }} media protection\ + \ policy that:" + parts: + - id: mp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: mp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: mp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the media + protection policy and the associated media protection controls; + - id: mp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, mp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures; and" + - id: mp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current media protection:" + parts: + - id: mp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, mp-01_odp.05 }} and following\ + \ {{ insert: param, mp-01_odp.06 }} ; and" + - id: mp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, mp-01_odp.07 }} and following\ + \ {{ insert: param, mp-01_odp.08 }}." + - id: mp-1_gdn + name: guidance + prose: Media protection policy and procedures address the controls in + the MP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of media protection + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to media protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: mp-2 + class: SP800-53 + title: Media Access + params: + - id: mp-2_prm_1 + label: organization-defined types of digital and/or non-digital media + - id: mp-2_prm_2 + label: organization-defined personnel or roles + - id: mp-02_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to which access is restricted are + defined; + - id: mp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access digital media is/are + defined; + - id: mp-02_odp.03 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to which access is restricted + are defined; + - id: mp-02_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access non-digital media + is/are defined; + props: + - name: label + value: MP-2 + - name: label + value: MP-02 + class: sp800-53a + - name: sort-id + value: mp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert:\ + \ param, mp-2_prm_2 }}." + - id: mp-2_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Denying access to patient medical records in a community + hospital unless the individuals seeking access to such records are + authorized healthcare providers is an example of restricting access + to non-digital media. Limiting access to the design specifications + stored on compact discs in the media library to individuals on the + system development team is an example of restricting access to digital + media. + - id: mp-2_obj + name: assessment-objective + props: + - name: label + value: MP-02 + class: sp800-53a + parts: + - id: mp-2_obj-1 + name: assessment-objective + props: + - name: label + value: MP-02[01] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.01 }} is restricted\ + \ to {{ insert: param, mp-02_odp.02 }};" + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_obj-2 + name: assessment-objective + props: + - name: label + value: MP-02[02] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.03 }} is restricted\ + \ to {{ insert: param, mp-02_odp.04 }}." + links: + - href: "#mp-2_smt" + rel: assessment-for + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media access restrictions + + access control policy and procedures + + physical and environmental protection policy and procedures + + media storage facilities + + access control records + + system security plan + + other relevant documents or records + - id: mp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for restricting information media + + + mechanisms supporting and/or implementing media access restrictions + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: mp-6 + class: SP800-53 + title: Media Sanitization + params: + - id: mp-6_prm_1 + label: organization-defined system media + constraints: + - description: "techniques and procedures IAW NIST SP 800-88 Section\ + \ 4: Reuse and Disposal of Storage Media and Hardware" + - id: mp-6_prm_2 + label: organization-defined sanitization techniques and procedures + - id: mp-06_odp.01 + label: system media + guidelines: + - prose: system media to be sanitized prior to disposal is defined; + - id: mp-06_odp.02 + label: system media + guidelines: + - prose: system media to be sanitized prior to release from organizational + control is defined; + - id: mp-06_odp.03 + label: system media + guidelines: + - prose: system media to be sanitized prior to release for reuse is + defined; + - id: mp-06_odp.04 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to disposal are defined; + - id: mp-06_odp.05 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release from organizational control are defined; + - id: mp-06_odp.06 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release for reuse are defined; + props: + - name: label + value: MP-6 + - name: label + value: MP-06 + class: sp800-53a + - name: sort-id + value: mp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#au-11" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pm-22" + rel: related + - href: "#si-12" + rel: related + - href: "#si-18" + rel: related + - href: "#si-19" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: mp-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: mp-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal,\ + \ release out of organizational control, or release for reuse\ + \ using {{ insert: param, mp-6_prm_2 }} ; and" + - id: mp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the + information. + - id: mp-6_gdn + name: guidance + prose: Media sanitization applies to all digital and non-digital system + media subject to disposal or reuse, whether or not the media is considered + removable. Examples include digital media in scanners, copiers, printers, + notebook computers, workstations, network components, mobile devices, + and non-digital media (e.g., paper and microfilm). The sanitization + process removes information from system media such that the information + cannot be retrieved or reconstructed. Sanitization techniques—including + clearing, purging, cryptographic erase, de-identification of personally + identifiable information, and destruction—prevent the disclosure of + information to unauthorized individuals when such media is reused + or released for disposal. Organizations determine the appropriate + sanitization methods, recognizing that destruction is sometimes necessary + when other methods cannot be applied to media requiring sanitization. + Organizations use discretion on the employment of approved sanitization + techniques and procedures for media that contains information deemed + to be in the public domain or publicly releasable or information deemed + to have no adverse impact on organizations or individuals if released + for reuse or disposal. Sanitization of non-digital media includes + destruction, removing a classified appendix from an otherwise unclassified + document, or redacting selected sections or words from a document + by obscuring the redacted sections or words in a manner equivalent + in effectiveness to removing them from the document. NSA standards + and policies control the sanitization process for media that contains + classified information. NARA policies control the sanitization process + for controlled unclassified information. + - id: mp-6_obj + name: assessment-objective + props: + - name: label + value: MP-06 + class: sp800-53a + parts: + - id: mp-6_obj.a + name: assessment-objective + props: + - name: label + value: MP-06a. + class: sp800-53a + parts: + - id: mp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-06a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.01 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.04 }} prior to disposal;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-06a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.02 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.05 }} prior to release from\ + \ organizational control;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-06a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.03 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.06 }} prior to release for reuse;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.b + name: assessment-objective + props: + - name: label + value: MP-06b. + class: sp800-53a + prose: sanitization mechanisms with strength and integrity commensurate + with the security category or classification of the information + are employed. + links: + - href: "#mp-6_smt.b" + rel: assessment-for + links: + - href: "#mp-6_smt" + rel: assessment-for + - id: mp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + applicable federal standards and policies addressing media sanitization + policy + + + media sanitization records + + + system audit records + + + system design documentation + + + records retention and disposition policy + + + records retention and disposition procedures + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media sanitization + responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: mp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for media sanitization + + mechanisms supporting and/or implementing media sanitization + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: mp-7 + class: SP800-53 + title: Media Use + params: + - id: mp-07_odp.01 + label: types of system media + guidelines: + - prose: types of system media to be restricted or prohibited from + use on systems or system components are defined; + - id: mp-07_odp.02 + select: + choice: + - restrict + - prohibit + - id: mp-07_odp.03 + label: systems or system components + guidelines: + - prose: systems or system components on which the use of specific + types of system media to be restricted or prohibited are defined; + - id: mp-07_odp.04 + label: controls + guidelines: + - prose: controls to restrict or prohibit the use of specific types + of system media on systems or system components are defined; + props: + - name: label + value: MP-7 + - name: label + value: MP-07 + class: sp800-53a + - name: sort-id + value: mp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: mp-7_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: mp-7_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, mp-07_odp.02 }} the use of {{ insert:\ + \ param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }} ; and" + - id: mp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Prohibit the use of portable storage devices in organizational + systems when such devices have no identifiable owner. + - id: mp-7_gdn + name: guidance + prose: System media includes both digital and non-digital media. Digital + media includes diskettes, magnetic tapes, flash drives, compact discs, + digital versatile discs, and removable hard disk drives. Non-digital + media includes paper and microfilm. Media use protections also apply + to mobile devices with information storage capabilities. In contrast + to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts + the use of certain types of media on systems, for example, restricting + or prohibiting the use of flash drives or external hard disk drives. + Organizations use technical and nontechnical controls to restrict + the use of system media. Organizations may restrict the use of portable + storage devices, for example, by using physical cages on workstations + to prohibit access to certain external ports or disabling or removing + the ability to insert, read, or write to such devices. Organizations + may also limit the use of portable storage devices to only approved + devices, including devices provided by the organization, devices provided + by other approved organizations, and devices that are not personally + owned. Finally, organizations may restrict the use of portable storage + devices based on the type of device, such as by prohibiting the use + of writeable, portable storage devices and implementing this restriction + by disabling or removing the capability to write to such devices. + Requiring identifiable owners for storage devices reduces the risk + of using such devices by allowing organizations to assign responsibility + for addressing known vulnerabilities in the devices. + - id: mp-7_obj + name: assessment-objective + props: + - name: label + value: MP-07 + class: sp800-53a + parts: + - id: mp-7_obj.a + name: assessment-objective + props: + - name: label + value: MP-07a. + class: sp800-53a + prose: "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert:\ + \ param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }};" + links: + - href: "#mp-7_smt.a" + rel: assessment-for + - id: mp-7_obj.b + name: assessment-objective + props: + - name: label + value: MP-07b. + class: sp800-53a + prose: the use of portable storage devices in organizational systems + is prohibited when such devices have no identifiable owner. + links: + - href: "#mp-7_smt.b" + rel: assessment-for + links: + - href: "#mp-7_smt" + rel: assessment-for + - id: mp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + system use policy + + procedures addressing media usage restrictions + + rules of behavior + + system design documentation + + system configuration settings and associated documentation + + audit records + + system security plan + + other relevant documents or records + - id: mp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media use + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media use + + + mechanisms restricting or prohibiting the use of system media + on systems or system components + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe + class: family + title: Physical and Environmental Protection + controls: + - id: pe-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pe-1_prm_1 + label: organization-defined personnel or roles + - id: pe-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection policy is to be disseminated is/are defined; + - id: pe-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection procedures are to be disseminated is/are defined; + - id: pe-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pe-01_odp.04 + label: official + guidelines: + - prose: an official to manage the physical and environmental protection + policy and procedures is defined; + - id: pe-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current physical and environmental + protection policy is reviewed and updated is defined; + - id: pe-01_odp.06 + label: events + guidelines: + - prose: events that would require the current physical and environmental + protection policy to be reviewed and updated are defined; + - id: pe-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current physical and environmental + protection procedures are reviewed and updated is defined; + - id: pe-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the physical and environmental + protection procedures to be reviewed and updated are defined; + props: + - name: label + value: PE-1 + - name: label + value: PE-01 + class: sp800-53a + - name: sort-id + value: pe-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pe-1_smt + name: statement + parts: + - id: pe-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pe-1_prm_1 }}:" + parts: + - id: pe-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pe-01_odp.03 }} physical and environmental\ + \ protection policy that:" + parts: + - id: pe-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pe-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pe-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the physical + and environmental protection policy and the associated physical + and environmental protection controls; + - id: pe-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pe-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures; and" + - id: pe-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current physical and environmental\ + \ protection:" + parts: + - id: pe-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pe-01_odp.05 }} and following\ + \ {{ insert: param, pe-01_odp.06 }} ; and" + - id: pe-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pe-01_odp.07 }} and following\ + \ {{ insert: param, pe-01_odp.08 }}." + - id: pe-1_gdn + name: guidance + prose: Physical and environmental protection policy and procedures address + the controls in the PE family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of physical and environmental protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + physical and environmental protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: pe-2 + class: SP800-53 + title: Physical Access Authorizations + params: + - id: pe-02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review the access list detailing authorized + facility access by individuals is defined; + props: + - name: label + value: PE-2 + - name: label + value: PE-02 + class: sp800-53a + - name: sort-id + value: pe-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: pe-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, approve, and maintain a list of individuals with + authorized access to the facility where the system resides; + - id: pe-2_smt.b + name: item + props: + - name: label + value: b. + prose: Issue authorization credentials for facility access; + - id: pe-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the access list detailing authorized facility access\ + \ by individuals {{ insert: param, pe-02_odp }} ; and" + - id: pe-2_smt.d + name: item + props: + - name: label + value: d. + prose: Remove individuals from the facility access list when access + is no longer required. + - id: pe-2_gdn + name: guidance + prose: Physical access authorizations apply to employees and visitors. + Individuals with permanent physical access authorization credentials + are not considered visitors. Authorization credentials include ID + badges, identification cards, and smart cards. Organizations determine + the strength of authorization credentials needed consistent with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Physical access authorizations may not be necessary + to access certain areas within facilities that are designated as publicly + accessible. + - id: pe-2_obj + name: assessment-objective + props: + - name: label + value: PE-02 + class: sp800-53a + parts: + - id: pe-2_obj.a + name: assessment-objective + props: + - name: label + value: PE-02a. + class: sp800-53a + parts: + - id: pe-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-02a.[01] + class: sp800-53a + prose: a list of individuals with authorized access to the facility + where the system resides has been developed; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-02a.[02] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been approved; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-02a.[03] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been maintained; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.b + name: assessment-objective + props: + - name: label + value: PE-02b. + class: sp800-53a + prose: authorization credentials are issued for facility access; + links: + - href: "#pe-2_smt.b" + rel: assessment-for + - id: pe-2_obj.c + name: assessment-objective + props: + - name: label + value: PE-02c. + class: sp800-53a + prose: "the access list detailing authorized facility access by\ + \ individuals is reviewed {{ insert: param, pe-02_odp }};" + links: + - href: "#pe-2_smt.c" + rel: assessment-for + - id: pe-2_obj.d + name: assessment-objective + props: + - name: label + value: PE-02d. + class: sp800-53a + prose: individuals are removed from the facility access list when + access is no longer required. + links: + - href: "#pe-2_smt.d" + rel: assessment-for + links: + - href: "#pe-2_smt" + rel: assessment-for + - id: pe-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access authorizations + + + authorized personnel access list + + + authorization credentials + + + physical access list reviews + + + physical access termination records and associated documentation + + + system security plan + + + other relevant documents or records + - id: pe-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access authorization + responsibilities + + + organizational personnel with physical access to system facility + + + organizational personnel with information security responsibilities + - id: pe-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access authorizations + + + mechanisms supporting and/or implementing physical access authorizations + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-3 + class: SP800-53 + title: Physical Access Control + params: + - id: pe-3_prm_9 + label: organization-defined frequency + constraints: + - description: at least annually + - id: pe-03_odp.01 + label: entry and exit points + guidelines: + - prose: entry and exit points to the facility in which the system + resides are defined; + - id: pe-03_odp.02 + constraints: + - description: CSP defined physical access control systems/devices + AND guards + select: + how-many: one-or-more + choice: + - " {{ insert: param, pe-03_odp.03 }} " + - guards + - id: pe-03_odp.03 + label: systems or devices + guidelines: + - prose: physical access control systems or devices used to control + ingress and egress to the facility are defined (if selected); + - id: pe-03_odp.04 + label: entry or exit points + guidelines: + - prose: entry or exit points for which physical access logs are maintained + are defined; + - id: pe-03_odp.05 + label: physical access controls + guidelines: + - prose: physical access controls to control access to areas within + the facility designated as publicly accessible are defined; + - id: pe-03_odp.06 + label: circumstances + constraints: + - description: in all circumstances within restricted access area + where the information system resides + guidelines: + - prose: circumstances requiring visitor escorts and control of visitor + activity are defined; + - id: pe-03_odp.07 + label: physical access devices + constraints: + - description: at least annually + guidelines: + - prose: physical access devices to be inventoried are defined; + - id: pe-03_odp.08 + label: frequency + guidelines: + - prose: frequency at which to inventory physical access devices is + defined; + - id: pe-03_odp.09 + label: frequency + guidelines: + - prose: frequency at which to change combinations is defined; + - id: pe-03_odp.10 + label: frequency + guidelines: + - prose: frequency at which to change keys is defined; + props: + - name: label + value: PE-3 + - name: label + value: PE-03 + class: sp800-53a + - name: sort-id + value: pe-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-13" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: pe-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce physical access authorizations at {{ insert: param,\ + \ pe-03_odp.01 }} by:" + parts: + - id: pe-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Verifying individual access authorizations before granting + access to the facility; and + - id: pe-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "Controlling ingress and egress to the facility using\ + \ {{ insert: param, pe-03_odp.02 }};" + - id: pe-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Maintain physical access audit logs for {{ insert: param,\ + \ pe-03_odp.04 }};" + - id: pe-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Control access to areas within the facility designated as\ + \ publicly accessible by implementing the following controls:\ + \ {{ insert: param, pe-03_odp.05 }};" + - id: pe-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Escort visitors and control visitor activity {{ insert:\ + \ param, pe-03_odp.06 }};" + - id: pe-3_smt.e + name: item + props: + - name: label + value: e. + prose: Secure keys, combinations, and other physical access devices; + - id: pe-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert:\ + \ param, pe-03_odp.08 }} ; and" + - id: pe-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Change combinations and keys {{ insert: param, pe-3_prm_9\ + \ }} and/or when keys are lost, combinations are compromised,\ + \ or when individuals possessing the keys or combinations are\ + \ transferred or terminated." + - id: pe-3_gdn + name: guidance + prose: Physical access control applies to employees and visitors. Individuals + with permanent physical access authorizations are not considered visitors. + Physical access controls for publicly accessible areas may include + physical access control logs/records, guards, or physical access devices + and barriers to prevent movement from publicly accessible areas to + non-public areas. Organizations determine the types of guards needed, + including professional security staff, system users, or administrative + staff. Physical access devices include keys, locks, combinations, + biometric readers, and card readers. Physical access control systems + comply with applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Organizations have flexibility + in the types of audit logs employed. Audit logs can be procedural, + automated, or some combination thereof. Physical access points can + include facility access points, interior access points to systems + that require supplemental access controls, or both. Components of + systems may be in areas designated as publicly accessible with organizations + controlling access to the components. + - id: pe-3_obj + name: assessment-objective + props: + - name: label + value: PE-03 + class: sp800-53a + parts: + - id: pe-3_obj.a + name: assessment-objective + props: + - name: label + value: PE-03a. + class: sp800-53a + parts: + - id: pe-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-03a.01 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by verifying individual access authorizations\ + \ before granting access to the facility;" + links: + - href: "#pe-3_smt.a.1" + rel: assessment-for + - id: pe-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: PE-03a.02 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by controlling ingress and egress\ + \ to the facility using {{ insert: param, pe-03_odp.02 }};" + links: + - href: "#pe-3_smt.a.2" + rel: assessment-for + links: + - href: "#pe-3_smt.a" + rel: assessment-for + - id: pe-3_obj.b + name: assessment-objective + props: + - name: label + value: PE-03b. + class: sp800-53a + prose: "physical access audit logs are maintained for {{ insert:\ + \ param, pe-03_odp.04 }};" + links: + - href: "#pe-3_smt.b" + rel: assessment-for + - id: pe-3_obj.c + name: assessment-objective + props: + - name: label + value: PE-03c. + class: sp800-53a + prose: "access to areas within the facility designated as publicly\ + \ accessible are maintained by implementing {{ insert: param,\ + \ pe-03_odp.05 }};" + links: + - href: "#pe-3_smt.c" + rel: assessment-for + - id: pe-3_obj.d + name: assessment-objective + props: + - name: label + value: PE-03d. + class: sp800-53a + parts: + - id: pe-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: PE-03d.[01] + class: sp800-53a + prose: visitors are escorted; + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: PE-03d.[02] + class: sp800-53a + prose: "visitor activity is controlled {{ insert: param, pe-03_odp.06\ + \ }};" + links: + - href: "#pe-3_smt.d" + rel: assessment-for + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.e + name: assessment-objective + props: + - name: label + value: PE-03e. + class: sp800-53a + parts: + - id: pe-3_obj.e-1 + name: assessment-objective + props: + - name: label + value: PE-03e.[01] + class: sp800-53a + prose: keys are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-2 + name: assessment-objective + props: + - name: label + value: PE-03e.[02] + class: sp800-53a + prose: combinations are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-3 + name: assessment-objective + props: + - name: label + value: PE-03e.[03] + class: sp800-53a + prose: other physical access devices are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.f + name: assessment-objective + props: + - name: label + value: PE-03f. + class: sp800-53a + prose: " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert:\ + \ param, pe-03_odp.08 }};" + links: + - href: "#pe-3_smt.f" + rel: assessment-for + - id: pe-3_obj.g + name: assessment-objective + props: + - name: label + value: PE-03g. + class: sp800-53a + parts: + - id: pe-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: PE-03g.[01] + class: sp800-53a + prose: "combinations are changed {{ insert: param, pe-03_odp.09\ + \ }} , when combinations are compromised, or when individuals\ + \ possessing the combinations are transferred or terminated;" + links: + - href: "#pe-3_smt.g" + rel: assessment-for + - id: pe-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: PE-03g.[02] + class: sp800-53a + prose: "keys are changed {{ insert: param, pe-03_odp.10 }} ,\ + \ when keys are lost, or when individuals possessing the keys\ + \ are transferred or terminated." + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt" + rel: assessment-for + - id: pe-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access control + + + physical access control logs or records + + + inventory records of physical access control devices + + + system entry and exit points + + + records of key and lock combination changes + + + storage locations for physical access control devices + + + physical access control devices + + + list of security safeguards controlling access to designated publicly + accessible areas within facility + + + system security plan + + + other relevant documents or records + - id: pe-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access control + + + mechanisms supporting and/or implementing physical access control + + + physical access control devices + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-6 + class: SP800-53 + title: Monitoring Physical Access + params: + - id: pe-06_odp.01 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review physical access logs is + defined; + - id: pe-06_odp.02 + label: events + guidelines: + - prose: events or potential indication of events requiring physical + access logs to be reviewed are defined; + props: + - name: label + value: PE-6 + - name: label + value: PE-06 + class: sp800-53a + - name: sort-id + value: pe-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#ca-7" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: pe-6_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-6_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor physical access to the facility where the system + resides to detect and respond to physical security incidents; + - id: pe-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review physical access logs {{ insert: param, pe-06_odp.01\ + \ }} and upon occurrence of {{ insert: param, pe-06_odp.02 }}\ + \ ; and" + - id: pe-6_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate results of reviews and investigations with the + organizational incident response capability. + - id: pe-6_gdn + name: guidance + prose: Physical access monitoring includes publicly accessible areas + within organizational facilities. Examples of physical access monitoring + include the employment of guards, video surveillance equipment (i.e., + cameras), and sensor devices. Reviewing physical access logs can help + identify suspicious activity, anomalous events, or potential threats. + The reviews can be supported by audit logging controls, such as [AU-2](#au-2) + , if the access logs are part of an automated system. Organizational + incident response capabilities include investigations of physical + security incidents and responses to the incidents. Incidents include + security violations or suspicious physical access activities. Suspicious + physical access activities include accesses outside of normal work + hours, repeated accesses to areas not normally accessed, accesses + for unusual lengths of time, and out-of-sequence accesses. + - id: pe-6_obj + name: assessment-objective + props: + - name: label + value: PE-06 + class: sp800-53a + parts: + - id: pe-6_obj.a + name: assessment-objective + props: + - name: label + value: PE-06a. + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored to detect and respond to physical security incidents; + links: + - href: "#pe-6_smt.a" + rel: assessment-for + - id: pe-6_obj.b + name: assessment-objective + props: + - name: label + value: PE-06b. + class: sp800-53a + parts: + - id: pe-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: PE-06b.[01] + class: sp800-53a + prose: "physical access logs are reviewed {{ insert: param,\ + \ pe-06_odp.01 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: PE-06b.[02] + class: sp800-53a + prose: "physical access logs are reviewed upon occurrence of\ + \ {{ insert: param, pe-06_odp.02 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.c + name: assessment-objective + props: + - name: label + value: PE-06c. + class: sp800-53a + parts: + - id: pe-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: PE-06c.[01] + class: sp800-53a + prose: results of reviews are coordinated with organizational + incident response capabilities; + links: + - href: "#pe-6_smt.c" + rel: assessment-for + - id: pe-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: PE-06c.[02] + class: sp800-53a + prose: results of investigations are coordinated with organizational + incident response capabilities. + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt" + rel: assessment-for + - id: pe-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + other relevant documents or records + - id: pe-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security responsibilities + - id: pe-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical access + + + mechanisms supporting and/or implementing physical access monitoring + + + mechanisms supporting and/or implementing the review of physical + access logs + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-8 + class: SP800-53 + title: Visitor Access Records + params: + - id: pe-08_odp.01 + label: time period + constraints: + - description: for a minimum of one (1) year + guidelines: + - prose: time period for which to maintain visitor access records + for the facility where the system resides is defined; + - id: pe-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review visitor access records is + defined; + - id: pe-08_odp.03 + label: personnel + guidelines: + - prose: personnel to whom visitor access records anomalies are reported + to is/are defined; + props: + - name: label + value: PE-8 + - name: label + value: PE-08 + class: sp800-53a + - name: sort-id + value: pe-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: pe-8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain visitor access records to the facility where the\ + \ system resides for {{ insert: param, pe-08_odp.01 }};" + - id: pe-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review visitor access records {{ insert: param, pe-08_odp.02\ + \ }} ; and" + - id: pe-8_smt.c + name: item + props: + - name: label + value: c. + prose: "Report anomalies in visitor access records to {{ insert:\ + \ param, pe-08_odp.03 }}." + - id: pe-8_gdn + name: guidance + prose: Visitor access records include the names and organizations of + individuals visiting, visitor signatures, forms of identification, + dates of access, entry and departure times, purpose of visits, and + the names and organizations of individuals visited. Access record + reviews determine if access authorizations are current and are still + required to support organizational mission and business functions. + Access records are not required for publicly accessible areas. + - id: pe-8_obj + name: assessment-objective + props: + - name: label + value: PE-08 + class: sp800-53a + parts: + - id: pe-8_obj.a + name: assessment-objective + props: + - name: label + value: PE-08a. + class: sp800-53a + prose: "visitor access records for the facility where the system\ + \ resides are maintained for {{ insert: param, pe-08_odp.01 }};" + links: + - href: "#pe-8_smt.a" + rel: assessment-for + - id: pe-8_obj.b + name: assessment-objective + props: + - name: label + value: PE-08b. + class: sp800-53a + prose: "visitor access records are reviewed {{ insert: param, pe-08_odp.02\ + \ }};" + links: + - href: "#pe-8_smt.b" + rel: assessment-for + - id: pe-8_obj.c + name: assessment-objective + props: + - name: label + value: PE-08c. + class: sp800-53a + prose: "visitor access records anomalies are reported to {{ insert:\ + \ param, pe-08_odp.03 }}." + links: + - href: "#pe-8_smt.c" + rel: assessment-for + links: + - href: "#pe-8_smt" + rel: assessment-for + - id: pe-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing visitor access records + + visitor access control logs or records + + visitor access record or log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with visitor access record + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining and reviewing + visitor access records + + + mechanisms supporting and/or implementing the maintenance and + review of visitor access records + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-12 + class: SP800-53 + title: Emergency Lighting + props: + - name: label + value: PE-12 + - name: label + value: PE-12 + class: sp800-53a + - name: sort-id + value: pe-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-12_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that + covers emergency exits and evacuation routes within the facility. + - id: pe-12_gdn + name: guidance + prose: The provision of emergency lighting applies primarily to organizational + facilities that contain concentrations of system resources, including + data centers, server rooms, and mainframe computer rooms. Emergency + lighting provisions for the system are described in the contingency + plan for the organization. If emergency lighting for the system fails + or cannot be provided, organizations consider alternate processing + sites for power-related contingencies. + - id: pe-12_obj + name: assessment-objective + props: + - name: label + value: PE-12 + class: sp800-53a + parts: + - id: pe-12_obj-1 + name: assessment-objective + props: + - name: label + value: PE-12[01] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is employed for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-2 + name: assessment-objective + props: + - name: label + value: PE-12[02] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is maintained for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-3 + name: assessment-objective + props: + - name: label + value: PE-12[03] + class: sp800-53a + prose: automatic emergency lighting for the system covers emergency + exits within the facility; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-4 + name: assessment-objective + props: + - name: label + value: PE-12[04] + class: sp800-53a + prose: automatic emergency lighting for the system covers evacuation + routes within the facility. + links: + - href: "#pe-12_smt" + rel: assessment-for + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency lighting + + emergency lighting documentation + + emergency lighting test records + + emergency exits and evacuation routes + + system security plan + + other relevant documents or records + - id: pe-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency lighting and/or planning + + + organizational personnel with information security responsibilities + - id: pe-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an emergency lighting + capability + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-13 + class: SP800-53 + title: Fire Protection + props: + - name: label + value: PE-13 + - name: label + value: PE-13 + class: sp800-53a + - name: sort-id + value: pe-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#at-3" + rel: related + parts: + - id: pe-13_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - id: pe-13_gdn + name: guidance + prose: The provision of fire detection and suppression systems applies + primarily to organizational facilities that contain concentrations + of system resources, including data centers, server rooms, and mainframe + computer rooms. Fire detection and suppression systems that may require + an independent energy source include sprinkler systems and smoke detectors. + An independent energy source is an energy source, such as a microgrid, + that is separate, or can be separated, from the energy sources providing + power for the other parts of the facility. + - id: pe-13_obj + name: assessment-objective + props: + - name: label + value: PE-13 + class: sp800-53a + parts: + - id: pe-13_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13[01] + class: sp800-53a + prose: fire detection systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13[02] + class: sp800-53a + prose: employed fire detection systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13[03] + class: sp800-53a + prose: employed fire detection systems are maintained; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-4 + name: assessment-objective + props: + - name: label + value: PE-13[04] + class: sp800-53a + prose: fire suppression systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-5 + name: assessment-objective + props: + - name: label + value: PE-13[05] + class: sp800-53a + prose: employed fire suppression systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-6 + name: assessment-objective + props: + - name: label + value: PE-13[06] + class: sp800-53a + prose: employed fire suppression systems are maintained. + links: + - href: "#pe-13_smt" + rel: assessment-for + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with information security responsibilities + - id: pe-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing fire suppression/detection + devices/systems + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-14 + class: SP800-53 + title: Environmental Controls + params: + - id: pe-14_odp.01 + constraints: + - description: consistent with American Society of Heating, Refrigerating + and Air-conditioning Engineers (ASHRAE) document entitled Thermal + Guidelines for Data Processing Environments + select: + how-many: one-or-more + choice: + - temperature + - humidity + - pressure + - radiation + - " {{ insert: param, pe-14_odp.02 }} " + - id: pe-14_odp.02 + label: environmental control + guidelines: + - prose: environmental control(s) for which to maintain a specified + level in the facility where the system resides are defined (if + selected); + - id: pe-14_odp.03 + label: acceptable levels + guidelines: + - prose: acceptable levels for environmental controls are defined; + - id: pe-14_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which to monitor environmental control levels + is defined; + props: + - name: label + value: PE-14 + - name: label + value: PE-14 + class: sp800-53a + - name: sort-id + value: pe-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + parts: + - id: pe-14_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain {{ insert: param, pe-14_odp.01 }} levels within\ + \ the facility where the system resides at {{ insert: param, pe-14_odp.03\ + \ }} ; and" + - id: pe-14_smt.b + name: item + props: + - name: label + value: b. + prose: "Monitor environmental control levels {{ insert: param, pe-14_odp.04\ + \ }}." + - id: pe-14_fr + name: item + title: PE-14(a) Additional FedRAMP Requirements and Guidance + parts: + - id: pe-14_fr_smt.a + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider measures temperature at server inlets + and humidity levels by dew point. + - id: pe-14_gdn + name: guidance + prose: The provision of environmental controls applies primarily to + organizational facilities that contain concentrations of system resources + (e.g., data centers, mainframe computer rooms, and server rooms). + Insufficient environmental controls, especially in very harsh environments, + can have a significant adverse impact on the availability of systems + and system components that are needed to support organizational mission + and business functions. + - id: pe-14_obj + name: assessment-objective + props: + - name: label + value: PE-14 + class: sp800-53a + parts: + - id: pe-14_obj.a + name: assessment-objective + props: + - name: label + value: PE-14a. + class: sp800-53a + prose: " {{ insert: param, pe-14_odp.01 }} levels are maintained\ + \ at {{ insert: param, pe-14_odp.03 }} within the facility where\ + \ the system resides;" + links: + - href: "#pe-14_smt.a" + rel: assessment-for + - id: pe-14_obj.b + name: assessment-objective + props: + - name: label + value: PE-14b. + class: sp800-53a + prose: "environmental control levels are monitored {{ insert: param,\ + \ pe-14_odp.04 }}." + links: + - href: "#pe-14_smt.b" + rel: assessment-for + links: + - href: "#pe-14_smt" + rel: assessment-for + - id: pe-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing temperature and humidity control + + temperature and humidity controls + + facility housing the system + + temperature and humidity controls documentation + + temperature and humidity records + + system security plan + + other relevant documents or records + - id: pe-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-14-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the maintenance + and monitoring of temperature and humidity levels + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-15 + class: SP800-53 + title: Water Damage Protection + props: + - name: label + value: PE-15 + - name: label + value: PE-15 + class: sp800-53a + - name: sort-id + value: pe-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#at-3" + rel: related + - href: "#pe-10" + rel: related + parts: + - id: pe-15_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, + working properly, and known to key personnel. + - id: pe-15_gdn + name: guidance + prose: The provision of water damage protection primarily applies to + organizational facilities that contain concentrations of system resources, + including data centers, server rooms, and mainframe computer rooms. + Isolation valves can be employed in addition to or in lieu of master + shutoff valves to shut off water supplies in specific areas of concern + without affecting entire organizations. + - id: pe-15_obj + name: assessment-objective + props: + - name: label + value: PE-15 + class: sp800-53a + parts: + - id: pe-15_obj-1 + name: assessment-objective + props: + - name: label + value: PE-15[01] + class: sp800-53a + prose: the system is protected from damage resulting from water + leakage by providing master shutoff or isolation valves; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-2 + name: assessment-objective + props: + - name: label + value: PE-15[02] + class: sp800-53a + prose: the master shutoff or isolation valves are accessible; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-3 + name: assessment-objective + props: + - name: label + value: PE-15[03] + class: sp800-53a + prose: the master shutoff or isolation valves are working properly; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-4 + name: assessment-objective + props: + - name: label + value: PE-15[04] + class: sp800-53a + prose: the master shutoff or isolation valves are known to key personnel. + links: + - href: "#pe-15_smt" + rel: assessment-for + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing water damage protection + + + facility housing the system + + + master shutoff valves + + + list of key personnel with knowledge of location and activation + procedures for master shutoff valves for the plumbing system + + + master shutoff valve documentation + + + system security plan + + + other relevant documents or records + - id: pe-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Master water-shutoff valves + + organizational process for activating master water shutoff + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pe-16 + class: SP800-53 + title: Delivery and Removal + params: + - id: pe-16_prm_1 + label: organization-defined types of system components + constraints: + - description: all information system components + - id: pe-16_odp.01 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when entering the facility are defined; + - id: pe-16_odp.02 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when exiting the facility are defined; + props: + - name: label + value: PE-16 + - name: label + value: PE-16 + class: sp800-53a + - name: sort-id + value: pe-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-20" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: pe-16_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pe-16_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize and control {{ insert: param, pe-16_prm_1 }} entering\ + \ and exiting the facility; and" + - id: pe-16_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain records of the system components. + - id: pe-16_gdn + name: guidance + prose: Enforcing authorizations for entry and exit of system components + may require restricting access to delivery areas and isolating the + areas from the system and media libraries. + - id: pe-16_obj + name: assessment-objective + props: + - name: label + value: PE-16 + class: sp800-53a + parts: + - id: pe-16_obj.a + name: assessment-objective + props: + - name: label + value: PE-16a. + class: sp800-53a + parts: + - id: pe-16_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-16a.[01] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are authorized when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-16a.[02] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are controlled when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-16a.[03] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are authorized when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-16a.[04] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are controlled when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.b + name: assessment-objective + props: + - name: label + value: PE-16b. + class: sp800-53a + prose: records of the system components are maintained. + links: + - href: "#pe-16_smt.b" + rel: assessment-for + links: + - href: "#pe-16_smt" + rel: assessment-for + - id: pe-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing the delivery and removal of system components + from the facility + + + facility housing the system + + + records of items entering and exiting the facility + + + system security plan + + + other relevant documents or records + - id: pe-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + controlling system components entering and exiting the + facility + + + organizational personnel with information security responsibilities + - id: pe-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling system-related items entering and exiting the + facility + + + mechanisms supporting and/or implementing, authorizing, monitoring, + and controlling system-related items entering and exiting the + facility + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: Control is not inherited from a FedRAMP-authorized\ + \ PaaS or IaaS." + - id: pl + class: family + title: Planning + controls: + - id: pl-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pl-1_prm_1 + label: organization-defined personnel or roles + - id: pl-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning policy is to be disseminated + is/are defined; + - id: pl-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning procedures are to + be disseminated is/are defined; + - id: pl-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pl-01_odp.04 + label: official + guidelines: + - prose: an official to manage the planning policy and procedures + is defined; + - id: pl-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current planning policy is reviewed + and updated is defined; + - id: pl-01_odp.06 + label: events + guidelines: + - prose: events that would require the current planning policy to + be reviewed and updated are defined; + - id: pl-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current planning procedures + are reviewed and updated is defined; + - id: pl-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: PL-1 + - name: label + value: PL-01 + class: sp800-53a + - name: sort-id + value: pl-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-1_smt + name: statement + parts: + - id: pl-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pl-1_prm_1 }}:" + parts: + - id: pl-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pl-01_odp.03 }} planning policy that:" + parts: + - id: pl-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pl-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pl-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the planning + policy and the associated planning controls; + - id: pl-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pl-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures; and" + - id: pl-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current planning:" + parts: + - id: pl-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pl-01_odp.05 }} and following\ + \ {{ insert: param, pl-01_odp.06 }} ; and" + - id: pl-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pl-01_odp.07 }} and following\ + \ {{ insert: param, pl-01_odp.08 }}." + - id: pl-1_gdn + name: guidance + prose: Planning policy and procedures for the controls in the PL family + implemented within systems and organizations. The risk management + strategy is an important factor in establishing such policies and + procedures. Policies and procedures contribute to security and privacy + assurance. Therefore, it is important that security and privacy programs + collaborate on their development. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission level or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to planning policy and procedures + include, but are not limited to, assessment or audit findings, security + incidents or breaches, or changes in laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: pl-2 + class: SP800-53 + title: System Security and Privacy Plans + params: + - id: pl-02_odp.01 + label: individuals or groups + guidelines: + - prose: individuals or groups with whom security and privacy-related + activities affecting the system that require planning and coordination + is/are assigned; + - id: pl-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive distributed copies of the system + security and privacy plans is/are assigned; + - id: pl-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency to review system security and privacy plans is + defined; + props: + - name: label + value: PL-2 + - name: label + value: PL-02 + class: sp800-53a + - name: sort-id + value: pl-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-7" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: pl-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pl-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy plans for the system that:" + parts: + - id: pl-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Are consistent with the organization’s enterprise architecture; + - id: pl-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Explicitly define the constituent system components; + - id: pl-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe the operational context of the system in terms + of mission and business processes; + - id: pl-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Identify the individuals that fulfill system roles and + responsibilities; + - id: pl-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Identify the information types processed, stored, and + transmitted by the system; + - id: pl-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provide the security categorization of the system, including + supporting rationale; + - id: pl-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Describe any specific threats to the system that are + of concern to the organization; + - id: pl-2_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Provide the results of a privacy risk assessment for + systems processing personally identifiable information; + - id: pl-2_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: Describe the operational environment for the system and + any dependencies on or connections to other systems or system + components; + - id: pl-2_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: Provide an overview of the security and privacy requirements + for the system; + - id: pl-2_smt.a.11 + name: item + props: + - name: label + value: "11." + prose: Identify any relevant control baselines or overlays, + if applicable; + - id: pl-2_smt.a.12 + name: item + props: + - name: label + value: "12." + prose: Describe the controls in place or planned for meeting + the security and privacy requirements, including a rationale + for any tailoring decisions; + - id: pl-2_smt.a.13 + name: item + props: + - name: label + value: "13." + prose: Include risk determinations for security and privacy + architecture and design decisions; + - id: pl-2_smt.a.14 + name: item + props: + - name: label + value: "14." + prose: "Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with {{\ + \ insert: param, pl-02_odp.01 }} ; and" + - id: pl-2_smt.a.15 + name: item + props: + - name: label + value: "15." + prose: Are reviewed and approved by the authorizing official + or designated representative prior to plan implementation. + - id: pl-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to {{ insert: param, pl-02_odp.02 }};" + - id: pl-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the plans {{ insert: param, pl-02_odp.03 }};" + - id: pl-2_smt.d + name: item + props: + - name: label + value: d. + prose: Update the plans to address changes to the system and environment + of operation or problems identified during plan implementation + or control assessments; and + - id: pl-2_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the plans from unauthorized disclosure and modification. + - id: pl-2_gdn + name: guidance + prose: >- + System security and privacy plans are scoped to the system and + system components within the defined authorization boundary and + contain an overview of the security and privacy requirements for + the system and the controls selected to satisfy the + requirements. The plans describe the intended application of + each selected control in the context of the system with a + sufficient level of detail to correctly implement the control + and to subsequently assess the effectiveness of the control. The + control documentation describes how system-specific and hybrid + controls are implemented and the plans and expectations + regarding the functionality of the system. System security and + privacy plans can also be used in the design and development of + systems in support of life cycle-based security and privacy + engineering processes. System security and privacy plans are + living documents that are updated and adapted throughout the + system development life cycle (e.g., during capability + determination, analysis of alternatives, requests for proposal, + and design reviews). [Section + 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the + different types of requirements that are relevant to + organizations during the system development life cycle and the + relationship between requirements and controls. + + + Organizations may develop a single, integrated security and privacy + plan or maintain separate plans. Security and privacy plans relate + security and privacy requirements to a set of controls and control + enhancements. The plans describe how the controls and control enhancements + meet the security and privacy requirements but do not provide detailed, + technical descriptions of the design or implementation of the controls + and control enhancements. Security and privacy plans contain sufficient + information (including specifications of control parameter values + for selection and assignment operations explicitly or by reference) + to enable a design and implementation that is unambiguously compliant + with the intent of the plans and subsequent determinations of risk + to organizational operations and assets, individuals, other organizations, + and the Nation if the plan is implemented. + + + Security and privacy plans need not be single documents. The plans + can be a collection of various documents, including documents that + already exist. Effective security and privacy plans make extensive + use of references to policies, procedures, and additional documents, + including design and implementation specifications where more detailed + information can be obtained. The use of references helps reduce the + documentation associated with security and privacy programs and maintains + the security- and privacy-related information in other established + management and operational areas, including enterprise architecture, + system development life cycle, systems engineering, and acquisition. + Security and privacy plans need not contain detailed contingency plan + or incident response plan information but can instead provide—explicitly + or by reference—sufficient information to define what needs to be + accomplished by those plans. + + + Security- and privacy-related activities that may require coordination + and planning with other individuals or groups within the organization + include assessments, audits, inspections, hardware and software maintenance, + acquisition and supply chain risk management, patch management, and + contingency plan testing. Planning and coordination include emergency + and nonemergency (i.e., planned or non-urgent unplanned) situations. + The process defined by organizations to plan and coordinate security- + and privacy-related activities can also be included in other documents, + as appropriate. + - id: pl-2_obj + name: assessment-objective + props: + - name: label + value: PL-02 + class: sp800-53a + parts: + - id: pl-2_obj.a + name: assessment-objective + props: + - name: label + value: PL-02a. + class: sp800-53a + parts: + - id: pl-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-02a.01 + class: sp800-53a + parts: + - id: pl-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: PL-02a.01[01] + class: sp800-53a + prose: a security plan for the system is developed that + is consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: PL-02a.01[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-02a.02 + class: sp800-53a + parts: + - id: pl-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: PL-02a.02[01] + class: sp800-53a + prose: a security plan for the system is developed that + explicitly defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: PL-02a.02[02] + class: sp800-53a + prose: a privacy plan for the system is developed that explicitly + defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-02a.03 + class: sp800-53a + parts: + - id: pl-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-02a.03[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational context of the system in terms + of mission and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-02a.03[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational context of the system in terms of mission + and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-02a.04 + class: sp800-53a + parts: + - id: pl-2_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-02a.04[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the individuals that fulfill system roles and + responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-02a.04[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the individuals that fulfill system roles and responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: PL-02a.05 + class: sp800-53a + parts: + - id: pl-2_obj.a.5-1 + name: assessment-objective + props: + - name: label + value: PL-02a.05[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the information types processed, stored, and + transmitted by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.5-2 + name: assessment-objective + props: + - name: label + value: PL-02a.05[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the information types processed, stored, and transmitted + by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: PL-02a.06 + class: sp800-53a + parts: + - id: pl-2_obj.a.6-1 + name: assessment-objective + props: + - name: label + value: PL-02a.06[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the security categorization of the system, including + supporting rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.6-2 + name: assessment-objective + props: + - name: label + value: PL-02a.06[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the security categorization of the system, including supporting + rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: PL-02a.07 + class: sp800-53a + parts: + - id: pl-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: PL-02a.07[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes any specific threats to the system that are + of concern to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: PL-02a.07[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + any specific threats to the system that are of concern + to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.8 + name: assessment-objective + props: + - name: label + value: PL-02a.08 + class: sp800-53a + parts: + - id: pl-2_obj.a.8-1 + name: assessment-objective + props: + - name: label + value: PL-02a.08[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the results of a privacy risk assessment for + systems processing personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.8-2 + name: assessment-objective + props: + - name: label + value: PL-02a.08[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the results of a privacy risk assessment for systems processing + personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.9 + name: assessment-objective + props: + - name: label + value: PL-02a.09 + class: sp800-53a + parts: + - id: pl-2_obj.a.9-1 + name: assessment-objective + props: + - name: label + value: PL-02a.09[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational environment for the system and + any dependencies on or connections to other systems or + system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.9-2 + name: assessment-objective + props: + - name: label + value: PL-02a.09[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational environment for the system and any dependencies + on or connections to other systems or system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.10 + name: assessment-objective + props: + - name: label + value: PL-02a.10 + class: sp800-53a + parts: + - id: pl-2_obj.a.10-1 + name: assessment-objective + props: + - name: label + value: PL-02a.10[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides an overview of the security requirements for + the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.10-2 + name: assessment-objective + props: + - name: label + value: PL-02a.10[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + an overview of the privacy requirements for the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.11 + name: assessment-objective + props: + - name: label + value: PL-02a.11 + class: sp800-53a + parts: + - id: pl-2_obj.a.11-1 + name: assessment-objective + props: + - name: label + value: PL-02a.11[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies any relevant control baselines or overlays, + if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.11-2 + name: assessment-objective + props: + - name: label + value: PL-02a.11[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + any relevant control baselines or overlays, if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.12 + name: assessment-objective + props: + - name: label + value: PL-02a.12 + class: sp800-53a + parts: + - id: pl-2_obj.a.12-1 + name: assessment-objective + props: + - name: label + value: PL-02a.12[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the controls in place or planned for meeting + the security requirements, including rationale for any + tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.12-2 + name: assessment-objective + props: + - name: label + value: PL-02a.12[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the controls in place or planned for meeting the privacy + requirements, including rationale for any tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.13 + name: assessment-objective + props: + - name: label + value: PL-02a.13 + class: sp800-53a + parts: + - id: pl-2_obj.a.13-1 + name: assessment-objective + props: + - name: label + value: PL-02a.13[01] + class: sp800-53a + prose: a security plan for the system is developed that + includes risk determinations for security architecture + and design decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.13-2 + name: assessment-objective + props: + - name: label + value: PL-02a.13[02] + class: sp800-53a + prose: a privacy plan for the system is developed that includes + risk determinations for privacy architecture and design + decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.14 + name: assessment-objective + props: + - name: label + value: PL-02a.14 + class: sp800-53a + parts: + - id: pl-2_obj.a.14-1 + name: assessment-objective + props: + - name: label + value: PL-02a.14[01] + class: sp800-53a + prose: "a security plan for the system is developed that\ + \ includes security-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.14-2 + name: assessment-objective + props: + - name: label + value: PL-02a.14[02] + class: sp800-53a + prose: "a privacy plan for the system is developed that\ + \ includes privacy-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.15 + name: assessment-objective + props: + - name: label + value: PL-02a.15 + class: sp800-53a + parts: + - id: pl-2_obj.a.15-1 + name: assessment-objective + props: + - name: label + value: PL-02a.15[01] + class: sp800-53a + prose: a security plan for the system is developed that + is reviewed and approved by the authorizing official or + designated representative prior to plan implementation; + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + - id: pl-2_obj.a.15-2 + name: assessment-objective + props: + - name: label + value: PL-02a.15[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + reviewed and approved by the authorizing official or designated + representative prior to plan implementation. + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a" + rel: assessment-for + - id: pl-2_obj.b + name: assessment-objective + props: + - name: label + value: PL-02b. + class: sp800-53a + parts: + - id: pl-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: PL-02b.[01] + class: sp800-53a + prose: "copies of the plans are distributed to {{ insert: param,\ + \ pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: PL-02b.[02] + class: sp800-53a + prose: "subsequent changes to the plans are communicated to\ + \ {{ insert: param, pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.c + name: assessment-objective + props: + - name: label + value: PL-02c. + class: sp800-53a + prose: "plans are reviewed {{ insert: param, pl-02_odp.03 }};" + links: + - href: "#pl-2_smt.c" + rel: assessment-for + - id: pl-2_obj.d + name: assessment-objective + props: + - name: label + value: PL-02d. + class: sp800-53a + parts: + - id: pl-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: PL-02d.[01] + class: sp800-53a + prose: plans are updated to address changes to the system and + environment of operations; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: PL-02d.[02] + class: sp800-53a + prose: plans are updated to address problems identified during + the plan implementation; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-3 + name: assessment-objective + props: + - name: label + value: PL-02d.[03] + class: sp800-53a + prose: plans are updated to address problems identified during + control assessments; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.e + name: assessment-objective + props: + - name: label + value: PL-02e. + class: sp800-53a + parts: + - id: pl-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: PL-02e.[01] + class: sp800-53a + prose: plans are protected from unauthorized disclosure; + links: + - href: "#pl-2_smt.e" + rel: assessment-for + - id: pl-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: PL-02e.[02] + class: sp800-53a + prose: plans are protected from unauthorized modification. + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt" + rel: assessment-for + - id: pl-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing security and privacy plan reviews and updates + + + enterprise architecture documentation + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + security and privacy architecture and design documentation + + + risk assessments + + + risk assessment results + + + control assessment documentation + + + other relevant documents or records + - id: pl-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system security and privacy + planning and plan implementation responsibilities + + + system developers + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system security and privacy + plan development, review, update, and approval + + + mechanisms supporting the system security and privacy plan + - id: pl-4 + class: SP800-53 + title: Rules of Behavior + params: + - id: pl-04_odp.01 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: frequency for reviewing and updating the rules of behavior + is defined; + - id: pl-04_odp.02 + constraints: + - description: at least annually and when the rules are revised or + changed + select: + how-many: one-or-more + choice: + - " {{ insert: param, pl-04_odp.03 }} " + - when the rules are revised or updated + - id: pl-04_odp.03 + label: frequency + guidelines: + - prose: frequency for individuals to read and re-acknowledge the + rules of behavior is defined (if selected); + props: + - name: label + value: PL-4 + - name: label + value: PL-04 + class: sp800-53a + - name: sort-id + value: pl-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-9" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-4_smt + name: statement + parts: + - id: pl-4_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and provide to individuals requiring access to + the system, the rules that describe their responsibilities and + expected behavior for information and system usage, security, + and privacy; + - id: pl-4_smt.b + name: item + props: + - name: label + value: b. + prose: Receive a documented acknowledgment from such individuals, + indicating that they have read, understand, and agree to abide + by the rules of behavior, before authorizing access to information + and the system; + - id: pl-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the rules of behavior {{ insert: param,\ + \ pl-04_odp.01 }} ; and" + - id: pl-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Require individuals who have acknowledged a previous version\ + \ of the rules of behavior to read and re-acknowledge {{ insert:\ + \ param, pl-04_odp.02 }}." + - id: pl-4_gdn + name: guidance + prose: Rules of behavior represent a type of access agreement for organizational + users. Other types of access agreements include nondisclosure agreements, + conflict-of-interest agreements, and acceptable use agreements (see + [PS-6](#ps-6) ). Organizations consider rules of behavior based on + individual user roles and responsibilities and differentiate between + rules that apply to privileged users and rules that apply to general + users. Establishing rules of behavior for some types of non-organizational + users, including individuals who receive information from federal + systems, is often not feasible given the large number of such users + and the limited nature of their interactions with the systems. Rules + of behavior for organizational and non-organizational users can also + be established in [AC-8](#ac-8) . The related controls section provides + a list of controls that are relevant to organizational rules of behavior. + [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the + control, may be satisfied by the literacy training and awareness and + role-based training programs conducted by organizations if such training + includes rules of behavior. Documented acknowledgements for rules + of behavior include electronic or physical signatures and electronic + agreement check boxes or radio buttons. + controls: + - id: pl-4.1 + class: SP800-53-enhancement + title: Social Media and External Site/Application Usage Restrictions + props: + - name: label + value: PL-4(1) + - name: label + value: PL-04(01) + class: sp800-53a + - name: sort-id + value: pl-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#pl-4" + rel: required + - href: "#ac-22" + rel: related + - href: "#au-13" + rel: related + parts: + - id: pl-4.1_smt + name: statement + prose: "Include in the rules of behavior, restrictions on:" + parts: + - id: pl-4.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Use of social media, social networking sites, and external + sites/applications; + - id: pl-4.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Posting organizational information on public websites; + and + - id: pl-4.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Use of organization-provided identifiers (e.g., email + addresses) and authentication secrets (e.g., passwords) for + creating accounts on external sites/applications. + - id: pl-4.1_gdn + name: guidance + prose: Social media, social networking, and external site/application + usage restrictions address rules of behavior related to the use + of social media, social networking, and external sites when organizational + personnel are using such sites for official duties or in the conduct + of official business, when organizational information is involved + in social media and social networking transactions, and when personnel + access social media and networking sites from organizational systems. + Organizations also address specific rules that prevent unauthorized + entities from obtaining non-public organizational information + from social media and networking sites either directly or through + inference. Non-public information includes personally identifiable + information and system account information. + - id: pl-8 + class: SP800-53 + title: Security and Privacy Architectures + params: + - id: pl-08_odp + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: frequency for review and update to reflect changes in the + enterprise architecture; + props: + - name: label + value: PL-8 + - name: label + value: PL-08 + class: sp800-53a + - name: sort-id + value: pl-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: pl-8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: pl-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy architectures for the system\ + \ that:" + parts: + - id: pl-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Describe the requirements and approach to be taken for + protecting the confidentiality, integrity, and availability + of organizational information; + - id: pl-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describe the requirements and approach to be taken for + processing personally identifiable information to minimize + privacy risk to individuals; + - id: pl-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe how the architectures are integrated into and + support the enterprise architecture; and + - id: pl-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Describe any assumptions about, and dependencies on, + external systems and services; + - id: pl-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the architectures {{ insert: param, pl-08_odp\ + \ }} to reflect changes in the enterprise architecture; and" + - id: pl-8_smt.c + name: item + props: + - name: label + value: c. + prose: Reflect planned architecture changes in security and privacy + plans, Concept of Operations (CONOPS), criticality analysis, organizational + procedures, and procurements and acquisitions. + - id: pl-8_gdn + name: guidance + prose: >- + The security and privacy architectures at the system level are + consistent with the organization-wide security and privacy + architectures described in [PM-7](#pm-7) , which are integral to + and developed as part of the enterprise architecture. The + architectures include an architectural description, the + allocation of security and privacy functionality (including + controls), security- and privacy-related information for + external interfaces, information being exchanged across the + interfaces, and the protection mechanisms associated with each + interface. The architectures can also include other information, + such as user roles and the access privileges assigned to each + role; security and privacy requirements; types of information + processed, stored, and transmitted by the system; supply chain + risk management requirements; restoration priorities of + information and system services; and other protection needs. + + [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance + on the use of security architectures as part of the system development + life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) + requires the use of the systems security engineering concepts described + in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high + value assets. Security and privacy architectures are reviewed and + updated throughout the system development life cycle, from analysis + of alternatives through review of the proposed architecture in the + RFP responses to the design reviews before and during implementation + (e.g., during preliminary design reviews and critical design reviews). + + In today’s modern computing architectures, it is becoming less common + for organizations to control all information resources. There may + be key dependencies on external information services and service providers. + Describing such dependencies in the security and privacy architectures + is necessary for developing a comprehensive mission and business protection + strategy. Establishing, developing, documenting, and maintaining under + configuration control a baseline configuration for organizational + systems is critical to implementing and maintaining effective architectures. + The development of the architectures is coordinated with the senior + agency information security officer and the senior agency official + for privacy to ensure that the controls needed to support security + and privacy requirements are identified and effectively implemented. + In many circumstances, there may be no distinction between the security + and privacy architecture for a system. In other circumstances, security + objectives may be adequately satisfied, but privacy objectives may + only be partially satisfied by the security requirements. In these + cases, consideration of the privacy requirements needed to achieve + satisfaction will result in a distinct privacy architecture. The documentation, + however, may simply reflect the combined architectures. + + [PL-8](#pl-8) is primarily directed at organizations to ensure that + architectures are developed for the system and, moreover, that the + architectures are integrated with or tightly coupled to the enterprise + architecture. In contrast, [SA-17](#sa-17) is primarily directed at + the external information technology product and system developers + and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) + , is selected when organizations outsource the development of systems + or components to external entities and when there is a need to demonstrate + consistency with the organization’s enterprise architecture and security + and privacy architectures. + - id: pl-8_obj + name: assessment-objective + props: + - name: label + value: PL-08 + class: sp800-53a + parts: + - id: pl-8_obj.a + name: assessment-objective + props: + - name: label + value: PL-08a. + class: sp800-53a + parts: + - id: pl-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-08a.01 + class: sp800-53a + prose: a security architecture for the system describes the + requirements and approach to be taken for protecting the confidentiality, + integrity, and availability of organizational information; + links: + - href: "#pl-8_smt.a.1" + rel: assessment-for + - id: pl-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-08a.02 + class: sp800-53a + prose: a privacy architecture describes the requirements and + approach to be taken for processing personally identifiable + information to minimize privacy risk to individuals; + links: + - href: "#pl-8_smt.a.2" + rel: assessment-for + - id: pl-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-08a.03 + class: sp800-53a + parts: + - id: pl-8_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-08a.03[01] + class: sp800-53a + prose: a security architecture for the system describes + how the architecture is integrated into and supports the + enterprise architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-08a.03[02] + class: sp800-53a + prose: a privacy architecture for the system describes how + the architecture is integrated into and supports the enterprise + architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-08a.04 + class: sp800-53a + parts: + - id: pl-8_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-08a.04[01] + class: sp800-53a + prose: a security architecture for the system describes + any assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + - id: pl-8_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-08a.04[02] + class: sp800-53a + prose: a privacy architecture for the system describes any + assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a" + rel: assessment-for + - id: pl-8_obj.b + name: assessment-objective + props: + - name: label + value: PL-08b. + class: sp800-53a + prose: "changes in the enterprise architecture are reviewed and\ + \ updated {{ insert: param, pl-08_odp }} to reflect changes in\ + \ the enterprise architecture;" + links: + - href: "#pl-8_smt.b" + rel: assessment-for + - id: pl-8_obj.c + name: assessment-objective + props: + - name: label + value: PL-08c. + class: sp800-53a + parts: + - id: pl-8_obj.c-1 + name: assessment-objective + props: + - name: label + value: PL-08c.[01] + class: sp800-53a + prose: planned architecture changes are reflected in the security + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-2 + name: assessment-objective + props: + - name: label + value: PL-08c.[02] + class: sp800-53a + prose: planned architecture changes are reflected in the privacy + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-3 + name: assessment-objective + props: + - name: label + value: PL-08c.[03] + class: sp800-53a + prose: planned architecture changes are reflected in the Concept + of Operations (CONOPS); + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-4 + name: assessment-objective + props: + - name: label + value: PL-08c.[04] + class: sp800-53a + prose: planned architecture changes are reflected in criticality + analysis; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-5 + name: assessment-objective + props: + - name: label + value: PL-08c.[05] + class: sp800-53a + prose: planned architecture changes are reflected in organizational + procedures; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-6 + name: assessment-objective + props: + - name: label + value: PL-08c.[06] + class: sp800-53a + prose: planned architecture changes are reflected in procurements + and acquisitions. + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt" + rel: assessment-for + - id: pl-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing information security and privacy architecture + development + + + procedures addressing information security and privacy architecture + reviews and updates + + + enterprise architecture documentation + + + information security and privacy architecture documentation + + + system security plan + + + privacy plan + + + security and privacy CONOPS for the system + + + records of information security and privacy architecture reviews + and updates + + + other relevant documents or records + - id: pl-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing, reviewing, and + updating the information security and privacy architecture + + + mechanisms supporting and/or implementing the development, review, + and update of the information security and privacy architecture + - id: pl-10 + class: SP800-53 + title: Baseline Selection + props: + - name: label + value: PL-10 + - name: label + value: PL-10 + class: sp800-53a + - name: sort-id + value: pl-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-2" + rel: related + - href: "#pl-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-10_smt + name: statement + prose: Select a control baseline for the system. + - id: pl-10_gdn + name: guidance + prose: Control baselines are predefined sets of controls specifically + assembled to address the protection needs of a group, organization, + or community of interest. Controls are chosen for baselines to either + satisfy mandates imposed by laws, executive orders, directives, regulations, + policies, standards, and guidelines or address threats common to all + users of the baseline under the assumptions specific to the baseline. + Baselines represent a starting point for the protection of individuals’ + privacy, information, and information systems with subsequent tailoring + actions to manage risk in accordance with mission, business, or other + constraints (see [PL-11](#pl-11) ). Federal control baselines are + provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . + The selection of a control baseline is determined by the needs of + stakeholders. Stakeholder needs consider mission and business requirements + as well as mandates imposed by applicable laws, executive orders, + directives, policies, regulations, standards, and guidelines. For + example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) + and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, + along with the NIST standards and guidelines implementing the legislation, + direct organizations to select one of the control baselines after + the reviewing the information types and the information that is processed, + stored, and transmitted on the system; analyzing the potential adverse + impact of the loss or compromise of the information or system on the + organization’s operations and assets, individuals, other organizations, + or the Nation; and considering the results from system and organizational + risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) + provides guidance on control baselines for national security systems. + - id: pl-11 + class: SP800-53 + title: Baseline Tailoring + props: + - name: label + value: PL-11 + - name: label + value: PL-11 + class: sp800-53a + - name: sort-id + value: pl-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-10" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-11_smt + name: statement + prose: Tailor the selected control baseline by applying specified tailoring + actions. + - id: pl-11_gdn + name: guidance + prose: The concept of tailoring allows organizations to specialize or + customize a set of baseline controls by applying a defined set of + tailoring actions. Tailoring actions facilitate such specialization + and customization by allowing organizations to develop security and + privacy plans that reflect their specific mission and business functions, + the environments where their systems operate, the threats and vulnerabilities + that can affect their systems, and any other conditions or situations + that can impact their mission or business success. Tailoring guidance + is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + . Tailoring a control baseline is accomplished by identifying and + designating common controls, applying scoping considerations, selecting + compensating controls, assigning values to control parameters, supplementing + the control baseline with additional controls as needed, and providing + information for control implementation. The general tailoring actions + in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented + with additional actions based on the needs of organizations. Tailoring + actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), + [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) + . Alternatively, other communities of interest adopting different + control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + to specialize or customize the controls that represent the specific + needs and concerns of those entities. + - id: ps + class: family + title: Personnel Security + controls: + - id: ps-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ps-1_prm_1 + label: organization-defined personnel or roles + - id: ps-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security policy + is to be disseminated is/are defined; + - id: ps-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security procedures + are to be disseminated is/are defined; + - id: ps-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ps-01_odp.04 + label: official + guidelines: + - prose: an official to manage the personnel security policy and procedures + is defined; + - id: ps-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current personnel security policy + is reviewed and updated is defined; + - id: ps-01_odp.06 + label: events + guidelines: + - prose: events that would require the current personnel security + policy to be reviewed and updated are defined; + - id: ps-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current personnel security procedures + are reviewed and updated is defined; + - id: ps-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the personnel security procedures + to be reviewed and updated are defined; + props: + - name: label + value: PS-1 + - name: label + value: PS-01 + class: sp800-53a + - name: sort-id + value: ps-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-1_smt + name: statement + parts: + - id: ps-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ps-1_prm_1 }}:" + parts: + - id: ps-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ps-01_odp.03 }} personnel security\ + \ policy that:" + parts: + - id: ps-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ps-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ps-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the personnel + security policy and the associated personnel security controls; + - id: ps-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ps-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures; and" + - id: ps-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current personnel security:" + parts: + - id: ps-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ps-01_odp.05 }} and following\ + \ {{ insert: param, ps-01_odp.06 }} ; and" + - id: ps-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ps-01_odp.07 }} and following\ + \ {{ insert: param, ps-01_odp.08 }}." + - id: ps-1_gdn + name: guidance + prose: Personnel security policy and procedures for the controls in + the PS family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on their development. Security and + privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission level + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies reflecting the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission/business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + personnel security policy and procedures include, but are not limited + to, assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: ps-2 + class: SP800-53 + title: Position Risk Designation + params: + - id: ps-02_odp + label: frequency + constraints: + - description: at least every three years + guidelines: + - prose: the frequency at which to review and update position risk + designations is defined; + props: + - name: label + value: PS-2 + - name: label + value: PS-02 + class: sp800-53a + - name: sort-id + value: ps-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: FED + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#a5ef5e56-5c1a-4911-b419-37dddc1b3581" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-5" + rel: related + - href: "#at-3" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-2_smt + name: statement + parts: + - id: ps-2_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a risk designation to all organizational positions; + - id: ps-2_smt.b + name: item + props: + - name: label + value: b. + prose: Establish screening criteria for individuals filling those + positions; and + - id: ps-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update position risk designations {{ insert:\ + \ param, ps-02_odp }}." + - id: ps-2_gdn + name: guidance + prose: Position risk designations reflect Office of Personnel Management + (OPM) policy and guidance. Proper position designation is the foundation + of an effective and consistent suitability and personnel security + program. The Position Designation System (PDS) assesses the duties + and responsibilities of a position to determine the degree of potential + damage to the efficiency or integrity of the service due to misconduct + of an incumbent of a position and establishes the risk level of that + position. The PDS assessment also determines if the duties and responsibilities + of the position present the potential for position incumbents to bring + about a material adverse effect on national security and the degree + of that potential effect, which establishes the sensitivity level + of a position. The results of the assessment determine what level + of investigation is conducted for a position. Risk designations can + guide and inform the types of authorizations that individuals receive + when accessing organizational information and information systems. + Position screening criteria include explicit information security + role appointment requirements. Parts 1400 and 731 of Title 5, Code + of Federal Regulations, establish the requirements for organizations + to evaluate relevant covered positions for a position sensitivity + and position risk designation commensurate with the duties and responsibilities + of those positions. + - id: ps-3 + class: SP800-53 + title: Personnel Screening + params: + - id: ps-3_prm_1 + label: organization-defined conditions requiring rescreening and, where + rescreening is so indicated, the frequency of rescreening + constraints: + - description: >- + for national security clearances; a reinvestigation is + required during the fifth (5th) year for top secret security + clearance, the tenth (10th) year for secret security + clearance, and fifteenth (15th) year for confidential + security clearance. + + + For moderate risk law enforcement and high impact public trust + level, a reinvestigation is required during the fifth (5th) year. + There is no reinvestigation for other moderate risk positions + or any low risk positions + - id: ps-03_odp.01 + label: conditions requiring rescreening + guidelines: + - prose: conditions requiring rescreening of individuals are defined; + - id: ps-03_odp.02 + label: frequency + guidelines: + - prose: the frequency of rescreening individuals where it is so indicated + is defined; + props: + - name: label + value: PS-3 + - name: label + value: PS-03 + class: sp800-53a + - name: sort-id + value: ps-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#55b0c93a-5e48-457a-baa6-5ce81c239c49" + rel: reference + - href: "#0af071a6-cf8e-48ee-8c82-fe91efa20f94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ps-3_smt.a + name: item + props: + - name: label + value: a. + prose: Screen individuals prior to authorizing access to the system; + and + - id: ps-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Rescreen individuals in accordance with {{ insert: param,\ + \ ps-3_prm_1 }}." + - id: ps-3_gdn + name: guidance + prose: Personnel screening and rescreening activities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + guidelines, and specific criteria established for the risk designations + of assigned positions. Examples of personnel screening include background + investigations and agency checks. Organizations may define different + rescreening conditions and frequencies for personnel accessing systems + based on types of information processed, stored, or transmitted by + the systems. + - id: ps-3_obj + name: assessment-objective + props: + - name: label + value: PS-03 + class: sp800-53a + parts: + - id: ps-3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03a. + class: sp800-53a + prose: individuals are screened prior to authorizing access to the + system; + links: + - href: "#ps-3_smt.a" + rel: assessment-for + - id: ps-3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03b. + class: sp800-53a + parts: + - id: ps-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: PS-03b.[01] + class: sp800-53a + prose: "individuals are rescreened in accordance with {{ insert:\ + \ param, ps-03_odp.01 }};" + links: + - href: "#ps-3_smt.b" + rel: assessment-for + - id: ps-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: PS-03b.[02] + class: sp800-53a + prose: "where rescreening is so indicated, individuals are rescreened\ + \ {{ insert: param, ps-03_odp.02 }}." + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt" + rel: assessment-for + - id: ps-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel screening + + records of screened personnel + + system security plan + + other relevant documents or records + - id: ps-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for personnel screening + - id: ps-4 + class: SP800-53 + title: Personnel Termination + params: + - id: ps-04_odp.01 + label: time period + constraints: + - description: four (4) hours + guidelines: + - prose: a time period within which to disable system access is defined; + - id: ps-04_odp.02 + label: information security topics + guidelines: + - prose: information security topics to be discussed when conducting + exit interviews are defined; + props: + - name: label + value: PS-4 + - name: label + value: PS-04 + class: sp800-53a + - name: sort-id + value: ps-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-4_smt + name: statement + prose: "Upon termination of individual employment:" + parts: + - id: ps-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Disable system access within {{ insert: param, ps-04_odp.01\ + \ }};" + - id: ps-4_smt.b + name: item + props: + - name: label + value: b. + prose: Terminate or revoke any authenticators and credentials associated + with the individual; + - id: ps-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct exit interviews that include a discussion of {{\ + \ insert: param, ps-04_odp.02 }};" + - id: ps-4_smt.d + name: item + props: + - name: label + value: d. + prose: Retrieve all security-related organizational system-related + property; and + - id: ps-4_smt.e + name: item + props: + - name: label + value: e. + prose: Retain access to organizational information and systems formerly + controlled by terminated individual. + - id: ps-4_gdn + name: guidance + prose: System property includes hardware authentication tokens, system + administration technical manuals, keys, identification cards, and + building passes. Exit interviews ensure that terminated individuals + understand the security constraints imposed by being former employees + and that proper accountability is achieved for system-related property. + Security topics at exit interviews include reminding individuals of + nondisclosure agreements and potential limitations on future employment. + Exit interviews may not always be possible for some individuals, including + in cases related to the unavailability of supervisors, illnesses, + or job abandonment. Exit interviews are important for individuals + with security clearances. The timely execution of termination actions + is essential for individuals who have been terminated for cause. In + certain situations, organizations consider disabling the system accounts + of individuals who are being terminated prior to the individuals being + notified. + - id: ps-5 + class: SP800-53 + title: Personnel Transfer + params: + - id: ps-05_odp.01 + label: transfer or reassignment actions + guidelines: + - prose: transfer or reassignment actions to be initiated following + transfer or reassignment are defined; + - id: ps-05_odp.02 + label: time period following the formal transfer action + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: the time period within which transfer or reassignment actions + must occur following transfer or reassignment is defined; + - id: ps-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified when individuals are reassigned + or transferred to other positions within the organization is/are + defined; + - id: ps-05_odp.04 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify organization-defined personnel + or roles when individuals are reassigned or transferred to other + positions within the organization is defined; + props: + - name: label + value: PS-5 + - name: label + value: PS-05 + class: sp800-53a + - name: sort-id + value: ps-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-5_smt + name: statement + parts: + - id: ps-5_smt.a + name: item + props: + - name: label + value: a. + prose: Review and confirm ongoing operational need for current logical + and physical access authorizations to systems and facilities when + individuals are reassigned or transferred to other positions within + the organization; + - id: ps-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert:\ + \ param, ps-05_odp.02 }};" + - id: ps-5_smt.c + name: item + props: + - name: label + value: c. + prose: Modify access authorization as needed to correspond with + any changes in operational need due to reassignment or transfer; + and + - id: ps-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert:\ + \ param, ps-05_odp.04 }}." + - id: ps-5_gdn + name: guidance + prose: Personnel transfer applies when reassignments or transfers of + individuals are permanent or of such extended duration as to make + the actions warranted. Organizations define actions appropriate for + the types of reassignments or transfers, whether permanent or extended. + Actions that may be required for personnel transfers or reassignments + to other positions within organizations include returning old and + issuing new keys, identification cards, and building passes; closing + system accounts and establishing new accounts; changing system access + authorizations (i.e., privileges); and providing for access to official + records to which individuals had access at previous work locations + and in previous system accounts. + - id: ps-6 + class: SP800-53 + title: Access Agreements + params: + - id: ps-06_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update access agreements + is defined; + - id: ps-06_odp.02 + label: frequency + constraints: + - description: at least annually and any time there is a change to + the user's level of access + guidelines: + - prose: the frequency at which to re-sign access agreements to maintain + access to organizational information is defined; + props: + - name: label + value: PS-6 + - name: label + value: PS-06 + class: sp800-53a + - name: sort-id + value: ps-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-17" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-6_smt + name: statement + parts: + - id: ps-6_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and document access agreements for organizational + systems; + - id: ps-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the access agreements {{ insert: param,\ + \ ps-06_odp.01 }} ; and" + - id: ps-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Verify that individuals requiring access to organizational\ + \ information and systems:" + parts: + - id: ps-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Sign appropriate access agreements prior to being granted + access; and + - id: ps-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Re-sign access agreements to maintain access to organizational\ + \ systems when access agreements have been updated or {{ insert:\ + \ param, ps-06_odp.02 }}." + - id: ps-6_gdn + name: guidance + prose: Access agreements include nondisclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements. + Signed access agreements include an acknowledgement that individuals + have read, understand, and agree to abide by the constraints associated + with organizational systems to which access is authorized. Organizations + can use electronic signatures to acknowledge access agreements unless + specifically prohibited by organizational policy. + - id: ps-7 + class: SP800-53 + title: External Personnel Security + params: + - id: ps-07_odp.01 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system and/or facilities, as appropriate + guidelines: + - prose: personnel or roles to be notified of any personnel transfers + or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is/are + defined; + - id: ps-07_odp.02 + label: time period + constraints: + - description: within twenty-four (24) hours + guidelines: + - prose: time period within which third-party providers are required + to notify organization-defined personnel or roles of any personnel + transfers or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is defined; + props: + - name: label + value: PS-7 + - name: label + value: PS-07 + class: sp800-53a + - name: sort-id + value: ps-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-7_smt + name: statement + parts: + - id: ps-7_smt.a + name: item + props: + - name: label + value: a. + prose: Establish personnel security requirements, including security + roles and responsibilities for external providers; + - id: ps-7_smt.b + name: item + props: + - name: label + value: b. + prose: Require external providers to comply with personnel security + policies and procedures established by the organization; + - id: ps-7_smt.c + name: item + props: + - name: label + value: c. + prose: Document personnel security requirements; + - id: ps-7_smt.d + name: item + props: + - name: label + value: d. + prose: "Require external providers to notify {{ insert: param, ps-07_odp.01\ + \ }} of any personnel transfers or terminations of external personnel\ + \ who possess organizational credentials and/or badges, or who\ + \ have system privileges within {{ insert: param, ps-07_odp.02\ + \ }} ; and" + - id: ps-7_smt.e + name: item + props: + - name: label + value: e. + prose: Monitor provider compliance with personnel security requirements. + - id: ps-7_gdn + name: guidance + prose: External provider refers to organizations other than the organization + operating or acquiring the system. External providers include service + bureaus, contractors, and other organizations that provide system + development, information technology services, testing or assessment + services, outsourced applications, and network/security management. + Organizations explicitly include personnel security requirements in + acquisition-related documents. External providers may have personnel + working at organizational facilities with credentials, badges, or + system privileges issued by organizations. Notifications of external + personnel changes ensure the appropriate termination of privileges + and credentials. Organizations define the transfers and terminations + deemed reportable by security-related characteristics that include + functions, roles, and the nature of credentials or privileges associated + with transferred or terminated individuals. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: Attestation - Specifically stating that any third-party security + personnel are treated as CSP employees. + - id: ps-8 + class: SP800-53 + title: Personnel Sanctions + params: + - id: ps-08_odp.01 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to be notified when a formal employee + sanctions process is initiated is/are defined; + - id: ps-08_odp.02 + label: time period + guidelines: + - prose: the time period within which organization-defined personnel + or roles must be notified when a formal employee sanctions process + is initiated is defined; + props: + - name: label + value: PS-8 + - name: label + value: PS-08 + class: sp800-53a + - name: sort-id + value: ps-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-1" + rel: related + parts: + - id: ps-8_smt + name: statement + parts: + - id: ps-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ a formal sanctions process for individuals failing + to comply with established information security and privacy policies + and procedures; and + - id: ps-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert:\ + \ param, ps-08_odp.02 }} when a formal employee sanctions process\ + \ is initiated, identifying the individual sanctioned and the\ + \ reason for the sanction." + - id: ps-8_gdn + name: guidance + prose: Organizational sanctions reflect applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Sanctions + processes are described in access agreements and can be included as + part of general personnel policies for organizations and/or specified + in security and privacy policies. Organizations consult with the Office + of the General Counsel regarding matters of employee sanctions. + - id: ps-9 + class: SP800-53 + title: Position Descriptions + props: + - name: label + value: PS-9 + - name: label + value: PS-09 + class: sp800-53a + - name: sort-id + value: ps-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + parts: + - id: ps-9_smt + name: statement + prose: Incorporate security and privacy roles and responsibilities into + organizational position descriptions. + - id: ps-9_gdn + name: guidance + prose: Specification of security and privacy roles in individual organizational + position descriptions facilitates clarity in understanding the security + or privacy responsibilities associated with the roles and the role-based + security and privacy training requirements for the roles. + - id: ra + class: family + title: Risk Assessment + controls: + - id: ra-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ra-1_prm_1 + label: organization-defined personnel or roles + - id: ra-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment policy is + to be disseminated is/are defined; + - id: ra-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment procedures + are to be disseminated is/are defined; + - id: ra-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ra-01_odp.04 + label: official + guidelines: + - prose: an official to manage the risk assessment policy and procedures + is defined; + - id: ra-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current risk assessment policy + is reviewed and updated is defined; + - id: ra-01_odp.06 + label: events + guidelines: + - prose: events that would require the current risk assessment policy + to be reviewed and updated are defined; + - id: ra-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current risk assessment procedures + are reviewed and updated is defined; + - id: ra-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require risk assessment procedures to be + reviewed and updated are defined; + props: + - name: label + value: RA-1 + - name: label + value: RA-01 + class: sp800-53a + - name: sort-id + value: ra-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-1_smt + name: statement + parts: + - id: ra-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ra-1_prm_1 }}:" + parts: + - id: ra-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ra-01_odp.03 }} risk assessment policy\ + \ that:" + parts: + - id: ra-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ra-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ra-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the risk + assessment policy and the associated risk assessment controls; + - id: ra-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ra-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures; and" + - id: ra-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current risk assessment:" + parts: + - id: ra-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ra-01_odp.05 }} and following\ + \ {{ insert: param, ra-01_odp.06 }} ; and" + - id: ra-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ra-01_odp.07 }} and following\ + \ {{ insert: param, ra-01_odp.08 }}." + - id: ra-1_gdn + name: guidance + prose: Risk assessment policy and procedures address the controls in + the RA family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of risk assessment + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to risk assessment policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ra-2 + class: SP800-53 + title: Security Categorization + props: + - name: label + value: RA-2 + - name: label + value: RA-02 + class: sp800-53a + - name: sort-id + value: ra-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#cm-8" + rel: related + - href: "#mp-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ra-2_smt.a + name: item + props: + - name: label + value: a. + prose: Categorize the system and information it processes, stores, + and transmits; + - id: ra-2_smt.b + name: item + props: + - name: label + value: b. + prose: Document the security categorization results, including supporting + rationale, in the security plan for the system; and + - id: ra-2_smt.c + name: item + props: + - name: label + value: c. + prose: Verify that the authorizing official or authorizing official + designated representative reviews and approves the security categorization + decision. + - id: ra-2_gdn + name: guidance + prose: >- + Security categories describe the potential adverse impacts or + negative consequences to organizational operations, + organizational assets, and individuals if organizational + information and systems are compromised through a loss of + confidentiality, integrity, or availability. Security + categorization is also a type of asset loss characterization in + systems security engineering processes that is carried out + throughout the system development life cycle. Organizations can + use privacy risk assessments or privacy impact assessments to + better understand the potential adverse effects on individuals. + [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides + additional guidance on categorization for national security + systems. + + + Organizations conduct the security categorization process as an organization-wide + activity with the direct involvement of chief information officers, + senior agency information security officers, senior agency officials + for privacy, system owners, mission and business owners, and information + owners or stewards. Organizations consider the potential adverse impacts + to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) + and Homeland Security Presidential Directives, potential national-level + adverse impacts. + + + Security categorization processes facilitate the development of inventories + of information assets and, along with [CM-8](#cm-8) , mappings to + specific system components where information is processed, stored, + or transmitted. The security categorization process is revisited throughout + the system development life cycle to ensure that the security categories + remain accurate and relevant. + - id: ra-3 + class: SP800-53 + title: Risk Assessment + params: + - id: ra-03_odp.01 + constraints: + - description: security assessment report + select: + choice: + - security and privacy plans + - risk assessment report + - " {{ insert: param, ra-03_odp.02 }} " + - id: ra-03_odp.02 + label: document + guidelines: + - prose: a document in which risk assessment results are to be documented + (if not documented in the security and privacy plans or risk assessment + report) is defined (if selected); + - id: ra-03_odp.03 + label: frequency + constraints: + - description: at least every three (3) years and when a significant + change occurs + guidelines: + - prose: the frequency to review risk assessment results is defined; + - id: ra-03_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom risk assessment results are to + be disseminated is/are defined; + - id: ra-03_odp.05 + label: frequency + constraints: + - description: at least every three (3) years + guidelines: + - prose: the frequency to update the risk assessment is defined; + props: + - name: label + value: RA-3 + - name: label + value: RA-03 + class: sp800-53a + - name: sort-id + value: ra-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-3" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-8" + rel: related + - href: "#pe-18" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-28" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ra-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct a risk assessment, including:" + parts: + - id: ra-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifying threats to and vulnerabilities in the system; + - id: ra-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Determining the likelihood and magnitude of harm from + unauthorized access, use, disclosure, disruption, modification, + or destruction of the system, the information it processes, + stores, or transmits, and any related information; and + - id: ra-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Determining the likelihood and impact of adverse effects + on individuals arising from the processing of personally identifiable + information; + - id: ra-3_smt.b + name: item + props: + - name: label + value: b. + prose: Integrate risk assessment results and risk management decisions + from the organization and mission or business process perspectives + with system-level risk assessments; + - id: ra-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document risk assessment results in {{ insert: param, ra-03_odp.01\ + \ }};" + - id: ra-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Review risk assessment results {{ insert: param, ra-03_odp.03\ + \ }};" + - id: ra-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Disseminate risk assessment results to {{ insert: param,\ + \ ra-03_odp.04 }} ; and" + - id: ra-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Update the risk assessment {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + - id: ra-3_gdn + name: guidance + prose: >- + Risk assessments consider threats, vulnerabilities, likelihood, + and impact to organizational operations and assets, individuals, + other organizations, and the Nation. Risk assessments also + consider risk from external parties, including contractors who + operate systems on behalf of the organization, individuals who + access organizational systems, service providers, and + outsourcing entities. + + + Organizations can conduct risk assessments at all three levels in + the risk management hierarchy (i.e., organization level, mission/business + process level, or information system level) and at any stage in the + system development life cycle. Risk assessments can also be conducted + at various steps in the Risk Management Framework, including preparation, + categorization, control selection, control implementation, control + assessment, authorization, and control monitoring. Risk assessment + is an ongoing activity carried out throughout the system development + life cycle. + + + Risk assessments can also address information related to the system, + including system design, the intended use of the system, testing results, + and supply chain-related information or artifacts. Risk assessments + can play an important role in control selection processes, particularly + during the application of tailoring guidance and in the earliest phases + of capability determination. + - id: ra-3_obj + name: assessment-objective + props: + - name: label + value: RA-03 + class: sp800-53a + parts: + - id: ra-3_obj.a + name: assessment-objective + props: + - name: label + value: RA-03a. + class: sp800-53a + parts: + - id: ra-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-03a.01 + class: sp800-53a + prose: a risk assessment is conducted to identify threats to + and vulnerabilities in the system; + links: + - href: "#ra-3_smt.a.1" + rel: assessment-for + - id: ra-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: RA-03a.02 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and magnitude of harm from unauthorized access, use, disclosure, + disruption, modification, or destruction of the system; the + information it processes, stores, or transmits; and any related + information; + links: + - href: "#ra-3_smt.a.2" + rel: assessment-for + - id: ra-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: RA-03a.03 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and impact of adverse effects on individuals arising from + the processing of personally identifiable information; + links: + - href: "#ra-3_smt.a.3" + rel: assessment-for + links: + - href: "#ra-3_smt.a" + rel: assessment-for + - id: ra-3_obj.b + name: assessment-objective + props: + - name: label + value: RA-03b. + class: sp800-53a + prose: risk assessment results and risk management decisions from + the organization and mission or business process perspectives + are integrated with system-level risk assessments; + links: + - href: "#ra-3_smt.b" + rel: assessment-for + - id: ra-3_obj.c + name: assessment-objective + props: + - name: label + value: RA-03c. + class: sp800-53a + prose: "risk assessment results are documented in {{ insert: param,\ + \ ra-03_odp.01 }};" + links: + - href: "#ra-3_smt.c" + rel: assessment-for + - id: ra-3_obj.d + name: assessment-objective + props: + - name: label + value: RA-03d. + class: sp800-53a + prose: "risk assessment results are reviewed {{ insert: param, ra-03_odp.03\ + \ }};" + links: + - href: "#ra-3_smt.d" + rel: assessment-for + - id: ra-3_obj.e + name: assessment-objective + props: + - name: label + value: RA-03e. + class: sp800-53a + prose: "risk assessment results are disseminated to {{ insert: param,\ + \ ra-03_odp.04 }};" + links: + - href: "#ra-3_smt.e" + rel: assessment-for + - id: ra-3_obj.f + name: assessment-objective + props: + - name: label + value: RA-03f. + class: sp800-53a + prose: "the risk assessment is updated {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + links: + - href: "#ra-3_smt.f" + rel: assessment-for + links: + - href: "#ra-3_smt" + rel: assessment-for + - id: ra-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + risk assessment procedures + + security and privacy planning policy and procedures + + procedures addressing organizational assessments of risk + + risk assessment + + risk assessment results + + risk assessment reviews + + risk assessment updates + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the risk assessment + controls: + - id: ra-3.1 + class: SP800-53-enhancement + title: Supply Chain Risk Assessment + params: + - id: ra-03.01_odp.01 + label: systems, system components, and system services + guidelines: + - prose: systems, system components, and system services to assess + supply chain risks are defined; + - id: ra-03.01_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to update the supply chain risk + assessment is defined; + props: + - name: label + value: RA-3(1) + - name: label + value: RA-03(01) + class: sp800-53a + - name: sort-id + value: ra-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ra-3" + rel: required + - href: "#ra-2" + rel: related + - href: "#ra-9" + rel: related + - href: "#pm-17" + rel: related + - href: "#pm-30" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-3.1_smt + name: statement + parts: + - id: ra-3.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Assess supply chain risks associated with {{ insert:\ + \ param, ra-03.01_odp.01 }} ; and" + - id: ra-3.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Update the supply chain risk assessment {{ insert: param,\ + \ ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + - id: ra-3.1_gdn + name: guidance + prose: Supply chain-related events include disruption, use of defective + components, insertion of counterfeits, theft, malicious development + practices, improper delivery practices, and insertion of malicious + code. These events can have a significant impact on the confidentiality, + integrity, or availability of a system and its information and, + therefore, can also adversely impact organizational operations + (including mission, functions, image, or reputation), organizational + assets, individuals, other organizations, and the Nation. The + supply chain-related events may be unintentional or malicious + and can occur at any point during the system life cycle. An analysis + of supply chain risk can help an organization identify systems + or components for which additional supply chain risk mitigations + are required. + - id: ra-5 + class: SP800-53 + title: Vulnerability Monitoring and Scanning + params: + - id: ra-5_prm_1 + label: organization-defined frequency and/or randomly in accordance + with organization-defined process + constraints: + - description: monthly operating system/infrastructure; monthly web + applications (including APIs) and databases + - id: ra-05_odp.01 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for monitoring systems and hosted applications + for vulnerabilities is defined; + - id: ra-05_odp.02 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for scanning systems and hosted applications for + vulnerabilities is defined; + - id: ra-05_odp.03 + label: response times + constraints: + - description: high-risk vulnerabilities mitigated within thirty (30) + days from date of discovery; moderate-risk vulnerabilities mitigated + within ninety (90) days from date of discovery; low risk vulnerabilities + mitigated within one hundred and eighty (180) days from date of + discovery + guidelines: + - prose: response times to remediate legitimate vulnerabilities in + accordance with an organizational assessment of risk are defined; + - id: ra-05_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles with whom information obtained from the + vulnerability scanning process and control assessments is to be + shared; + props: + - name: label + value: RA-5 + - name: label + value: RA-05 + class: sp800-53a + - name: sort-id + value: ra-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#8df72805-2e5c-4731-a73e-81db0f0318d0" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-8" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ra-5_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: ra-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor and scan for vulnerabilities in the system and hosted\ + \ applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + - id: ra-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ vulnerability monitoring tools and techniques that\ + \ facilitate interoperability among tools and automate parts of\ + \ the vulnerability management process by using standards for:" + parts: + - id: ra-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Enumerating platforms, software flaws, and improper configurations; + - id: ra-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Formatting checklists and test procedures; and + - id: ra-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Measuring vulnerability impact; + - id: ra-5_smt.c + name: item + props: + - name: label + value: c. + prose: Analyze vulnerability scan reports and results from vulnerability + monitoring; + - id: ra-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03\ + \ }} in accordance with an organizational assessment of risk;" + - id: ra-5_smt.e + name: item + props: + - name: label + value: e. + prose: "Share information obtained from the vulnerability monitoring\ + \ process and control assessments with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;\ + \ and" + - id: ra-5_smt.f + name: item + props: + - name: label + value: f. + prose: Employ vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned. + - id: ra-5_gdn + name: guidance + prose: >- + Security categorization of information and systems guides the + frequency and comprehensiveness of vulnerability monitoring + (including scans). Organizations determine the required + vulnerability monitoring for system components, ensuring that + the potential sources of vulnerabilities—such as infrastructure + components (e.g., switches, routers, guards, sensors), networked + printers, scanners, and copiers—are not overlooked. The + capability to readily update vulnerability monitoring tools as + new vulnerabilities are discovered and announced and as new + scanning methods are developed helps to ensure that new + vulnerabilities are not missed by employed vulnerability + monitoring tools. The vulnerability monitoring tool update + process helps to ensure that potential vulnerabilities in the + system are identified and addressed as quickly as possible. + Vulnerability monitoring and analyses for custom software may + require additional approaches, such as static analysis, dynamic + analysis, binary analysis, or a hybrid of the three approaches. + Organizations can use these analysis approaches in source code + reviews and in a variety of tools, including web-based + application scanners, static analysis tools, and binary + analyzers. + + + Vulnerability monitoring includes scanning for patch levels; scanning + for functions, ports, protocols, and services that should not be accessible + to users or devices; and scanning for flow control mechanisms that + are improperly configured or operating incorrectly. Vulnerability + monitoring may also include continuous vulnerability monitoring tools + that use instrumentation to continuously analyze components. Instrumentation-based + tools may improve accuracy and may be run throughout an organization + without scanning. Vulnerability monitoring tools that facilitate interoperability + include tools that are Security Content Automated Protocol (SCAP)-validated. + Thus, organizations consider using scanning tools that express vulnerabilities + in the Common Vulnerabilities and Exposures (CVE) naming convention + and that employ the Open Vulnerability Assessment Language (OVAL) + to determine the presence of vulnerabilities. Sources for vulnerability + information include the Common Weakness Enumeration (CWE) listing + and the National Vulnerability Database (NVD). Control assessments, + such as red team exercises, provide additional sources of potential + vulnerabilities for which to scan. Organizations also consider using + scanning tools that express vulnerability impact by the Common Vulnerability + Scoring System (CVSS). + + + Vulnerability monitoring includes a channel and process for receiving + reports of security vulnerabilities from the public at-large. Vulnerability + disclosure programs can be as simple as publishing a monitored email + address or web form that can receive reports, including notification + authorizing good-faith research and disclosure of security vulnerabilities. + Organizations generally expect that such research is happening with + or without their authorization and can use public vulnerability disclosure + channels to increase the likelihood that discovered vulnerabilities + are reported directly to the organization for remediation. + + + Organizations may also employ the use of financial incentives (also + known as "bug bounties" ) to further encourage external security researchers + to report discovered vulnerabilities. Bug bounty programs can be tailored + to the organization’s needs. Bounties can be operated indefinitely + or over a defined period of time and can be offered to the general + public or to a curated group. Organizations may run public and private + bounties simultaneously and could choose to offer partially credentialed + access to certain participants in order to evaluate security vulnerabilities + from privileged vantage points. + - id: ra-5_obj + name: assessment-objective + props: + - name: label + value: RA-05 + class: sp800-53a + parts: + - id: ra-5_obj.a + name: assessment-objective + props: + - name: label + value: RA-05a. + class: sp800-53a + parts: + - id: ra-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-05a.[01] + class: sp800-53a + prose: "systems and hosted applications are monitored for vulnerabilities\ + \ {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-05a.[02] + class: sp800-53a + prose: "systems and hosted applications are scanned for vulnerabilities\ + \ {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.b + name: assessment-objective + props: + - name: label + value: RA-05b. + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools; + parts: + - id: ra-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: RA-05b.01 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to automate parts of the vulnerability management process + by using standards for enumerating platforms, software flaws, + and improper configurations; + links: + - href: "#ra-5_smt.b.1" + rel: assessment-for + - id: ra-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: RA-05b.02 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for formatting checklists and test procedures; + links: + - href: "#ra-5_smt.b.2" + rel: assessment-for + - id: ra-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: RA-05b.03 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for measuring vulnerability impact; + links: + - href: "#ra-5_smt.b.3" + rel: assessment-for + links: + - href: "#ra-5_smt.b" + rel: assessment-for + - id: ra-5_obj.c + name: assessment-objective + props: + - name: label + value: RA-05c. + class: sp800-53a + prose: vulnerability scan reports and results from vulnerability + monitoring are analyzed; + links: + - href: "#ra-5_smt.c" + rel: assessment-for + - id: ra-5_obj.d + name: assessment-objective + props: + - name: label + value: RA-05d. + class: sp800-53a + prose: "legitimate vulnerabilities are remediated {{ insert: param,\ + \ ra-05_odp.03 }} in accordance with an organizational assessment\ + \ of risk;" + links: + - href: "#ra-5_smt.d" + rel: assessment-for + - id: ra-5_obj.e + name: assessment-objective + props: + - name: label + value: RA-05e. + class: sp800-53a + prose: "information obtained from the vulnerability monitoring process\ + \ and control assessments is shared with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;" + links: + - href: "#ra-5_smt.e" + rel: assessment-for + - id: ra-5_obj.f + name: assessment-objective + props: + - name: label + value: RA-05f. + class: sp800-53a + prose: vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned are employed. + links: + - href: "#ra-5_smt.f" + rel: assessment-for + links: + - href: "#ra-5_smt" + rel: assessment-for + - id: ra-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + assessment report + + + vulnerability scanning tools and associated configuration documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment, control + assessment, and vulnerability scanning responsibilities + + + organizational personnel with vulnerability scan analysis responsibilities + + + organizational personnel with vulnerability remediation responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning, + analysis, remediation, and information sharing + + + mechanisms supporting and/or implementing vulnerability scanning, + analysis, remediation, and information sharing + controls: + - id: ra-5.2 + class: SP800-53-enhancement + title: Update Vulnerabilities to Be Scanned + params: + - id: ra-05.02_odp.01 + constraints: + - description: prior to a new scan + select: + how-many: one-or-more + choice: + - " {{ insert: param, ra-05.02_odp.02 }} " + - prior to a new scan + - when new vulnerabilities are identified and reported + - id: ra-05.02_odp.02 + label: frequency + guidelines: + - prose: the frequency for updating the system vulnerabilities + to be scanned is defined (if selected); + props: + - name: label + value: RA-5(2) + - name: label + value: RA-05(02) + class: sp800-53a + - name: sort-id + value: ra-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ra-5" + rel: required + - href: "#si-5" + rel: related + parts: + - id: ra-5.2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Update the system vulnerabilities to be scanned {{ insert:\ + \ param, ra-05.02_odp.01 }}." + - id: ra-5.2_gdn + name: guidance + prose: Due to the complexity of modern software, systems, and other + factors, new vulnerabilities are discovered on a regular basis. + It is important that newly discovered vulnerabilities are added + to the list of vulnerabilities to be scanned to ensure that the + organization can take steps to mitigate those vulnerabilities + in a timely manner. + - id: ra-5.2_obj + name: assessment-objective + props: + - name: label + value: RA-05(02) + class: sp800-53a + prose: "the system vulnerabilities to be scanned are updated {{\ + \ insert: param, ra-05.02_odp.01 }}." + links: + - href: "#ra-5.2_smt" + rel: assessment-for + - id: ra-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.11 + class: SP800-53-enhancement + title: Public Disclosure Program + props: + - name: label + value: RA-5(11) + - name: label + value: RA-05(11) + class: sp800-53a + - name: sort-id + value: ra-05.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.11_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Establish a public reporting channel for receiving reports + of vulnerabilities in organizational systems and system components. + - id: ra-5.11_gdn + name: guidance + prose: The reporting channel is publicly discoverable and contains + clear language authorizing good-faith research and the disclosure + of vulnerabilities to the organization. The organization does + not condition its authorization on an expectation of indefinite + non-disclosure to the public by the reporting entity but may request + a specific time period to properly remediate the vulnerability. + - id: ra-5.11_obj + name: assessment-objective + props: + - name: label + value: RA-05(11) + class: sp800-53a + prose: a public reporting channel is established for receiving reports + of vulnerabilities in organizational systems and system components. + links: + - href: "#ra-5.11_smt" + rel: assessment-for + - id: ra-5.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + vulnerability scanning tools and techniques documentation + + + vulnerability scanning results + + + vulnerability management records + + + audit records + + + public reporting channel + + + system security plan + + + other relevant documents or records + - id: ra-5.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms implementing the public reporting of vulnerabilities + - id: ra-7 + class: SP800-53 + title: Risk Response + props: + - name: label + value: RA-7 + - name: label + value: RA-07 + class: sp800-53a + - name: sort-id + value: ra-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-5" + rel: related + - href: "#ir-9" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-28" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-7_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - id: ra-7_gdn + name: guidance + prose: Organizations have many options for responding to risk including + mitigating risk by implementing new controls or strengthening existing + controls, accepting risk with appropriate justification or rationale, + sharing or transferring risk, or avoiding risk. The risk tolerance + of the organization influences risk response decisions and actions. + Risk response addresses the need to determine an appropriate response + to risk before generating a plan of action and milestones entry. For + example, the response may be to accept risk or reject risk, or it + may be possible to mitigate the risk immediately so that a plan of + action and milestones entry is not needed. However, if the risk response + is to mitigate the risk, and the mitigation cannot be completed immediately, + a plan of action and milestones entry is generated. + - id: ra-7_obj + name: assessment-objective + props: + - name: label + value: RA-07 + class: sp800-53a + parts: + - id: ra-7_obj-1 + name: assessment-objective + props: + - name: label + value: RA-07[01] + class: sp800-53a + prose: findings from security assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-2 + name: assessment-objective + props: + - name: label + value: RA-07[02] + class: sp800-53a + prose: findings from privacy assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-3 + name: assessment-objective + props: + - name: label + value: RA-07[03] + class: sp800-53a + prose: findings from monitoring are responded to in accordance with + organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-4 + name: assessment-objective + props: + - name: label + value: RA-07[04] + class: sp800-53a + prose: findings from audits are responded to in accordance with + organizational risk tolerance. + links: + - href: "#ra-7_smt" + rel: assessment-for + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + assessment reports + + audit records/event logs + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + system/network administrators + + + organizational personnel with security and privacy responsibilities + - id: ra-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: sa + class: family + title: System and Services Acquisition + controls: + - id: sa-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sa-1_prm_1 + label: organization-defined personnel or roles + - id: sa-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + policy is to be disseminated is/are defined; + - id: sa-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + procedures are to be disseminated is/are defined; + - id: sa-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sa-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and services acquisition + policy and procedures is defined; + - id: sa-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and services acquisition + policy is reviewed and updated is defined; + - id: sa-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and services + acquisition policy to be reviewed and updated are defined; + - id: sa-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and services acquisition + procedures are reviewed and updated is defined; + - id: sa-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and services acquisition + procedures to be reviewed and updated are defined; + props: + - name: label + value: SA-1 + - name: label + value: SA-01 + class: sp800-53a + - name: sort-id + value: sa-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sa-1_smt + name: statement + parts: + - id: sa-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sa-1_prm_1 }}:" + parts: + - id: sa-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sa-01_odp.03 }} system and services\ + \ acquisition policy that:" + parts: + - id: sa-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sa-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sa-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and services acquisition policy and the associated system + and services acquisition controls; + - id: sa-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sa-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures; and" + - id: sa-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and services acquisition:" + parts: + - id: sa-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sa-01_odp.05 }} and following\ + \ {{ insert: param, sa-01_odp.06 }} ; and" + - id: sa-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sa-01_odp.07 }} and following\ + \ {{ insert: param, sa-01_odp.08 }}." + - id: sa-1_gdn + name: guidance + prose: System and services acquisition policy and procedures address + the controls in the SA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and services acquisition policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and services acquisition policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in laws, + executive orders, directives, regulations, policies, standards, and + guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sa-2 + class: SP800-53 + title: Allocation of Resources + props: + - name: label + value: SA-2 + - name: label + value: SA-02 + class: sp800-53a + - name: sort-id + value: sa-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pl-7" + rel: related + - href: "#pm-3" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-9" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-2_smt + name: statement + parts: + - id: sa-2_smt.a + name: item + props: + - name: label + value: a. + prose: Determine the high-level information security and privacy + requirements for the system or system service in mission and business + process planning; + - id: sa-2_smt.b + name: item + props: + - name: label + value: b. + prose: Determine, document, and allocate the resources required + to protect the system or system service as part of the organizational + capital planning and investment control process; and + - id: sa-2_smt.c + name: item + props: + - name: label + value: c. + prose: Establish a discrete line item for information security and + privacy in organizational programming and budgeting documentation. + - id: sa-2_gdn + name: guidance + prose: Resource allocation for information security and privacy includes + funding for system and services acquisition, sustainment, and supply + chain-related risks throughout the system development life cycle. + - id: sa-3 + class: SP800-53 + title: System Development Life Cycle + params: + - id: sa-03_odp + label: system-development life cycle + guidelines: + - prose: system development life cycle is defined; + props: + - name: label + value: SA-3 + - name: label + value: SA-03 + class: sp800-53a + - name: sort-id + value: sa-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#at-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-3_smt + name: statement + parts: + - id: sa-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Acquire, develop, and manage the system using {{ insert:\ + \ param, sa-03_odp }} that incorporates information security and\ + \ privacy considerations;" + - id: sa-3_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document information security and privacy roles + and responsibilities throughout the system development life cycle; + - id: sa-3_smt.c + name: item + props: + - name: label + value: c. + prose: Identify individuals having information security and privacy + roles and responsibilities; and + - id: sa-3_smt.d + name: item + props: + - name: label + value: d. + prose: Integrate the organizational information security and privacy + risk management process into system development life cycle activities. + - id: sa-3_gdn + name: guidance + prose: >- + A system development life cycle process provides the foundation + for the successful development, implementation, and operation of + organizational systems. The integration of security and privacy + considerations early in the system development life cycle is a + foundational principle of systems security engineering and + privacy engineering. To apply the required controls within the + system development life cycle requires a basic understanding of + information security and privacy, threats, vulnerabilities, + adverse impacts, and risk to critical mission and business + functions. The security engineering principles in [SA-8](#sa-8) + help individuals properly design, code, and test systems and + system components. Organizations include qualified personnel + (e.g., senior agency information security officers, senior + agency officials for privacy, security and privacy architects, + and security and privacy engineers) in system development life + cycle processes to ensure that established security and privacy + requirements are incorporated into organizational systems. + Role-based security and privacy training programs can ensure + that individuals with key security and privacy roles and + responsibilities have the experience, skills, and expertise to + conduct assigned system development life cycle activities. + + + The effective integration of security and privacy requirements into + enterprise architecture also helps to ensure that important security + and privacy considerations are addressed throughout the system life + cycle and that those considerations are directly related to organizational + mission and business processes. This process also facilitates the + integration of the information security and privacy architectures + into the enterprise architecture, consistent with the risk management + strategy of the organization. Because the system development life + cycle involves multiple organizations, (e.g., external suppliers, + developers, integrators, service providers), acquisition and supply + chain risk management functions and controls play significant roles + in the effective management of the system during the life cycle. + - id: sa-4 + class: SP800-53 + title: Acquisition Process + params: + - id: sa-04_odp.01 + select: + how-many: one-or-more + choice: + - standardized contract language + - " {{ insert: param, sa-04_odp.02 }} " + - id: sa-04_odp.02 + label: contract language + guidelines: + - prose: contract language is defined (if selected); + props: + - name: label + value: SA-4 + - name: label + value: SA-04 + class: sp800-53a + - name: sort-id + value: sa-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73" + rel: reference + - href: "#87087451-2af5-43d4-88c1-d66ad850f614" + rel: reference + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#06ce9216-bd54-4054-a422-94f358b50a5d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#795aff72-3e6c-4b6b-a80a-b14d84b7f544" + rel: reference + - href: "#3d575737-98cb-459d-b41c-d7e82b73ad78" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-21" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-4_smt + name: statement + prose: "Include the following requirements, descriptions, and criteria,\ + \ explicitly or by reference, using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service:" + parts: + - id: sa-4_smt.a + name: item + props: + - name: label + value: a. + prose: Security and privacy functional requirements; + - id: sa-4_smt.b + name: item + props: + - name: label + value: b. + prose: Strength of mechanism requirements; + - id: sa-4_smt.c + name: item + props: + - name: label + value: c. + prose: Security and privacy assurance requirements; + - id: sa-4_smt.d + name: item + props: + - name: label + value: d. + prose: Controls needed to satisfy the security and privacy requirements. + - id: sa-4_smt.e + name: item + props: + - name: label + value: e. + prose: Security and privacy documentation requirements; + - id: sa-4_smt.f + name: item + props: + - name: label + value: f. + prose: Requirements for protecting security and privacy documentation; + - id: sa-4_smt.g + name: item + props: + - name: label + value: g. + prose: Description of the system development environment and environment + in which the system is intended to operate; + - id: sa-4_smt.h + name: item + props: + - name: label + value: h. + prose: Allocation of responsibility or identification of parties + responsible for information security, privacy, and supply chain + risk management; and + - id: sa-4_smt.i + name: item + props: + - name: label + value: i. + prose: Acceptance criteria. + - id: sa-4_gdn + name: guidance + prose: >- + Security and privacy functional requirements are typically + derived from the high-level security and privacy requirements + described in [SA-2](#sa-2) . The derived requirements include + security and privacy capabilities, functions, and mechanisms. + Strength requirements associated with such capabilities, + functions, and mechanisms include degree of correctness, + completeness, resistance to tampering or bypass, and resistance + to direct attack. Assurance requirements include development + processes, procedures, and methodologies as well as the evidence + from development and assessment activities that provide grounds + for confidence that the required functionality is implemented + and possesses the required strength of mechanism. [SP + 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the + process of requirements engineering as part of the system + development life cycle. + + + Controls can be viewed as descriptions of the safeguards and protection + capabilities appropriate for achieving the particular security and + privacy objectives of the organization and for reflecting the security + and privacy requirements of stakeholders. Controls are selected and + implemented in order to satisfy system requirements and include developer + and organizational responsibilities. Controls can include technical, + administrative, and physical aspects. In some cases, the selection + and implementation of a control may necessitate additional specification + by the organization in the form of derived requirements or instantiated + control parameter values. The derived requirements and control parameter + values may be necessary to provide the appropriate level of implementation + detail for controls within the system development life cycle. + + + Security and privacy documentation requirements address all stages + of the system development life cycle. Documentation provides user + and administrator guidance for the implementation and operation of + controls. The level of detail required in such documentation is based + on the security categorization or classification level of the system + and the degree to which organizations depend on the capabilities, + functions, or mechanisms to meet risk response expectations. Requirements + can include mandated configuration settings that specify allowed functions, + ports, protocols, and services. Acceptance criteria for systems, system + components, and system services are defined in the same manner as + the criteria for any organizational acquisition or procurement. + controls: + - id: sa-4.10 + class: SP800-53-enhancement + title: Use of Approved PIV Products + props: + - name: label + value: SA-4(10) + - name: label + value: SA-04(10) + class: sp800-53a + - name: sort-id + value: sa-04.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sa-4" + rel: required + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#pm-9" + rel: related + parts: + - id: sa-4.10_smt + name: statement + prose: Employ only information technology products on the FIPS 201-approved + products list for Personal Identity Verification (PIV) capability + implemented within organizational systems. + - id: sa-4.10_gdn + name: guidance + prose: Products on the FIPS 201-approved products list meet NIST + requirements for Personal Identity Verification (PIV) of Federal + Employees and Contractors. PIV cards are used for multi-factor + authentication in systems and organizations. + - id: sa-5 + class: SP800-53 + title: System Documentation + params: + - id: sa-05_odp.01 + label: actions + guidelines: + - prose: actions to take when system, system component, or system + service documentation is either unavailable or nonexistent are + defined; + - id: sa-05_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles to distribute system documentation to + is/are defined; + props: + - name: label + value: SA-5 + - name: label + value: SA-05 + class: sp800-53a + - name: sort-id + value: sa-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: sa-5_smt + name: statement + parts: + - id: sa-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Obtain or develop administrator documentation for the system,\ + \ system component, or system service that describes:" + parts: + - id: sa-5_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Secure configuration, installation, and operation of + the system, component, or service; + - id: sa-5_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Effective use and maintenance of security and privacy + functions and mechanisms; and + - id: sa-5_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Known vulnerabilities regarding configuration and use + of administrative or privileged functions; + - id: sa-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Obtain or develop user documentation for the system, system\ + \ component, or system service that describes:" + parts: + - id: sa-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: User-accessible security and privacy functions and mechanisms + and how to effectively use those functions and mechanisms; + - id: sa-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Methods for user interaction, which enables individuals + to use the system, component, or service in a more secure + manner and protect individual privacy; and + - id: sa-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: User responsibilities in maintaining the security of + the system, component, or service and privacy of individuals; + - id: sa-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Document attempts to obtain system, system component, or\ + \ system service documentation when such documentation is either\ + \ unavailable or nonexistent and take {{ insert: param, sa-05_odp.01\ + \ }} in response; and" + - id: sa-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Distribute documentation to {{ insert: param, sa-05_odp.02\ + \ }}." + - id: sa-5_gdn + name: guidance + prose: System documentation helps personnel understand the implementation + and operation of controls. Organizations consider establishing specific + measures to determine the quality and completeness of the content + provided. System documentation may be used to support the management + of supply chain risk, incident response, and other functions. Personnel + or roles that require documentation include system owners, system + security officers, and system administrators. Attempts to obtain documentation + include contacting manufacturers or suppliers and conducting web-based + searches. The inability to obtain documentation may occur due to the + age of the system or component or the lack of support from developers + and contractors. When documentation cannot be obtained, organizations + may need to recreate the documentation if it is essential to the implementation + or operation of the controls. The protection provided for the documentation + is commensurate with the security category or classification of the + system. Documentation that addresses system vulnerabilities may require + an increased level of protection. Secure operation of the system includes + initially starting the system and resuming secure system operation + after a lapse in system operation. + - id: sa-8 + class: SP800-53 + title: Security and Privacy Engineering Principles + params: + - id: sa-8_prm_1 + label: organization-defined systems security and privacy engineering + principles + - id: sa-08_odp.01 + label: systems security engineering principles + guidelines: + - prose: systems security engineering principles are defined; + - id: sa-08_odp.02 + label: privacy engineering principles + guidelines: + - prose: privacy engineering principles are defined; + props: + - name: label + value: SA-8 + - name: label + value: SA-08 + class: sp800-53a + - name: sort-id + value: sa-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-8_smt + name: statement + prose: "Apply the following systems security and privacy engineering\ + \ principles in the specification, design, development, implementation,\ + \ and modification of the system and system components: {{ insert:\ + \ param, sa-8_prm_1 }}." + - id: sa-8_gdn + name: guidance + prose: >- + Systems security and privacy engineering principles are closely + related to and implemented throughout the system development + life cycle (see [SA-3](#sa-3) ). Organizations can apply systems + security and privacy engineering principles to new systems under + development or to systems undergoing upgrades. For existing + systems, organizations apply systems security and privacy + engineering principles to system upgrades and modifications to + the extent feasible, given the current state of hardware, + software, and firmware components within those systems. + + + The application of systems security and privacy engineering principles + helps organizations develop trustworthy, secure, and resilient systems + and reduces the susceptibility to disruptions, hazards, threats, and + the creation of privacy problems for individuals. Examples of system + security engineering principles include: developing layered protections; + establishing security and privacy policies, architecture, and controls + as the foundation for design and development; incorporating security + and privacy requirements into the system development life cycle; delineating + physical and logical security boundaries; ensuring that developers + are trained on how to build secure software; tailoring controls to + meet organizational needs; and performing threat modeling to identify + use cases, threat agents, attack vectors and patterns, design patterns, + and compensating controls needed to mitigate risk. + + + Organizations that apply systems security and privacy engineering + concepts and principles can facilitate the development of trustworthy, + secure systems, system components, and system services; reduce risk + to acceptable levels; and make informed risk management decisions. + System security engineering principles can also be used to protect + against certain supply chain risks, including incorporating tamper-resistant + hardware into a design. + - id: sa-9 + class: SP800-53 + title: External System Services + params: + - id: sa-09_odp.01 + label: controls + constraints: + - description: Appropriate FedRAMP Security Controls Baseline (s) + if Federal information is processed or stored within the external + system + guidelines: + - prose: controls to be employed by external system service providers + are defined; + - id: sa-09_odp.02 + label: processes, methods, and techniques + constraints: + - description: Federal/FedRAMP Continuous Monitoring requirements + must be met for external systems where Federal information is + processed or stored + guidelines: + - prose: processes, methods, and techniques employed to monitor control + compliance by external service providers are defined; + props: + - name: label + value: SA-9 + - name: label + value: SA-09 + class: sp800-53a + - name: sort-id + value: sa-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-9_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: sa-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Require that providers of external system services comply\ + \ with organizational security and privacy requirements and employ\ + \ the following controls: {{ insert: param, sa-09_odp.01 }};" + - id: sa-9_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document organizational oversight and user roles + and responsibilities with regard to external system services; + and + - id: sa-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Employ the following processes, methods, and techniques\ + \ to monitor control compliance by external service providers\ + \ on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + - id: sa-9_gdn + name: guidance + prose: External system services are provided by an external provider, + and the organization has no direct control over the implementation + of the required controls or the assessment of control effectiveness. + Organizations establish relationships with external service providers + in a variety of ways, including through business partnerships, contracts, + interagency agreements, lines of business arrangements, licensing + agreements, joint ventures, and supply chain exchanges. The responsibility + for managing risks from the use of external system services remains + with authorizing officials. For services external to organizations, + a chain of trust requires that organizations establish and retain + a certain level of confidence that each provider in the consumer-provider + relationship provides adequate protection for the services rendered. + The extent and nature of this chain of trust vary based on relationships + between organizations and the external providers. Organizations document + the basis for the trust relationships so that the relationships can + be monitored. External system services documentation includes government, + service providers, end user security roles and responsibilities, and + service-level agreements. Service-level agreements define the expectations + of performance for implemented controls, describe measurable outcomes, + and identify remedies and response requirements for identified instances + of noncompliance. + - id: sa-9_obj + name: assessment-objective + props: + - name: label + value: SA-09 + class: sp800-53a + parts: + - id: sa-9_obj.a + name: assessment-objective + props: + - name: label + value: SA-09a. + class: sp800-53a + parts: + - id: sa-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-09a.[01] + class: sp800-53a + prose: providers of external system services comply with organizational + security requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-09a.[02] + class: sp800-53a + prose: providers of external system services comply with organizational + privacy requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-09a.[03] + class: sp800-53a + prose: "providers of external system services employ {{ insert:\ + \ param, sa-09_odp.01 }};" + links: + - href: "#sa-9_smt.a" + rel: assessment-for + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.b + name: assessment-objective + props: + - name: label + value: SA-09b. + class: sp800-53a + parts: + - id: sa-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-09b.[01] + class: sp800-53a + prose: organizational oversight with regard to external system + services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-09b.[02] + class: sp800-53a + prose: user roles and responsibilities with regard to external + system services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.c + name: assessment-objective + props: + - name: label + value: SA-09c. + class: sp800-53a + prose: " {{ insert: param, sa-09_odp.02 }} are employed to monitor\ + \ control compliance by external service providers on an ongoing\ + \ basis." + links: + - href: "#sa-9_smt.c" + rel: assessment-for + links: + - href: "#sa-9_smt" + rel: assessment-for + - id: sa-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing methods and techniques for monitoring control + compliance by external service providers of system services + + + acquisition documentation + + + contracts + + + service level agreements + + + interagency agreements + + + licensing agreements + + + list of organizational security and privacy requirements for external + provider services + + + control assessment results or reports from external providers + of system services + + + system security plan + + + privacy plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + external providers of system services + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring security and privacy + control compliance by external service providers on an + ongoing basis + + + mechanisms for monitoring security and privacy control compliance + by external service providers on an ongoing basis + - id: sa-22 + class: SP800-53 + title: Unsupported System Components + params: + - id: sa-22_odp.01 + select: + how-many: one-or-more + choice: + - in-house support + - " {{ insert: param, sa-22_odp.02 }} " + - id: sa-22_odp.02 + label: support from external providers + guidelines: + - prose: support from external providers is defined (if selected); + props: + - name: label + value: SA-22 + - name: label + value: SA-22 + class: sp800-53a + - name: sort-id + value: sa-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#pl-2" + rel: related + - href: "#sa-3" + rel: related + parts: + - id: sa-22_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: sa-22_smt.a + name: item + props: + - name: label + value: a. + prose: Replace system components when support for the components + is no longer available from the developer, vendor, or manufacturer; + or + - id: sa-22_smt.b + name: item + props: + - name: label + value: b. + prose: "Provide the following options for alternative sources for\ + \ continued support for unsupported components {{ insert: param,\ + \ sa-22_odp.01 }}." + - id: sa-22_gdn + name: guidance + prose: >- + Support for system components includes software patches, + firmware updates, replacement parts, and maintenance contracts. + An example of unsupported components includes when vendors no + longer provide critical software patches or product updates, + which can result in an opportunity for adversaries to exploit + weaknesses in the installed components. Exceptions to replacing + unsupported system components include systems that provide + critical mission or business capabilities where newer + technologies are not available or where the systems are so + isolated that installing replacement components is not an + option. + + + Alternative sources for support address the need to provide continued + support for system components that are no longer supported by the + original manufacturers, developers, or vendors when such components + remain essential to organizational mission and business functions. + If necessary, organizations can establish in-house support by developing + customized patches for critical software components or, alternatively, + obtain the services of external providers who provide ongoing support + for the designated unsupported components through contractual relationships. + Such contractual relationships can include open-source software value-added + vendors. The increased risk of using unsupported system components + can be mitigated, for example, by prohibiting the connection of such + components to public or uncontrolled networks, or implementing other + forms of isolation. + - id: sa-22_obj + name: assessment-objective + props: + - name: label + value: SA-22 + class: sp800-53a + parts: + - id: sa-22_obj.a + name: assessment-objective + props: + - name: label + value: SA-22a. + class: sp800-53a + prose: system components are replaced when support for the components + is no longer available from the developer, vendor, or manufacturer; + links: + - href: "#sa-22_smt.a" + rel: assessment-for + - id: sa-22_obj.b + name: assessment-objective + props: + - name: label + value: SA-22b. + class: sp800-53a + prose: " {{ insert: param, sa-22_odp.01 }} provide options for alternative\ + \ sources for continued support for unsupported components." + links: + - href: "#sa-22_smt.b" + rel: assessment-for + links: + - href: "#sa-22_smt" + rel: assessment-for + - id: sa-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the replacement or continued use of unsupported + system components + + + documented evidence of replacing unsupported system components + + + documented approvals (including justification) for the continued + use of unsupported system components + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with the responsibility for the system + development life cycle + + + organizational personnel responsible for component replacement + - id: sa-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for replacing unsupported system + components + + + mechanisms supporting and/or implementing the replacement of unsupported + system components + - id: sc + class: family + title: System and Communications Protection + controls: + - id: sc-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sc-1_prm_1 + label: organization-defined personnel or roles + - id: sc-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection policy is to be disseminated is/are defined; + - id: sc-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection procedures are to be disseminated is/are defined; + - id: sc-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business-process-level + - system-level + - id: sc-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and communications protection + policy and procedures is defined; + - id: sc-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and communications + protection policy is reviewed and updated is defined; + - id: sc-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and communications + protection policy to be reviewed and updated are defined; + - id: sc-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and communications + protection procedures are reviewed and updated is defined; + - id: sc-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and communications protection + procedures to be reviewed and updated are defined; + props: + - name: label + value: SC-1 + - name: label + value: SC-01 + class: sp800-53a + - name: sort-id + value: sc-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sc-1_smt + name: statement + parts: + - id: sc-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sc-1_prm_1 }}:" + parts: + - id: sc-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sc-01_odp.03 }} system and communications\ + \ protection policy that:" + parts: + - id: sc-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sc-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sc-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and communications protection policy and the associated system + and communications protection controls; + - id: sc-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sc-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures; and" + - id: sc-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and communications\ + \ protection:" + parts: + - id: sc-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sc-01_odp.05 }} and following\ + \ {{ insert: param, sc-01_odp.06 }} ; and" + - id: sc-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sc-01_odp.07 }} and following\ + \ {{ insert: param, sc-01_odp.08 }}." + - id: sc-1_gdn + name: guidance + prose: System and communications protection policy and procedures address + the controls in the SC family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and communications protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and communications protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: sc-5 + class: SP800-53 + title: Denial-of-service Protection + params: + - id: sc-05_odp.01 + label: types of denial-of-service events + constraints: + - description: "at a minimum: ICMP (ping) flood, SYN flood, slowloris,\ + \ buffer overflow attack, and volume attack" + guidelines: + - prose: types of denial-of-service events to be protected against + or limited are defined; + - id: sc-05_odp.02 + constraints: + - description: Protect against + select: + choice: + - protect against + - limit + - id: sc-05_odp.03 + label: controls by type of denial-of-service event + guidelines: + - prose: controls to achieve the denial-of-service objective by type + of denial-of-service event are defined; + props: + - name: label + value: SC-5 + - name: label + value: SC-05 + class: sp800-53a + - name: sort-id + value: sc-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#sc-6" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-40" + rel: related + parts: + - id: sc-5_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: sc-5_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, sc-05_odp.02 }} the effects of the following\ + \ types of denial-of-service events: {{ insert: param, sc-05_odp.01\ + \ }} ; and" + - id: sc-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to achieve the denial-of-service\ + \ objective: {{ insert: param, sc-05_odp.03 }}." + - id: sc-5_gdn + name: guidance + prose: Denial-of-service events may occur due to a variety of internal + and external causes, such as an attack by an adversary or a lack of + planning to support organizational needs with respect to capacity + and bandwidth. Such attacks can occur across a wide range of network + protocols (e.g., IPv4, IPv6). A variety of technologies are available + to limit or eliminate the origination and effects of denial-of-service + events. For example, boundary protection devices can filter certain + types of packets to protect system components on internal networks + from being directly affected by or the source of denial-of-service + attacks. Employing increased network capacity and bandwidth combined + with service redundancy also reduces the susceptibility to denial-of-service + events. + - id: sc-5_obj + name: assessment-objective + props: + - name: label + value: SC-05 + class: sp800-53a + parts: + - id: sc-5_obj.a + name: assessment-objective + props: + - name: label + value: SC-05a. + class: sp800-53a + prose: "the effects of {{ insert: param, sc-05_odp.01 }} are {{\ + \ insert: param, sc-05_odp.02 }};" + links: + - href: "#sc-5_smt.a" + rel: assessment-for + - id: sc-5_obj.b + name: assessment-objective + props: + - name: label + value: SC-05b. + class: sp800-53a + prose: " {{ insert: param, sc-05_odp.03 }} are employed to achieve\ + \ the denial-of-service protection objective." + links: + - href: "#sc-5_smt.b" + rel: assessment-for + links: + - href: "#sc-5_smt" + rel: assessment-for + - id: sc-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing denial-of-service protection + + + system design documentation + + + list of denial-of-service attacks requiring employment of security + safeguards to protect against or limit effects of such attacks + + + list of security safeguards protecting against or limiting the + effects of denial-of-service attacks + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + + + system developer + - id: sc-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms protecting against or limiting the effects of + denial-of-service attacks + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: If availability is a requirement, define protections\ + \ in place as per control requirement." + - id: sc-7 + class: SP800-53 + title: Boundary Protection + params: + - id: sc-07_odp + select: + choice: + - physically + - logically + props: + - name: label + value: SC-7 + - name: label + value: SC-07 + class: sp800-53a + - name: sort-id + value: sc-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a7f0e897-29a3-45c4-bd88-40dfef0e034a" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-10" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-43" + rel: related + parts: + - id: sc-7_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: sc-7_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces + within the system; + - id: sc-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement subnetworks for publicly accessible system components\ + \ that are {{ insert: param, sc-07_odp }} separated from internal\ + \ organizational networks; and" + - id: sc-7_smt.c + name: item + props: + - name: label + value: c. + prose: Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + - id: sc-7_gdn + name: guidance + prose: Managed interfaces include gateways, routers, firewalls, guards, + network-based malicious code analysis, virtualization systems, or + encrypted tunnels implemented within a security architecture. Subnetworks + that are physically or logically separated from internal networks + are referred to as demilitarized zones or DMZs. Restricting or prohibiting + interfaces within organizational systems includes restricting external + web traffic to designated web servers within managed interfaces, prohibiting + external traffic that appears to be spoofing internal addresses, and + prohibiting internal traffic that appears to be spoofing external + addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides + additional information on source address validation techniques to + prevent ingress and egress of traffic with spoofed addresses. Commercial + telecommunications services are provided by network components and + consolidated management systems shared by customers. These services + may also include third party-provided access lines and other service + elements. Such services may represent sources of increased risk despite + contract security provisions. Boundary protection may be implemented + as a common control for all or part of an organizational network such + that the boundary to be protected is greater than a system-specific + boundary (i.e., an authorization boundary). + - id: sc-7_obj + name: assessment-objective + props: + - name: label + value: SC-07 + class: sp800-53a + parts: + - id: sc-7_obj.a + name: assessment-objective + props: + - name: label + value: SC-07a. + class: sp800-53a + parts: + - id: sc-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-07a.[01] + class: sp800-53a + prose: communications at external managed interfaces to the + system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-07a.[02] + class: sp800-53a + prose: communications at external managed interfaces to the + system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-07a.[03] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-07a.[04] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.b + name: assessment-objective + props: + - name: label + value: SC-07b. + class: sp800-53a + prose: "subnetworks for publicly accessible system components are\ + \ {{ insert: param, sc-07_odp }} separated from internal organizational\ + \ networks;" + links: + - href: "#sc-7_smt.b" + rel: assessment-for + - id: sc-7_obj.c + name: assessment-objective + props: + - name: label + value: SC-07c. + class: sp800-53a + prose: external networks or systems are only connected to through + managed interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + links: + - href: "#sc-7_smt.c" + rel: assessment-for + links: + - href: "#sc-7_smt" + rel: assessment-for + - id: sc-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing boundary protection + + list of key internal boundaries of the system + + system design documentation + + boundary protection hardware and software + + system configuration settings and associated documentation + + enterprise security architecture documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing boundary protection capabilities + - id: sc-8 + class: SP800-53 + title: Transmission Confidentiality and Integrity + params: + - id: sc-08_odp + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + props: + - name: label + value: SC-8 + - name: label + value: SC-08 + class: sp800-53a + - name: sort-id + value: sc-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: sc-8_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + - id: sc-8_gdn + name: guidance + prose: >- + Protecting the confidentiality and integrity of transmitted + information applies to internal and external networks as well as + any system components that can transmit information, including + servers, notebook computers, desktop computers, mobile devices, + printers, copiers, scanners, facsimile machines, and radios. + Unprotected communication paths are exposed to the possibility + of interception and modification. Protecting the confidentiality + and integrity of information can be accomplished by physical or + logical means. Physical protection can be achieved by using + protected distribution systems. A protected distribution system + is a wireline or fiber-optics telecommunications system that + includes terminals and adequate electromagnetic, acoustical, + electrical, and physical controls to permit its use for the + unencrypted transmission of classified information. Logical + protection can be achieved by employing encryption techniques. + + + Organizations that rely on commercial providers who offer transmission + services as commodity services rather than as fully dedicated services + may find it difficult to obtain the necessary assurances regarding + the implementation of needed controls for transmission confidentiality + and integrity. In such situations, organizations determine what types + of confidentiality or integrity services are available in standard, + commercial telecommunications service packages. If it is not feasible + to obtain the necessary controls and assurances of control effectiveness + through appropriate contracting vehicles, organizations can implement + appropriate compensating controls. + - id: sc-8_obj + name: assessment-objective + props: + - name: label + value: SC-08 + class: sp800-53a + prose: "the {{ insert: param, sc-08_odp }} of transmitted information\ + \ is/are protected." + links: + - href: "#sc-8_smt" + rel: assessment-for + - id: sc-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transmission confidentiality + and/or integrity + controls: + - id: sc-8.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-08.01_odp + select: + how-many: one-or-more + choice: + - prevent unauthorized disclosure of information + - detect changes to information + props: + - name: label + value: SC-8(1) + - name: label + value: SC-08(01) + class: sp800-53a + - name: sort-id + value: sc-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sc-8" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-8.1_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Implement cryptographic mechanisms to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + - id: sc-8.1_gdn + name: guidance + prose: Encryption protects information from unauthorized disclosure + and modification during transmission. Cryptographic mechanisms + that protect the confidentiality and integrity of information + during transmission include TLS and IPSec. Cryptographic mechanisms + used to protect information integrity include cryptographic hash + functions that have applications in digital signatures, checksums, + and message authentication codes. + - id: sc-8.1_obj + name: assessment-objective + props: + - name: label + value: SC-08(01) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + links: + - href: "#sc-8.1_smt" + rel: assessment-for + - id: sc-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Cryptographic mechanisms supporting and/or implementing + transmission confidentiality and/or integrity + + + mechanisms supporting and/or implementing alternative physical + safeguards + + + organizational processes for defining and implementing alternative + physical safeguards + - id: sc-12 + class: SP800-53 + title: Cryptographic Key Establishment and Management + params: + - id: sc-12_odp + label: requirements + constraints: + - description: In accordance with Federal requirements + guidelines: + - prose: requirements for key generation, distribution, storage, access, + and destruction are defined; + props: + - name: label + value: SC-12 + - name: label + value: SC-12 + class: sp800-53a + - name: sort-id + value: sc-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#849b2358-683f-4d97-b111-1cc3d522ded5" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-17" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-3" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-11" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-17" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-12_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Establish and manage cryptographic keys when cryptography is\ + \ employed within the system in accordance with the following key\ + \ management requirements: {{ insert: param, sc-12_odp }}." + - id: sc-12_gdn + name: guidance + prose: Cryptographic key management and establishment can be performed + using manual procedures or automated mechanisms with supporting manual + procedures. Organizations define key management requirements in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines and specify appropriate options, parameters, + and levels. Organizations manage trust stores to ensure that only + approved trust anchors are part of such trust stores. This includes + certificates with visibility external to organizational systems and + certificates related to the internal operations of systems. [NIST + CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) + provide additional information on validated cryptographic modules + and algorithms that can be used in cryptographic key management and + establishment. + - id: sc-12_obj + name: assessment-objective + props: + - name: label + value: SC-12 + class: sp800-53a + parts: + - id: sc-12_obj-1 + name: assessment-objective + props: + - name: label + value: SC-12[01] + class: sp800-53a + prose: "cryptographic keys are established when cryptography is\ + \ employed within the system in accordance with {{ insert: param,\ + \ sc-12_odp }};" + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_obj-2 + name: assessment-objective + props: + - name: label + value: SC-12[02] + class: sp800-53a + prose: "cryptographic keys are managed when cryptography is employed\ + \ within the system in accordance with {{ insert: param, sc-12_odp\ + \ }}." + links: + - href: "#sc-12_smt" + rel: assessment-for + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing cryptographic key establishment and management + + + system design documentation + + + cryptographic mechanisms + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for cryptographic + key establishment and/or management + - id: sc-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic key + establishment and management + - id: sc-13 + class: SP800-53 + title: Cryptographic Protection + params: + - id: sc-13_odp.01 + label: cryptographic uses + guidelines: + - prose: cryptographic uses are defined; + - id: sc-13_odp.02 + label: types of cryptography + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: types of cryptography for each specified cryptographic use + are defined; + props: + - name: label + value: SC-13 + - name: label + value: SC-13 + class: sp800-53a + - name: sort-id + value: sc-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: CONDITIONAL + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-13_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: sc-13_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + - id: sc-13_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement the following types of cryptography required for\ + \ each specified cryptographic use: {{ insert: param, sc-13_odp.02\ + \ }}." + - id: sc-13_gdn + name: guidance + prose: Cryptography can be employed to support a variety of security + solutions, including the protection of classified information and + controlled unclassified information, the provision and implementation + of digital signatures, and the enforcement of information separation + when authorized individuals have the necessary clearances but lack + the necessary formal access approvals. Cryptography can also be used + to support random number and hash generation. Generally applicable + cryptographic standards include FIPS-validated cryptography and NSA-approved + cryptography. For example, organizations that need to protect classified + information may specify the use of NSA-approved cryptography. Organizations + that need to provision and implement digital signatures may specify + the use of FIPS-validated cryptography. Cryptography is implemented + in accordance with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: sc-13_obj + name: assessment-objective + props: + - name: label + value: SC-13 + class: sp800-53a + parts: + - id: sc-13_obj.a + name: assessment-objective + props: + - name: label + value: SC-13a. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.01 }} are identified;" + links: + - href: "#sc-13_smt.a" + rel: assessment-for + - id: sc-13_obj.b + name: assessment-objective + props: + - name: label + value: SC-13b. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic\ + \ use (defined in SC-13_ODP[01]) are implemented." + links: + - href: "#sc-13_smt.b" + rel: assessment-for + links: + - href: "#sc-13_smt" + rel: assessment-for + - id: sc-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing cryptographic protection + + system design documentation + + system configuration settings and associated documentation + + cryptographic module validation certificates + + list of FIPS-validated cryptographic modules + + system audit records + + system security plan + + other relevant documents or records + - id: sc-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for cryptographic + protection + - id: sc-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic protection + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: "Condition: If implementing need to detail how they meet it or\ + \ don't meet it." + - id: sc-15 + class: SP800-53 + title: Collaborative Computing Devices and Applications + params: + - id: sc-15_odp + label: exceptions where remote activation is to be allowed + constraints: + - description: no exceptions for computing devices + guidelines: + - prose: exceptions where remote activation is to be allowed are defined; + props: + - name: label + value: SC-15 + - name: label + value: SC-15 + class: sp800-53a + - name: sort-id + value: sc-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: NSO + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#ac-21" + rel: related + - href: "#sc-42" + rel: related + parts: + - id: sc-15_smt + name: statement + parts: + - id: sc-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Prohibit remote activation of collaborative computing devices\ + \ and applications with the following exceptions: {{ insert: param,\ + \ sc-15_odp }} ; and" + - id: sc-15_smt.b + name: item + props: + - name: label + value: b. + prose: Provide an explicit indication of use to users physically + present at the devices. + - id: sc-15_gdn + name: guidance + prose: Collaborative computing devices and applications include remote + meeting devices and applications, networked white boards, cameras, + and microphones. The explicit indication of use includes signals to + users when collaborative computing devices and applications are activated. + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: NSO - Not directly related to the security of the SaaS. + - id: sc-20 + class: SP800-53 + title: Secure Name/Address Resolution Service (Authoritative Source) + props: + - name: label + value: SC-20 + - name: label + value: SC-20 + class: sp800-53a + - name: sort-id + value: sc-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-20_smt + name: statement + parts: + - id: sc-20_smt.a + name: item + props: + - name: label + value: a. + prose: Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution + data the system returns in response to external name/address resolution + queries; and + - id: sc-20_smt.b + name: item + props: + - name: label + value: b. + prose: Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to + enable verification of a chain of trust among parent and child + domains, when operating as part of a distributed, hierarchical + namespace. + - id: sc-20_gdn + name: guidance + prose: Providing authoritative source information enables external clients, + including remote Internet clients, to obtain origin authentication + and integrity verification assurances for the host/service name to + network address resolution information obtained through the service. + Systems that provide name and address resolution services include + domain name system (DNS) servers. Additional artifacts include DNS + Security Extensions (DNSSEC) digital signatures and cryptographic + keys. Authoritative data includes DNS resource records. The means + for indicating the security status of child zones include the use + of delegation signer resource records in the DNS. Systems that use + technologies other than the DNS to map between host and service names + and network addresses provide other means to assure the authenticity + and integrity of response data. + - id: sc-21 + class: SP800-53 + title: Secure Name/Address Resolution Service (Recursive or Caching Resolver) + props: + - name: label + value: SC-21 + - name: label + value: SC-21 + class: sp800-53a + - name: sort-id + value: sc-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-20" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-21_smt + name: statement + prose: Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. + - id: sc-21_gdn + name: guidance + prose: Each client of name resolution services either performs this + validation on its own or has authenticated channels to trusted validation + providers. Systems that provide name and address resolution services + for local clients include recursive resolving or caching domain name + system (DNS) servers. DNS client resolvers either perform validation + of DNSSEC signatures, or clients use authenticated channels to recursive + resolvers that perform such validations. Systems that use technologies + other than the DNS to map between host and service names and network + addresses provide some other means to enable clients to verify the + authenticity and integrity of response data. + - id: sc-22 + class: SP800-53 + title: Architecture and Provisioning for Name/Address Resolution Service + props: + - name: label + value: SC-22 + - name: label + value: SC-22 + class: sp800-53a + - name: sort-id + value: sc-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-2" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-22_smt + name: statement + prose: Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal + and external role separation. + - id: sc-22_gdn + name: guidance + prose: Systems that provide name and address resolution services include + domain name system (DNS) servers. To eliminate single points of failure + in systems and enhance redundancy, organizations employ at least two + authoritative domain name system servers—one configured as the primary + server and the other configured as the secondary server. Additionally, + organizations typically deploy the servers in two geographically separated + network subnetworks (i.e., not located in the same physical facility). + For role separation, DNS servers with internal roles only process + name and address resolution requests from within organizations (i.e., + from internal clients). DNS servers with external roles only process + name and address resolution information requests from clients external + to organizations (i.e., on external networks, including the Internet). + Organizations specify clients that can access authoritative DNS servers + in certain roles (e.g., by address ranges and explicit lists). + - id: sc-28 + class: SP800-53 + title: Protection of Information at Rest + params: + - id: sc-28_odp.01 + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + - id: sc-28_odp.02 + label: information at rest + guidelines: + - prose: information at rest requiring protection is defined; + props: + - name: label + value: SC-28 + - name: label + value: SC-28 + class: sp800-53a + - name: sort-id + value: sc-28 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-28_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Protect the {{ insert: param, sc-28_odp.01 }} of the following\ + \ information at rest: {{ insert: param, sc-28_odp.02 }}." + - id: sc-28_gdn + name: guidance + prose: Information at rest refers to the state of information when it + is not in process or in transit and is located on system components. + Such components include internal or external hard disk drives, storage + area network devices, or databases. However, the focus of protecting + information at rest is not on the type of storage device or frequency + of access but rather on the state of the information. Information + at rest addresses the confidentiality and integrity of information + and covers user information and system information. System-related + information that requires protection includes configurations or rule + sets for firewalls, intrusion detection and prevention systems, filtering + routers, and authentication information. Organizations may employ + different mechanisms to achieve confidentiality and integrity protections, + including the use of cryptographic mechanisms and file share scanning. + Integrity protection can be achieved, for example, by implementing + write-once-read-many (WORM) technologies. When adequate protection + of information at rest cannot otherwise be achieved, organizations + may employ other controls, including frequent scanning to identify + malicious code at rest and secure offline storage in lieu of online + storage. + - id: sc-28_obj + name: assessment-objective + props: + - name: label + value: SC-28 + class: sp800-53a + prose: "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02\ + \ }} is/are protected." + links: + - href: "#sc-28_smt" + rel: assessment-for + - id: sc-28_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + list of information at rest requiring confidentiality and integrity + protections + + + system security plan + + + other relevant documents or records + - id: sc-28_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing confidentiality + and integrity protections for information at rest + controls: + - id: sc-28.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-28.01_odp.01 + label: information + guidelines: + - prose: information requiring cryptographic protection is defined; + - id: sc-28.01_odp.02 + label: system components or media + constraints: + - description: all information system components storing Federal + data or system data that must be protected at the High or + Moderate impact levels + guidelines: + - prose: system components or media requiring cryptographic protection + is/are defined; + props: + - name: label + value: SC-28(1) + - name: label + value: SC-28(01) + class: sp800-53a + - name: sort-id + value: sc-28.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sc-28" + rel: required + - href: "#ac-19" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-28.1_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of the following information at\ + \ rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param,\ + \ sc-28.01_odp.01 }}." + - id: sc-28.1_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of organizational + information. The strength of mechanism is commensurate with the + security category or classification of the information. Organizations + have the flexibility to encrypt information on system components + or media or encrypt data structures, including files, records, + or fields. + - id: sc-28.1_obj + name: assessment-objective + props: + - name: label + value: SC-28(01) + class: sp800-53a + parts: + - id: sc-28.1_obj-1 + name: assessment-objective + props: + - name: label + value: SC-28(01)[01] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized disclosure of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }};" + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_obj-2 + name: assessment-objective + props: + - name: label + value: SC-28(01)[02] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized modification of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }}." + links: + - href: "#sc-28.1_smt" + rel: assessment-for + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-28.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms implementing confidentiality + and integrity protections for information at rest + - id: sc-39 + class: SP800-53 + title: Process Isolation + props: + - name: label + value: SC-39 + - name: label + value: SC-39 + class: sp800-53a + - name: sort-id + value: sc-39 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-25" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-39_smt + name: statement + prose: Maintain a separate execution domain for each executing system + process. + - id: sc-39_gdn + name: guidance + prose: Systems can maintain separate execution domains for each executing + process by assigning each process a separate address space. Each system + process has a distinct address space so that communication between + processes is performed in a manner controlled through the security + functions, and one process cannot modify the executing code of another + process. Maintaining separate execution domains for executing processes + can be achieved, for example, by implementing separate address spaces. + Process isolation technologies, including sandboxing or virtualization, + logically separate software and firmware from other software, firmware, + and data. Process isolation helps limit the access of potentially + untrusted software to other system resources. The capability to maintain + separate execution domains is available in commercial operating systems + that employ multi-state processor technologies. + - id: si + class: family + title: System and Information Integrity + controls: + - id: si-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: si-1_prm_1 + label: organization-defined personnel or roles + - id: si-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + policy is to be disseminated is/are defined; + - id: si-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + procedures are to be disseminated is/are defined; + - id: si-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: si-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and information integrity + policy and procedures is defined; + - id: si-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and information + integrity policy is reviewed and updated is defined; + - id: si-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and information + integrity policy to be reviewed and updated are defined; + - id: si-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and information + integrity procedures are reviewed and updated is defined; + - id: si-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and information integrity + procedures to be reviewed and updated are defined; + props: + - name: label + value: SI-1 + - name: label + value: SI-01 + class: sp800-53a + - name: sort-id + value: si-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: si-1_smt + name: statement + parts: + - id: si-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ si-1_prm_1 }}:" + parts: + - id: si-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, si-01_odp.03 }} system and information\ + \ integrity policy that:" + parts: + - id: si-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: si-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: si-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and information integrity policy and the associated system + and information integrity controls; + - id: si-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, si-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures; and" + - id: si-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and information integrity:" + parts: + - id: si-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, si-01_odp.05 }} and following\ + \ {{ insert: param, si-01_odp.06 }} ; and" + - id: si-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, si-01_odp.07 }} and following\ + \ {{ insert: param, si-01_odp.08 }}." + - id: si-1_gdn + name: guidance + prose: System and information integrity policy and procedures address + the controls in the SI family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and information integrity policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and information integrity policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: si-2 + class: SP800-53 + title: Flaw Remediation + params: + - id: si-02_odp + label: time period + constraints: + - description: within thirty (30) days of release of updates + guidelines: + - prose: time period within which to install security-relevant software + updates after the release of the updates is defined; + props: + - name: label + value: SI-2 + - name: label + value: SI-02 + class: sp800-53a + - name: sort-id + value: si-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#ca-5" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#si-3" + rel: related + - href: "#si-5" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: si-2_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: si-2_smt.a + name: item + props: + - name: label + value: a. + prose: Identify, report, and correct system flaws; + - id: si-2_smt.b + name: item + props: + - name: label + value: b. + prose: Test software and firmware updates related to flaw remediation + for effectiveness and potential side effects before installation; + - id: si-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Install security-relevant software and firmware updates\ + \ within {{ insert: param, si-02_odp }} of the release of the\ + \ updates; and" + - id: si-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate flaw remediation into the organizational configuration + management process. + - id: si-2_gdn + name: guidance + prose: >- + The need to remediate system flaws applies to all types of + software and firmware. Organizations identify systems affected + by software flaws, including potential vulnerabilities resulting + from those flaws, and report this information to designated + organizational personnel with information security and privacy + responsibilities. Security-relevant updates include patches, + service packs, and malicious code signatures. Organizations also + address flaws discovered during assessments, continuous + monitoring, incident response activities, and system error + handling. By incorporating flaw remediation into configuration + management processes, required remediation actions can be + tracked and verified. + + + Organization-defined time periods for updating security-relevant software + and firmware may vary based on a variety of risk factors, including + the security category of the system, the criticality of the update + (i.e., severity of the vulnerability related to the discovered flaw), + the organizational risk tolerance, the mission supported by the system, + or the threat environment. Some types of flaw remediation may require + more testing than other types. Organizations determine the type of + testing needed for the specific type of flaw remediation activity + under consideration and the types of changes that are to be configuration-managed. + In some situations, organizations may determine that the testing of + software or firmware updates is not necessary or practical, such as + when implementing simple malicious code signature updates. In testing + decisions, organizations consider whether security-relevant software + or firmware updates are obtained from authorized sources with appropriate + digital signatures. + - id: si-2_obj + name: assessment-objective + props: + - name: label + value: SI-02 + class: sp800-53a + parts: + - id: si-2_obj.a + name: assessment-objective + props: + - name: label + value: SI-02a. + class: sp800-53a + parts: + - id: si-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-02a.[01] + class: sp800-53a + prose: system flaws are identified; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-02a.[02] + class: sp800-53a + prose: system flaws are reported; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-02a.[03] + class: sp800-53a + prose: system flaws are corrected; + links: + - href: "#si-2_smt.a" + rel: assessment-for + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.b + name: assessment-objective + props: + - name: label + value: SI-02b. + class: sp800-53a + parts: + - id: si-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-02b.[01] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-02b.[02] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-02b.[03] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SI-02b.[04] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.c + name: assessment-objective + props: + - name: label + value: SI-02c. + class: sp800-53a + parts: + - id: si-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-02c.[01] + class: sp800-53a + prose: "security-relevant software updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-02c.[02] + class: sp800-53a + prose: "security-relevant firmware updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.d + name: assessment-objective + props: + - name: label + value: SI-02d. + class: sp800-53a + prose: flaw remediation is incorporated into the organizational + configuration management process. + links: + - href: "#si-2_smt.d" + rel: assessment-for + links: + - href: "#si-2_smt" + rel: assessment-for + - id: si-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + procedures addressing configuration management + + + list of flaws and vulnerabilities potentially affecting the system + + + list of recent security flaw remediation actions performed on + the system (e.g., list of installed patches, service packs, hot + fixes, and other software updates to correct system flaws) + + + test results from the installation of software and firmware updates + to correct system flaws + + + installation/change control records for security-relevant software + and firmware updates + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel responsible for installing, configuring, + and/or maintaining the system + + + organizational personnel responsible for flaw remediation + + + organizational personnel with configuration management responsibilities + - id: si-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + organizational process for installing software and firmware updates + + + mechanisms supporting and/or implementing the reporting and correcting + of system flaws + + + mechanisms supporting and/or implementing testing software and + firmware updates + - id: si-3 + class: SP800-53 + title: Malicious Code Protection + params: + - id: si-03_odp.01 + constraints: + - description: signature based and non-signature based + select: + how-many: one-or-more + choice: + - signature-based + - non-signature-based + - id: si-03_odp.02 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: the frequency at which malicious code protection mechanisms + perform scans is defined; + - id: si-03_odp.03 + constraints: + - description: to include endpoints and network entry and exit points + select: + how-many: one-or-more + choice: + - endpoint + - network entry and exit points + - id: si-03_odp.04 + constraints: + - description: to include blocking and quarantining malicious code + select: + how-many: one-or-more + choice: + - block malicious code + - quarantine malicious code + - "take {{ insert: param, si-03_odp.05 }} " + - id: si-03_odp.05 + label: action + constraints: + - description: administrator or defined security personnel near-realtime + guidelines: + - prose: action to be taken in response to malicious code detection + are defined (if selected); + - id: si-03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when malicious code is detected + is/are defined; + props: + - name: label + value: SI-3 + - name: label + value: SI-03 + class: sp800-53a + - name: sort-id + value: si-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#88660532-2dcf-442e-845c-03340ce48999" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-8" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-3_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: si-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Implement {{ insert: param, si-03_odp.01 }} malicious code\ + \ protection mechanisms at system entry and exit points to detect\ + \ and eradicate malicious code;" + - id: si-3_smt.b + name: item + props: + - name: label + value: b. + prose: Automatically update malicious code protection mechanisms + as new releases are available in accordance with organizational + configuration management policy and procedures; + - id: si-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Configure malicious code protection mechanisms to:" + parts: + - id: si-3_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }} and real-time scans of files from external\ + \ sources at {{ insert: param, si-03_odp.03 }} as the files\ + \ are downloaded, opened, or executed in accordance with organizational\ + \ policy; and" + - id: si-3_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, si-03_odp.04 }} ; and send alert\ + \ to {{ insert: param, si-03_odp.06 }} in response to malicious\ + \ code detection; and" + - id: si-3_smt.d + name: item + props: + - name: label + value: d. + prose: Address the receipt of false positives during malicious code + detection and eradication and the resulting potential impact on + the availability of the system. + - id: si-3_gdn + name: guidance + prose: >- + System entry and exit points include firewalls, remote access + servers, workstations, electronic mail servers, web servers, + proxy servers, notebook computers, and mobile devices. Malicious + code includes viruses, worms, Trojan horses, and spyware. + Malicious code can also be encoded in various formats contained + within compressed or hidden files or hidden in files using + techniques such as steganography. Malicious code can be inserted + into systems in a variety of ways, including by electronic mail, + the world-wide web, and portable storage devices. Malicious code + insertions occur through the exploitation of system + vulnerabilities. A variety of technologies and methods exist to + limit or eliminate the effects of malicious code. + + + Malicious code protection mechanisms include both signature- and nonsignature-based + technologies. Nonsignature-based detection mechanisms include artificial + intelligence techniques that use heuristics to detect, analyze, and + describe the characteristics or behavior of malicious code and to + provide controls against such code for which signatures do not yet + exist or for which existing signatures may not be effective. Malicious + code for which active signatures do not yet exist or may be ineffective + includes polymorphic malicious code (i.e., code that changes signatures + when it replicates). Nonsignature-based mechanisms also include reputation-based + technologies. In addition to the above technologies, pervasive configuration + management, comprehensive software integrity controls, and anti-exploitation + software may be effective in preventing the execution of unauthorized + code. Malicious code may be present in commercial off-the-shelf software + as well as custom-built software and could include logic bombs, backdoors, + and other types of attacks that could affect organizational mission + and business functions. + + + In situations where malicious code cannot be detected by detection + methods or technologies, organizations rely on other types of controls, + including secure coding practices, configuration management and control, + trusted procurement processes, and monitoring practices to ensure + that software does not perform functions other than the functions + intended. Organizations may determine that, in response to the detection + of malicious code, different actions may be warranted. For example, + organizations can define actions in response to malicious code detection + during periodic scans, the detection of malicious downloads, or the + detection of maliciousness when attempting to open or execute files. + - id: si-3_obj + name: assessment-objective + props: + - name: label + value: SI-03 + class: sp800-53a + parts: + - id: si-3_obj.a + name: assessment-objective + props: + - name: label + value: SI-03a. + class: sp800-53a + parts: + - id: si-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-03a.[01] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to detect malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-03a.[02] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to eradicate malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.b + name: assessment-objective + props: + - name: label + value: SI-03b. + class: sp800-53a + prose: malicious code protection mechanisms are updated automatically + as new releases are available in accordance with organizational + configuration management policy and procedures; + links: + - href: "#si-3_smt.b" + rel: assessment-for + - id: si-3_obj.c + name: assessment-objective + props: + - name: label + value: SI-03c. + class: sp800-53a + parts: + - id: si-3_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-03c.01 + class: sp800-53a + parts: + - id: si-3_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-03c.01[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }};" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-03c.01[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform real-time scans of files from external sources\ + \ at {{ insert: param, si-03_odp.03 }} as the files are\ + \ downloaded, opened, or executed in accordance with organizational\ + \ policy;" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-03c.02 + class: sp800-53a + parts: + - id: si-3_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-03c.02[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to {{ insert: param, si-03_odp.04 }} in response to\ + \ malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + - id: si-3_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-03c.02[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to send alerts to {{ insert: param, si-03_odp.06 }}\ + \ in response to malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c" + rel: assessment-for + - id: si-3_obj.d + name: assessment-objective + props: + - name: label + value: SI-03d. + class: sp800-53a + prose: the receipt of false positives during malicious code detection + and eradication and the resulting potential impact on the availability + of the system are addressed. + links: + - href: "#si-3_smt.d" + rel: assessment-for + links: + - href: "#si-3_smt" + rel: assessment-for + - id: si-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + configuration management policy and procedures + + + procedures addressing malicious code protection + + + malicious code protection mechanisms + + + records of malicious code protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + scan results from malicious code protection mechanisms + + + record of actions initiated by malicious code protection mechanisms + in response to malicious code detection + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for malicious code protection + + + organizational personnel with configuration management responsibilities + - id: si-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for employing, updating, and + configuring malicious code protection mechanisms + + + organizational processes for addressing false positives and resulting + potential impacts + + + mechanisms supporting and/or implementing, employing, updating, + and configuring malicious code protection mechanisms + + + mechanisms supporting and/or implementing malicious code scanning + and subsequent actions + - id: si-4 + class: SP800-53 + title: System Monitoring + params: + - id: si-04_odp.01 + label: monitoring objectives + guidelines: + - prose: monitoring objectives to detect attacks and indicators of + potential attacks on the system are defined; + - id: si-04_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods used to identify unauthorized use + of the system are defined; + - id: si-04_odp.03 + label: system monitoring information + guidelines: + - prose: system monitoring information to be provided to personnel + or roles is defined; + - id: si-04_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom system monitoring information + is to be provided is/are defined; + - id: si-04_odp.05 + select: + how-many: one-or-more + choice: + - as needed + - " {{ insert: param, si-04_odp.06 }} " + - id: si-04_odp.06 + label: frequency + guidelines: + - prose: a frequency for providing system monitoring to personnel + or roles is defined (if selected); + props: + - name: label + value: SI-4 + - name: label + value: SI-04 + class: sp800-53a + - name: sort-id + value: si-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ASSESS + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#au-13" + rel: related + - href: "#au-14" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-12" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-36" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-6" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: si-4_smt + name: statement + props: + - name: response-point + ns: https://fedramp.gov/ns/oscal + value: Required + parts: + - id: si-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor the system to detect:" + parts: + - id: si-4_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: {{ insert: param,\ + \ si-04_odp.01 }} ; and" + - id: si-4_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Unauthorized local, network, and remote connections; + - id: si-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Identify unauthorized use of the system through the following\ + \ techniques and methods: {{ insert: param, si-04_odp.02 }};" + - id: si-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Invoke internal monitoring capabilities or deploy monitoring\ + \ devices:" + parts: + - id: si-4_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Strategically within the system to collect organization-determined + essential information; and + - id: si-4_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: At ad hoc locations within the system to track specific + types of transactions of interest to the organization; + - id: si-4_smt.d + name: item + props: + - name: label + value: d. + prose: Analyze detected events and anomalies; + - id: si-4_smt.e + name: item + props: + - name: label + value: e. + prose: Adjust the level of system monitoring activity when there + is a change in risk to organizational operations and assets, individuals, + other organizations, or the Nation; + - id: si-4_smt.f + name: item + props: + - name: label + value: f. + prose: Obtain legal opinion regarding system monitoring activities; + and + - id: si-4_smt.g + name: item + props: + - name: label + value: g. + prose: "Provide {{ insert: param, si-04_odp.03 }} to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + - id: si-4_gdn + name: guidance + prose: >- + System monitoring includes external and internal monitoring. + External monitoring includes the observation of events occurring + at external interfaces to the system. Internal monitoring + includes the observation of events occurring within the system. + Organizations monitor systems by observing audit activities in + real time or by observing other system aspects such as access + patterns, characteristics of access, and other actions. The + monitoring objectives guide and inform the determination of the + events. System monitoring capabilities are achieved through a + variety of tools and techniques, including intrusion detection + and prevention systems, malicious code protection software, + scanning tools, audit record monitoring software, and network + monitoring software. + + + Depending on the security architecture, the distribution and configuration + of monitoring devices may impact throughput at key internal and external + boundaries as well as at other locations across a network due to the + introduction of network throughput latency. If throughput management + is needed, such devices are strategically located and deployed as + part of an established organization-wide security architecture. Strategic + locations for monitoring devices include selected perimeter locations + and near key servers and server farms that support critical applications. + Monitoring devices are typically employed at the managed interfaces + associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information + collected is a function of the organizational monitoring objectives + and the capability of systems to support such objectives. Specific + types of transactions of interest include Hypertext Transfer Protocol + (HTTP) traffic that bypasses HTTP proxies. System monitoring is an + integral part of organizational continuous monitoring and incident + response programs, and output from system monitoring serves as input + to those programs. System monitoring requirements, including the need + for specific types of system monitoring, may be referenced in other + controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), + [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), + [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) + ). Adjustments to levels of system monitoring are based on law enforcement + information, intelligence information, or other sources of information. + The legality of system monitoring activities is based on applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: si-4_obj + name: assessment-objective + props: + - name: label + value: SI-04 + class: sp800-53a + parts: + - id: si-4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04a. + class: sp800-53a + parts: + - id: si-4_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-04a.01 + class: sp800-53a + prose: "the system is monitored to detect attacks and indicators\ + \ of potential attacks in accordance with {{ insert: param,\ + \ si-04_odp.01 }};" + links: + - href: "#si-4_smt.a.1" + rel: assessment-for + - id: si-4_obj.a.2 + name: assessment-objective + props: + - name: label + value: SI-04a.02 + class: sp800-53a + parts: + - id: si-4_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SI-04a.02[01] + class: sp800-53a + prose: the system is monitored to detect unauthorized local + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SI-04a.02[02] + class: sp800-53a + prose: the system is monitored to detect unauthorized network + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SI-04a.02[03] + class: sp800-53a + prose: the system is monitored to detect unauthorized remote + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a" + rel: assessment-for + - id: si-4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04b. + class: sp800-53a + prose: "unauthorized use of the system is identified through {{\ + \ insert: param, si-04_odp.02 }};" + links: + - href: "#si-4_smt.b" + rel: assessment-for + - id: si-4_obj.c + name: assessment-objective + props: + - name: label + value: SI-04c. + class: sp800-53a + parts: + - id: si-4_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-04c.01 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed strategically within the system to collect + organization-determined essential information; + links: + - href: "#si-4_smt.c.1" + rel: assessment-for + - id: si-4_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-04c.02 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed at ad hoc locations within the system + to track specific types of transactions of interest to the + organization; + links: + - href: "#si-4_smt.c.2" + rel: assessment-for + links: + - href: "#si-4_smt.c" + rel: assessment-for + - id: si-4_obj.d + name: assessment-objective + props: + - name: label + value: SI-04d. + class: sp800-53a + parts: + - id: si-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SI-04d.[01] + class: sp800-53a + prose: detected events are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SI-04d.[02] + class: sp800-53a + prose: detected anomalies are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.e + name: assessment-objective + props: + - name: label + value: SI-04e. + class: sp800-53a + prose: the level of system monitoring activity is adjusted when + there is a change in risk to organizational operations and assets, + individuals, other organizations, or the Nation; + links: + - href: "#si-4_smt.e" + rel: assessment-for + - id: si-4_obj.f + name: assessment-objective + props: + - name: label + value: SI-04f. + class: sp800-53a + prose: a legal opinion regarding system monitoring activities is + obtained; + links: + - href: "#si-4_smt.f" + rel: assessment-for + - id: si-4_obj.g + name: assessment-objective + props: + - name: label + value: SI-04g. + class: sp800-53a + prose: " {{ insert: param, si-04_odp.03 }} is provided to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + links: + - href: "#si-4_smt.g" + rel: assessment-for + links: + - href: "#si-4_smt" + rel: assessment-for + - id: si-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + continuous monitoring strategy + + + facility diagram/layout + + + system design documentation + + + system monitoring tools and techniques documentation + + + locations within the system where monitoring devices are deployed + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: si-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring capabilities + - id: si-5 + class: SP800-53 + title: Security Alerts, Advisories, and Directives + params: + - id: si-05_odp.01 + label: external organizations + constraints: + - description: to include US-CERT and Cybersecurity and Infrastructure + Security Agency (CISA) Directives + guidelines: + - prose: external organizations from whom system security alerts, + advisories, and directives are to be received on an ongoing basis + are defined; + - id: si-05_odp.02 + constraints: + - description: to include system security personnel and administrators + with configuration/patch-management responsibilities + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-05_odp.03 }} " + - " {{ insert: param, si-05_odp.04 }} " + - " {{ insert: param, si-05_odp.05 }} " + - id: si-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom security alerts, advisories, and + directives are to be disseminated is/are defined (if selected); + - id: si-05_odp.04 + label: elements + guidelines: + - prose: elements within the organization to whom security alerts, + advisories, and directives are to be disseminated are defined + (if selected); + - id: si-05_odp.05 + label: external organizations + guidelines: + - prose: external organizations to whom security alerts, advisories, + and directives are to be disseminated are defined (if selected); + props: + - name: label + value: SI-5 + - name: label + value: SI-05 + class: sp800-53a + - name: sort-id + value: si-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#pm-15" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-2" + rel: related + parts: + - id: si-5_smt + name: statement + parts: + - id: si-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Receive system security alerts, advisories, and directives\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + - id: si-5_smt.b + name: item + props: + - name: label + value: b. + prose: Generate internal security alerts, advisories, and directives + as deemed necessary; + - id: si-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Disseminate security alerts, advisories, and directives\ + \ to: {{ insert: param, si-05_odp.02 }} ; and" + - id: si-5_smt.d + name: item + props: + - name: label + value: d. + prose: Implement security directives in accordance with established + time frames, or notify the issuing organization of the degree + of noncompliance. + - id: si-5_gdn + name: guidance + prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates + security alerts and advisories to maintain situational awareness throughout + the Federal Government. Security directives are issued by OMB or other + designated organizations with the responsibility and authority to + issue such directives. Compliance with security directives is essential + due to the critical nature of many of these directives and the potential + (immediate) adverse effects on organizational operations and assets, + individuals, other organizations, and the Nation should the directives + not be implemented in a timely manner. External organizations include + supply chain partners, external mission or business partners, external + service providers, and other peer or supporting organizations. + - id: si-12 + class: SP800-53 + title: Information Management and Retention + props: + - name: label + value: SI-12 + - name: label + value: SI-12 + class: sp800-53a + - name: sort-id + value: si-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#e922fc50-b1f9-469f-92ef-ed7d9803611c" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ac-16" + rel: related + - href: "#au-5" + rel: related + - href: "#au-11" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-8" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: si-12_smt + name: statement + prose: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive + orders, directives, regulations, policies, standards, guidelines and + operational requirements. + - id: si-12_gdn + name: guidance + prose: "Information management and retention requirements cover the\ + \ full life cycle of information, in some cases extending beyond system\ + \ disposal. Information to be retained may also include policies,\ + \ procedures, plans, reports, data output from control implementation,\ + \ and other types of administrative information. The National Archives\ + \ and Records Administration (NARA) provides federal policy and guidance\ + \ on records retention and schedules. If organizations have a records\ + \ management office, consider coordinating with records management\ + \ personnel. Records produced from the output of implemented controls\ + \ that may require management and retention include, but are not limited\ + \ to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12),\ + \ [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7),\ + \ [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4),\ + \ [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13),\ + \ [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4),\ + \ [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17),\ + \ [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5),\ + \ [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21),\ + \ [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31),\ + \ [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3),\ + \ [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8),\ + \ [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4),\ + \ [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + - name: guidance + class: FedRAMP-Tailored-LI-SaaS + prose: Attestation - Specifically related to US-CERT and FedRAMP communications + procedures. + - id: sr + class: family + title: Supply Chain Risk Management + controls: + - id: sr-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sr-1_prm_1 + label: organization-defined personnel or roles + - id: sr-01_odp.01 + label: personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + guidelines: + - prose: personnel or roles to whom supply chain risk management policy + is to be disseminated to is/are defined; + - id: sr-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management procedures + are disseminated to is/are defined; + - id: sr-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sr-01_odp.04 + label: official + guidelines: + - prose: an official to manage the development, documentation, and + dissemination of the supply chain risk management policy and procedures + is defined; + - id: sr-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current supply chain risk management + policy is reviewed and updated is defined; + - id: sr-01_odp.06 + label: events + guidelines: + - prose: events that require the current supply chain risk management + policy to be reviewed and updated are defined; + - id: sr-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current supply chain risk management + procedure is reviewed and updated is defined; + - id: sr-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that require the supply chain risk management procedures + to be reviewed and updated are defined; + props: + - name: label + value: SR-1 + - name: label + value: SR-01 + class: sp800-53a + - name: sort-id + value: sr-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sr-1_smt + name: statement + parts: + - id: sr-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sr-1_prm_1 }}:" + parts: + - id: sr-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sr-01_odp.03 }} supply chain risk\ + \ management policy that:" + parts: + - id: sr-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sr-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sr-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the supply + chain risk management policy and the associated supply chain + risk management controls; + - id: sr-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sr-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures; and" + - id: sr-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current supply chain risk management:" + parts: + - id: sr-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sr-01_odp.05 }} and following\ + \ {{ insert: param, sr-01_odp.06 }} ; and" + - id: sr-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sr-01_odp.07 }} and following\ + \ {{ insert: param, sr-01_odp.08 }}." + - id: sr-1_gdn + name: guidance + prose: Supply chain risk management policy and procedures address the + controls in the SR family as well as supply chain-related controls + in other families that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of supply chain + risk management policy and procedures. Security and privacy program + policies and procedures at the organization level are preferable, + in general, and may obviate the need for mission- or system-specific + policies and procedures. The policy can be included as part of the + general security and privacy policy or be represented by multiple + policies that reflect the complex nature of organizations. Procedures + can be established for security and privacy programs, for mission + or business processes, and for systems, if needed. Procedures describe + how the policies or controls are implemented and can be directed at + the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + supply chain risk management policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sr-2 + class: SP800-53 + title: Supply Chain Risk Management Plan + params: + - id: sr-02_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services for which + a supply chain risk management plan is developed are defined; + - id: sr-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update the supply chain + risk management plan is defined; + props: + - name: label + value: SR-2 + - name: label + value: SR-02 + class: sp800-53a + - name: sort-id + value: sr-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: sr-2_smt + name: statement + parts: + - id: sr-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a plan for managing supply chain risks associated\ + \ with the research and development, design, manufacturing, acquisition,\ + \ delivery, integration, operations and maintenance, and disposal\ + \ of the following systems, system components or system services:\ + \ {{ insert: param, sr-02_odp.01 }};" + - id: sr-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the supply chain risk management plan\ + \ {{ insert: param, sr-02_odp.02 }} or as required, to address\ + \ threat, organizational or environmental changes; and" + - id: sr-2_smt.c + name: item + props: + - name: label + value: c. + prose: Protect the supply chain risk management plan from unauthorized + disclosure and modification. + - id: sr-2_gdn + name: guidance + prose: >- + The dependence on products, systems, and services from external + providers, as well as the nature of the relationships with those + providers, present an increasing level of risk to an + organization. Threat actions that may increase security or + privacy risks include unauthorized production, the insertion or + use of counterfeits, tampering, theft, insertion of malicious + software and hardware, and poor manufacturing and development + practices in the supply chain. Supply chain risks can be endemic + or systemic within a system element or component, a system, an + organization, a sector, or the Nation. Managing supply chain + risk is a complex, multifaceted undertaking that requires a + coordinated effort across an organization to build trust + relationships and communicate with internal and external + stakeholders. Supply chain risk management (SCRM) activities + include identifying and assessing risks, determining appropriate + risk response actions, developing SCRM plans to document + response actions, and monitoring performance against plans. The + SCRM plan (at the system-level) is implementation specific, + providing policy implementation, requirements, constraints and + implications. It can either be stand-alone, or incorporated into + system security and privacy plans. The SCRM plan addresses + managing, implementation, and monitoring of SCRM controls and + the development/sustainment of systems across the SDLC to + support mission and business functions. + + + Because supply chains can differ significantly across and within organizations, + SCRM plans are tailored to the individual program, organizational, + and operational contexts. Tailored SCRM plans provide the basis for + determining whether a technology, service, system component, or system + is fit for purpose, and as such, the controls need to be tailored + accordingly. Tailored SCRM plans help organizations focus their resources + on the most critical mission and business functions based on mission + and business requirements and their risk environment. Supply chain + risk management plans include an expression of the supply chain risk + tolerance for the organization, acceptable supply chain risk mitigation + strategies or controls, a process for consistently evaluating and + monitoring supply chain risk, approaches for implementing and communicating + the plan, a description of and justification for supply chain risk + mitigation measures taken, and associated roles and responsibilities. + Finally, supply chain risk management plans address requirements for + developing trustworthy, secure, privacy-protective, and resilient + system components and systems, including the application of the security + design principles implemented as part of life cycle-based systems + security engineering processes (see [SA-8](#sa-8)). + controls: + - id: sr-2.1 + class: SP800-53-enhancement + title: Establish SCRM Team + params: + - id: sr-02.01_odp.01 + label: personnel, roles and responsibilities + guidelines: + - prose: the personnel, roles, and responsibilities of the supply + chain risk management team are defined; + - id: sr-02.01_odp.02 + label: supply chain risk management activities + guidelines: + - prose: supply chain risk management activities are defined; + props: + - name: label + value: SR-2(1) + - name: label + value: SR-02(01) + class: sp800-53a + - name: sort-id + value: sr-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sr-2" + rel: required + parts: + - id: sr-2.1_smt + name: statement + prose: "Establish a supply chain risk management team consisting\ + \ of {{ insert: param, sr-02.01_odp.01 }} to lead and support\ + \ the following SCRM activities: {{ insert: param, sr-02.01_odp.02\ + \ }}." + - id: sr-2.1_gdn + name: guidance + prose: To implement supply chain risk management plans, organizations + establish a coordinated, team-based approach to identify and assess + supply chain risks and manage these risks by using programmatic + and technical mitigation techniques. The team approach enables + organizations to conduct an analysis of their supply chain, communicate + with internal and external partners or stakeholders, and gain + broad consensus regarding the appropriate resources for SCRM. + The SCRM team consists of organizational personnel with diverse + roles and responsibilities for leading and supporting SCRM activities, + including risk executive, information technology, contracting, + information security, privacy, mission or business, legal, supply + chain and logistics, acquisition, business continuity, and other + relevant functions. Members of the SCRM team are involved in various + aspects of the SDLC and, collectively, have an awareness of and + provide expertise in acquisition processes, legal practices, vulnerabilities, + threats, and attack vectors, as well as an understanding of the + technical aspects and dependencies of systems. The SCRM team can + be an extension of the security and privacy risk management processes + or be included as part of an organizational risk management team. + - id: sr-3 + class: SP800-53 + title: Supply Chain Controls and Processes + params: + - id: sr-03_odp.01 + label: system or system component + guidelines: + - prose: the system or system component requiring a process or processes + to identify and address weaknesses or deficiencies is defined; + - id: sr-03_odp.02 + label: supply chain personnel + guidelines: + - prose: supply chain personnel with whom to coordinate the process + or processes to identify and address weaknesses or deficiencies + in the supply chain elements and processes is/are defined; + - id: sr-03_odp.03 + label: supply chain controls + guidelines: + - prose: supply chain controls employed to protect against supply + chain risks to the system, system component, or system service + and to limit the harm or consequences from supply chain-related + events are defined; + - id: sr-03_odp.04 + select: + how-many: one-or-more + choice: + - security and privacy plans + - supply chain risk management plan + - " {{ insert: param, sr-03_odp.05 }} " + - id: sr-03_odp.05 + label: document + guidelines: + - prose: the document identifying the selected and implemented supply + chain processes and controls is defined (if selected); + props: + - name: label + value: SR-3 + - name: label + value: SR-03 + class: sp800-53a + - name: sort-id + value: sr-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-29" + rel: related + - href: "#sc-30" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-3_smt + name: statement + parts: + - id: sr-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish a process or processes to identify and address\ + \ weaknesses or deficiencies in the supply chain elements and\ + \ processes of {{ insert: param, sr-03_odp.01 }} in coordination\ + \ with {{ insert: param, sr-03_odp.02 }};" + - id: sr-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to protect against supply\ + \ chain risks to the system, system component, or system service\ + \ and to limit the harm or consequences from supply chain-related\ + \ events: {{ insert: param, sr-03_odp.03 }} ; and" + - id: sr-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document the selected and implemented supply chain processes\ + \ and controls in {{ insert: param, sr-03_odp.04 }}." + - id: sr-3_gdn + name: guidance + prose: Supply chain elements include organizations, entities, or tools + employed for the research and development, design, manufacturing, + acquisition, delivery, integration, operations and maintenance, and + disposal of systems and system components. Supply chain processes + include hardware, software, and firmware development processes; shipping + and handling procedures; personnel security and physical security + programs; configuration management tools, techniques, and measures + to maintain provenance; or other programs, processes, or procedures + associated with the development, acquisition, maintenance and disposal + of systems and system components. Supply chain elements and processes + may be provided by organizations, system integrators, or external + providers. Weaknesses or deficiencies in supply chain elements or + processes represent potential vulnerabilities that can be exploited + by adversaries to cause harm to the organization and affect its ability + to carry out its core missions or business functions. Supply chain + personnel are individuals with roles and responsibilities in the supply + chain. + - id: sr-5 + class: SP800-53 + title: Acquisition Strategies, Tools, and Methods + params: + - id: sr-05_odp + label: strategies, tools, and methods + guidelines: + - prose: acquisition strategies, contract tools, and procurement methods + to protect against, identify, and mitigate supply chain risks + are defined; + props: + - name: label + value: SR-5 + - name: label + value: SR-05 + class: sp800-53a + - name: sort-id + value: sr-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#at-3" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-5_smt + name: statement + prose: "Employ the following acquisition strategies, contract tools,\ + \ and procurement methods to protect against, identify, and mitigate\ + \ supply chain risks: {{ insert: param, sr-05_odp }}." + - id: sr-5_gdn + name: guidance + prose: The use of the acquisition process provides an important vehicle + to protect the supply chain. There are many useful tools and techniques + available, including obscuring the end use of a system or system component, + using blind or filtered buys, requiring tamper-evident packaging, + or using trusted or controlled distribution. The results from a supply + chain risk assessment can guide and inform the strategies, tools, + and methods that are most applicable to the situation. Tools and techniques + may provide protections against unauthorized production, theft, tampering, + insertion of counterfeits, insertion of malicious software or backdoors, + and poor development practices throughout the system development life + cycle. Organizations also consider providing incentives for suppliers + who implement controls, promote transparency into their processes + and security and privacy practices, provide contract language that + addresses the prohibition of tainted or counterfeit components, and + restrict purchases from untrustworthy suppliers. Organizations consider + providing training, education, and awareness programs for personnel + regarding supply chain risk, available mitigation strategies, and + when the programs should be employed. Methods for reviewing and protecting + development plans, documentation, and evidence are commensurate with + the security and privacy requirements of the organization. Contracts + may specify documentation protection requirements. + - id: sr-8 + class: SP800-53 + title: Notification Agreements + params: + - id: sr-08_odp.01 + constraints: + - description: notification of supply chain compromises and results + of assessment or audits + select: + how-many: one-or-more + choice: + - notification of supply chain compromises + - " {{ insert: param, sr-08_odp.02 }} " + - id: sr-08_odp.02 + label: results of assessments or audits + guidelines: + - prose: information for which agreements and procedures are to be + established are defined (if selected); + props: + - name: label + value: SR-8 + - name: label + value: SR-08 + class: sp800-53a + - name: sort-id + value: sr-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: sr-8_smt + name: statement + prose: "Establish agreements and procedures with entities involved in\ + \ the supply chain for the system, system component, or system service\ + \ for the {{ insert: param, sr-08_odp.01 }}." + - id: sr-8_gdn + name: guidance + prose: The establishment of agreements and procedures facilitates communications + among supply chain entities. Early notification of compromises and + potential compromises in the supply chain that can potentially adversely + affect or have adversely affected organizational systems or system + components is essential for organizations to effectively respond to + such incidents. The results of assessments or audits may include open-source + information that contributed to a decision or result and could be + used to help the supply chain entity resolve a concern or improve + its processes. + - id: sr-10 + class: SP800-53 + title: Inspection of Systems or Components + params: + - id: sr-10_odp.01 + label: systems or system components + guidelines: + - prose: systems or system components that require inspection are + defined; + - id: sr-10_odp.02 + select: + how-many: one-or-more + choice: + - at random + - "at {{ insert: param, sr-10_odp.03 }} " + - "upon {{ insert: param, sr-10_odp.04 }} " + - id: sr-10_odp.03 + label: frequency + guidelines: + - prose: frequency at which to inspect systems or system components + is defined (if selected); + - id: sr-10_odp.04 + label: indications of need for inspection + guidelines: + - prose: indications of the need for an inspection of systems or system + components are defined (if selected); + props: + - name: label + value: SR-10 + - name: label + value: SR-10 + class: sp800-53a + - name: sort-id + value: sr-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-30" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-10_smt + name: statement + prose: "Inspect the following systems or system components {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01\ + \ }}." + - id: sr-10_gdn + name: guidance + prose: The inspection of systems or systems components for tamper resistance + and detection addresses physical and logical tampering and is applied + to systems and system components removed from organization-controlled + areas. Indications of a need for inspection include changes in packaging, + specifications, factory location, or entity in which the part is purchased, + and when individuals return from travel to high-risk locations. + - id: sr-11 + class: SP800-53 + title: Component Authenticity + params: + - id: sr-11_odp.01 + select: + how-many: one-or-more + choice: + - source of counterfeit component + - " {{ insert: param, sr-11_odp.02 }} " + - " {{ insert: param, sr-11_odp.03 }} " + - id: sr-11_odp.02 + label: external reporting organizations + guidelines: + - prose: external reporting organizations to whom counterfeit system + components are to be reported is/are defined (if selected); + - id: sr-11_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom counterfeit system components + are to be reported is/are defined (if selected); + props: + - name: label + value: SR-11 + - name: label + value: SR-11 + class: sp800-53a + - name: sort-id + value: sr-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#pe-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: sr-11_smt + name: statement + parts: + - id: sr-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement anti-counterfeit policy and procedures + that include the means to detect and prevent counterfeit components + from entering the system; and + - id: sr-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Report counterfeit system components to {{ insert: param,\ + \ sr-11_odp.01 }}." + - id: sr-11_gdn + name: guidance + prose: Sources of counterfeit components include manufacturers, developers, + vendors, and contractors. Anti-counterfeiting policies and procedures + support tamper resistance and provide a level of protection against + the introduction of malicious code. External reporting organizations + include CISA. + controls: + - id: sr-11.1 + class: SP800-53-enhancement + title: Anti-counterfeit Training + params: + - id: sr-11.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles requiring training to detect counterfeit + system components (including hardware, software, and firmware) + is/are defined; + props: + - name: label + value: SR-11(1) + - name: label + value: SR-11(01) + class: sp800-53a + - name: sort-id + value: sr-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sr-11" + rel: required + - href: "#at-3" + rel: related + parts: + - id: sr-11.1_smt + name: statement + prose: "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit\ + \ system components (including hardware, software, and firmware)." + - id: sr-11.1_gdn + name: guidance + prose: None. + - id: sr-11.2 + class: SP800-53-enhancement + title: Configuration Control for Component Service and Repair + params: + - id: sr-11.02_odp + label: system components + constraints: + - description: all + guidelines: + - prose: system components requiring configuration control are + defined; + props: + - name: label + value: SR-11(2) + - name: label + value: SR-11(02) + class: sp800-53a + - name: sort-id + value: sr-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#sr-11" + rel: required + - href: "#cm-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-4" + rel: related + - href: "#sa-10" + rel: related + parts: + - id: sr-11.2_smt + name: statement + prose: "Maintain configuration control over the following system\ + \ components awaiting service or repair and serviced or repaired\ + \ components awaiting return to service: {{ insert: param, sr-11.02_odp\ + \ }}." + - id: sr-11.2_gdn + name: guidance + prose: None. + - id: sr-12 + class: SP800-53 + title: Component Disposal + params: + - id: sr-12_odp.01 + label: data, documentation, tools, or system components + guidelines: + - prose: data, documentation, tools, or system components to be disposed + of are defined; + - id: sr-12_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods for disposing of data, documentation, + tools, or system components are defined; + props: + - name: label + value: SR-12 + - name: label + value: SR-12 + class: sp800-53a + - name: sort-id + value: sr-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: ATTEST + class: FedRAMP-Tailored-LI-SaaS + links: + - href: "#mp-6" + rel: related + parts: + - id: sr-12_smt + name: statement + prose: "Dispose of {{ insert: param, sr-12_odp.01 }} using the following\ + \ techniques and methods: {{ insert: param, sr-12_odp.02 }}." + - id: sr-12_gdn + name: guidance + prose: Data, documentation, tools, or system components can be disposed + of at any time during the system development life cycle (not only + in the disposal or retirement phase of the life cycle). For example, + disposal can occur during research and development, design, prototyping, + or operations/maintenance and include methods such as disk cleaning, + removal of cryptographic keys, partial reuse of components. Opportunities + for compromise during disposal affect physical and logical data, including + system documentation in paper-based or digital files; shipping and + delivery documentation; memory sticks with software code; or complete + routers or servers that include permanent media, which contain sensitive + or proprietary information. Additionally, proper disposal of system + components helps to prevent such components from entering the gray + market. back-matter: resources: + - uuid: 91f992fb-f668-4c91-a50f-0f05b95ccee3 + title: 32 CFR 2002 + citation: + text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information* + (32 C.F.R. 2002). + rlinks: + - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information + - uuid: 0f963c17-ab5a-432a-a867-91eac550309b + title: 41 CFR 201 + citation: + text: ' "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal + Register 54263 (September 1, 2020), pp 54263-54271.' + rlinks: + - href: https://www.federalregister.gov/d/2020-18939 + - uuid: a5ef5e56-5c1a-4911-b419-37dddc1b3581 + title: 5 CFR 731 + citation: + text: Code of Federal Regulations, Title 5, *Administrative Personnel* , + Section 731.106, *Designation of Public Trust Positions and Investigative + Requirements* (5 C.F.R. 731.106). + rlinks: + - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf + - uuid: 031cc4b7-9adf-4835-98f1-f1ca493519cf + title: CNSSD 505 + citation: + text: Committee on National Security Systems Directive No. 505, *Supply + Chain Risk Management (SCRM)* , August 2017. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Directives.cfm + - uuid: 4e4fbc93-333d-45e6-a875-de36b878b6b9 + title: CNSSI 1253 + citation: + text: Committee on National Security Systems Instruction No. 1253, *Security + Categorization and Control Selection for National Security Systems* , + March 2014. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm + - uuid: aa66e14f-e7cb-4a37-99d2-07578dfd4608 + title: DOD STIG + citation: + text: Defense Information Systems Agency, *Security Technical Implementation + Guides (STIG)*. + rlinks: + - href: https://public.cyber.mil/stigs + - uuid: 55b0c93a-5e48-457a-baa6-5ce81c239c49 + title: EO 13526 + citation: + text: Executive Order 13526, *Classified National Security Information* + , December 2009. + rlinks: + - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html + - uuid: 0af071a6-cf8e-48ee-8c82-fe91efa20f94 + title: EO 13587 + citation: + text: Executive Order 13587, *Structural Reforms to Improve the Security + of Classified Networks and the Responsible Sharing and Safeguarding of + Classified Information* , October 2011. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net + - uuid: 21caa535-1154-4369-ba7b-32c309fee0f7 + title: EO 13873 + citation: + text: Executive Order 13873, *Executive Order on Securing the Information + and Communications Technology and Services Supply Chain* , May 2019. + rlinks: + - href: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain + - uuid: 4ff10ed3-d8fe-4246-99e3-443045e27482 + title: FASC18 + citation: + text: Secure Technology Act [includes Federal Acquisition Supply Chain Security + Act] (P.L. 115-390), December 2018. + rlinks: + - href: https://www.congress.gov/bill/115th-congress/senate-bill/3085 + - uuid: a1555677-2b9d-4868-a97b-a1363aff32f5 + title: FED PKI + citation: + text: General Services Administration, *Federal Public Key Infrastructure*. + rlinks: + - href: https://www.idmanagement.gov/topics/fpki + - uuid: 678e3d6c-150b-4393-aec5-6e3481eb1e00 + title: FIPS 140-3 + citation: + text: "National Institute of Standards and Technology (2019) Security Requirements\ + \ for Cryptographic Modules. (U.S. Department of Commerce, Washington,\ + \ D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.140-3 + - uuid: eea3c092-42ed-4382-a6f4-1adadef01b9d + title: FIPS 180-4 + citation: + text: National Institute of Standards and Technology (2015) Secure Hash + Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 180-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.180-4 + - uuid: 7c37a38d-21d7-40d8-bc3d-b5e27eac17e1 + title: FIPS 186-4 + citation: + text: National Institute of Standards and Technology (2013) Digital Signature + Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 186-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.186-4 + - uuid: 736d6310-e403-4b57-a79d-9967970c66d7 + title: FIPS 197 + citation: + text: National Institute of Standards and Technology (2001) Advanced Encryption + Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 197. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.197 + - uuid: 628d22a1-6a11-4784-bc59-5cd9497b5445 + title: FIPS 199 + citation: + text: National Institute of Standards and Technology (2004) Standards for + Security Categorization of Federal Information and Information Systems. + (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing + Standards Publication (FIPS) 199. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.199 + - uuid: 599fb53d-5041-444e-a7fe-640d6d30ad05 + title: FIPS 200 + citation: + text: National Institute of Standards and Technology (2006) Minimum Security + Requirements for Federal Information and Information Systems. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 200. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.200 + - uuid: 7ba1d91c-3934-4d5a-8532-b32f864ad34c + title: FIPS 201-2 + citation: + text: National Institute of Standards and Technology (2013) Personal Identity + Verification (PIV) of Federal Employees and Contractors. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 201-2. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.201-2 + - uuid: a295ca19-8c75-4b4c-8800-98024732e181 + title: FIPS 202 + citation: + text: "National Institute of Standards and Technology (2015) SHA-3 Standard:\ + \ Permutation-Based Hash and Extendable-Output Functions. (U.S. Department\ + \ of Commerce, Washington, D.C.), Federal Information Processing Standards\ + \ Publication (FIPS) 202." + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.202 + - uuid: 0c67b2a9-bede-43d2-b86d-5f35b8be36e9 + title: FISMA + citation: + text: Federal Information Security Modernization Act (P.L. 113-283), December + 2014. + rlinks: + - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf + - uuid: f16e438e-7114-4144-bfe2-2dfcad8cb2d0 + title: HSPD 12 + citation: + text: Homeland Security Presidential Directive 12, Policy for a Common Identification + Standard for Federal Employees and Contractors, August 2004. + rlinks: + - href: https://www.dhs.gov/homeland-security-presidential-directive-12 + - uuid: 15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c + title: IR 7539 + citation: + text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart + Cards. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7539. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7539 + - uuid: 2be7b163-e50a-435c-8906-f1162f2a457a + title: IR 7559 + citation: + text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services + (FWS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7559. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7559 + - uuid: e24b06cc-9129-4998-a76a-65c3d7a576ba + title: IR 7622 + citation: + text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional + Supply Chain Risk Management Practices for Federal Information Systems. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7622. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7622 + - uuid: 4b38e961-1125-4a5b-aa35-1d6c02846dad + title: IR 7676 + citation: + text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity + Verification (PIV) Cards. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7676 + - uuid: aa5d04e0-6090-4e17-84d4-b9963d55fc2c + title: IR 7788 + citation: + text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks + Using Probabilistic Attack Graphs. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) + 7788. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7788 + - uuid: 91701292-8bcd-4d2e-a5bd-59ab61e34b3c + title: IR 7817 + citation: + text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for + Federated Identities. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7817 + - uuid: 4f5f51ac-2b8d-4b90-a3c7-46f56e967617 + title: IR 7849 + citation: + text: Chandramouli R (2014) A Methodology for Developing Authentication + Assurance Level Taxonomy for Smart Card-based Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 7849. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7849 + - uuid: 604774da-9e1d-48eb-9c62-4e959dc80737 + title: IR 7870 + citation: + text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7870. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7870 + - uuid: 7f473f21-fdbf-4a6c-81a1-0ab95919609d + title: IR 7874 + citation: + text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation + Metrics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7874. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7874 + - uuid: 849b2358-683f-4d97-b111-1cc3d522ded5 + title: IR 7956 + citation: + text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management + Issues & Challenges in Cloud Services. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Interagency or Internal Report + (IR) 7956. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7956 + - uuid: 3915a084-b87b-4f02-83d4-c369e746292f + title: IR 7966 + citation: + text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive + and Automated Access Management Using Secure Shell (SSH). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 7966. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7966 + - uuid: bbac9fc2-df5b-4f2d-bf99-90d0ade45349 + title: IR 8011-1 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 1: Overview. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Interagency or Internal Report\ + \ (IR) 8011, Volume 1." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-1 + - uuid: 70402863-5078-43af-9a6c-e11b0f3ec370 + title: IR 8011-2 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 2: Hardware Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 2." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-2 + - uuid: 996241f8-f692-42d5-91f1-ce8b752e39e6 + title: IR 8011-3 + citation: + text: "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for\ + \ Security Control Assessments: Volume 3: Software Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 3." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-3 + - uuid: d2ebec9b-f868-4ee1-a2bd-0b2282aed248 + title: IR 8011-4 + citation: + text: "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support\ + \ for Security Control Assessments: Volume 4: Software Vulnerability Management.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Interagency or Internal Report (IR) 8011, Volume 4." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-4 + - uuid: 4c501da5-9d79-4cb6-ba80-97260e1ce327 + title: IR 8023 + citation: + text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 8023. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8023 + - uuid: 81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5 + title: IR 8040 + citation: + text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and + Security of Permuted Passwords on Mobile Platforms. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8040. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8040 + - uuid: 98d415ca-7281-4064-9931-0c366637e324 + title: IR 8062 + citation: + text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction + to Privacy Engineering and Risk Management in Federal Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 8062. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8062 + - uuid: d4296805-2dca-4c63-a95f-eeccaa826aec + title: IR 8179 + citation: + text: "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis\ + \ Process Model: Prioritizing Systems and Components. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Interagency or\ + \ Internal Report (IR) 8179." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8179 + - uuid: 38ff38f0-1366-4f50-a4c9-26a39aacee16 + title: IR 8272 + citation: + text: Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis + Tool for Interdependent Cyber Supply Chain Risks. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8272. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8272 + - uuid: 6afc1b04-c9d6-4023-adbc-f8fbe33a3c73 + title: ISO 15408-1 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-1:2009, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 1: Introduction and general\ + \ model* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf + - uuid: 87087451-2af5-43d4-88c1-d66ad850f614 + title: ISO 15408-2 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-2:2008, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 2: Security functional\ + \ requirements* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf + - uuid: 4452efc0-e79e-47b8-aa30-b54f3ef61c2f + title: ISO 15408-3 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-3:2008, *Information technology—Security techniques\ + \ — Evaluation criteria for IT security — Part 3: Security assurance requirements*\ + \ , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf + - uuid: 15a95e24-65b6-4686-bc18-90855a10457d + title: ISO 20243 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 20243-1:2018, *Information technology — Open Trusted Technology\ + \ Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit\ + \ products — Part 1: Requirements and recommendations* , February 2018." + rlinks: + - href: https://www.iso.org/standard/74399.html + - uuid: 863caf2a-978a-4260-9e8d-4a8929bce40c + title: ISO 27036 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 27036-1:2014, *Information technology—Security techniques—Information\ + \ security for supplier relationships, Part 1: Overview and concepts*\ + \ , April 2014." + rlinks: + - href: https://www.iso.org/standard/59648.html + - uuid: 8df72805-2e5c-4731-a73e-81db0f0318d0 + title: ISO 29147 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission 29147:2018, *Information technology—Security techniques—Vulnerability + disclosure* , October 2018. + rlinks: + - href: https://www.iso.org/standard/72311.html + - uuid: 06ce9216-bd54-4054-a422-94f358b50a5d + title: ISO 29148 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) + 29148:2018, *Systems and software engineering—Life cycle processes—Requirements + engineering* , November 2018. + rlinks: + - href: https://www.iso.org/standard/72089.html + - uuid: c28ae9a8-1121-42a9-a85e-00cfcc9b9a94 + title: NARA CUI + citation: + text: National Archives and Records Administration, Controlled Unclassified + Information (CUI) Registry. + rlinks: + - href: https://www.archives.gov/cui + - uuid: d744d9a3-73eb-4085-b9ff-79e82e9e2d6e + title: NCPR + citation: + text: National Institute of Standards and Technology (2020) *National Checklist + Program Repository* . Available at + rlinks: + - href: https://nvd.nist.gov/ncp/repository + - uuid: 795aff72-3e6c-4b6b-a80a-b14d84b7f544 + title: NIAP CCEVS + citation: + text: National Information Assurance Partnership, *Common Criteria Evaluation + and Validation Scheme*. + rlinks: + - href: https://www.niap-ccevs.org + - uuid: 84dc1b0c-acb7-4269-84c4-00dbabacd78c + title: NIST CAVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Algorithm Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program + - uuid: 1acdc775-aafb-4d11-9341-dc6a822e9d38 + title: NIST CMVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Module Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-module-validation-program + - uuid: 3d575737-98cb-459d-b41c-d7e82b73ad78 + title: NSA CSFC + citation: + text: National Security Agency, *Commercial Solutions for Classified Program + (CSfC)*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/csfc + - uuid: df9f87e9-71e7-4c74-9ac3-3cabd4e92f21 + title: NSA MEDIA + citation: + text: National Security Agency, *Media Destruction Guidance*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/media-destruction + - uuid: 89f2a08d-fc49-46d0-856e-bf974c9b1573 + title: ODNI CTF + citation: + text: Office of the Director of National Intelligence (ODNI) Cyber Threat + Framework. + rlinks: + - href: https://www.dni.gov/index.php/cyber-threat-framework + - uuid: 27847491-5ce1-4f6a-a1e4-9e483782f0ef + title: OMB A-130 + citation: + text: Office of Management and Budget Memorandum Circular A-130, *Managing + Information as a Strategic Resource* , July 2016. + rlinks: + - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf + - uuid: 5f4705ac-8d17-438c-b23a-ac7f12362ae4 + title: OMB M-17-12 + citation: + text: Office of Management and Budget Memorandum M-17-12, *Preparing for + and Responding to a Breach of Personally Identifiable Information* , January + 2017. + rlinks: + - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf + - uuid: c5e11048-1d38-4af3-b00b-0d88dc26860c + title: OMB M-19-03 + citation: + text: Office of Management and Budget Memorandum M-19-03, *Strengthening + the Cybersecurity of Federal Agencies by Enhancing the High Value Asset + Program* , December 2018. + rlinks: + - href: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf + - uuid: 18e71fec-c6fd-475a-925a-5d8495cf8455 + title: PRIVACT + citation: + text: Privacy Act (P.L. 93-579), December 1974. + rlinks: + - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf + - uuid: 4c0ec2ee-a0d6-428a-9043-4504bc3ade6f + title: SP 800-100 + citation: + text: "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A\ + \ Guide for Managers. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates\ + \ as of March 7, 2007." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-100 + - uuid: 10cf2fad-a216-41f9-bb1a-531b7e3119e3 + title: SP 800-101 + citation: + text: Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device + Forensics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-101, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-101r1 + - uuid: 22f2d4f0-4365-4e88-a30d-275c1f5473ea + title: SP 800-111 + citation: + text: Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption + Technologies for End User Devices. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-111 + - uuid: 6bc4d137-aece-42a8-8081-9ecb1ebe9fb4 + title: SP 800-113 + citation: + text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-113. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-113 + - uuid: 42e37e51-7cc0-4ffa-81c9-0ac942da7e99 + title: SP 800-114 + citation: + text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring + Your Own Device (BYOD) Security. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-114r1 + - uuid: 122177fa-c4ed-485d-8345-3082c0fb9a06 + title: SP 800-115 + citation: + text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide + to Information Security Testing and Assessment. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-115. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-115 + - uuid: 2100332a-16a5-4598-bacf-7261baea9711 + title: SP 800-116 + citation: + text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) + A Recommendation for the Use of PIV Credentials in Physical Access Control + Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-116, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-116r1 + - uuid: d17ebd7a-ffab-499d-bfff-e705bbb01fa6 + title: SP 800-121 + citation: + text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone + KA (2017) Guide to Bluetooth Security. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-121r2 + - uuid: 0f66be67-85e7-4ca6-bd19-39453e9f4394 + title: SP 800-124 + citation: + text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security + of Mobile Devices in the Enterprise. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-124r1 + - uuid: 88660532-2dcf-442e-845c-03340ce48999 + title: SP 800-125B + citation: + text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual + Machine (VM) Protection. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-125B + - uuid: 8016d2ed-d30f-4416-9c45-0f42c7aa3232 + title: SP 800-126 + citation: + text: "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018)\ + \ The Technical Specification for the Security Content Automation Protocol\ + \ (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-126r3 + - uuid: 20db4e66-e257-450c-b2e4-2bb9a62a2c88 + title: SP 800-128 + citation: + text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for + Security-Focused Configuration Management of Information Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-128, Includes updates as of October 10, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-128 + - uuid: c7ac44e8-10db-4b64-b2b9-9e32ec1efed0 + title: SP 800-12 + citation: + text: Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information + Security. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-12, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-12r1 + - uuid: 3653e316-8923-430e-8943-b3b2b2562fc6 + title: SP 800-130 + citation: + text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for + Designing Cryptographic Key Management Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-130. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-130 + - uuid: 62ea77ca-e450-4323-b210-e0d75390e785 + title: SP 800-137A + citation: + text: "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S\ + \ (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs:\ + \ Developing an ISCM Program Assessment. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137A + - uuid: 067223d8-1ec7-45c5-b21b-c848da6de8fb + title: SP 800-137 + citation: + text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh + AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring + (ISCM) for Federal Information Systems and Organizations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-137. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137 + - uuid: 9ef4b43c-42a4-4316-87dc-ffaf528bc05c + title: SP 800-150 + citation: + text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) + Guide to Cyber Threat Information Sharing. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-150 + - uuid: 2494df28-9049-4196-b233-540e7440993f + title: SP 800-152 + citation: + text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal + Cryptographic Key Management Systems (CKMS). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-152 + - uuid: d9e036ba-6eec-46a6-9340-b0bf1fea23b4 + title: SP 800-156 + citation: + text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady + S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-156. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-156 + - uuid: e3cc0520-a366-4fc9-abc2-5272db7e3564 + title: SP 800-160-1 + citation: + text: "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering:\ + \ Considerations for a Multidisciplinary Approach in the Engineering of\ + \ Trustworthy Secure Systems. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes\ + \ updates as of March 21, 2018." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v1 + - uuid: 61ccf0f4-d3e7-42db-9796-ce6cb1c85989 + title: SP 800-160-2 + citation: + text: "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing\ + \ Cyber Resilient Systems: A Systems Security Engineering Approach. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-160, Vol. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v2 + - uuid: e8e84963-14fc-4c3a-be05-b412a5d37cd2 + title: SP 800-161 + citation: + text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk + Management Practices for Federal Information Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-161. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-161 + - uuid: 2956e175-f674-43f4-b1b9-e074ad9fc39c + title: SP 800-162 + citation: + text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone + KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and + Considerations. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-162, Includes updates as of August + 2, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-162 + - uuid: e8552d48-cf41-40aa-8b06-f45f7fb4706c + title: SP 800-166 + citation: + text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady + S (2016) Derived PIV Application and Data Model Test Guidelines. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-166. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-166 + - uuid: 38f39739-1ebd-43b1-8b8c-00f591d89ebd + title: SP 800-167 + citation: + text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application + Whitelisting. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-167. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-167 + - uuid: 7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849 + title: SP 800-171 + citation: + text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting + Controlled Unclassified Information in Nonfederal Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-171, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-171r2 + - uuid: f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e + title: SP 800-172 + citation: + text: "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau\ + \ D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified\ + \ Information: A Supplement to NIST Special Publication 800-171 (Final\ + \ Public Draft). (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-172." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-172-draft + - uuid: 1c71b420-2bd9-4e52-9fc8-390f58b85b59 + title: SP 800-177 + citation: + text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy + Email. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-177, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-177r1 + - uuid: 388a3aa2-5d85-4bad-b8a3-77db80d63c4f + title: SP 800-178 + citation: + text: "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of\ + \ Attribute Based Access Control (ABAC) Standards for Data Service Applications:\ + \ Extensible Access Control Markup Language (XACML) and Next Generation\ + \ Access Control (NGAC). (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-178." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-178 + - uuid: 276bd50a-7e58-48e5-a405-8c8cb91d7a5f + title: SP 800-181 + citation: + text: Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce + Framework for Cybersecurity (NICE Framework). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-181r1 + - uuid: 31ae65ab-3f26-46b7-9d64-f25a4dac5778 + title: SP 800-184 + citation: + text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya + MP (2016) Guide for Cybersecurity Event Recovery. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-184. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-184 + - uuid: f5edfe51-d1f2-422e-9b27-5d0e90b49c72 + title: SP 800-189 + citation: + text: "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange:\ + \ BGP Security and DDoS Mitigation. (National Institute of Standards and\ + \ Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-189 + - uuid: 30eb758a-2707-4bca-90ad-949a74d4eb16 + title: SP 800-18 + citation: + text: Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans + for Federal Information Systems. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. + 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-18r1 + - uuid: 53df282b-8b3f-483a-bad1-6a8b8ac00114 + title: SP 800-192 + citation: + text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access + Control Policies/Models. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-192. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-192 + - uuid: 08b07465-dbdc-48d6-8a0b-37279602ac16 + title: SP 800-30 + citation: + text: Joint Task Force Transformation Initiative (2012) Guide for Conducting + Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-30, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-30r1 + - uuid: bc39f179-c735-4da2-b7a7-b2b622119755 + title: SP 800-34 + citation: + text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency + Planning Guide for Federal Information Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-34r1 + - uuid: 77faf0bc-c394-44ad-9154-bbac3b79c8ad + title: SP 800-35 + citation: + text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information + Technology Security Services. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-35. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-35 + - uuid: 482e4c99-9dc4-41ad-bba8-0f3f0032c1f8 + title: SP 800-37 + citation: + text: "Joint Task Force (2018) Risk Management Framework for Information\ + \ Systems and Organizations: A System Life Cycle Approach for Security\ + \ and Privacy. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-37, Rev. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-37r2 + - uuid: cec037f3-8aba-4c97-84b4-4082f9e515d2 + title: SP 800-39 + citation: + text: "Joint Task Force Transformation Initiative (2011) Managing Information\ + \ Security Risk: Organization, Mission, and Information System View. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-39." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-39 + - uuid: 155f941a-cba9-4afd-9ca6-5d040d697ba9 + title: SP 800-40 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management + Technologies. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-40, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-40r3 + - uuid: a7f0e897-29a3-45c4-bd88-40dfef0e034a + title: SP 800-41 + citation: + text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall + Policy. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-41, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-41r1 + - uuid: 83b9d63b-66b1-467c-9f3b-3a0b108771e9 + title: SP 800-46 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote + Access, and Bring Your Own Device (BYOD) Security. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-46, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-46r2 + - uuid: c3a76872-e160-4267-99e8-6952de967d04 + title: SP 800-47 + citation: + text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide + for Interconnecting Information Technology Systems. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-47. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-47 + - uuid: 511f6832-23ca-49a3-8c0f-ce493373cab8 + title: SP 800-50 + citation: + text: Wilson M, Hash J (2003) Building an Information Technology Security + Awareness and Training Program. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-50. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-50 + - uuid: 7537638e-2837-407d-844b-40fb3fafdd99 + title: SP 800-52 + citation: + text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, + and Use of Transport Layer Security (TLS) Implementations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-52, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-52r2 + - uuid: a21aef46-7330-48a0-b2e1-c5bb8b2dd11d + title: SP 800-53A + citation: + text: "Joint Task Force Transformation Initiative (2014) Assessing Security\ + \ and Privacy Controls in Federal Information Systems and Organizations:\ + \ Building Effective Assessment Plans. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A,\ + \ Rev. 4, Includes updates as of December 18, 2014." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 + - uuid: 46d9e201-840e-440e-987c-2c773333c752 + title: SP 800-53B + citation: + text: Joint Task Force (2020) Control Baselines and Tailoring Guidance for + Federal Information Systems and Organizations. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-53B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53B + - uuid: 20957dbb-6a1e-40a2-b38a-66f67d33ac2e + title: SP 800-56A + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation + for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-56A, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 + - uuid: 0d083d8a-5cc6-46f1-8d79-3081d42bcb75 + title: SP 800-56B + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) + Recommendation for Pair-Wise Key-Establishment Using Integer Factorization + Cryptography. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-56B, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Br2 + - uuid: eef62b16-c796-4554-955c-505824135b8a + title: SP 800-56C + citation: + text: Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation + Methods in Key-Establishment Schemes. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Cr2 + - uuid: 110e26af-4765-49e1-8740-6750f83fcda1 + title: SP 800-57-1 + citation: + text: "Barker EB (2020) Recommendation for Key Management: Part 1 – General.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt1r5 + - uuid: e7942589-e267-4a5a-a3d9-f39a7aae81f0 + title: SP 800-57-2 + citation: + text: "Barker EB, Barker WC (2019) Recommendation for Key Management: Part\ + \ 2 – Best Practices for Key Management Organizations. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 + - uuid: 8306620b-1920-4d73-8b21-12008528595f + title: SP 800-57-3 + citation: + text: "Barker EB, Dang QH (2015) Recommendation for Key Management, Part\ + \ 3: Application-Specific Key Management Guidance. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 3, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 + - uuid: e72fde0b-6fc2-497e-a9db-d8fce5a11b8a + title: SP 800-60-1 + citation: + text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide + for Mapping Types of Information and Information Systems to Security Categories. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-60, Vol. 1, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 + - uuid: 9be5d661-421f-41ad-854e-86f98b811891 + title: SP 800-60-2 + citation: + text: "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for\ + \ Mapping Types of Information and Information Systems to Security Categories:\ + \ Appendices. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 + - uuid: 49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb + title: SP 800-61 + citation: + text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security + Incident Handling Guide. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-61r2 + - uuid: 737513fa-6758-403f-831d-5ddab5e23cb3 + title: SP 800-63-3 + citation: + text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63-3 + - uuid: e59c5a7c-8b1f-49ca-8de0-6ee0882180ce + title: SP 800-63B + citation: + text: "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr\ + \ WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos\ + \ MF (2017) Digital Identity Guidelines: Authentication and Lifecycle\ + \ Management. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-63B, Includes updates as of March\ + \ 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63b + - uuid: 4895b4cd-34c5-4667-bf8a-27d443c12047 + title: SP 800-70 + citation: + text: "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist\ + \ Program for IT Products: Guidelines for Checklist Users and Developers.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-70, Rev. 4." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-70r4 + - uuid: 858705be-3c1f-48aa-a328-0ce398d95ef0 + title: SP 800-73-4 + citation: + text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, + Mohler J (2015) Interfaces for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-73-4 + - uuid: 7af2e6ec-9f7e-4232-ad3f-09888eb0793a + title: SP 800-76-2 + citation: + text: Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications + for Personal Identity Verification. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-76-2 + - uuid: d4d7c760-2907-403b-8b2a-767ca5370ecd + title: SP 800-77 + citation: + text: Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide + to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-77, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-77r1 + - uuid: 828856bd-d7c4-427b-8b51-815517ec382d + title: SP 800-78-4 + citation: + text: Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic + Algorithms and Key Sizes for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-78-4. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-78-4 + - uuid: 10963761-58fc-4b20-b3d6-b44a54daba03 + title: SP 800-79-2 + citation: + text: Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) + Guidelines for the Authorization of Personal Identity Verification Card + Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-79-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-79-2 + - uuid: fe209006-bfd4-4033-a79a-9fee1adaf372 + title: SP 800-81-2 + citation: + text: Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment + Guide. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-81-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-81-2 + - uuid: 3dd249b0-f57d-44ba-a03e-c3eab1b835ff + title: SP 800-83 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention + and Handling for Desktops and Laptops. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-83r1 + - uuid: 53be2fcf-cfd1-4bcb-896b-9a3b65c22098 + title: SP 800-84 + citation: + text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide + to Test, Training, and Exercise Programs for IT Plans and Capabilities. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-84. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-84 + - uuid: cfdb1858-c473-46b3-89f9-a700308d0be2 + title: SP 800-86 + citation: + text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating + Forensic Techniques into Incident Response. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-86 + - uuid: a5b1d18d-e670-4586-9e6d-4a88b7ba3df6 + title: SP 800-88 + citation: + text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for + Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-88, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-88r1 + - uuid: 5eee45d8-3313-4fdc-8d54-1742092bbdd6 + title: SP 800-92 + citation: + text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-92. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-92 + - uuid: 25e3e57b-dc2f-4934-af9b-050b020c6f0e + title: SP 800-94 + citation: + text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention + Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-94. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-94 + - uuid: 03fb73bc-1b12-4182-bd96-e5719254ea61 + title: SP 800-97 + citation: + text: "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless\ + \ Robust Security Networks: A Guide to IEEE 802.11i. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-97." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-97 + - uuid: 13f0c39d-eaf7-417a-baef-69a041878bb5 + title: USA PATRIOT + citation: + text: USA Patriot Act (P.L. 107-56), October 2001. + rlinks: + - href: https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf + - uuid: e922fc50-b1f9-469f-92ef-ed7d9803611c + title: USC 2901 + citation: + text: United States Code, 2008 Edition, Title 44 - *Public Printing and + Documents* , Chapters 29, 31, and 33, January 2012. + rlinks: + - href: https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf + - uuid: 40b78258-c892-480e-9af8-77ac36648301 + title: USCERT IR + citation: + text: Department of Homeland Security, *US-CERT Federal Incident Notification + Guidelines* , April 2017. + rlinks: + - href: https://us-cert.cisa.gov/incident-notification-guidelines + - uuid: 98498928-3ca3-44b3-8b1e-f48685373087 + title: USGCB + citation: + text: National Institute of Standards and Technology (2020) *United States + Government Configuration Baseline* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline + - uuid: c3397cc9-83c6-4459-adb2-836739dc1b94 + title: "NIST Special Publication 800-53, Revision 5: * Security and Privacy\ + \ Controls for Information Systems and Organizations* (PDF)" + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf + media-type: application/pdf - uuid: 985475ee-d4d6-4581-8fdf-d84d3d8caa48 title: FedRAMP Applicable Laws and Regulations rlinks: diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline_profile.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline_profile.yaml index 4b1c47189..d314ec065 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline_profile.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LI-SaaS-baseline_profile.yaml @@ -3123,5 +3123,5 @@ profile: - name: version value: 5.1.1 rlinks: - - href: https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + - href: https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml media-type: application/oscal+yaml diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.yaml index a26174a85..e386d07b4 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline-resolved-profile_catalog.yaml @@ -1,10 +1,10 @@ --- catalog: - uuid: 3692455f-a09d-4523-b9c7-8f4630c06ba4 + uuid: 35042880-1779-490e-aca6-409ea1086471 metadata: title: FedRAMP Rev 5 Low Baseline published: 2023-08-31T00:00:00Z - last-modified: 2023-12-18T20:27:49.732066-05:00 + last-modified: 2024-01-11T18:07:47.981586-05:00 version: 5.1.1+fedramp-20231218-0 oscal-version: 1.1.1 links: @@ -60,8 +60,46202 @@ catalog: - role-id: fedramp-jab party-uuids: - ca9ba80e-1342-4bfd-b32a-abac468c24b4 + groups: + - id: ac + class: family + title: Access Control + controls: + - id: ac-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ac-1_prm_1 + label: organization-defined personnel or roles + - id: ac-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control policy is to + be disseminated is/are defined; + - id: ac-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control procedures + are to be disseminated is/are defined; + - id: ac-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ac-01_odp.04 + label: official + guidelines: + - prose: an official to manage the access control policy and procedures + is defined; + - id: ac-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current access control policy + is reviewed and updated is defined; + - id: ac-01_odp.06 + label: events + guidelines: + - prose: events that would require the current access control policy + to be reviewed and updated are defined; + - id: ac-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current access control procedures + are reviewed and updated is defined; + - id: ac-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AC-1 + - name: label + value: AC-01 + class: sp800-53a + - name: sort-id + value: ac-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ia-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ac-1_smt + name: statement + parts: + - id: ac-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ac-1_prm_1 }}:" + parts: + - id: ac-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-01_odp.03 }} access control policy\ + \ that:" + parts: + - id: ac-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ac-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ac-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the access + control policy and the associated access controls; + - id: ac-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ac-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - id: ac-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current access control:" + parts: + - id: ac-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ac-01_odp.05 }} and following\ + \ {{ insert: param, ac-01_odp.06 }} ; and" + - id: ac-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ac-01_odp.07 }} and following\ + \ {{ insert: param, ac-01_odp.08 }}." + - id: ac-1_gdn + name: guidance + prose: Access control policy and procedures address the controls in + the AC family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of access control + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to access control policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ac-1_obj + name: assessment-objective + props: + - name: label + value: AC-01 + class: sp800-53a + parts: + - id: ac-1_obj.a + name: assessment-objective + props: + - name: label + value: AC-01a. + class: sp800-53a + parts: + - id: ac-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.[01] + class: sp800-53a + prose: an access control policy is developed and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.[02] + class: sp800-53a + prose: "the access control policy is disseminated to {{ insert:\ + \ param, ac-01_odp.01 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.[03] + class: sp800-53a + prose: access control procedures to facilitate the implementation + of the access control policy and associated controls are developed + and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.[04] + class: sp800-53a + prose: "the access control procedures are disseminated to {{\ + \ insert: param, ac-01_odp.02 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-01a.01 + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AC-01a.01(a) + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses purpose;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses scope;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses roles;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses responsibilities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses management commitment;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses compliance;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access control\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ac-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1" + rel: assessment-for + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.b + name: assessment-objective + props: + - name: label + value: AC-01b. + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures;" + links: + - href: "#ac-1_smt.b" + rel: assessment-for + - id: ac-1_obj.c + name: assessment-objective + props: + - name: label + value: AC-01c. + class: sp800-53a + parts: + - id: ac-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-01c.01 + class: sp800-53a + parts: + - id: ac-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AC-01c.01[01] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated {{ insert: param, ac-01_odp.05 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AC-01c.01[02] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated following {{ insert: param, ac-01_odp.06 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-01c.02 + class: sp800-53a + parts: + - id: ac-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AC-01c.02[01] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated {{ insert: param, ac-01_odp.07 }};" + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + - id: ac-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AC-01c.02[02] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated following {{ insert: param, ac-01_odp.08\ + \ }}." + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c" + rel: assessment-for + links: + - href: "#ac-1_smt" + rel: assessment-for + - id: ac-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access control + responsibilities + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2 + class: SP800-53 + title: Account Management + params: + - id: ac-02_odp.01 + label: prerequisites and criteria + guidelines: + - prose: prerequisites and criteria for group and role membership + are defined; + - id: ac-02_odp.02 + label: attributes (as required) + guidelines: + - prose: attributes (as required) for each account are defined; + - id: ac-02_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles required to approve requests to create + accounts is/are defined; + - id: ac-02_odp.04 + label: policy, procedures, prerequisites, and criteria + guidelines: + - prose: policy, procedures, prerequisites, and criteria for account + creation, enabling, modification, disabling, and removal are defined; + - id: ac-02_odp.05 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified is/are defined; + - id: ac-02_odp.06 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify account managers when + accounts are no longer required is defined; + - id: ac-02_odp.07 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: "time period within which to notify account managers when\ + \ users are terminated or transferred is defined; " + - id: ac-02_odp.08 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: time period within which to notify account managers when + system usage or the need to know changes for an individual is + defined; + - id: ac-02_odp.09 + label: attributes (as required) + guidelines: + - prose: attributes needed to authorize system access (as required) + are defined; + - id: ac-02_odp.10 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency of account review is defined; + props: + - name: label + value: AC-2 + - name: label + value: AC-02 + class: sp800-53a + - name: sort-id + value: ac-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#53df282b-8b3f-483a-bad1-6a8b8ac00114" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-24" + rel: related + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ac-2_smt + name: statement + parts: + - id: ac-2_smt.a + name: item + props: + - name: label + value: a. + prose: Define and document the types of accounts allowed and specifically + prohibited for use within the system; + - id: ac-2_smt.b + name: item + props: + - name: label + value: b. + prose: Assign account managers; + - id: ac-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require {{ insert: param, ac-02_odp.01 }} for group and\ + \ role membership;" + - id: ac-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Specify:" + parts: + - id: ac-2_smt.d.1 + name: item + props: + - name: label + value: "1." + prose: Authorized users of the system; + - id: ac-2_smt.d.2 + name: item + props: + - name: label + value: "2." + prose: Group and role membership; and + - id: ac-2_smt.d.3 + name: item + props: + - name: label + value: "3." + prose: "Access authorizations (i.e., privileges) and {{ insert:\ + \ param, ac-02_odp.02 }} for each account;" + - id: ac-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Require approvals by {{ insert: param, ac-02_odp.03 }} for\ + \ requests to create accounts;" + - id: ac-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Create, enable, modify, disable, and remove accounts in\ + \ accordance with {{ insert: param, ac-02_odp.04 }};" + - id: ac-2_smt.g + name: item + props: + - name: label + value: g. + prose: Monitor the use of accounts; + - id: ac-2_smt.h + name: item + props: + - name: label + value: h. + prose: "Notify account managers and {{ insert: param, ac-02_odp.05\ + \ }} within:" + parts: + - id: ac-2_smt.h.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-02_odp.06 }} when accounts are\ + \ no longer required;" + - id: ac-2_smt.h.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, ac-02_odp.07 }} when users are terminated\ + \ or transferred; and" + - id: ac-2_smt.h.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.08 }} when system usage\ + \ or need-to-know changes for an individual;" + - id: ac-2_smt.i + name: item + props: + - name: label + value: i. + prose: "Authorize access to the system based on:" + parts: + - id: ac-2_smt.i.1 + name: item + props: + - name: label + value: "1." + prose: A valid access authorization; + - id: ac-2_smt.i.2 + name: item + props: + - name: label + value: "2." + prose: Intended system usage; and + - id: ac-2_smt.i.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.09 }};" + - id: ac-2_smt.j + name: item + props: + - name: label + value: j. + prose: "Review accounts for compliance with account management requirements\ + \ {{ insert: param, ac-02_odp.10 }};" + - id: ac-2_smt.k + name: item + props: + - name: label + value: k. + prose: Establish and implement a process for changing shared or + group account authenticators (if deployed) when individuals are + removed from the group; and + - id: ac-2_smt.l + name: item + props: + - name: label + value: l. + prose: Align account management processes with personnel termination + and transfer processes. + - id: ac-2_gdn + name: guidance + prose: >- + Examples of system account types include individual, shared, + group, system, guest, anonymous, emergency, developer, + temporary, and service. Identification of authorized system + users and the specification of access privileges reflect the + requirements in other controls in the security plan. Users + requiring administrative privileges on system accounts receive + additional scrutiny by organizational personnel responsible for + approving such accounts and privileged access, including system + owner, mission or business owner, senior agency information + security officer, or senior agency official for privacy. Types + of accounts that organizations may wish to prohibit due to + increased risk include shared, group, emergency, anonymous, + temporary, and guest accounts. + + + Where access involves personally identifiable information, security + programs collaborate with the senior agency official for privacy to + establish the specific conditions for group and role membership; specify + authorized users, group and role membership, and access authorizations + for each account; and create, adjust, or remove system accounts in + accordance with organizational policies. Policies can include such + information as account expiration dates or other factors that trigger + the disabling of accounts. Organizations may choose to define access + privileges or other attributes by account, type of account, or a combination + of the two. Examples of other attributes required for authorizing + access include restrictions on time of day, day of week, and point + of origin. In defining other system account attributes, organizations + consider system-related requirements and mission/business requirements. + Failure to consider these factors could affect system availability. + + + Temporary and emergency accounts are intended for short-term use. + Organizations establish temporary accounts as part of normal account + activation procedures when there is a need for short-term accounts + without the demand for immediacy in account activation. Organizations + establish emergency accounts in response to crisis situations and + with the need for rapid account activation. Therefore, emergency account + activation may bypass normal account authorization processes. Emergency + and temporary accounts are not to be confused with infrequently used + accounts, including local logon accounts used for special tasks or + when network resources are unavailable (may also be known as accounts + of last resort). Such accounts remain available and are not subject + to automatic disabling or removal dates. Conditions for disabling + or deactivating accounts include when shared/group, emergency, or + temporary accounts are no longer required and when individuals are + transferred or terminated. Changing shared/group authenticators when + members leave the group is intended to ensure that former group members + do not retain access to the shared or group account. Some types of + system accounts may require specialized training. + - id: ac-2_obj + name: assessment-objective + props: + - name: label + value: AC-02 + class: sp800-53a + parts: + - id: ac-2_obj.a + name: assessment-objective + props: + - name: label + value: AC-02a. + class: sp800-53a + parts: + - id: ac-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-02a.[01] + class: sp800-53a + prose: account types allowed for use within the system are defined + and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-02a.[02] + class: sp800-53a + prose: account types specifically prohibited for use within + the system are defined and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.b + name: assessment-objective + props: + - name: label + value: AC-02b. + class: sp800-53a + prose: account managers are assigned; + links: + - href: "#ac-2_smt.b" + rel: assessment-for + - id: ac-2_obj.c + name: assessment-objective + props: + - name: label + value: AC-02c. + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.01 }} for group and role membership\ + \ are required;" + links: + - href: "#ac-2_smt.c" + rel: assessment-for + - id: ac-2_obj.d + name: assessment-objective + props: + - name: label + value: AC-02d. + class: sp800-53a + parts: + - id: ac-2_obj.d.1 + name: assessment-objective + props: + - name: label + value: AC-02d.01 + class: sp800-53a + prose: authorized users of the system are specified; + links: + - href: "#ac-2_smt.d.1" + rel: assessment-for + - id: ac-2_obj.d.2 + name: assessment-objective + props: + - name: label + value: AC-02d.02 + class: sp800-53a + prose: group and role membership are specified; + links: + - href: "#ac-2_smt.d.2" + rel: assessment-for + - id: ac-2_obj.d.3 + name: assessment-objective + props: + - name: label + value: AC-02d.03 + class: sp800-53a + parts: + - id: ac-2_obj.d.3-1 + name: assessment-objective + props: + - name: label + value: AC-02d.03[01] + class: sp800-53a + prose: access authorizations (i.e., privileges) are specified + for each account; + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + - id: ac-2_obj.d.3-2 + name: assessment-objective + props: + - name: label + value: AC-02d.03[02] + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.02 }} are specified\ + \ for each account;" + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d" + rel: assessment-for + - id: ac-2_obj.e + name: assessment-objective + props: + - name: label + value: AC-02e. + class: sp800-53a + prose: "approvals are required by {{ insert: param, ac-02_odp.03\ + \ }} for requests to create accounts;" + links: + - href: "#ac-2_smt.e" + rel: assessment-for + - id: ac-2_obj.f + name: assessment-objective + props: + - name: label + value: AC-02f. + class: sp800-53a + parts: + - id: ac-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: AC-02f.[01] + class: sp800-53a + prose: "accounts are created in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: AC-02f.[02] + class: sp800-53a + prose: "accounts are enabled in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-3 + name: assessment-objective + props: + - name: label + value: AC-02f.[03] + class: sp800-53a + prose: "accounts are modified in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-4 + name: assessment-objective + props: + - name: label + value: AC-02f.[04] + class: sp800-53a + prose: "accounts are disabled in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-5 + name: assessment-objective + props: + - name: label + value: AC-02f.[05] + class: sp800-53a + prose: "accounts are removed in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.g + name: assessment-objective + props: + - name: label + value: AC-02g. + class: sp800-53a + prose: "the use of accounts is monitored; " + links: + - href: "#ac-2_smt.g" + rel: assessment-for + - id: ac-2_obj.h + name: assessment-objective + props: + - name: label + value: AC-02h. + class: sp800-53a + parts: + - id: ac-2_obj.h.1 + name: assessment-objective + props: + - name: label + value: AC-02h.01 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.06 }}\ + \ when accounts are no longer required;" + links: + - href: "#ac-2_smt.h.1" + rel: assessment-for + - id: ac-2_obj.h.2 + name: assessment-objective + props: + - name: label + value: AC-02h.02 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.07 }}\ + \ when users are terminated or transferred;" + links: + - href: "#ac-2_smt.h.2" + rel: assessment-for + - id: ac-2_obj.h.3 + name: assessment-objective + props: + - name: label + value: AC-02h.03 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.08 }}\ + \ when system usage or the need to know changes for an individual;" + links: + - href: "#ac-2_smt.h.3" + rel: assessment-for + links: + - href: "#ac-2_smt.h" + rel: assessment-for + - id: ac-2_obj.i + name: assessment-objective + props: + - name: label + value: AC-02i. + class: sp800-53a + parts: + - id: ac-2_obj.i.1 + name: assessment-objective + props: + - name: label + value: AC-02i.01 + class: sp800-53a + prose: access to the system is authorized based on a valid access + authorization; + links: + - href: "#ac-2_smt.i.1" + rel: assessment-for + - id: ac-2_obj.i.2 + name: assessment-objective + props: + - name: label + value: AC-02i.02 + class: sp800-53a + prose: access to the system is authorized based on intended + system usage; + links: + - href: "#ac-2_smt.i.2" + rel: assessment-for + - id: ac-2_obj.i.3 + name: assessment-objective + props: + - name: label + value: AC-02i.03 + class: sp800-53a + prose: "access to the system is authorized based on {{ insert:\ + \ param, ac-02_odp.09 }};" + links: + - href: "#ac-2_smt.i.3" + rel: assessment-for + links: + - href: "#ac-2_smt.i" + rel: assessment-for + - id: ac-2_obj.j + name: assessment-objective + props: + - name: label + value: AC-02j. + class: sp800-53a + prose: "accounts are reviewed for compliance with account management\ + \ requirements {{ insert: param, ac-02_odp.10 }};" + links: + - href: "#ac-2_smt.j" + rel: assessment-for + - id: ac-2_obj.k + name: assessment-objective + props: + - name: label + value: AC-02k. + class: sp800-53a + parts: + - id: ac-2_obj.k-1 + name: assessment-objective + props: + - name: label + value: AC-02k.[01] + class: sp800-53a + prose: a process is established for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.k-2 + name: assessment-objective + props: + - name: label + value: AC-02k.[02] + class: sp800-53a + prose: a process is implemented for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.l + name: assessment-objective + props: + - name: label + value: AC-02l. + class: sp800-53a + parts: + - id: ac-2_obj.l-1 + name: assessment-objective + props: + - name: label + value: AC-02l.[01] + class: sp800-53a + prose: account management processes are aligned with personnel + termination processes; + links: + - href: "#ac-2_smt.l" + rel: assessment-for + - id: ac-2_obj.l-2 + name: assessment-objective + props: + - name: label + value: AC-02l.[02] + class: sp800-53a + prose: account management processes are aligned with personnel + transfer processes. + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt" + rel: assessment-for + - id: ac-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + personnel termination policy and procedure + + + personnel transfer policy and procedure + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + list of active system accounts along with the name of the individual + associated with each account + + + list of recently disabled system accounts and the name of the + individual associated with each account + + + list of conditions for group and role membership + + + notifications of recent transfers, separations, or terminations + of employees + + + access authorization records + + + account management compliance reviews + + + system monitoring records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ac-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for account management on the + system + + + mechanisms for implementing account management + - id: ac-3 + class: SP800-53 + title: Access Enforcement + props: + - name: label + value: AC-3 + - name: label + value: AC-03 + class: sp800-53a + - name: sort-id + value: ac-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-21" + rel: related + - href: "#ac-22" + rel: related + - href: "#ac-24" + rel: related + - href: "#ac-25" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-4" + rel: related + - href: "#si-8" + rel: related + parts: + - id: ac-3_smt + name: statement + prose: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control + policies. + - id: ac-3_gdn + name: guidance + prose: Access control policies control access between active entities + or subjects (i.e., users or processes acting on behalf of users) and + passive entities or objects (i.e., devices, files, records, domains) + in organizational systems. In addition to enforcing authorized access + at the system level and recognizing that systems can host many applications + and services in support of mission and business functions, access + enforcement mechanisms can also be employed at the application and + service level to provide increased information security and privacy. + In contrast to logical access controls that are implemented within + the system, physical access controls are addressed by the controls + in the Physical and Environmental Protection ( [PE](#pe) ) family. + - id: ac-3_obj + name: assessment-objective + props: + - name: label + value: AC-03 + class: sp800-53a + prose: approved authorizations for logical access to information and + system resources are enforced in accordance with applicable access + control policies. + links: + - href: "#ac-3_smt" + rel: assessment-for + - id: ac-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing access enforcement + + system design documentation + + system configuration settings and associated documentation + + list of approved authorizations (user privileges) + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access enforcement + responsibilities + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy + - id: ac-7 + class: SP800-53 + title: Unsuccessful Logon Attempts + params: + - id: ac-07_odp.01 + label: number + guidelines: + - prose: the number of consecutive invalid logon attempts by a user + allowed during a time period is defined; + - id: ac-07_odp.02 + label: time period + guidelines: + - prose: the time period to which the number of consecutive invalid + logon attempts by a user is limited is defined; + - id: ac-07_odp.03 + select: + how-many: one-or-more + choice: + - "lock the account or node for {{ insert: param, ac-07_odp.04 }} " + - lock the account or node until released by an administrator + - "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} " + - notify system administrator + - "take other {{ insert: param, ac-07_odp.06 }} " + - id: ac-07_odp.04 + label: time period + guidelines: + - prose: time period for an account or node to be locked is defined + (if selected); + - id: ac-07_odp.05 + label: delay algorithm + guidelines: + - prose: delay algorithm for the next logon prompt is defined (if + selected); + - id: ac-07_odp.06 + label: action + guidelines: + - prose: other action to be taken when the maximum number of unsuccessful + attempts is exceeded is defined (if selected); + props: + - name: label + value: AC-7 + - name: label + value: AC-07 + class: sp800-53a + - name: sort-id + value: ac-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-9" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-5" + rel: related + parts: + - id: ac-7_smt + name: statement + parts: + - id: ac-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during a {{ insert: param,\ + \ ac-07_odp.02 }} ; and" + - id: ac-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + - id: ac-7_fr + name: item + title: AC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: In alignment with NIST SP 800-63B + - id: ac-7_gdn + name: guidance + prose: The need to limit unsuccessful logon attempts and take subsequent + action when the maximum number of attempts is exceeded applies regardless + of whether the logon occurs via a local or network connection. Due + to the potential for denial of service, automatic lockouts initiated + by systems are usually temporary and automatically release after a + predetermined, organization-defined time period. If a delay algorithm + is selected, organizations may employ different algorithms for different + components of the system based on the capabilities of those components. + Responses to unsuccessful logon attempts may be implemented at the + operating system and the application levels. Organization-defined + actions that may be taken when the number of allowed consecutive invalid + logon attempts is exceeded include prompting the user to answer a + secret question in addition to the username and password, invoking + a lockdown mode with limited user capabilities (instead of full lockout), + allowing users to only logon from specified Internet Protocol (IP) + addresses, requiring a CAPTCHA to prevent automated attacks, or applying + user profiles such as location, time of day, IP address, device, or + Media Access Control (MAC) address. If automatic system lockout or + execution of a delay algorithm is not implemented in support of the + availability objective, organizations consider a combination of other + actions to help prevent brute force attacks. In addition to the above, + organizations can prompt users to respond to a secret question before + the number of allowed unsuccessful logon attempts is exceeded. Automatically + unlocking an account after a specified period of time is generally + not permitted. However, exceptions may be required based on operational + mission or need. + - id: ac-7_obj + name: assessment-objective + props: + - name: label + value: AC-07 + class: sp800-53a + parts: + - id: ac-7_obj.a + name: assessment-objective + props: + - name: label + value: AC-07a. + class: sp800-53a + prose: "a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during {{ insert: param, ac-07_odp.02\ + \ }} is enforced;" + links: + - href: "#ac-7_smt.a" + rel: assessment-for + - id: ac-7_obj.b + name: assessment-objective + props: + - name: label + value: AC-07b. + class: sp800-53a + prose: "automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + links: + - href: "#ac-7_smt.b" + rel: assessment-for + links: + - href: "#ac-7_smt" + rel: assessment-for + - id: ac-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing unsuccessful logon attempts + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system developers + + + system/network administrators + - id: ac-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for unsuccessful + logon attempts + - id: ac-8 + class: SP800-53 + title: System Use Notification + params: + - id: ac-08_odp.01 + label: system use notification + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: system use notification message or banner to be displayed + by the system to users before granting access to the system is + defined; + - id: ac-08_odp.02 + label: conditions + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: conditions for system use to be displayed by the system before + granting further access are defined; + props: + - name: label + value: AC-8 + - name: label + value: AC-08 + class: sp800-53a + - name: sort-id + value: ac-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-14" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-8_smt + name: statement + parts: + - id: ac-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Display {{ insert: param, ac-08_odp.01 }} to users before\ + \ granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines and state that:" + parts: + - id: ac-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Users are accessing a U.S. Government system; + - id: ac-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: System usage may be monitored, recorded, and subject + to audit; + - id: ac-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Unauthorized use of the system is prohibited and subject + to criminal and civil penalties; and + - id: ac-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Use of the system indicates consent to monitoring and + recording; + - id: ac-8_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the notification message or banner on the screen until + users acknowledge the usage conditions and take explicit actions + to log on to or further access the system; and + - id: ac-8_smt.c + name: item + props: + - name: label + value: c. + prose: "For publicly accessible systems:" + parts: + - id: ac-8_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Display system use information {{ insert: param, ac-08_odp.02\ + \ }} , before granting further access to the publicly accessible\ + \ system;" + - id: ac-8_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Display references, if any, to monitoring, recording, + or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities; + and + - id: ac-8_smt.c.3 + name: item + props: + - name: label + value: "3." + prose: Include a description of the authorized uses of the system. + - id: ac-8_fr + name: item + title: AC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: "The service provider shall determine elements of the\ + \ cloud environment that require the System Use Notification\ + \ control. The elements of the cloud environment that require\ + \ System Use Notification are approved and accepted by the\ + \ JAB/AO. " + - id: ac-8_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine how System Use Notification + is going to be verified and provide appropriate periodicity + of the check. The System Use Notification verification and + periodicity are approved and accepted by the JAB/AO. + - id: ac-8_fr_smt.3 + name: item + props: + - name: label + value: "Requirement:" + prose: If not performed as part of a Configuration Baseline + check, then there must be documented agreement on how to provide + results of verification and the necessary periodicity of the + verification by the service provider. The documented agreement + on how to provide verification of the results are approved + and accepted by the JAB/AO. + - id: ac-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: If performed as part of a Configuration Baseline check, + then the % of items requiring setting that are checked and + that pass (or fail) check can be provided. + - id: ac-8_gdn + name: guidance + prose: System use notifications can be implemented using messages or + warning banners displayed before individuals log in to systems. System + use notifications are used only for access via logon interfaces with + human users. Notifications are not required when human interfaces + do not exist. Based on an assessment of risk, organizations consider + whether or not a secondary system use notification is needed to access + applications or other system resources after the initial network logon. + Organizations consider system use notification messages or banners + displayed in multiple languages based on organizational needs and + the demographics of system users. Organizations consult with the privacy + office for input regarding privacy messaging and the Office of the + General Counsel or organizational equivalent for legal review and + approval of warning banner content. + - id: ac-8_obj + name: assessment-objective + props: + - name: label + value: AC-08 + class: sp800-53a + parts: + - id: ac-8_obj.a + name: assessment-objective + props: + - name: label + value: AC-08a. + class: sp800-53a + prose: " {{ insert: param, ac-08_odp.01 }} is displayed to users\ + \ before granting access to the system that provides privacy and\ + \ security notices consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards, and guidelines;" + parts: + - id: ac-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-08a.01 + class: sp800-53a + prose: the system use notification states that users are accessing + a U.S. Government system; + links: + - href: "#ac-8_smt.a.1" + rel: assessment-for + - id: ac-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-08a.02 + class: sp800-53a + prose: the system use notification states that system usage + may be monitored, recorded, and subject to audit; + links: + - href: "#ac-8_smt.a.2" + rel: assessment-for + - id: ac-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: AC-08a.03 + class: sp800-53a + prose: the system use notification states that unauthorized + use of the system is prohibited and subject to criminal and + civil penalties; and + links: + - href: "#ac-8_smt.a.3" + rel: assessment-for + - id: ac-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: AC-08a.04 + class: sp800-53a + prose: the system use notification states that use of the system + indicates consent to monitoring and recording; + links: + - href: "#ac-8_smt.a.4" + rel: assessment-for + links: + - href: "#ac-8_smt.a" + rel: assessment-for + - id: ac-8_obj.b + name: assessment-objective + props: + - name: label + value: AC-08b. + class: sp800-53a + prose: the notification message or banner is retained on the screen + until users acknowledge the usage conditions and take explicit + actions to log on to or further access the system; + links: + - href: "#ac-8_smt.b" + rel: assessment-for + - id: ac-8_obj.c + name: assessment-objective + props: + - name: label + value: AC-08c. + class: sp800-53a + parts: + - id: ac-8_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-08c.01 + class: sp800-53a + prose: "for publicly accessible systems, system use information\ + \ {{ insert: param, ac-08_odp.02 }} is displayed before granting\ + \ further access to the publicly accessible system;" + links: + - href: "#ac-8_smt.c.1" + rel: assessment-for + - id: ac-8_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-08c.02 + class: sp800-53a + prose: for publicly accessible systems, any references to monitoring, + recording, or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities + are displayed; + links: + - href: "#ac-8_smt.c.2" + rel: assessment-for + - id: ac-8_obj.c.3 + name: assessment-objective + props: + - name: label + value: AC-08c.03 + class: sp800-53a + prose: for publicly accessible systems, a description of the + authorized uses of the system is included. + links: + - href: "#ac-8_smt.c.3" + rel: assessment-for + links: + - href: "#ac-8_smt.c" + rel: assessment-for + links: + - href: "#ac-8_smt" + rel: assessment-for + - id: ac-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + privacy and security policies, procedures addressing system use + notification + + + documented approval of system use notification messages or banners + + + system audit records + + + user acknowledgements of notification message or banner + + + system design documentation + + + system configuration settings and associated documentation + + + system use notification messages + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy assessment report + + + other relevant documents or records + - id: ac-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + legal counsel + + + system developers + - id: ac-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system use notification + - id: ac-14 + class: SP800-53 + title: Permitted Actions Without Identification or Authentication + params: + - id: ac-14_odp + label: user actions + guidelines: + - prose: user actions that can be performed on the system without + identification or authentication are defined; + props: + - name: label + value: AC-14 + - name: label + value: AC-14 + class: sp800-53a + - name: sort-id + value: ac-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ac-14_smt + name: statement + parts: + - id: ac-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify {{ insert: param, ac-14_odp }} that can be performed\ + \ on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - id: ac-14_smt.b + name: item + props: + - name: label + value: b. + prose: Document and provide supporting rationale in the security + plan for the system, user actions not requiring identification + or authentication. + - id: ac-14_gdn + name: guidance + prose: 'Specific user actions may be permitted without identification + or authentication if organizations determine that identification and + authentication are not required for the specified user actions. Organizations + may allow a limited number of user actions without identification + or authentication, including when individuals access public websites + or other publicly accessible federal systems, when individuals use + mobile phones to receive calls, or when facsimiles are received. Organizations + identify actions that normally require identification or authentication + but may, under certain circumstances, allow identification or authentication + mechanisms to be bypassed. Such bypasses may occur, for example, via + a software-readable physical switch that commands bypass of the logon + functionality and is protected from accidental or unmonitored use. + Permitting actions without identification or authentication does not + apply to situations where identification and authentication have already + occurred and are not repeated but rather to situations where identification + and authentication have not yet occurred. Organizations may decide + that there are no user actions that can be performed on organizational + systems without identification and authentication, and therefore, + the value for the assignment operation can be "none." ' + - id: ac-14_obj + name: assessment-objective + props: + - name: label + value: AC-14 + class: sp800-53a + parts: + - id: ac-14_obj.a + name: assessment-objective + props: + - name: label + value: AC-14a. + class: sp800-53a + prose: " {{ insert: param, ac-14_odp }} that can be performed on\ + \ the system without identification or authentication consistent\ + \ with organizational mission and business functions are identified;" + links: + - href: "#ac-14_smt.a" + rel: assessment-for + - id: ac-14_obj.b + name: assessment-objective + props: + - name: label + value: AC-14b. + class: sp800-53a + parts: + - id: ac-14_obj.b-1 + name: assessment-objective + props: + - name: label + value: AC-14b.[01] + class: sp800-53a + prose: user actions not requiring identification or authentication + are documented in the security plan for the system; + links: + - href: "#ac-14_smt.b" + rel: assessment-for + - id: ac-14_obj.b-2 + name: assessment-objective + props: + - name: label + value: AC-14b.[02] + class: sp800-53a + prose: a rationale for user actions not requiring identification + or authentication is provided in the security plan for the + system. + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt" + rel: assessment-for + - id: ac-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing permitted actions without identification + or authentication + + + system configuration settings and associated documentation + + + security plan + + + list of user actions that can be performed without identification + or authentication + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17 + class: SP800-53 + title: Remote Access + props: + - name: label + value: AC-17 + - name: label + value: AC-17 + class: sp800-53a + - name: sort-id + value: ac-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-10" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-17" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-17_smt + name: statement + parts: + - id: ac-17_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and document usage restrictions, configuration/connection + requirements, and implementation guidance for each type of remote + access allowed; and + - id: ac-17_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of remote access to the system prior + to allowing such connections. + - id: ac-17_gdn + name: guidance + prose: Remote access is access to organizational systems (or processes + acting on behalf of users) that communicate through external networks + such as the Internet. Types of remote access include dial-up, broadband, + and wireless. Organizations use encrypted virtual private networks + (VPNs) to enhance confidentiality and integrity for remote connections. + The use of encrypted VPNs provides sufficient assurance to the organization + that it can effectively treat such connections as internal networks + if the cryptographic mechanisms used are implemented in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Still, VPN connections traverse external + networks, and the encrypted VPN does not enhance the availability + of remote connections. VPNs with encrypted tunnels can also affect + the ability to adequately monitor network communications traffic for + malicious code. Remote access controls apply to systems other than + public web servers or systems designed for public access. Authorization + of each remote access type addresses authorization prior to allowing + remote access without specifying the specific formats for such authorization. + While organizations may use information exchange and system connection + security agreements to manage remote access connections to other systems, + such agreements are addressed as part of [CA-3](#ca-3) . Enforcing + access restrictions for remote access is addressed via [AC-3](#ac-3). + - id: ac-17_obj + name: assessment-objective + props: + - name: label + value: AC-17 + class: sp800-53a + parts: + - id: ac-17_obj.a + name: assessment-objective + props: + - name: label + value: AC-17a. + class: sp800-53a + parts: + - id: ac-17_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17a.[01] + class: sp800-53a + prose: usage restrictions are established and documented for + each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17a.[02] + class: sp800-53a + prose: configuration/connection requirements are established + and documented for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17a.[03] + class: sp800-53a + prose: implementation guidance is established and documented + for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.b + name: assessment-objective + props: + - name: label + value: AC-17b. + class: sp800-53a + prose: each type of remote access to the system is authorized prior + to allowing such connections. + links: + - href: "#ac-17_smt.b" + rel: assessment-for + links: + - href: "#ac-17_smt" + rel: assessment-for + - id: ac-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access implementation and usage (including + restrictions) + + + configuration management plan + + + system configuration settings and associated documentation + + + remote access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + remote access connections + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Remote access management capability for the system + - id: ac-18 + class: SP800-53 + title: Wireless Access + props: + - name: label + value: AC-18 + - name: label + value: AC-18 + class: sp800-53a + - name: sort-id + value: ac-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#03fb73bc-1b12-4182-bd96-e5719254ea61" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-40" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-18_smt + name: statement + parts: + - id: ac-18_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for each type of wireless access; + and + - id: ac-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of wireless access to the system prior + to allowing such connections. + - id: ac-18_gdn + name: guidance + prose: Wireless technologies include microwave, packet radio (ultra-high + frequency or very high frequency), 802.11x, and Bluetooth. Wireless + networks use authentication protocols that provide authenticator protection + and mutual authentication. + - id: ac-18_obj + name: assessment-objective + props: + - name: label + value: AC-18 + class: sp800-53a + parts: + - id: ac-18_obj.a + name: assessment-objective + props: + - name: label + value: AC-18a. + class: sp800-53a + parts: + - id: ac-18_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-18a.[01] + class: sp800-53a + prose: configuration requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-18a.[02] + class: sp800-53a + prose: connection requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-18a.[03] + class: sp800-53a + prose: implementation guidance is established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.b + name: assessment-objective + props: + - name: label + value: AC-18b. + class: sp800-53a + prose: each type of wireless access to the system is authorized + prior to allowing such connections. + links: + - href: "#ac-18_smt.b" + rel: assessment-for + links: + - href: "#ac-18_smt" + rel: assessment-for + - id: ac-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless access implementation and usage + (including restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + wireless access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + wireless access connections + + + organizational personnel with information security responsibilities + - id: ac-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Wireless access management capability for the system + - id: ac-19 + class: SP800-53 + title: Access Control for Mobile Devices + props: + - name: label + value: AC-19 + - name: label + value: AC-19 + class: sp800-53a + - name: sort-id + value: ac-19 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-11" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-19_smt + name: statement + parts: + - id: ac-19_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for organization-controlled mobile + devices, to include when such devices are outside of controlled + areas; and + - id: ac-19_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize the connection of mobile devices to organizational + systems. + - id: ac-19_gdn + name: guidance + prose: >- + A mobile device is a computing device that has a small form + factor such that it can easily be carried by a single + individual; is designed to operate without a physical + connection; possesses local, non-removable or removable data + storage; and includes a self-contained power source. Mobile + device functionality may also include voice communication + capabilities, on-board sensors that allow the device to capture + information, and/or built-in features for synchronizing local + data with remote locations. Examples include smart phones and + tablets. Mobile devices are typically associated with a single + individual. The processing, storage, and transmission capability + of the mobile device may be comparable to or merely a subset of + notebook/desktop systems, depending on the nature and intended + purpose of the device. Protection and control of mobile devices + is behavior or policy-based and requires users to take physical + action to protect and control such devices when outside of + controlled areas. Controlled areas are spaces for which + organizations provide physical or procedural controls to meet + the requirements established for protecting information and + systems. + + + Due to the large variety of mobile devices with different characteristics + and capabilities, organizational restrictions may vary for the different + classes or types of such devices. Usage restrictions and specific + implementation guidance for mobile devices include configuration management, + device identification and authentication, implementation of mandatory + protective software, scanning devices for malicious code, updating + virus protection software, scanning for critical software updates + and patches, conducting primary operating system (and possibly other + resident software) integrity checks, and disabling unnecessary hardware. + + + Usage restrictions and authorization to connect may vary among organizational + systems. For example, the organization may authorize the connection + of mobile devices to its network and impose a set of usage restrictions, + while a system owner may withhold authorization for mobile device + connection to specific applications or impose additional usage restrictions + before allowing mobile device connections to a system. Adequate security + for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) + . Many safeguards for mobile devices are reflected in other controls. + [AC-20](#ac-20) addresses mobile devices that are not organization-controlled. + - id: ac-19_obj + name: assessment-objective + props: + - name: label + value: AC-19 + class: sp800-53a + parts: + - id: ac-19_obj.a + name: assessment-objective + props: + - name: label + value: AC-19a. + class: sp800-53a + parts: + - id: ac-19_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-19a.[01] + class: sp800-53a + prose: configuration requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-19a.[02] + class: sp800-53a + prose: connection requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-19a.[03] + class: sp800-53a + prose: implementation guidance is established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.b + name: assessment-objective + props: + - name: label + value: AC-19b. + class: sp800-53a + prose: the connection of mobile devices to organizational systems + is authorized. + links: + - href: "#ac-19_smt.b" + rel: assessment-for + links: + - href: "#ac-19_smt" + rel: assessment-for + - id: ac-19_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-19-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing access control for mobile device usage (including + restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + authorizations for mobile device connections to organizational + systems + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-19_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-19-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel using mobile devices to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-19_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-19-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control capability for mobile device connections to + organizational systems + + + configurations of mobile devices + - id: ac-20 + class: SP800-53 + title: Use of External Systems + params: + - id: ac-20_odp.01 + select: + how-many: one-or-more + choice: + - "establish {{ insert: param, ac-20_odp.02 }} " + - "identify {{ insert: param, ac-20_odp.03 }} " + - id: ac-20_odp.02 + label: terms and conditions + guidelines: + - prose: terms and conditions consistent with the trust relationships + established with other organizations owning, operating, and/or + maintaining external systems are defined (if selected); + - id: ac-20_odp.03 + label: controls asserted + guidelines: + - prose: controls asserted to be implemented on external systems consistent + with the trust relationships established with other organizations + owning, operating, and/or maintaining external systems are defined + (if selected); + - id: ac-20_odp.04 + label: prohibited types of external systems + guidelines: + - prose: types of external systems prohibited from use are defined; + props: + - name: label + value: AC-20 + - name: label + value: AC-20 + class: sp800-53a + - name: sort-id + value: ac-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: ac-20_smt + name: statement + parts: + - id: ac-20_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, ac-20_odp.01 }} , consistent with the\ + \ trust relationships established with other organizations owning,\ + \ operating, and/or maintaining external systems, allowing authorized\ + \ individuals to:" + parts: + - id: ac-20_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Access the system from external systems; and + - id: ac-20_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Process, store, or transmit organization-controlled information + using external systems; or + - id: ac-20_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + - id: ac-20_fr + name: item + title: AC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The interrelated controls of AC-20, CA-3, and SA-9 + should be differentiated as follows: + + + AC-20 describes system access to and from external systems. + + + CA-3 describes documentation of an agreement between the respective + system owners when data is exchanged between the CSO and an + external system. + + + SA-9 describes the responsibilities of external system owners. + These responsibilities would typically be captured in the + agreement required by CA-3. + - id: ac-20_gdn + name: guidance + prose: >- + External systems are systems that are used by but not part of + organizational systems, and for which the organization has no + direct control over the implementation of required controls or + the assessment of control effectiveness. External systems + include personally owned systems, components, or devices; + privately owned computing and communications devices in + commercial or public facilities; systems owned or controlled by + nonfederal organizations; systems managed by contractors; and + federal information systems that are not owned by, operated by, + or under the direct supervision or authority of the + organization. External systems also include systems owned or + operated by other components within the same organization and + systems within the organization with different authorization + boundaries. Organizations have the option to prohibit the use of + any type of external system or prohibit the use of specified + types of external systems, (e.g., prohibit the use of any + external system that is not organizationally owned or prohibit + the use of personally-owned systems). + + + For some external systems (i.e., systems operated by other organizations), + the trust relationships that have been established between those organizations + and the originating organization may be such that no explicit terms + and conditions are required. Systems within these organizations may + not be considered external. These situations occur when, for example, + there are pre-existing information exchange agreements (either implicit + or explicit) established between organizations or components or when + such agreements are specified by applicable laws, executive orders, + directives, regulations, policies, or standards. Authorized individuals + include organizational personnel, contractors, or other individuals + with authorized access to organizational systems and over which organizations + have the authority to impose specific rules of behavior regarding + system access. Restrictions that organizations impose on authorized + individuals need not be uniform, as the restrictions may vary depending + on trust relationships between organizations. Therefore, organizations + may choose to impose different security restrictions on contractors + than on state, local, or tribal governments. + + + External systems used to access public interfaces to organizational + systems are outside the scope of [AC-20](#ac-20) . Organizations establish + specific terms and conditions for the use of external systems in accordance + with organizational security policies and procedures. At a minimum, + terms and conditions address the specific types of applications that + can be accessed on organizational systems from external systems and + the highest security category of information that can be processed, + stored, or transmitted on external systems. If the terms and conditions + with the owners of the external systems cannot be established, organizations + may impose restrictions on organizational personnel using those external + systems. + - id: ac-20_obj + name: assessment-objective + props: + - name: label + value: AC-20 + class: sp800-53a + parts: + - id: ac-20_obj.a + name: assessment-objective + props: + - name: label + value: AC-20a. + class: sp800-53a + parts: + - id: ac-20_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-20a.01 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to access the system from\ + \ external systems (if applicable);" + links: + - href: "#ac-20_smt.a.1" + rel: assessment-for + - id: ac-20_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-20a.02 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to process, store, or transmit\ + \ organization-controlled information using external systems\ + \ (if applicable);" + links: + - href: "#ac-20_smt.a.2" + rel: assessment-for + links: + - href: "#ac-20_smt.a" + rel: assessment-for + - id: ac-20_obj.b + name: assessment-objective + props: + - name: label + value: AC-20b. + class: sp800-53a + prose: "the use of {{ insert: param, ac-20_odp.04 }} is prohibited\ + \ (if applicable)." + links: + - href: "#ac-20_smt.b" + rel: assessment-for + links: + - href: "#ac-20_smt" + rel: assessment-for + - id: ac-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing the use of external systems + + + external systems terms and conditions + + + list of types of applications accessible from external systems + + + maximum security categorization for information processed, stored, + or transmitted on external systems + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: ac-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + terms and conditions for use of external systems to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing terms and conditions on the use of + external systems + - id: ac-22 + class: SP800-53 + title: Publicly Accessible Content + params: + - id: ac-22_odp + label: frequency + constraints: + - description: at least quarterly + guidelines: + - prose: the frequency at which to review the content on the publicly + accessible system for non-public information is defined; + props: + - name: label + value: AC-22 + - name: label + value: AC-22 + class: sp800-53a + - name: sort-id + value: ac-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#ac-3" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-13" + rel: related + parts: + - id: ac-22_smt + name: statement + parts: + - id: ac-22_smt.a + name: item + props: + - name: label + value: a. + prose: Designate individuals authorized to make information publicly + accessible; + - id: ac-22_smt.b + name: item + props: + - name: label + value: b. + prose: Train authorized individuals to ensure that publicly accessible + information does not contain nonpublic information; + - id: ac-22_smt.c + name: item + props: + - name: label + value: c. + prose: Review the proposed content of information prior to posting + onto the publicly accessible system to ensure that nonpublic information + is not included; and + - id: ac-22_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the content on the publicly accessible system for\ + \ nonpublic information {{ insert: param, ac-22_odp }} and remove\ + \ such information, if discovered." + - id: ac-22_gdn + name: guidance + prose: In accordance with applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines, the public is not + authorized to have access to nonpublic information, including information + protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) + and proprietary information. Publicly accessible content addresses + systems that are controlled by the organization and accessible to + the public, typically without identification or authentication. Posting + information on non-organizational systems (e.g., non-organizational + public websites, forums, and social media) is covered by organizational + policy. While organizations may have individuals who are responsible + for developing and implementing policies about the information that + can be made publicly accessible, publicly accessible content addresses + the management of the individuals who make such information publicly + accessible. + - id: ac-22_obj + name: assessment-objective + props: + - name: label + value: AC-22 + class: sp800-53a + parts: + - id: ac-22_obj.a + name: assessment-objective + props: + - name: label + value: AC-22a. + class: sp800-53a + prose: designated individuals are authorized to make information + publicly accessible; + links: + - href: "#ac-22_smt.a" + rel: assessment-for + - id: ac-22_obj.b + name: assessment-objective + props: + - name: label + value: AC-22b. + class: sp800-53a + prose: authorized individuals are trained to ensure that publicly + accessible information does not contain non-public information; + links: + - href: "#ac-22_smt.b" + rel: assessment-for + - id: ac-22_obj.c + name: assessment-objective + props: + - name: label + value: AC-22c. + class: sp800-53a + prose: the proposed content of information is reviewed prior to + posting onto the publicly accessible system to ensure that non-public + information is not included; + links: + - href: "#ac-22_smt.c" + rel: assessment-for + - id: ac-22_obj.d + name: assessment-objective + props: + - name: label + value: AC-22d. + class: sp800-53a + parts: + - id: ac-22_obj.d-1 + name: assessment-objective + props: + - name: label + value: AC-22d.[01] + class: sp800-53a + prose: "the content on the publicly accessible system is reviewed\ + \ for non-public information {{ insert: param, ac-22_odp }};" + links: + - href: "#ac-22_smt.d" + rel: assessment-for + - id: ac-22_obj.d-2 + name: assessment-objective + props: + - name: label + value: AC-22d.[02] + class: sp800-53a + prose: non-public information is removed from the publicly accessible + system, if discovered. + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt" + rel: assessment-for + - id: ac-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing publicly accessible content + + + list of users authorized to post publicly accessible content on + organizational systems + + + training materials and/or records + + + records of publicly accessible information reviews + + + records of response to non-public information on public websites + + + system audit logs + + + security awareness training records + + + system security plan + + + other relevant documents or records + - id: ac-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + publicly accessible information posted on organizational + systems + + + organizational personnel with information security responsibilities + - id: ac-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of publicly accessible + content + - id: at + class: family + title: Awareness and Training + controls: + - id: at-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: at-1_prm_1 + label: organization-defined personnel or roles + - id: at-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training policy + is to be disseminated is/are defined; + - id: at-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training procedures + are to be disseminated is/are defined; + - id: at-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: at-01_odp.04 + label: official + guidelines: + - prose: an official to manage the awareness and training policy and + procedures is defined; + - id: at-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current awareness and training + policy is reviewed and updated is defined; + - id: at-01_odp.06 + label: events + guidelines: + - prose: events that would require the current awareness and training + policy to be reviewed and updated are defined; + - id: at-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current awareness and training + procedures are reviewed and updated is defined; + - id: at-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AT-1 + - name: label + value: AT-01 + class: sp800-53a + - name: sort-id + value: at-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-1_smt + name: statement + parts: + - id: at-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ at-1_prm_1 }}:" + parts: + - id: at-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, at-01_odp.03 }} awareness and training\ + \ policy that:" + parts: + - id: at-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: at-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: at-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the awareness + and training policy and the associated awareness and training + controls; + - id: at-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, at-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures; and" + - id: at-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current awareness and training:" + parts: + - id: at-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, at-01_odp.05 }} and following\ + \ {{ insert: param, at-01_odp.06 }} ; and" + - id: at-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, at-01_odp.07 }} and following\ + \ {{ insert: param, at-01_odp.08 }}." + - id: at-1_gdn + name: guidance + prose: Awareness and training policy and procedures address the controls + in the AT family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of awareness and + training policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to awareness and training policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: at-1_obj + name: assessment-objective + props: + - name: label + value: AT-01 + class: sp800-53a + parts: + - id: at-1_obj.a + name: assessment-objective + props: + - name: label + value: AT-01a. + class: sp800-53a + parts: + - id: at-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.[01] + class: sp800-53a + prose: "an awareness and training policy is developed and documented; " + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.[02] + class: sp800-53a + prose: "the awareness and training policy is disseminated to\ + \ {{ insert: param, at-01_odp.01 }};" + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.[03] + class: sp800-53a + prose: awareness and training procedures to facilitate the implementation + of the awareness and training policy and associated access + controls are developed and documented; + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.[04] + class: sp800-53a + prose: "the awareness and training procedures are disseminated\ + \ to {{ insert: param, at-01_odp.02 }}." + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-01a.01 + class: sp800-53a + parts: + - id: at-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AT-01a.01(a) + class: sp800-53a + parts: + - id: at-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses purpose;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses scope;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses roles;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses responsibilities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses management commitment;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses coordination among\ + \ organizational entities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses compliance; and" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AT-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines; and" + links: + - href: "#at-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#at-1_smt.a.1" + rel: assessment-for + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.b + name: assessment-objective + props: + - name: label + value: AT-01b. + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures;" + links: + - href: "#at-1_smt.b" + rel: assessment-for + - id: at-1_obj.c + name: assessment-objective + props: + - name: label + value: AT-01c. + class: sp800-53a + parts: + - id: at-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AT-01c.01 + class: sp800-53a + parts: + - id: at-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AT-01c.01[01] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated {{ insert: param, at-01_odp.05 }}; " + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AT-01c.01[02] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated following {{ insert: param, at-01_odp.06\ + \ }};" + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AT-01c.02 + class: sp800-53a + parts: + - id: at-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AT-01c.02[01] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated {{ insert: param, at-01_odp.07\ + \ }};" + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + - id: at-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AT-01c.02[02] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated following {{ insert: param, at-01_odp.08\ + \ }}." + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c" + rel: assessment-for + links: + - href: "#at-1_smt" + rel: assessment-for + - id: at-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System security plan + + privacy plan + + awareness and training policy and procedures + + other relevant documents or records + - id: at-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with awareness and training + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: at-2 + class: SP800-53 + title: Literacy Training and Awareness + params: + - id: at-2_prm_1 + label: organization-defined frequency + constraints: + - description: at least annually + - id: at-2_prm_2 + label: organization-defined events + - id: at-02_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to provide security literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to provide privacy literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.03 + label: events + guidelines: + - prose: events that require security literacy training for system + users are defined; + - id: at-02_odp.04 + label: events + guidelines: + - prose: events that require privacy literacy training for system + users are defined; + - id: at-02_odp.05 + label: awareness techniques + guidelines: + - prose: techniques to be employed to increase the security and privacy + awareness of system users are defined; + - id: at-02_odp.06 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update literacy training and awareness + content is defined; + - id: at-02_odp.07 + label: events + guidelines: + - prose: events that would require literacy training and awareness + content to be updated are defined; + props: + - name: label + value: AT-2 + - name: label + value: AT-02 + class: sp800-53a + - name: sort-id + value: at-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#89f2a08d-fc49-46d0-856e-bf974c9b1573" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-21" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-16" + rel: related + parts: + - id: at-2_smt + name: statement + parts: + - id: at-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide security and privacy literacy training to system\ + \ users (including managers, senior executives, and contractors):" + parts: + - id: at-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "As part of initial training for new users and {{ insert:\ + \ param, at-2_prm_1 }} thereafter; and" + - id: at-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "When required by system changes or following {{ insert:\ + \ param, at-2_prm_2 }};" + - id: at-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following techniques to increase the security\ + \ and privacy awareness of system users {{ insert: param, at-02_odp.05\ + \ }};" + - id: at-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Update literacy training and awareness content {{ insert:\ + \ param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07\ + \ }} ; and" + - id: at-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into literacy training and awareness techniques. + - id: at-2_gdn + name: guidance + prose: >- + Organizations provide basic and advanced levels of literacy + training to system users, including measures to test the + knowledge level of users. Organizations determine the content of + literacy training and awareness based on specific organizational + requirements, the systems to which personnel have authorized + access, and work environments (e.g., telework). The content + includes an understanding of the need for security and privacy + as well as actions by users to maintain security and personal + privacy and to respond to suspected incidents. The content + addresses the need for operations security and the handling of + personally identifiable information. + + + Awareness techniques include displaying posters, offering supplies + inscribed with security and privacy reminders, displaying logon screen + messages, generating email advisories or notices from organizational + officials, and conducting awareness events. Literacy training after + the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted + at a minimum frequency consistent with applicable laws, directives, + regulations, and policies. Subsequent literacy training may be satisfied + by one or more short ad hoc sessions and include topical information + on recent attack schemes, changes to organizational security and privacy + policies, revised security and privacy expectations, or a subset of + topics from the initial training. Updating literacy training and awareness + content on a regular basis helps to ensure that the content remains + relevant. Events that may precipitate an update to literacy training + and awareness content include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-2_obj + name: assessment-objective + props: + - name: label + value: AT-02 + class: sp800-53a + parts: + - id: at-2_obj.a + name: assessment-objective + props: + - name: label + value: AT-02a. + class: sp800-53a + parts: + - id: at-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-02a.01 + class: sp800-53a + parts: + - id: at-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-02a.01[01] + class: sp800-53a + prose: security literacy training is provided to system + users (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-02a.01[02] + class: sp800-53a + prose: privacy literacy training is provided to system users + (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-02a.01[03] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.01 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-02a.01[04] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.02 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-02a.02 + class: sp800-53a + parts: + - id: at-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-02a.02[01] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.03 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + - id: at-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-02a.02[02] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.04 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a" + rel: assessment-for + - id: at-2_obj.b + name: assessment-objective + props: + - name: label + value: AT-02b. + class: sp800-53a + prose: " {{ insert: param, at-02_odp.05 }} are employed to increase\ + \ the security and privacy awareness of system users;" + links: + - href: "#at-2_smt.b" + rel: assessment-for + - id: at-2_obj.c + name: assessment-objective + props: + - name: label + value: AT-02c. + class: sp800-53a + parts: + - id: at-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AT-02c.[01] + class: sp800-53a + prose: "literacy training and awareness content is updated {{\ + \ insert: param, at-02_odp.06 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AT-02c.[02] + class: sp800-53a + prose: "literacy training and awareness content is updated following\ + \ {{ insert: param, at-02_odp.07 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.d + name: assessment-objective + props: + - name: label + value: AT-02d. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into literacy training and awareness + techniques. + links: + - href: "#at-2_smt.d" + rel: assessment-for + links: + - href: "#at-2_smt" + rel: assessment-for + - id: at-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + appropriate codes of federal regulations + + + security and privacy literacy training curriculum + + + security and privacy literacy training materials + + + training records + + + other relevant documents or records + - id: at-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel comprising the general system user community + - id: at-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing information security and privacy literacy + training + controls: + - id: at-2.2 + class: SP800-53-enhancement + title: Insider Threat + props: + - name: label + value: AT-2(2) + - name: label + value: AT-02(02) + class: sp800-53a + - name: sort-id + value: at-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: required + - href: "#pm-12" + rel: related + parts: + - id: at-2.2_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + indicators of insider threat. + - id: at-2.2_gdn + name: guidance + prose: Potential indicators and possible precursors of insider threat + can include behaviors such as inordinate, long-term job dissatisfaction; + attempts to gain access to information not required for job performance; + unexplained access to financial resources; bullying or harassment + of fellow employees; workplace violence; and other serious violations + of policies, procedures, directives, regulations, rules, or practices. + Literacy training includes how to communicate the concerns of + employees and management regarding potential indicators of insider + threat through channels established by the organization and in + accordance with established policies and procedures. Organizations + may consider tailoring insider threat awareness topics to the + role. For example, training for managers may be focused on changes + in the behavior of team members, while training for employees + may be focused on more general observations. + - id: at-2.2_obj + name: assessment-objective + props: + - name: label + value: AT-02(02) + class: sp800-53a + parts: + - id: at-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: AT-02(02)[01] + class: sp800-53a + prose: literacy training on recognizing potential indicators + of insider threat is provided; + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: AT-02(02)[02] + class: sp800-53a + prose: literacy training on reporting potential indicators of + insider threat is provided. + links: + - href: "#at-2.2_smt" + rel: assessment-for + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + literacy training and awareness curriculum + + + literacy training and awareness materials + + + other relevant documents or records + - id: at-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel who receive literacy training + and awareness + + + organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + - id: at-3 + class: SP800-53 + title: Role-based Training + params: + - id: at-3_prm_1 + label: organization-defined roles and responsibilities + - id: at-03_odp.01 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based security training + are defined; + - id: at-03_odp.02 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based privacy training + are defined; + - id: at-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to provide role-based security and + privacy training to assigned personnel after initial training + is defined; + - id: at-03_odp.04 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update role-based training content + is defined; + - id: at-03_odp.05 + label: events + guidelines: + - prose: events that require role-based training content to be updated + are defined; + props: + - name: label + value: AT-3 + - name: label + value: AT-03 + class: sp800-53a + - name: sort-id + value: at-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-2" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-23" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-16" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: at-3_smt + name: statement + parts: + - id: at-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide role-based security and privacy training to personnel\ + \ with the following roles and responsibilities: {{ insert: param,\ + \ at-3_prm_1 }}:" + parts: + - id: at-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Before authorizing access to the system, information,\ + \ or performing assigned duties, and {{ insert: param, at-03_odp.03\ + \ }} thereafter; and" + - id: at-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; + - id: at-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Update role-based training content {{ insert: param, at-03_odp.04\ + \ }} and following {{ insert: param, at-03_odp.05 }} ; and" + - id: at-3_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into role-based training. + - id: at-3_gdn + name: guidance + prose: >- + Organizations determine the content of training based on the + assigned roles and responsibilities of individuals as well as + the security and privacy requirements of organizations and the + systems to which personnel have authorized access, including + technical training specifically tailored for assigned duties. + Roles that may require role-based training include senior + leaders or management officials (e.g., head of agency/chief + executive officer, chief information officer, senior accountable + official for risk management, senior agency information security + officer, senior agency official for privacy), system owners; + authorizing officials; system security officers; privacy + officers; acquisition and procurement officials; enterprise + architects; systems engineers; software developers; systems + security engineers; privacy engineers; system, network, and + database administrators; auditors; personnel conducting + configuration management activities; personnel performing + verification and validation activities; personnel with access to + system-level software; control assessors; personnel with + contingency planning and incident response duties; personnel + with privacy management responsibilities; and personnel with + access to personally identifiable information. + + + Comprehensive role-based training addresses management, operational, + and technical roles and responsibilities covering physical, personnel, + and technical controls. Role-based training also includes policies, + procedures, tools, methods, and artifacts for the security and privacy + roles defined. Organizations provide the training necessary for individuals + to fulfill their responsibilities related to operations and supply + chain risk management within the context of organizational security + and privacy programs. Role-based training also applies to contractors + who provide services to federal agencies. Types of training include + web-based and computer-based training, classroom-style training, and + hands-on training (including micro-training). Updating role-based + training on a regular basis helps to ensure that the content remains + relevant and effective. Events that may precipitate an update to role-based + training content include, but are not limited to, assessment or audit + findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-3_obj + name: assessment-objective + props: + - name: label + value: AT-03 + class: sp800-53a + parts: + - id: at-3_obj.a + name: assessment-objective + props: + - name: label + value: AT-03a. + class: sp800-53a + parts: + - id: at-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-03a.01 + class: sp800-53a + parts: + - id: at-3_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-03a.01[01] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-03a.01[02] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-03a.01[03] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-03a.01[04] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-03a.02 + class: sp800-53a + parts: + - id: at-3_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-03a.02[01] + class: sp800-53a + prose: role-based security training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + - id: at-3_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-03a.02[02] + class: sp800-53a + prose: role-based privacy training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a" + rel: assessment-for + - id: at-3_obj.b + name: assessment-objective + props: + - name: label + value: AT-03b. + class: sp800-53a + parts: + - id: at-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: AT-03b.[01] + class: sp800-53a + prose: "role-based training content is updated {{ insert: param,\ + \ at-03_odp.04 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: AT-03b.[02] + class: sp800-53a + prose: "role-based training content is updated following {{\ + \ insert: param, at-03_odp.05 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.c + name: assessment-objective + props: + - name: label + value: AT-03c. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into role-based training. + links: + - href: "#at-3_smt.c" + rel: assessment-for + links: + - href: "#at-3_smt" + rel: assessment-for + - id: at-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + security and privacy awareness and training policy + + + procedures addressing security and privacy training implementation + + + codes of federal regulations + + + security and privacy training curriculum + + + security and privacy training materials + + + training records + + + other relevant documents or records + - id: at-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + role-based security and privacy training + + + organizational personnel with assigned system security and privacy + roles and responsibilities + - id: at-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing role-based security and privacy training + - id: at-4 + class: SP800-53 + title: Training Records + params: + - id: at-04_odp + label: time period + constraints: + - description: at least one (1) year or 1 year after completion of + a specific training program + guidelines: + - prose: time period for retaining individual training records is + defined; + props: + - name: label + value: AT-4 + - name: label + value: AT-04 + class: sp800-53a + - name: sort-id + value: at-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-4_smt + name: statement + parts: + - id: at-4_smt.a + name: item + props: + - name: label + value: a. + prose: Document and monitor information security and privacy training + activities, including security and privacy awareness training + and specific role-based security and privacy training; and + - id: at-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Retain individual training records for {{ insert: param,\ + \ at-04_odp }}." + - id: at-4_gdn + name: guidance + prose: Documentation for specialized training may be maintained by individual + supervisors at the discretion of the organization. The National Archives + and Records Administration provides guidance on records retention + for federal agencies. + - id: at-4_obj + name: assessment-objective + props: + - name: label + value: AT-04 + class: sp800-53a + parts: + - id: at-4_obj.a + name: assessment-objective + props: + - name: label + value: AT-04a. + class: sp800-53a + parts: + - id: at-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-04a.[01] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are documented; + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-04a.[02] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are monitored; + links: + - href: "#at-4_smt.a" + rel: assessment-for + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.b + name: assessment-objective + props: + - name: label + value: AT-04b. + class: sp800-53a + prose: "individual training records are retained for {{ insert:\ + \ param, at-04_odp }}." + links: + - href: "#at-4_smt.b" + rel: assessment-for + links: + - href: "#at-4_smt" + rel: assessment-for + - id: at-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy awareness and training policy + + procedures addressing security and privacy training records + + security and privacy awareness and training records + + system security plan + + privacy plan + + other relevant documents or records + - id: at-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational personnel with information security and privacy + training record retention responsibilities + - id: at-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the management of security and privacy + training records + - id: au + class: family + title: Audit and Accountability + controls: + - id: au-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: au-1_prm_1 + label: organization-defined personnel or roles + - id: au-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability policy + is to be disseminated is/are defined; + - id: au-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability procedures + are to be disseminated is/are defined; + - id: au-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: au-01_odp.04 + label: official + guidelines: + - prose: an official to manage the audit and accountability policy + and procedures is defined; + - id: au-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current audit and accountability + policy is reviewed and updated is defined; + - id: au-01_odp.06 + label: events + guidelines: + - prose: events that would require the current audit and accountability + policy to be reviewed and updated are defined; + - id: au-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current audit and accountability + procedures are reviewed and updated is defined; + - id: au-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require audit and accountability procedures + to be reviewed and updated are defined; + props: + - name: label + value: AU-1 + - name: label + value: AU-01 + class: sp800-53a + - name: sort-id + value: au-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-1_smt + name: statement + parts: + - id: au-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ au-1_prm_1 }}:" + parts: + - id: au-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, au-01_odp.03 }} audit and accountability\ + \ policy that:" + parts: + - id: au-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: au-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: au-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the audit + and accountability policy and the associated audit and accountability + controls; + - id: au-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, au-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures; and" + - id: au-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current audit and accountability:" + parts: + - id: au-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, au-01_odp.05 }} and following\ + \ {{ insert: param, au-01_odp.06 }} ; and" + - id: au-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, au-01_odp.07 }} and following\ + \ {{ insert: param, au-01_odp.08 }}." + - id: au-1_gdn + name: guidance + prose: Audit and accountability policy and procedures address the controls + in the AU family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of audit and accountability + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to audit and accountability policy and procedures + include assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: au-1_obj + name: assessment-objective + props: + - name: label + value: AU-01 + class: sp800-53a + parts: + - id: au-1_obj.a + name: assessment-objective + props: + - name: label + value: AU-01a. + class: sp800-53a + parts: + - id: au-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.[01] + class: sp800-53a + prose: an audit and accountability policy is developed and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.[02] + class: sp800-53a + prose: "the audit and accountability policy is disseminated\ + \ to {{ insert: param, au-01_odp.01 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.[03] + class: sp800-53a + prose: audit and accountability procedures to facilitate the + implementation of the audit and accountability policy and + associated audit and accountability controls are developed + and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.[04] + class: sp800-53a + prose: "the audit and accountability procedures are disseminated\ + \ to {{ insert: param, au-01_odp.02 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AU-01a.01 + class: sp800-53a + parts: + - id: au-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AU-01a.01(a) + class: sp800-53a + parts: + - id: au-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses purpose;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses scope;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses roles;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses responsibilities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses management\ + \ commitment;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses compliance;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AU-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the audit\ + \ and accountability policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#au-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#au-1_smt.a.1" + rel: assessment-for + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.b + name: assessment-objective + props: + - name: label + value: AU-01b. + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures;" + links: + - href: "#au-1_smt.b" + rel: assessment-for + - id: au-1_obj.c + name: assessment-objective + props: + - name: label + value: AU-01c. + class: sp800-53a + parts: + - id: au-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AU-01c.01 + class: sp800-53a + parts: + - id: au-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AU-01c.01[01] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated {{ insert: param, au-01_odp.05 }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AU-01c.01[02] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated following {{ insert: param, au-01_odp.06\ + \ }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AU-01c.02 + class: sp800-53a + parts: + - id: au-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AU-01c.02[01] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated {{ insert: param, au-01_odp.07\ + \ }};" + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + - id: au-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AU-01c.02[02] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ au-01_odp.08 }}." + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c" + rel: assessment-for + links: + - href: "#au-1_smt" + rel: assessment-for + - id: au-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: au-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-2 + class: SP800-53 + title: Event Logging + params: + - id: au-2_prm_2 + label: organization-defined event types (subset of the event types defined + in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation + requiring) logging for each identified event type + constraints: + - description: organization-defined subset of the auditable events + defined in AU-2a to be audited continually for each identified + event. + - id: au-02_odp.01 + label: event types + constraints: + - description: "successful and unsuccessful account logon events,\ + \ account management events, object access, policy change, privilege\ + \ functions, process tracking, and system events. For Web applications:\ + \ all administrator activity, authentication checks, authorization\ + \ checks, data deletions, data access, data changes, and permission\ + \ changes" + guidelines: + - prose: the event types that the system is capable of logging in + support of the audit function are defined; + - id: au-02_odp.02 + label: event types (subset of AU-02_ODP[01]) + guidelines: + - prose: the event types (subset of AU-02_ODP[01]) for logging within + the system are defined; + - id: au-02_odp.03 + label: frequency or situation + guidelines: + - prose: the frequency or situation requiring logging for each specified + event type is defined; + - id: au-02_odp.04 + label: frequency + constraints: + - description: annually and whenever there is a change in the threat + environment + guidelines: + - prose: the frequency of event types selected for logging are reviewed + and updated; + props: + - name: label + value: AU-2 + - name: label + value: AU-02 + class: sp800-53a + - name: sort-id + value: au-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-13" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pm-21" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-2_smt + name: statement + parts: + - id: au-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify the types of events that the system is capable\ + \ of logging in support of the audit function: {{ insert: param,\ + \ au-02_odp.01 }};" + - id: au-2_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate the event logging function with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + - id: au-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Specify the following event types for logging within the\ + \ system: {{ insert: param, au-2_prm_2 }};" + - id: au-2_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a rationale for why the event types selected for + logging are deemed to be adequate to support after-the-fact investigations + of incidents; and + - id: au-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Review and update the event types selected for logging {{\ + \ insert: param, au-02_odp.04 }}." + - id: au-2_fr + name: item + title: AU-2 Additional FedRAMP Requirements and Guidance + parts: + - id: au-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. + - id: au-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Annually or whenever changes in the threat environment + are communicated to the service provider by the JAB/AO. + - id: au-2_gdn + name: guidance + prose: >- + An event is an observable occurrence in a system. The types of + events that require logging are those events that are + significant and relevant to the security of systems and the + privacy of individuals. Event logging also supports specific + monitoring and auditing needs. Event types include password + changes, failed logons or failed accesses related to systems, + security or privacy attribute changes, administrative privilege + usage, PIV credential usage, data action changes, query + parameters, or external credential usage. In determining the set + of event types that require logging, organizations consider the + monitoring and auditing appropriate for each of the controls to + be implemented. For completeness, event logging includes all + protocols that are operational and supported by the system. + + + To balance monitoring and auditing requirements with other system + needs, event logging requires identifying the subset of event types + that are logged at a given point in time. For example, organizations + may determine that systems need the capability to log every file access + successful and unsuccessful, but not activate that capability except + for specific circumstances due to the potential burden on system performance. + The types of events that organizations desire to be logged may change. + Reviewing and updating the set of logged events is necessary to help + ensure that the events remain relevant and continue to support the + needs of the organization. Organizations consider how the types of + logging events can reveal information about individuals that may give + rise to privacy risk and how best to mitigate such risks. For example, + there is the potential to reveal personally identifiable information + in the audit trail, especially if the logging event is based on patterns + or time of usage. + + + Event logging requirements, including the need to log specific event + types, may be referenced in other controls and control enhancements. + These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), + [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), + [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), + [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), + [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and + [SI-10(1)](#si-10.1) . Organizations include event types that are + required by applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Audit records can be generated + at various levels, including at the packet level as information traverses + the network. Selecting the appropriate level of event logging is an + important part of a monitoring and auditing capability and can identify + the root causes of problems. When defining event types, organizations + consider the logging necessary to cover related event types, such + as the steps in distributed, transaction-based processes and the actions + that occur in service-oriented architectures. + - id: au-2_obj + name: assessment-objective + props: + - name: label + value: AU-02 + class: sp800-53a + parts: + - id: au-2_obj.a + name: assessment-objective + props: + - name: label + value: AU-02a. + class: sp800-53a + prose: " {{ insert: param, au-02_odp.01 }} that the system is capable\ + \ of logging are identified in support of the audit logging function;" + links: + - href: "#au-2_smt.a" + rel: assessment-for + - id: au-2_obj.b + name: assessment-objective + props: + - name: label + value: AU-02b. + class: sp800-53a + prose: the event logging function is coordinated with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + links: + - href: "#au-2_smt.b" + rel: assessment-for + - id: au-2_obj.c + name: assessment-objective + props: + - name: label + value: AU-02c. + class: sp800-53a + parts: + - id: au-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AU-02c.[01] + class: sp800-53a + prose: " {{ insert: param, au-02_odp.02 }} are specified for\ + \ logging within the system;" + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AU-02c.[02] + class: sp800-53a + prose: "the specified event types are logged within the system\ + \ {{ insert: param, au-02_odp.03 }};" + links: + - href: "#au-2_smt.c" + rel: assessment-for + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.d + name: assessment-objective + props: + - name: label + value: AU-02d. + class: sp800-53a + prose: a rationale is provided for why the event types selected + for logging are deemed to be adequate to support after-the-fact + investigations of incidents; + links: + - href: "#au-2_smt.d" + rel: assessment-for + - id: au-2_obj.e + name: assessment-objective + props: + - name: label + value: AU-02e. + class: sp800-53a + prose: "the event types selected for logging are reviewed and updated\ + \ {{ insert: param, au-02_odp.04 }}." + links: + - href: "#au-2_smt.e" + rel: assessment-for + links: + - href: "#au-2_smt" + rel: assessment-for + - id: au-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing auditable events + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system auditable events + + other relevant documents or records + - id: au-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing + - id: au-3 + class: SP800-53 + title: Content of Audit Records + props: + - name: label + value: AU-3 + - name: label + value: AU-03 + class: sp800-53a + - name: sort-id + value: au-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-8" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-3_smt + name: statement + prose: "Ensure that audit records contain information that establishes\ + \ the following:" + parts: + - id: au-3_smt.a + name: item + props: + - name: label + value: a. + prose: What type of event occurred; + - id: au-3_smt.b + name: item + props: + - name: label + value: b. + prose: When the event occurred; + - id: au-3_smt.c + name: item + props: + - name: label + value: c. + prose: Where the event occurred; + - id: au-3_smt.d + name: item + props: + - name: label + value: d. + prose: Source of the event; + - id: au-3_smt.e + name: item + props: + - name: label + value: e. + prose: Outcome of the event; and + - id: au-3_smt.f + name: item + props: + - name: label + value: f. + prose: Identity of any individuals, subjects, or objects/entities + associated with the event. + - id: au-3_gdn + name: guidance + prose: Audit record content that may be necessary to support the auditing + function includes event descriptions (item a), time stamps (item b), + source and destination addresses (item c), user or process identifiers + (items d and f), success or fail indications (item e), and filenames + involved (items a, c, e, and f) . Event outcomes include indicators + of event success or failure and event-specific results, such as the + system security and privacy posture after the event occurred. Organizations + consider how audit records can reveal information about individuals + that may give rise to privacy risks and how best to mitigate such + risks. For example, there is the potential to reveal personally identifiable + information in the audit trail, especially if the trail records inputs + or is based on patterns or time of usage. + - id: au-3_obj + name: assessment-objective + props: + - name: label + value: AU-03 + class: sp800-53a + parts: + - id: au-3_obj.a + name: assessment-objective + props: + - name: label + value: AU-03a. + class: sp800-53a + prose: audit records contain information that establishes what type + of event occurred; + links: + - href: "#au-3_smt.a" + rel: assessment-for + - id: au-3_obj.b + name: assessment-objective + props: + - name: label + value: AU-03b. + class: sp800-53a + prose: audit records contain information that establishes when the + event occurred; + links: + - href: "#au-3_smt.b" + rel: assessment-for + - id: au-3_obj.c + name: assessment-objective + props: + - name: label + value: AU-03c. + class: sp800-53a + prose: audit records contain information that establishes where + the event occurred; + links: + - href: "#au-3_smt.c" + rel: assessment-for + - id: au-3_obj.d + name: assessment-objective + props: + - name: label + value: AU-03d. + class: sp800-53a + prose: audit records contain information that establishes the source + of the event; + links: + - href: "#au-3_smt.d" + rel: assessment-for + - id: au-3_obj.e + name: assessment-objective + props: + - name: label + value: AU-03e. + class: sp800-53a + prose: audit records contain information that establishes the outcome + of the event; + links: + - href: "#au-3_smt.e" + rel: assessment-for + - id: au-3_obj.f + name: assessment-objective + props: + - name: label + value: AU-03f. + class: sp800-53a + prose: audit records contain information that establishes the identity + of any individuals, subjects, or objects/entities associated with + the event. + links: + - href: "#au-3_smt.f" + rel: assessment-for + links: + - href: "#au-3_smt" + rel: assessment-for + - id: au-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing content of audit records + + system design documentation + + system configuration settings and associated documentation + + list of organization-defined auditable events + + system audit records + + system incident reports + + other relevant documents or records + - id: au-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing of auditable events + - id: au-4 + class: SP800-53 + title: Audit Log Storage Capacity + params: + - id: au-04_odp + label: audit log retention requirements + guidelines: + - prose: audit log retention requirements are defined; + props: + - name: label + value: AU-4 + - name: label + value: AU-04 + class: sp800-53a + - name: sort-id + value: au-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-4_smt + name: statement + prose: "Allocate audit log storage capacity to accommodate {{ insert:\ + \ param, au-04_odp }}." + - id: au-4_gdn + name: guidance + prose: Organizations consider the types of audit logging to be performed + and the audit log processing requirements when allocating audit log + storage capacity. Allocating sufficient audit log storage capacity + reduces the likelihood of such capacity being exceeded and resulting + in the potential loss or reduction of audit logging capability. + - id: au-4_obj + name: assessment-objective + props: + - name: label + value: AU-04 + class: sp800-53a + prose: "audit log storage capacity is allocated to accommodate {{ insert:\ + \ param, au-04_odp }}." + links: + - href: "#au-4_smt" + rel: assessment-for + - id: au-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit storage capacity + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + audit record storage requirements + + audit record storage capability for system components + + system audit records + + other relevant documents or records + - id: au-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit record storage capacity and related configuration settings + - id: au-5 + class: SP800-53 + title: Response to Audit Logging Process Failures + params: + - id: au-05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles receiving audit logging process failure + alerts are defined; + - id: au-05_odp.02 + label: time period + guidelines: + - prose: time period for personnel or roles receiving audit logging + process failure alerts is defined; + - id: au-05_odp.03 + label: additional actions + constraints: + - description: overwrite oldest record + guidelines: + - prose: additional actions to be taken in the event of an audit logging + process failure are defined; + props: + - name: label + value: AU-5 + - name: label + value: AU-05 + class: sp800-53a + - name: sort-id + value: au-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-5_smt + name: statement + parts: + - id: au-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Alert {{ insert: param, au-05_odp.01 }} within {{ insert:\ + \ param, au-05_odp.02 }} in the event of an audit logging process\ + \ failure; and" + - id: au-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following additional actions: {{ insert: param,\ + \ au-05_odp.03 }}." + - id: au-5_gdn + name: guidance + prose: Audit logging process failures include software and hardware + errors, failures in audit log capturing mechanisms, and reaching or + exceeding audit log storage capacity. Organization-defined actions + include overwriting oldest audit records, shutting down the system, + and stopping the generation of audit records. Organizations may choose + to define additional actions for audit logging process failures based + on the type of failure, the location of the failure, the severity + of the failure, or a combination of such factors. When the audit logging + process failure is related to storage, the response is carried out + for the audit log storage repository (i.e., the distinct system component + where the audit logs are stored), the system on which the audit logs + reside, the total audit log storage capacity of the organization (i.e., + all audit log storage repositories combined), or all three. Organizations + may decide to take no additional actions after alerting designated + roles or personnel. + - id: au-5_obj + name: assessment-objective + props: + - name: label + value: AU-05 + class: sp800-53a + parts: + - id: au-5_obj.a + name: assessment-objective + props: + - name: label + value: AU-05a. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.01 }} are alerted in the event\ + \ of an audit logging process failure within {{ insert: param,\ + \ au-05_odp.02 }};" + links: + - href: "#au-5_smt.a" + rel: assessment-for + - id: au-5_obj.b + name: assessment-objective + props: + - name: label + value: AU-05b. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.03 }} are taken in the event\ + \ of an audit logging process failure." + links: + - href: "#au-5_smt.b" + rel: assessment-for + links: + - href: "#au-5_smt" + rel: assessment-for + - id: au-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy plan + + + system configuration settings and associated documentation + + + list of personnel to be notified in case of an audit processing + failure + + + system audit records + + + other relevant documents or records + - id: au-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system response to audit processing + failures + - id: au-6 + class: SP800-53 + title: Audit Record Review, Analysis, and Reporting + params: + - id: au-06_odp.01 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: frequency at which system audit records are reviewed and + analyzed is defined; + - id: au-06_odp.02 + label: inappropriate or unusual activity + guidelines: + - prose: inappropriate or unusual activity is defined; + - id: au-06_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive findings from reviews and analyses + of system records is/are defined; + props: + - name: label + value: AU-6 + - name: label + value: AU-06 + class: sp800-53a + - name: sort-id + value: au-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-7" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: au-6_smt + name: statement + parts: + - id: au-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Review and analyze system audit records {{ insert: param,\ + \ au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02\ + \ }} and the potential impact of the inappropriate or unusual\ + \ activity;" + - id: au-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + - id: au-6_smt.c + name: item + props: + - name: label + value: c. + prose: Adjust the level of audit record review, analysis, and reporting + within the system when there is a change in risk based on law + enforcement information, intelligence information, or other credible + sources of information. + - id: au-6_fr + name: item + title: AU-6 Additional FedRAMP Requirements and Guidance + parts: + - id: au-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. In multi-tenant + environments, capability and means for providing review, analysis, + and reporting to consumer for data pertaining to consumer + shall be documented. + - id: au-6_gdn + name: guidance + prose: Audit record review, analysis, and reporting covers information + security- and privacy-related logging performed by organizations, + including logging that results from the monitoring of account usage, + remote access, wireless connectivity, mobile device connection, configuration + settings, system component inventory, use of maintenance tools and + non-local maintenance, physical access, temperature and humidity, + equipment delivery and removal, communications at system interfaces, + and use of mobile code or Voice over Internet Protocol (VoIP). Findings + can be reported to organizational entities that include the incident + response team, help desk, and security or privacy offices. If organizations + are prohibited from reviewing and analyzing audit records or unable + to conduct such activities, the review or analysis may be carried + out by other organizations granted such authority. The frequency, + scope, and/or depth of the audit record review, analysis, and reporting + may be adjusted to meet organizational needs based on new information + received. + - id: au-6_obj + name: assessment-objective + props: + - name: label + value: AU-06 + class: sp800-53a + parts: + - id: au-6_obj.a + name: assessment-objective + props: + - name: label + value: AU-06a. + class: sp800-53a + prose: "system audit records are reviewed and analyzed {{ insert:\ + \ param, au-06_odp.01 }} for indications of {{ insert: param,\ + \ au-06_odp.02 }} and the potential impact of the inappropriate\ + \ or unusual activity;" + links: + - href: "#au-6_smt.a" + rel: assessment-for + - id: au-6_obj.b + name: assessment-objective + props: + - name: label + value: AU-06b. + class: sp800-53a + prose: "findings are reported to {{ insert: param, au-06_odp.03\ + \ }};" + links: + - href: "#au-6_smt.b" + rel: assessment-for + - id: au-6_obj.c + name: assessment-objective + props: + - name: label + value: AU-06c. + class: sp800-53a + prose: the level of audit record review, analysis, and reporting + within the system is adjusted when there is a change in risk based + on law enforcement information, intelligence information, or other + credible sources of information. + links: + - href: "#au-6_smt.c" + rel: assessment-for + links: + - href: "#au-6_smt" + rel: assessment-for + - id: au-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + reports of audit findings + + + records of actions taken in response to reviews/analyses of audit + records + + + other relevant documents or records + - id: au-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, and + reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-8 + class: SP800-53 + title: Time Stamps + params: + - id: au-08_odp + label: granularity of time measurement + constraints: + - description: one second granularity of time measurement + guidelines: + - prose: granularity of time measurement for audit record timestamps + is defined; + props: + - name: label + value: AU-8 + - name: label + value: AU-08 + class: sp800-53a + - name: sort-id + value: au-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#sc-45" + rel: related + parts: + - id: au-8_smt + name: statement + parts: + - id: au-8_smt.a + name: item + props: + - name: label + value: a. + prose: Use internal system clocks to generate time stamps for audit + records; and + - id: au-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Record time stamps for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or that include the local time offset as part of the time stamp." + - id: au-8_gdn + name: guidance + prose: Time stamps generated by the system include date and time. Time + is commonly expressed in Coordinated Universal Time (UTC), a modern + continuation of Greenwich Mean Time (GMT), or local time with an offset + from UTC. Granularity of time measurements refers to the degree of + synchronization between system clocks and reference clocks (e.g., + clocks synchronizing within hundreds of milliseconds or tens of milliseconds). + Organizations may define different time granularities for different + system components. Time service can be critical to other security + capabilities such as access control and identification and authentication, + depending on the nature of the mechanisms used to support those capabilities. + - id: au-8_obj + name: assessment-objective + props: + - name: label + value: AU-08 + class: sp800-53a + parts: + - id: au-8_obj.a + name: assessment-objective + props: + - name: label + value: AU-08a. + class: sp800-53a + prose: internal system clocks are used to generate timestamps for + audit records; + links: + - href: "#au-8_smt.a" + rel: assessment-for + - id: au-8_obj.b + name: assessment-objective + props: + - name: label + value: AU-08b. + class: sp800-53a + prose: "timestamps are recorded for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or include the local time offset as part of the timestamp." + links: + - href: "#au-8_smt.b" + rel: assessment-for + links: + - href: "#au-8_smt" + rel: assessment-for + - id: au-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing timestamp generation + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: au-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + system/network administrators + + + system developers + - id: au-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing timestamp generation + - id: au-9 + class: SP800-53 + title: Protection of Audit Information + params: + - id: au-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted upon detection of unauthorized + access, modification, or deletion of audit information is/are + defined; + props: + - name: label + value: AU-9 + - name: label + value: AU-09 + class: sp800-53a + - name: sort-id + value: au-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-6" + rel: related + - href: "#au-11" + rel: related + - href: "#au-14" + rel: related + - href: "#au-15" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-9_smt + name: statement + parts: + - id: au-9_smt.a + name: item + props: + - name: label + value: a. + prose: Protect audit information and audit logging tools from unauthorized + access, modification, and deletion; and + - id: au-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized\ + \ access, modification, or deletion of audit information." + - id: au-9_gdn + name: guidance + prose: Audit information includes all information needed to successfully + audit system activity, such as audit records, audit log settings, + audit reports, and personally identifiable information. Audit logging + tools are those programs and devices used to conduct system audit + and logging activities. Protection of audit information focuses on + technical protection and limits the ability to access and execute + audit logging tools to authorized individuals. Physical protection + of audit information is addressed by both media protection controls + and physical and environmental protection controls. + - id: au-9_obj + name: assessment-objective + props: + - name: label + value: AU-09 + class: sp800-53a + parts: + - id: au-9_obj.a + name: assessment-objective + props: + - name: label + value: AU-09a. + class: sp800-53a + prose: audit information and audit logging tools are protected from + unauthorized access, modification, and deletion; + links: + - href: "#au-9_smt.a" + rel: assessment-for + - id: au-9_obj.b + name: assessment-objective + props: + - name: label + value: AU-09b. + class: sp800-53a + prose: " {{ insert: param, au-09_odp }} are alerted upon detection\ + \ of unauthorized access, modification, or deletion of audit information." + links: + - href: "#au-9_smt.b" + rel: assessment-for + links: + - href: "#au-9_smt" + rel: assessment-for + - id: au-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + access control policy and procedures + + procedures addressing protection of audit information + + system design documentation + + system configuration settings and associated documentation + + system audit records + + audit tools + + other relevant documents or records + - id: au-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit information protection + - id: au-11 + class: SP800-53 + title: Audit Record Retention + params: + - id: au-11_odp + label: time period + constraints: + - description: a time period in compliance with M-21-31 + guidelines: + - prose: a time period to retain audit records that is consistent + with the records retention policy is defined; + props: + - name: label + value: AU-11 + - name: label + value: AU-11 + class: sp800-53a + - name: sort-id + value: au-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-14" + rel: related + - href: "#mp-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-11_smt + name: statement + prose: "Retain audit records for {{ insert: param, au-11_odp }} to provide\ + \ support for after-the-fact investigations of incidents and to meet\ + \ regulatory and organizational information retention requirements." + parts: + - id: au-11_fr + name: item + title: AU-11 Additional FedRAMP Requirements and Guidance + parts: + - id: au-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider retains audit records on-line for + at least ninety days and further preserves audit records off-line + for a period that is in accordance with NARA requirements. + - id: au-11_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must support Agency requirements + to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + - id: au-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The service provider is encouraged to align with M-21-31 + where possible + - id: au-11_gdn + name: guidance + prose: Organizations retain audit records until it is determined that + the records are no longer needed for administrative, legal, audit, + or other operational purposes. This includes the retention and availability + of audit records relative to Freedom of Information Act (FOIA) requests, + subpoenas, and law enforcement actions. Organizations develop standard + categories of audit records relative to such types of actions and + standard response processes for each type of action. The National + Archives and Records Administration (NARA) General Records Schedules + provide federal policy on records retention. + - id: au-11_obj + name: assessment-objective + props: + - name: label + value: AU-11 + class: sp800-53a + prose: "audit records are retained for {{ insert: param, au-11_odp }}\ + \ to provide support for after-the-fact investigations of incidents\ + \ and to meet regulatory and organizational information retention\ + \ requirements." + links: + - href: "#au-11_smt" + rel: assessment-for + - id: au-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + audit record retention policy and procedures + + security plan + + organization-defined retention period for audit records + + audit record archives + + audit logs + + audit records + + other relevant documents or records + - id: au-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record retention + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-12 + class: SP800-53 + title: Audit Record Generation + params: + - id: au-12_odp.01 + label: system components + constraints: + - description: all information system and network components where + audit capability is deployed/available + guidelines: + - prose: system components that provide an audit record generation + capability for the events types (defined in AU-02_ODP[02]) are + defined; + - id: au-12_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles allowed to select the event types that + are to be logged by specific components of the system is/are defined; + props: + - name: label + value: AU-12 + - name: label + value: AU-12 + class: sp800-53a + - name: sort-id + value: au-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-14" + rel: related + - href: "#cm-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + parts: + - id: au-12_smt + name: statement + parts: + - id: au-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide audit record generation capability for the event\ + \ types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a)\ + \ on {{ insert: param, au-12_odp.01 }};" + - id: au-12_smt.b + name: item + props: + - name: label + value: b. + prose: "Allow {{ insert: param, au-12_odp.02 }} to select the event\ + \ types that are to be logged by specific components of the system;\ + \ and" + - id: au-12_smt.c + name: item + props: + - name: label + value: c. + prose: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) + that include the audit record content defined in [AU-3](#au-3). + - id: au-12_gdn + name: guidance + prose: Audit records can be generated from many different system components. + The event types specified in [AU-2d](#au-2_smt.d) are the event types + for which audit logs are to be generated and are a subset of all event + types for which the system can generate audit records. + - id: au-12_obj + name: assessment-objective + props: + - name: label + value: AU-12 + class: sp800-53a + parts: + - id: au-12_obj.a + name: assessment-objective + props: + - name: label + value: AU-12a. + class: sp800-53a + prose: "audit record generation capability for the event types the\ + \ system is capable of auditing (defined in AU-02_ODP[01]) is\ + \ provided by {{ insert: param, au-12_odp.01 }};" + links: + - href: "#au-12_smt.a" + rel: assessment-for + - id: au-12_obj.b + name: assessment-objective + props: + - name: label + value: AU-12b. + class: sp800-53a + prose: " {{ insert: param, au-12_odp.02 }} is/are allowed to select\ + \ the event types that are to be logged by specific components\ + \ of the system;" + links: + - href: "#au-12_smt.b" + rel: assessment-for + - id: au-12_obj.c + name: assessment-objective + props: + - name: label + value: AU-12c. + class: sp800-53a + prose: audit records for the event types defined in AU-02_ODP[02] + that include the audit record content defined in AU-03 are generated. + links: + - href: "#au-12_smt.c" + rel: assessment-for + links: + - href: "#au-12_smt" + rel: assessment-for + - id: au-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit record generation + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + list of auditable events + + system audit records + + other relevant documents or records + - id: au-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record generation + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit record generation capability + - id: ca + class: family + title: Assessment, Authorization, and Monitoring + controls: + - id: ca-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ca-1_prm_1 + label: organization-defined personnel or roles + - id: ca-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring policy is to be disseminated is/are defined; + - id: ca-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring procedures are to be disseminated is/are defined; + - id: ca-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ca-01_odp.04 + label: official + guidelines: + - prose: an official to manage the assessment, authorization, and + monitoring policy and procedures is defined; + - id: ca-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring policy is reviewed and updated is defined; + - id: ca-01_odp.06 + label: events + guidelines: + - prose: events that would require the current assessment, authorization, + and monitoring policy to be reviewed and updated are defined; + - id: ca-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring procedures are reviewed and updated is defined; + - id: ca-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require assessment, authorization, and + monitoring procedures to be reviewed and updated are defined; + props: + - name: label + value: CA-1 + - name: label + value: CA-01 + class: sp800-53a + - name: sort-id + value: ca-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#62ea77ca-e450-4323-b210-e0d75390e785" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-1_smt + name: statement + parts: + - id: ca-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ca-1_prm_1 }}:" + parts: + - id: ca-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ca-01_odp.03 }} assessment, authorization,\ + \ and monitoring policy that:" + parts: + - id: ca-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ca-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ca-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the assessment, + authorization, and monitoring policy and the associated assessment, + authorization, and monitoring controls; + - id: ca-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ca-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures; and" + - id: ca-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current assessment, authorization,\ + \ and monitoring:" + parts: + - id: ca-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ca-01_odp.05 }} and following\ + \ {{ insert: param, ca-01_odp.06 }} ; and" + - id: ca-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ca-01_odp.07 }} and following\ + \ {{ insert: param, ca-01_odp.08 }}." + - id: ca-1_gdn + name: guidance + prose: Assessment, authorization, and monitoring policy and procedures + address the controls in the CA family that are implemented within + systems and organizations. The risk management strategy is an important + factor in establishing such policies and procedures. Policies and + procedures contribute to security and privacy assurance. Therefore, + it is important that security and privacy programs collaborate on + the development of assessment, authorization, and monitoring policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to assessment, authorization, and monitoring + policy and procedures include assessment or audit findings, security + incidents or breaches, or changes in applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Simply + restating controls does not constitute an organizational policy or + procedure. + - id: ca-1_obj + name: assessment-objective + props: + - name: label + value: CA-01 + class: sp800-53a + parts: + - id: ca-1_obj.a + name: assessment-objective + props: + - name: label + value: CA-01a. + class: sp800-53a + parts: + - id: ca-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.[01] + class: sp800-53a + prose: an assessment, authorization, and monitoring policy is + developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.[02] + class: sp800-53a + prose: "the assessment, authorization, and monitoring policy\ + \ is disseminated to {{ insert: param, ca-01_odp.01 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.[03] + class: sp800-53a + prose: assessment, authorization, and monitoring procedures + to facilitate the implementation of the assessment, authorization, + and monitoring policy and associated assessment, authorization, + and monitoring controls are developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.[04] + class: sp800-53a + prose: "the assessment, authorization, and monitoring procedures\ + \ are disseminated to {{ insert: param, ca-01_odp.02 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CA-01a.01 + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CA-01a.01(a) + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses purpose;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses scope;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses roles;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses responsibilities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses management\ + \ commitment;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses compliance;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy is consistent with\ + \ applicable laws, executive orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#ca-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1" + rel: assessment-for + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.b + name: assessment-objective + props: + - name: label + value: CA-01b. + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures;" + links: + - href: "#ca-1_smt.b" + rel: assessment-for + - id: ca-1_obj.c + name: assessment-objective + props: + - name: label + value: CA-01c. + class: sp800-53a + parts: + - id: ca-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-01c.01 + class: sp800-53a + parts: + - id: ca-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CA-01c.01[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated {{ insert: param, ca-01_odp.05\ + \ }}; " + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CA-01c.01[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated following {{ insert:\ + \ param, ca-01_odp.06 }};" + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-01c.02 + class: sp800-53a + parts: + - id: ca-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CA-01c.02[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated {{ insert: param,\ + \ ca-01_odp.07 }}; " + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + - id: ca-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CA-01c.02[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, ca-01_odp.08 }}." + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c" + rel: assessment-for + links: + - href: "#ca-1_smt" + rel: assessment-for + - id: ca-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy and + procedures + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment, authorization, and + monitoring policy responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2 + class: SP800-53 + title: Control Assessments + params: + - id: ca-02_odp.01 + label: assessment frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess controls in the system and + its environment of operation is defined; + - id: ca-02_odp.02 + label: individuals or roles + constraints: + - description: individuals or roles to include FedRAMP PMO + guidelines: + - prose: individuals or roles to whom control assessment results are + to be provided are defined; + props: + - name: label + value: CA-2 + - name: label + value: CA-02 + class: sp800-53a + - name: sort-id + value: ca-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: ca-2_smt + name: statement + parts: + - id: ca-2_smt.a + name: item + props: + - name: label + value: a. + prose: Select the appropriate assessor or assessment team for the + type of assessment to be conducted; + - id: ca-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Develop a control assessment plan that describes the scope\ + \ of the assessment including:" + parts: + - id: ca-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Controls and control enhancements under assessment; + - id: ca-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Assessment procedures to be used to determine control + effectiveness; and + - id: ca-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Assessment environment, assessment team, and assessment + roles and responsibilities; + - id: ca-2_smt.c + name: item + props: + - name: label + value: c. + prose: Ensure the control assessment plan is reviewed and approved + by the authorizing official or designated representative prior + to conducting the assessment; + - id: ca-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Assess the controls in the system and its environment of\ + \ operation {{ insert: param, ca-02_odp.01 }} to determine the\ + \ extent to which the controls are implemented correctly, operating\ + \ as intended, and producing the desired outcome with respect\ + \ to meeting established security and privacy requirements;" + - id: ca-2_smt.e + name: item + props: + - name: label + value: e. + prose: Produce a control assessment report that document the results + of the assessment; and + - id: ca-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Provide the results of the control assessment to {{ insert:\ + \ param, ca-02_odp.02 }}." + - id: ca-2_fr + name: item + title: CA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP Annual Assessment Guidance. + - id: ca-2_gdn + name: guidance + prose: >- + Organizations ensure that control assessors possess the required + skills and technical expertise to develop effective assessment + plans and to conduct assessments of system-specific, hybrid, + common, and program management controls, as appropriate. The + required skills include general knowledge of risk management + concepts and approaches as well as comprehensive knowledge of + and experience with the hardware, software, and firmware system + components implemented. + + + Organizations assess controls in systems and the environments in which + those systems operate as part of initial and ongoing authorizations, + continuous monitoring, FISMA annual assessments, system design and + development, systems security engineering, privacy engineering, and + the system development life cycle. Assessments help to ensure that + organizations meet information security and privacy requirements, + identify weaknesses and deficiencies in the system design and development + process, provide essential information needed to make risk-based decisions + as part of authorization processes, and comply with vulnerability + mitigation procedures. Organizations conduct assessments on the implemented + controls as documented in security and privacy plans. Assessments + can also be conducted throughout the system development life cycle + as part of systems engineering and systems security engineering processes. + The design for controls can be assessed as RFPs are developed, responses + assessed, and design reviews conducted. If a design to implement controls + and subsequent implementation in accordance with the design are assessed + during development, the final control testing can be a simple confirmation + utilizing previously completed control assessment and aggregating + the outcomes. + + + Organizations may develop a single, consolidated security and privacy + assessment plan for the system or maintain separate plans. A consolidated + assessment plan clearly delineates the roles and responsibilities + for control assessment. If multiple organizations participate in assessing + a system, a coordinated approach can reduce redundancies and associated + costs. + + + Organizations can use other types of assessment activities, such as + vulnerability scanning and system monitoring, to maintain the security + and privacy posture of systems during the system life cycle. Assessment + reports document assessment results in sufficient detail, as deemed + necessary by organizations, to determine the accuracy and completeness + of the reports and whether the controls are implemented correctly, + operating as intended, and producing the desired outcome with respect + to meeting requirements. Assessment results are provided to the individuals + or roles appropriate for the types of assessments being conducted. + For example, assessments conducted in support of authorization decisions + are provided to authorizing officials, senior agency officials for + privacy, senior agency information security officers, and authorizing + official designated representatives. + + + To satisfy annual assessment requirements, organizations can use assessment + results from the following sources: initial or ongoing system authorizations, + continuous monitoring, systems engineering processes, or system development + life cycle activities. Organizations ensure that assessment results + are current, relevant to the determination of control effectiveness, + and obtained with the appropriate level of assessor independence. + Existing control assessment results can be reused to the extent that + the results are still valid and can also be supplemented with additional + assessments as needed. After the initial authorizations, organizations + assess controls during continuous monitoring. Organizations also establish + the frequency for ongoing assessments in accordance with organizational + continuous monitoring strategies. External audits, including audits + by external entities such as regulatory agencies, are outside of the + scope of [CA-2](#ca-2). + - id: ca-2_obj + name: assessment-objective + props: + - name: label + value: CA-02 + class: sp800-53a + parts: + - id: ca-2_obj.a + name: assessment-objective + props: + - name: label + value: CA-02a. + class: sp800-53a + prose: an appropriate assessor or assessment team is selected for + the type of assessment to be conducted; + links: + - href: "#ca-2_smt.a" + rel: assessment-for + - id: ca-2_obj.b + name: assessment-objective + props: + - name: label + value: CA-02b. + class: sp800-53a + parts: + - id: ca-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CA-02b.01 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including controls and control + enhancements under assessment; + links: + - href: "#ca-2_smt.b.1" + rel: assessment-for + - id: ca-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CA-02b.02 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment procedures + to be used to determine control effectiveness; + links: + - href: "#ca-2_smt.b.2" + rel: assessment-for + - id: ca-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CA-02b.03 + class: sp800-53a + parts: + - id: ca-2_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: CA-02b.03[01] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + environment; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: CA-02b.03[02] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + team; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-3 + name: assessment-objective + props: + - name: label + value: CA-02b.03[03] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment roles + and responsibilities; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b" + rel: assessment-for + - id: ca-2_obj.c + name: assessment-objective + props: + - name: label + value: CA-02c. + class: sp800-53a + prose: the control assessment plan is reviewed and approved by the + authorizing official or designated representative prior to conducting + the assessment; + links: + - href: "#ca-2_smt.c" + rel: assessment-for + - id: ca-2_obj.d + name: assessment-objective + props: + - name: label + value: CA-02d. + class: sp800-53a + parts: + - id: ca-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: CA-02d.[01] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established security requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: CA-02d.[02] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established privacy requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.e + name: assessment-objective + props: + - name: label + value: CA-02e. + class: sp800-53a + prose: a control assessment report is produced that documents the + results of the assessment; + links: + - href: "#ca-2_smt.e" + rel: assessment-for + - id: ca-2_obj.f + name: assessment-objective + props: + - name: label + value: CA-02f. + class: sp800-53a + prose: "the results of the control assessment are provided to {{\ + \ insert: param, ca-02_odp.02 }}." + links: + - href: "#ca-2_smt.f" + rel: assessment-for + links: + - href: "#ca-2_smt" + rel: assessment-for + - id: ca-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing assessment planning + + procedures addressing control assessments + + control assessment plan + + control assessment report + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting control assessment, control assessment + plan development, and/or control assessment reporting + controls: + - id: ca-2.1 + class: SP800-53-enhancement + title: Independent Assessors + props: + - name: label + value: CA-2(1) + - name: label + value: CA-02(01) + class: sp800-53a + - name: sort-id + value: ca-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + parts: + - id: ca-2.1_smt + name: statement + prose: Employ independent assessors or assessment teams to conduct + control assessments. + - id: ca-2.1_gdn + name: guidance + prose: >- + Independent assessors or assessment teams are individuals or + groups who conduct impartial assessments of systems. + Impartiality means that assessors are free from any + perceived or actual conflicts of interest regarding the + development, operation, sustainment, or management of the + systems under assessment or the determination of control + effectiveness. To achieve impartiality, assessors do not + create a mutual or conflicting interest with the + organizations where the assessments are being conducted, + assess their own work, act as management or employees of the + organizations they are serving, or place themselves in + positions of advocacy for the organizations acquiring their + services. + + + Independent assessments can be obtained from elements within organizations + or be contracted to public or private sector entities outside + of organizations. Authorizing officials determine the required + level of independence based on the security categories of systems + and/or the risk to organizational operations, organizational assets, + or individuals. Authorizing officials also determine if the level + of assessor independence provides sufficient assurance that the + results are sound and can be used to make credible, risk-based + decisions. Assessor independence determination includes whether + contracted assessment services have sufficient independence, such + as when system owners are not directly involved in contracting + processes or cannot influence the impartiality of the assessors + conducting the assessments. During the system design and development + phase, having independent assessors is analogous to having independent + SMEs involved in design reviews. + + + When organizations that own the systems are small or the structures + of the organizations require that assessments be conducted by + individuals that are in the developmental, operational, or management + chain of the system owners, independence in assessment processes + can be achieved by ensuring that assessment results are carefully + reviewed and analyzed by independent teams of experts to validate + the completeness, accuracy, integrity, and reliability of the + results. Assessments performed for purposes other than to support + authorization decisions are more likely to be useable for such + decisions when performed by assessors with sufficient independence, + thereby reducing the need to repeat assessments. + - id: ca-2.1_obj + name: assessment-objective + props: + - name: label + value: CA-02(01) + class: sp800-53a + prose: independent assessors or assessment teams are employed to + conduct control assessments. + links: + - href: "#ca-2.1_smt" + rel: assessment-for + - id: ca-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + previous control assessment plan + + previous control assessment report + + plan of action and milestones + + existing authorization statement + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-3 + class: SP800-53 + title: Information Exchange + params: + - id: ca-03_odp.01 + select: + how-many: one-or-more + choice: + - interconnection security agreements + - information exchange security agreements + - memoranda of understanding or agreement + - service level agreements + - user agreements + - non-disclosure agreements + - " {{ insert: param, ca-03_odp.02 }} " + - id: ca-03_odp.02 + label: type of agreement + guidelines: + - prose: the type of agreement used to approve and manage the exchange + of information is defined (if selected); + - id: ca-03_odp.03 + label: frequency + constraints: + - description: at least annually and on input from JAB/AO + guidelines: + - prose: the frequency at which to review and update agreements is + defined; + props: + - name: label + value: CA-3 + - name: label + value: CA-03 + class: sp800-53a + - name: sort-id + value: ca-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#c3a76872-e160-4267-99e8-6952de967d04" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-6" + rel: related + - href: "#ia-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-3_smt + name: statement + parts: + - id: ca-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Approve and manage the exchange of information between the\ + \ system and other systems using {{ insert: param, ca-03_odp.01\ + \ }};" + - id: ca-3_smt.b + name: item + props: + - name: label + value: b. + prose: Document, as part of each exchange agreement, the interface + characteristics, security and privacy requirements, controls, + and responsibilities for each system, and the impact level of + the information communicated; and + - id: ca-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the agreements {{ insert: param, ca-03_odp.03\ + \ }}." + - id: ca-3_gdn + name: guidance + prose: >- + System information exchange requirements apply to information + exchanges between two or more systems. System information + exchanges include connections via leased lines or virtual + private networks, connections to internet service providers, + database sharing or exchanges of database transaction + information, connections and exchanges with cloud services, + exchanges via web-based services, or exchanges of files via file + transfer protocols, network protocols (e.g., IPv4, IPv6), email, + or other organization-to-organization communications. + Organizations consider the risk related to new or increased + threats that may be introduced when systems exchange information + with other systems that may have different security and privacy + requirements and controls. This includes systems within the same + organization and systems that are external to the organization. + A joint authorization of the systems exchanging information, as + described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help + to communicate and reduce risk. + + + Authorizing officials determine the risk associated with system information + exchange and the controls needed for appropriate risk mitigation. + The types of agreements selected are based on factors such as the + impact level of the information being exchanged, the relationship + between the organizations exchanging information (e.g., government + to government, government to business, business to business, government + or business to service provider, government or business to individual), + or the level of access to the organizational system by users of the + other system. If systems that exchange information have the same authorizing + official, organizations need not develop agreements. Instead, the + interface characteristics between the systems (e.g., how the information + is being exchanged. how the information is protected) are described + in the respective security and privacy plans. If the systems that + exchange information have different authorizing officials within the + same organization, the organizations can develop agreements or provide + the same information that would be provided in the appropriate agreement + type from [CA-3a](#ca-3_smt.a) in the respective security and privacy + plans for the systems. Organizations may incorporate agreement information + into formal contracts, especially for information exchanges established + between federal agencies and nonfederal organizations (including service + providers, contractors, system developers, and system integrators). + Risk considerations include systems that share the same networks. + - id: ca-3_obj + name: assessment-objective + props: + - name: label + value: CA-03 + class: sp800-53a + parts: + - id: ca-3_obj.a + name: assessment-objective + props: + - name: label + value: CA-03a. + class: sp800-53a + prose: "the exchange of information between the system and other\ + \ systems is approved and managed using {{ insert: param, ca-03_odp.01\ + \ }};" + links: + - href: "#ca-3_smt.a" + rel: assessment-for + - id: ca-3_obj.b + name: assessment-objective + props: + - name: label + value: CA-03b. + class: sp800-53a + parts: + - id: ca-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-03b.[01] + class: sp800-53a + prose: the interface characteristics are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-03b.[02] + class: sp800-53a + prose: security requirements are documented as part of each + exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-03b.[03] + class: sp800-53a + prose: privacy requirements are documented as part of each exchange + agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-03b.[04] + class: sp800-53a + prose: controls are documented as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-5 + name: assessment-objective + props: + - name: label + value: CA-03b.[05] + class: sp800-53a + prose: responsibilities for each system are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-6 + name: assessment-objective + props: + - name: label + value: CA-03b.[06] + class: sp800-53a + prose: the impact level of the information communicated is documented + as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.c + name: assessment-objective + props: + - name: label + value: CA-03c. + class: sp800-53a + prose: "agreements are reviewed and updated {{ insert: param, ca-03_odp.03\ + \ }}." + links: + - href: "#ca-3_smt.c" + rel: assessment-for + links: + - href: "#ca-3_smt" + rel: assessment-for + - id: ca-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing system connections + + system and communications protection policy + + system interconnection security agreements + + information exchange security agreements + + memoranda of understanding or agreements + + service level agreements + + non-disclosure agreements + + system design documentation + + enterprise architecture + + system architecture + + system configuration settings and associated documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or approving system + interconnection agreements + + + organizational personnel with information security and privacy + responsibilities + + + personnel managing the system(s) to which the interconnection + security agreement applies + - id: ca-5 + class: SP800-53 + title: Plan of Action and Milestones + params: + - id: ca-05_odp + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to update an existing plan of action + and milestones based on the findings from control assessments, + independent audits or reviews, and continuous monitoring activities + is defined; + props: + - name: label + value: CA-5 + - name: label + value: CA-05 + class: sp800-53a + - name: sort-id + value: ca-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-7" + rel: related + - href: "#si-2" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-5_smt + name: statement + parts: + - id: ca-5_smt.a + name: item + props: + - name: label + value: a. + prose: Develop a plan of action and milestones for the system to + document the planned remediation actions of the organization to + correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; and + - id: ca-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Update existing plan of action and milestones {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + - id: ca-5_fr + name: item + title: CA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-5_fr_gdn.1 + name: item + props: + - name: label + value: "Requirement:" + prose: POA&Ms must be provided at least monthly. + - id: ca-5_fr_smt.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP-POAM-Template + - id: ca-5_gdn + name: guidance + prose: Plans of action and milestones are useful for any type of organization + to track planned remedial actions. Plans of action and milestones + are required in authorization packages and subject to federal reporting + requirements established by OMB. + - id: ca-5_obj + name: assessment-objective + props: + - name: label + value: CA-05 + class: sp800-53a + parts: + - id: ca-5_obj.a + name: assessment-objective + props: + - name: label + value: CA-05a. + class: sp800-53a + prose: a plan of action and milestones for the system is developed + to document the planned remediation actions of the organization + to correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; + links: + - href: "#ca-5_smt.a" + rel: assessment-for + - id: ca-5_obj.b + name: assessment-objective + props: + - name: label + value: CA-05b. + class: sp800-53a + prose: "existing plan of action and milestones are updated {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + links: + - href: "#ca-5_smt.b" + rel: assessment-for + links: + - href: "#ca-5_smt" + rel: assessment-for + - id: ca-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing plan of action and milestones + + control assessment plan + + control assessment report + + control assessment evidence + + plan of action and milestones + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with plan of action and milestones + development and implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms for developing, implementing, and maintaining + plan of action and milestones + - id: ca-6 + class: SP800-53 + title: Authorization + params: + - id: ca-06_odp + label: frequency + constraints: + - description: in accordance with OMB A-130 requirements or when a + significant change occurs + guidelines: + - prose: frequency at which to update the authorizations is defined; + props: + - name: label + value: CA-6 + - name: label + value: CA-06 + class: sp800-53a + - name: sort-id + value: ca-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-6_smt + name: statement + parts: + - id: ca-6_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a senior official as the authorizing official for + the system; + - id: ca-6_smt.b + name: item + props: + - name: label + value: b. + prose: Assign a senior official as the authorizing official for + common controls available for inheritance by organizational systems; + - id: ca-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Ensure that the authorizing official for the system, before\ + \ commencing operations:" + parts: + - id: ca-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Accepts the use of common controls inherited by the system; + and + - id: ca-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Authorizes the system to operate; + - id: ca-6_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure that the authorizing official for common controls + authorizes the use of those controls for inheritance by organizational + systems; + - id: ca-6_smt.e + name: item + props: + - name: label + value: e. + prose: "Update the authorizations {{ insert: param, ca-06_odp }}." + - id: ca-6_fr + name: item + title: CA-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F and according to FedRAMP Significant + Change Policies and Procedures. The service provider describes + the types of changes to the information system or the environment + of operations that would impact the risk posture. The types + of changes are approved and accepted by the JAB/AO. + - id: ca-6_gdn + name: guidance + prose: >- + Authorizations are official management decisions by senior + officials to authorize operation of systems, authorize the use + of common controls for inheritance by organizational systems, + and explicitly accept the risk to organizational operations and + assets, individuals, other organizations, and the Nation based + on the implementation of agreed-upon controls. Authorizing + officials provide budgetary oversight for organizational systems + and common controls or assume responsibility for the mission and + business functions supported by those systems or common + controls. The authorization process is a federal responsibility, + and therefore, authorizing officials must be federal employees. + Authorizing officials are both responsible and accountable for + security and privacy risks associated with the operation and use + of organizational systems. Nonfederal organizations may have + similar processes to authorize systems and senior officials that + assume the authorization role and associated responsibilities. + + + Authorizing officials issue ongoing authorizations of systems based + on evidence produced from implemented continuous monitoring programs. + Robust continuous monitoring programs reduce the need for separate + reauthorization processes. Through the employment of comprehensive + continuous monitoring processes, the information contained in authorization + packages (i.e., security and privacy plans, assessment reports, and + plans of action and milestones) is updated on an ongoing basis. This + provides authorizing officials, common control providers, and system + owners with an up-to-date status of the security and privacy posture + of their systems, controls, and operating environments. To reduce + the cost of reauthorization, authorizing officials can leverage the + results of continuous monitoring processes to the maximum extent possible + as the basis for rendering reauthorization decisions. + - id: ca-6_obj + name: assessment-objective + props: + - name: label + value: CA-06 + class: sp800-53a + parts: + - id: ca-6_obj.a + name: assessment-objective + props: + - name: label + value: CA-06a. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for the system; + links: + - href: "#ca-6_smt.a" + rel: assessment-for + - id: ca-6_obj.b + name: assessment-objective + props: + - name: label + value: CA-06b. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for common controls available for inheritance by organizational + systems; + links: + - href: "#ca-6_smt.b" + rel: assessment-for + - id: ca-6_obj.c + name: assessment-objective + props: + - name: label + value: CA-06c. + class: sp800-53a + parts: + - id: ca-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-06c.01 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system accepts the use of common controls inherited + by the system; + links: + - href: "#ca-6_smt.c.1" + rel: assessment-for + - id: ca-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-06c.02 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system authorizes the system to operate; + links: + - href: "#ca-6_smt.c.2" + rel: assessment-for + links: + - href: "#ca-6_smt.c" + rel: assessment-for + - id: ca-6_obj.d + name: assessment-objective + props: + - name: label + value: CA-06d. + class: sp800-53a + prose: the authorizing official for common controls authorizes the + use of those controls for inheritance by organizational systems; + links: + - href: "#ca-6_smt.d" + rel: assessment-for + - id: ca-6_obj.e + name: assessment-objective + props: + - name: label + value: CA-06e. + class: sp800-53a + prose: "the authorizations are updated {{ insert: param, ca-06_odp\ + \ }}." + links: + - href: "#ca-6_smt.e" + rel: assessment-for + links: + - href: "#ca-6_smt" + rel: assessment-for + - id: ca-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + procedures addressing authorization + + + system security plan, privacy plan, assessment report, plan of + action and milestones + + + authorization statement + + + other relevant documents or records + - id: ca-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authorization responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that facilitate authorizations and updates + - id: ca-7 + class: SP800-53 + title: Continuous Monitoring + params: + - id: ca-7_prm_4 + label: organization-defined personnel or roles + constraints: + - description: to include JAB/AO + - id: ca-7_prm_5 + label: organization-defined frequency + - id: ca-07_odp.01 + label: system-level metrics + guidelines: + - prose: system-level metrics to be monitored are defined; + - id: ca-07_odp.02 + label: frequencies + guidelines: + - prose: frequencies at which to monitor control effectiveness are + defined; + - id: ca-07_odp.03 + label: frequencies + guidelines: + - prose: frequencies at which to assess control effectiveness are + defined; + - id: ca-07_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the security status of the system + is reported are defined; + - id: ca-07_odp.05 + label: frequency + guidelines: + - prose: frequency at which the security status of the system is reported + is defined; + - id: ca-07_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the privacy status of the system + is reported are defined; + - id: ca-07_odp.07 + label: frequency + guidelines: + - prose: frequency at which the privacy status of the system is reported + is defined; + props: + - name: label + value: CA-7 + - name: label + value: CA-07 + class: sp800-53a + - name: sort-id + value: ca-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#at-4" + rel: related + - href: "#au-6" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#pe-14" + rel: related + - href: "#pe-16" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-6" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-12" + rel: related + - href: "#pm-14" + rel: related + - href: "#pm-23" + rel: related + - href: "#pm-28" + rel: related + - href: "#pm-31" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-38" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-7_smt + name: statement + prose: "Develop a system-level continuous monitoring strategy and implement\ + \ continuous monitoring in accordance with the organization-level\ + \ continuous monitoring strategy that includes:" + parts: + - id: ca-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establishing the following system-level metrics to be monitored:\ + \ {{ insert: param, ca-07_odp.01 }};" + - id: ca-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring\ + \ and {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + - id: ca-7_smt.c + name: item + props: + - name: label + value: c. + prose: Ongoing control assessments in accordance with the continuous + monitoring strategy; + - id: ca-7_smt.d + name: item + props: + - name: label + value: d. + prose: Ongoing monitoring of system and organization-defined metrics + in accordance with the continuous monitoring strategy; + - id: ca-7_smt.e + name: item + props: + - name: label + value: e. + prose: Correlation and analysis of information generated by control + assessments and monitoring; + - id: ca-7_smt.f + name: item + props: + - name: label + value: f. + prose: Response actions to address results of the analysis of control + assessment and monitoring information; and + - id: ca-7_smt.g + name: item + props: + - name: label + value: g. + prose: "Reporting the security and privacy status of the system\ + \ to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5\ + \ }}." + - id: ca-7_fr + name: item + title: CA-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: "Operating System, Database, Web Application, Container,\ + \ and Service Configuration Scans: at least monthly. All scans\ + \ performed by Independent Assessor: at least annually." + - id: ca-7_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs with more than one agency ATO must implement a collaborative + Continuous Monitoring (ConMon) approach described in the FedRAMP + Guide for Multi-Agency Continuous Monitoring. This requirement + applies to CSOs authorized via the Agency path as each agency + customer is responsible for performing ConMon oversight. It + does not apply to CSOs authorized via the JAB path because + the JAB performs ConMon oversight. + - id: ca-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: FedRAMP does not provide a template for the Continuous + Monitoring Plan. CSPs should reference the FedRAMP Continuous + Monitoring Strategy Guide when developing the Continuous Monitoring + Plan. + - id: ca-7_gdn + name: guidance + prose: >- + Continuous monitoring at the system level facilitates ongoing + awareness of the system security and privacy posture to support + organizational risk management decisions. The terms "continuous" + and "ongoing" imply that organizations assess and monitor their + controls and risks at a frequency sufficient to support + risk-based decisions. Different types of controls may require + different monitoring frequencies. The results of continuous + monitoring generate risk response actions by organizations. When + monitoring the effectiveness of multiple controls that have been + grouped into capabilities, a root-cause analysis may be needed + to determine the specific control that has failed. Continuous + monitoring programs allow organizations to maintain the + authorizations of systems and common controls in highly dynamic + environments of operation with changing mission and business + needs, threats, vulnerabilities, and technologies. Having access + to security and privacy information on a continuing basis + through reports and dashboards gives organizational officials + the ability to make effective and timely risk management + decisions, including ongoing authorization decisions. + + + Automation supports more frequent updates to hardware, software, and + firmware inventories, authorization packages, and other system information. + Effectiveness is further enhanced when continuous monitoring outputs + are formatted to provide information that is specific, measurable, + actionable, relevant, and timely. Continuous monitoring activities + are scaled in accordance with the security categories of systems. + Monitoring requirements, including the need for specific monitoring, + may be referenced in other controls and control enhancements, such + as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), + [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), + [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), + [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), + [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), + [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), + [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), + [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4). + - id: ca-7_obj + name: assessment-objective + props: + - name: label + value: CA-07 + class: sp800-53a + parts: + - id: ca-7_obj-1 + name: assessment-objective + props: + - name: label + value: CA-07[01] + class: sp800-53a + prose: a system-level continuous monitoring strategy is developed; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj-2 + name: assessment-objective + props: + - name: label + value: CA-07[02] + class: sp800-53a + prose: system-level continuous monitoring is implemented in accordance + with the organization-level continuous monitoring strategy; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj.a + name: assessment-objective + props: + - name: label + value: CA-07a. + class: sp800-53a + prose: "system-level continuous monitoring includes establishment\ + \ of the following system-level metrics to be monitored: {{ insert:\ + \ param, ca-07_odp.01 }};" + links: + - href: "#ca-7_smt.a" + rel: assessment-for + - id: ca-7_obj.b + name: assessment-objective + props: + - name: label + value: CA-07b. + class: sp800-53a + parts: + - id: ca-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-07b.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.02 }} for monitoring;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-07b.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.c + name: assessment-objective + props: + - name: label + value: CA-07c. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing control + assessments in accordance with the continuous monitoring strategy; + links: + - href: "#ca-7_smt.c" + rel: assessment-for + - id: ca-7_obj.d + name: assessment-objective + props: + - name: label + value: CA-07d. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing monitoring + of system and organization-defined metrics in accordance with + the continuous monitoring strategy; + links: + - href: "#ca-7_smt.d" + rel: assessment-for + - id: ca-7_obj.e + name: assessment-objective + props: + - name: label + value: CA-07e. + class: sp800-53a + prose: system-level continuous monitoring includes correlation and + analysis of information generated by control assessments and monitoring; + links: + - href: "#ca-7_smt.e" + rel: assessment-for + - id: ca-7_obj.f + name: assessment-objective + props: + - name: label + value: CA-07f. + class: sp800-53a + prose: system-level continuous monitoring includes response actions + to address the results of the analysis of control assessment and + monitoring information; + links: + - href: "#ca-7_smt.f" + rel: assessment-for + - id: ca-7_obj.g + name: assessment-objective + props: + - name: label + value: CA-07g. + class: sp800-53a + parts: + - id: ca-7_obj.g-1 + name: assessment-objective + props: + - name: label + value: CA-07g.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the security status of the system to {{ insert: param, ca-07_odp.04\ + \ }} {{ insert: param, ca-07_odp.05 }};" + links: + - href: "#ca-7_smt.g" + rel: assessment-for + - id: ca-7_obj.g-2 + name: assessment-objective + props: + - name: label + value: CA-07g.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the privacy status of the system to {{ insert: param, ca-07_odp.06\ + \ }} {{ insert: param, ca-07_odp.07 }}." + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + procedures addressing configuration management + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + configuration management records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing continuous monitoring + + + mechanisms supporting response actions to address assessment and + monitoring results + + + mechanisms supporting security and privacy status reporting + controls: + - id: ca-7.4 + class: SP800-53-enhancement + title: Risk Monitoring + props: + - name: label + value: CA-7(4) + - name: label + value: CA-07(04) + class: sp800-53a + - name: sort-id + value: ca-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.4_smt + name: statement + prose: "Ensure risk monitoring is an integral part of the continuous\ + \ monitoring strategy that includes the following:" + parts: + - id: ca-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Effectiveness monitoring; + - id: ca-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Compliance monitoring; and + - id: ca-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Change monitoring. + - id: ca-7.4_gdn + name: guidance + prose: Risk monitoring is informed by the established organizational + risk tolerance. Effectiveness monitoring determines the ongoing + effectiveness of the implemented risk response measures. Compliance + monitoring verifies that required risk response measures are implemented. + It also verifies that security and privacy requirements are satisfied. + Change monitoring identifies changes to organizational systems + and environments of operation that may affect security and privacy + risk. + - id: ca-7.4_obj + name: assessment-objective + props: + - name: label + value: CA-07(04) + class: sp800-53a + prose: risk monitoring is an integral part of the continuous monitoring + strategy; + parts: + - id: ca-7.4_obj.a + name: assessment-objective + props: + - name: label + value: CA-07(04)(a) + class: sp800-53a + prose: effectiveness monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.a" + rel: assessment-for + - id: ca-7.4_obj.b + name: assessment-objective + props: + - name: label + value: CA-07(04)(b) + class: sp800-53a + prose: compliance monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.b" + rel: assessment-for + - id: ca-7.4_obj.c + name: assessment-objective + props: + - name: label + value: CA-07(04)(c) + class: sp800-53a + prose: change monitoring is included in risk monitoring. + links: + - href: "#ca-7.4_smt.c" + rel: assessment-for + links: + - href: "#ca-7.4_smt" + rel: assessment-for + - id: ca-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting risk monitoring + - id: ca-8 + class: SP800-53 + title: Penetration Testing + params: + - id: ca-08_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to conduct penetration testing on systems + or system components is defined; + - id: ca-08_odp.02 + label: system(s) or system components + guidelines: + - prose: systems or system components on which penetration testing + is to be conducted are defined; + props: + - name: label + value: CA-8 + - name: label + value: CA-08 + class: sp800-53a + - name: sort-id + value: ca-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-8_smt + name: statement + prose: "Conduct penetration testing {{ insert: param, ca-08_odp.01 }}\ + \ on {{ insert: param, ca-08_odp.02 }}." + parts: + - id: ca-8_fr + name: item + title: CA-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Scope can be limited to public facing applications in + alignment with M-22-09. Reference the FedRAMP Penetration + Test Guidance. + - id: ca-8_gdn + name: guidance + prose: >- + Penetration testing is a specialized type of assessment + conducted on systems or individual system components to identify + vulnerabilities that could be exploited by adversaries. + Penetration testing goes beyond automated vulnerability scanning + and is conducted by agents and teams with demonstrable skills + and experience that include technical expertise in network, + operating system, and/or application level security. Penetration + testing can be used to validate vulnerabilities or determine the + degree of penetration resistance of systems to adversaries + within specified constraints. Such constraints include time, + resources, and skills. Penetration testing attempts to duplicate + the actions of adversaries and provides a more in-depth analysis + of security- and privacy-related weaknesses or deficiencies. + Penetration testing is especially important when organizations + are transitioning from older technologies to newer technologies + (e.g., transitioning from IPv4 to IPv6 network protocols). + + + Organizations can use the results of vulnerability analyses to support + penetration testing activities. Penetration testing can be conducted + internally or externally on the hardware, software, or firmware components + of a system and can exercise both physical and technical controls. + A standard method for penetration testing includes a pretest analysis + based on full knowledge of the system, pretest identification of potential + vulnerabilities based on the pretest analysis, and testing designed + to determine the exploitability of vulnerabilities. All parties agree + to the rules of engagement before commencing penetration testing scenarios. + Organizations correlate the rules of engagement for the penetration + tests with the tools, techniques, and procedures that are anticipated + to be employed by adversaries. Penetration testing may result in the + exposure of information that is protected by laws or regulations, + to individuals conducting the testing. Rules of engagement, contracts, + or other appropriate mechanisms can be used to communicate expectations + for how to protect this information. Risk assessments guide the decisions + on the level of independence required for the personnel conducting + penetration testing. + - id: ca-8_obj + name: assessment-objective + props: + - name: label + value: CA-08 + class: sp800-53a + prose: "penetration testing is conducted {{ insert: param, ca-08_odp.01\ + \ }} on {{ insert: param, ca-08_odp.02 }}." + links: + - href: "#ca-8_smt" + rel: assessment-for + - id: ca-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting penetration testing + - id: ca-9 + class: SP800-53 + title: Internal System Connections + params: + - id: ca-09_odp.01 + label: system components + guidelines: + - prose: system components or classes of components requiring internal + connections to the system are defined; + - id: ca-09_odp.02 + label: conditions + guidelines: + - prose: conditions requiring termination of internal connections + are defined; + - id: ca-09_odp.03 + label: frequency + guidelines: + - prose: frequency at which to review the continued need for each + internal connection is defined; + props: + - name: label + value: CA-9 + - name: label + value: CA-09 + class: sp800-53a + - name: sort-id + value: ca-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-9_smt + name: statement + parts: + - id: ca-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize internal connections of {{ insert: param, ca-09_odp.01\ + \ }} to the system;" + - id: ca-9_smt.b + name: item + props: + - name: label + value: b. + prose: Document, for each internal connection, the interface characteristics, + security and privacy requirements, and the nature of the information + communicated; + - id: ca-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Terminate internal system connections after {{ insert: param,\ + \ ca-09_odp.02 }} ; and" + - id: ca-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Review {{ insert: param, ca-09_odp.03 }} the continued need\ + \ for each internal connection." + - id: ca-9_gdn + name: guidance + prose: Internal system connections are connections between organizational + systems and separate constituent system components (i.e., connections + between components that are part of the same system) including components + used for system development. Intra-system connections include connections + with mobile devices, notebook and desktop computers, tablets, printers, + copiers, facsimile machines, scanners, sensors, and servers. Instead + of authorizing each internal system connection individually, organizations + can authorize internal connections for a class of system components + with common characteristics and/or configurations, including printers, + scanners, and copiers with a specified processing, transmission, and + storage capability or smart phones and tablets with a specific baseline + configuration. The continued need for an internal system connection + is reviewed from the perspective of whether it provides support for + organizational missions or business functions. + - id: ca-9_obj + name: assessment-objective + props: + - name: label + value: CA-09 + class: sp800-53a + parts: + - id: ca-9_obj.a + name: assessment-objective + props: + - name: label + value: CA-09a. + class: sp800-53a + prose: "internal connections of {{ insert: param, ca-09_odp.01 }}\ + \ to the system are authorized;" + links: + - href: "#ca-9_smt.a" + rel: assessment-for + - id: ca-9_obj.b + name: assessment-objective + props: + - name: label + value: CA-09b. + class: sp800-53a + parts: + - id: ca-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-09b.[01] + class: sp800-53a + prose: for each internal connection, the interface characteristics + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-09b.[02] + class: sp800-53a + prose: for each internal connection, the security requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-09b.[03] + class: sp800-53a + prose: for each internal connection, the privacy requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-09b.[04] + class: sp800-53a + prose: for each internal connection, the nature of the information + communicated is documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.c + name: assessment-objective + props: + - name: label + value: CA-09c. + class: sp800-53a + prose: "internal system connections are terminated after {{ insert:\ + \ param, ca-09_odp.02 }};" + links: + - href: "#ca-9_smt.c" + rel: assessment-for + - id: ca-9_obj.d + name: assessment-objective + props: + - name: label + value: CA-09d. + class: sp800-53a + prose: "the continued need for each internal connection is reviewed\ + \ {{ insert: param, ca-09_odp.03 }}." + links: + - href: "#ca-9_smt.d" + rel: assessment-for + links: + - href: "#ca-9_smt" + rel: assessment-for + - id: ca-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + access control policy + + + procedures addressing system connections + + + system and communications protection policy + + + system design documentation + + + system configuration settings and associated documentation + + + list of components or classes of components authorized as internal + system connections + + + assessment report + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or authorizing internal system + connections + + + organizational personnel with information security and privacy + responsibilities + - id: ca-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting internal system connections + - id: cm + class: family + title: Configuration Management + controls: + - id: cm-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cm-1_prm_1 + label: organization-defined personnel or roles + - id: cm-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management policy + is to be disseminated is/are defined; + - id: cm-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management procedures + are to be disseminated is/are defined; + - id: cm-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cm-01_odp.04 + label: official + guidelines: + - prose: an official to manage the configuration management policy + and procedures is defined; + - id: cm-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current configuration management + policy is reviewed and updated is defined; + - id: cm-01_odp.06 + label: events + guidelines: + - prose: events that would require the current configuration management + policy to be reviewed and updated are defined; + - id: cm-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current configuration management + procedures are reviewed and updated is defined; + - id: cm-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require configuration management procedures + to be reviewed and updated are defined; + props: + - name: label + value: CM-1 + - name: label + value: CM-01 + class: sp800-53a + - name: sort-id + value: cm-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-1_smt + name: statement + parts: + - id: cm-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cm-1_prm_1 }}:" + parts: + - id: cm-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-01_odp.03 }} configuration management\ + \ policy that:" + parts: + - id: cm-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cm-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cm-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the configuration + management policy and the associated configuration management + controls; + - id: cm-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cm-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures; and" + - id: cm-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current configuration management:" + parts: + - id: cm-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cm-01_odp.05 }} and following\ + \ {{ insert: param, cm-01_odp.06 }} ; and" + - id: cm-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cm-01_odp.07 }} and following\ + \ {{ insert: param, cm-01_odp.08 }}." + - id: cm-1_gdn + name: guidance + prose: Configuration management policy and procedures address the controls + in the CM family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of configuration + management policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to configuration management + policy and procedures include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: cm-1_obj + name: assessment-objective + props: + - name: label + value: CM-01 + class: sp800-53a + parts: + - id: cm-1_obj.a + name: assessment-objective + props: + - name: label + value: CM-01a. + class: sp800-53a + parts: + - id: cm-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.[01] + class: sp800-53a + prose: a configuration management policy is developed and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.[02] + class: sp800-53a + prose: "the configuration management policy is disseminated\ + \ to {{ insert: param, cm-01_odp.01 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.[03] + class: sp800-53a + prose: configuration management procedures to facilitate the + implementation of the configuration management policy and + associated configuration management controls are developed + and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.[04] + class: sp800-53a + prose: "the configuration management procedures are disseminated\ + \ to {{ insert: param, cm-01_odp.02 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-01a.01 + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CM-01a.01(a) + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses purpose;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses scope;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses roles;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses responsibilities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses management\ + \ commitment;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses compliance;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CM-01a.01(b) + class: sp800-53a + prose: the configuration management policy is consistent + with applicable laws, Executive Orders, directives, regulations, + policies, standards, and guidelines; + links: + - href: "#cm-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1" + rel: assessment-for + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.b + name: assessment-objective + props: + - name: label + value: CM-01b. + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures;" + links: + - href: "#cm-1_smt.b" + rel: assessment-for + - id: cm-1_obj.c + name: assessment-objective + props: + - name: label + value: CM-01c. + class: sp800-53a + parts: + - id: cm-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CM-01c.01 + class: sp800-53a + parts: + - id: cm-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CM-01c.01[01] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated {{ insert: param, cm-01_odp.05 }}; " + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CM-01c.01[02] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated following {{ insert: param, cm-01_odp.06\ + \ }};" + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CM-01c.02 + class: sp800-53a + parts: + - id: cm-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CM-01c.02[01] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated {{ insert: param, cm-01_odp.07\ + \ }}; " + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + - id: cm-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CM-01c.02[02] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ cm-01_odp.08 }}." + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c" + rel: assessment-for + links: + - href: "#cm-1_smt" + rel: assessment-for + - id: cm-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy and procedures + + security and privacy program policies and procedures + + assessment or audit findings + + documentation of security incidents or breaches + + system security plan + + privacy plan + + risk management strategy + + other relevant artifacts, documents, or records + - id: cm-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cm-2 + class: SP800-53 + title: Baseline Configuration + params: + - id: cm-02_odp.01 + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: the frequency of baseline configuration review and update + is defined; + - id: cm-02_odp.02 + label: circumstances + constraints: + - description: to include when directed by the JAB + guidelines: + - prose: the circumstances requiring baseline configuration review + and update are defined; + props: + - name: label + value: CM-2 + - name: label + value: CM-02 + class: sp800-53a + - name: sort-id + value: cm-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-1" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-12" + rel: related + - href: "#ma-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-18" + rel: related + parts: + - id: cm-2_smt + name: statement + parts: + - id: cm-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, document, and maintain under configuration control, + a current baseline configuration of the system; and + - id: cm-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the baseline configuration of the system:" + parts: + - id: cm-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-02_odp.01 }};" + - id: cm-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: "When required due to {{ insert: param, cm-02_odp.02\ + \ }} ; and" + - id: cm-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: When system components are installed or upgraded. + - id: cm-2_fr + name: item + title: CM-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) (1) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: cm-2_gdn + name: guidance + prose: Baseline configurations for systems and system components include + connectivity, operational, and communications aspects of systems. + Baseline configurations are documented, formally reviewed, and agreed-upon + specifications for systems or configuration items within those systems. + Baseline configurations serve as a basis for future builds, releases, + or changes to systems and include security and privacy control implementations, + operational procedures, information about system components, network + topology, and logical placement of components in the system architecture. + Maintaining baseline configurations requires creating new baselines + as organizational systems change over time. Baseline configurations + of systems reflect the current enterprise architecture. + - id: cm-2_obj + name: assessment-objective + props: + - name: label + value: CM-02 + class: sp800-53a + parts: + - id: cm-2_obj.a + name: assessment-objective + props: + - name: label + value: CM-02a. + class: sp800-53a + parts: + - id: cm-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-02a.[01] + class: sp800-53a + prose: a current baseline configuration of the system is developed + and documented; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-02a.[02] + class: sp800-53a + prose: a current baseline configuration of the system is maintained + under configuration control; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.b + name: assessment-objective + props: + - name: label + value: CM-02b. + class: sp800-53a + parts: + - id: cm-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CM-02b.01 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated {{ insert: param, cm-02_odp.01 }};" + links: + - href: "#cm-2_smt.b.1" + rel: assessment-for + - id: cm-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CM-02b.02 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated when required due to {{ insert: param, cm-02_odp.02\ + \ }};" + links: + - href: "#cm-2_smt.b.2" + rel: assessment-for + - id: cm-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CM-02b.03 + class: sp800-53a + prose: the baseline configuration of the system is reviewed + and updated when system components are installed or upgraded. + links: + - href: "#cm-2_smt.b.3" + rel: assessment-for + links: + - href: "#cm-2_smt.b" + rel: assessment-for + links: + - href: "#cm-2_smt" + rel: assessment-for + - id: cm-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + enterprise architecture documentation + + + system design documentation + + + system security plan + + + privacy plan + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + change control records + + + other relevant documents or records + - id: cm-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing baseline + configurations + + + mechanisms supporting configuration control of the baseline configuration + - id: cm-4 + class: SP800-53 + title: Impact Analyses + props: + - name: label + value: CM-4 + - name: label + value: CM-04 + class: sp800-53a + - name: sort-id + value: cm-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-2" + rel: related + parts: + - id: cm-4_smt + name: statement + prose: Analyze changes to the system to determine potential security + and privacy impacts prior to change implementation. + - id: cm-4_gdn + name: guidance + prose: Organizational personnel with security or privacy responsibilities + conduct impact analyses. Individuals conducting impact analyses possess + the necessary skills and technical expertise to analyze the changes + to systems as well as the security or privacy ramifications. Impact + analyses include reviewing security and privacy plans, policies, and + procedures to understand control requirements; reviewing system design + documentation and operational procedures to understand control implementation + and how specific system changes might affect the controls; reviewing + the impact of changes on organizational supply chain partners with + stakeholders; and determining how potential changes to a system create + new risks to the privacy of individuals and the ability of implemented + controls to mitigate those risks. Impact analyses also include risk + assessments to understand the impact of the changes and determine + if additional controls are required. + - id: cm-4_obj + name: assessment-objective + props: + - name: label + value: CM-04 + class: sp800-53a + parts: + - id: cm-4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04[01] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + security impacts prior to change implementation; + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04[02] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + privacy impacts prior to change implementation. + links: + - href: "#cm-4_smt" + rel: assessment-for + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes to + the system + + + procedures addressing privacy impact analyses for changes to the + system + + + configuration management plan + + + security impact analysis documentation + + + privacy impact analysis documentation + + + privacy impact assessment + + + privacy risk assessment documentation, system design documentation + + + analysis tools and associated outputs + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for conducting + security impact analyses + + + organizational personnel with responsibility for conducting privacy + impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system developer + + + system/network administrators + + + members of change control board or similar + - id: cm-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for security impact analyses + + organizational processes for privacy impact analyses + - id: cm-5 + class: SP800-53 + title: Access Restrictions for Change + props: + - name: label + value: CM-5 + - name: label + value: CM-05 + class: sp800-53a + - name: sort-id + value: cm-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-10" + rel: related + parts: + - id: cm-5_smt + name: statement + prose: Define, document, approve, and enforce physical and logical access + restrictions associated with changes to the system. + - id: cm-5_gdn + name: guidance + prose: Changes to the hardware, software, or firmware components of + systems or the operational procedures related to the system can potentially + have significant effects on the security of the systems or individuals’ + privacy. Therefore, organizations permit only qualified and authorized + individuals to access systems for purposes of initiating changes. + Access restrictions include physical and logical access controls (see + [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, + media libraries, abstract layers (i.e., changes implemented into external + interfaces rather than directly into systems), and change windows + (i.e., changes occur only during specified times). + - id: cm-5_obj + name: assessment-objective + props: + - name: label + value: CM-05 + class: sp800-53a + parts: + - id: cm-5_obj-1 + name: assessment-objective + props: + - name: label + value: CM-05[01] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-2 + name: assessment-objective + props: + - name: label + value: CM-05[02] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-3 + name: assessment-objective + props: + - name: label + value: CM-05[03] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are enforced; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-4 + name: assessment-objective + props: + - name: label + value: CM-05[04] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-5 + name: assessment-objective + props: + - name: label + value: CM-05[05] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-6 + name: assessment-objective + props: + - name: label + value: CM-05[06] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are enforced. + links: + - href: "#cm-5_smt" + rel: assessment-for + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + logical access approvals + + + physical access approvals + + + access credentials + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access restrictions to + change + + + mechanisms supporting, implementing, or enforcing access restrictions + associated with changes to the system + - id: cm-6 + class: SP800-53 + title: Configuration Settings + params: + - id: cm-06_odp.01 + label: common secure configurations + guidelines: + - prose: common secure configurations to establish and document configuration + settings for components employed within the system are defined; + - id: cm-06_odp.02 + label: system components + guidelines: + - prose: system components for which approval of deviations is needed + are defined; + - id: cm-06_odp.03 + label: operational requirements + guidelines: + - prose: operational requirements necessitating approval of deviations + are defined; + props: + - name: label + value: CM-6 + - name: label + value: CM-06 + class: sp800-53a + - name: sort-id + value: cm-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98498928-3ca3-44b3-8b1e-f48685373087" + rel: reference + - href: "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e" + rel: reference + - href: "#aa66e14f-e7cb-4a37-99d2-07578dfd4608" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-6_smt + name: statement + parts: + - id: cm-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish and document configuration settings for components\ + \ employed within the system that reflect the most restrictive\ + \ mode consistent with operational requirements using {{ insert:\ + \ param, cm-06_odp.01 }};" + - id: cm-6_smt.b + name: item + props: + - name: label + value: b. + prose: Implement the configuration settings; + - id: cm-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Identify, document, and approve any deviations from established\ + \ configuration settings for {{ insert: param, cm-06_odp.02 }}\ + \ based on {{ insert: param, cm-06_odp.03 }} ; and" + - id: cm-6_smt.d + name: item + props: + - name: label + value: d. + prose: Monitor and control changes to the configuration settings + in accordance with organizational policies and procedures. + - id: cm-6_fr + name: item + title: CM-6 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-6_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement 1:" + prose: The service provider shall use the DoD STIGs or Center + for Internet Security guidelines to establish configuration + settings; + - id: cm-6_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement 2:" + prose: The service provider shall ensure that checklists for + configuration settings are Security Content Automation Protocol + (SCAP) validated or SCAP compatible (if validated checklists + are not available). + - id: cm-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Compliance checks are used to evaluate configuration + settings and provide general insight into the overall + effectiveness of configuration management activities. + CSPs and 3PAOs typically combine compliance check + findings into a single CM-6 finding, which is + acceptable. However, for initial assessments, annual + assessments, and significant change requests, FedRAMP + requires a clear understanding, on a per-control basis, + where risks exist. Therefore, 3PAOs must also analyze + compliance check findings as part of the controls + assessment. Where a direct mapping exists, the 3PAO must + document additional findings per control in the + corresponding SAR Risk Exposure Table (RET), which are + then documented in the CSP’s Plan of Action and + Milestones (POA&M). This will likely result in the + details of individual control findings overlapping with + those in the combined CM-6 finding, which is acceptable. + + + During monthly continuous monitoring, new findings from CSP + compliance checks may be combined into a single CM-6 POA&M + item. CSPs are not required to map the findings to specific + controls because controls are only assessed during initial + assessments, annual assessments, and significant change requests. + - id: cm-6_gdn + name: guidance + prose: >- + Configuration settings are the parameters that can be changed in + the hardware, software, or firmware components of the system + that affect the security and privacy posture or functionality of + the system. Information technology products for which + configuration settings can be defined include mainframe + computers, servers, workstations, operating systems, mobile + devices, input/output devices, protocols, and applications. + Parameters that impact the security posture of systems include + registry settings; account, file, or directory permission + settings; and settings for functions, protocols, ports, + services, and remote connections. Privacy parameters are + parameters impacting the privacy posture of systems, including + the parameters required to satisfy other privacy controls. + Privacy parameters include settings for access controls, data + processing preferences, and processing and retention + permissions. Organizations establish organization-wide + configuration settings and subsequently derive specific + configuration settings for systems. The established settings + become part of the configuration baseline for the system. + + + Common secure configurations (also known as security configuration + checklists, lockdown and hardening guides, and security reference + guides) provide recognized, standardized, and established benchmarks + that stipulate secure configuration settings for information technology + products and platforms as well as instructions for configuring those + products or platforms to meet operational requirements. Common secure + configurations can be developed by a variety of organizations, including + information technology product developers, manufacturers, vendors, + federal agencies, consortia, academia, industry, and other organizations + in the public and private sectors. + + + Implementation of a common secure configuration may be mandated at + the organization level, mission and business process level, system + level, or at a higher level, including by a regulatory agency. Common + secure configurations include the United States Government Configuration + Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security + technical implementation guides (STIGs), which affect the implementation + of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) + . The Security Content Automation Protocol (SCAP) and the defined + standards within the protocol provide an effective method to uniquely + identify, track, and control configuration settings. + - id: cm-6_obj + name: assessment-objective + props: + - name: label + value: CM-06 + class: sp800-53a + parts: + - id: cm-6_obj.a + name: assessment-objective + props: + - name: label + value: CM-06a. + class: sp800-53a + prose: "configuration settings that reflect the most restrictive\ + \ mode consistent with operational requirements are established\ + \ and documented for components employed within the system using\ + \ {{ insert: param, cm-06_odp.01 }};" + links: + - href: "#cm-6_smt.a" + rel: assessment-for + - id: cm-6_obj.b + name: assessment-objective + props: + - name: label + value: CM-06b. + class: sp800-53a + prose: the configuration settings documented in CM-06a are implemented; + links: + - href: "#cm-6_smt.b" + rel: assessment-for + - id: cm-6_obj.c + name: assessment-objective + props: + - name: label + value: CM-06c. + class: sp800-53a + parts: + - id: cm-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-06c.[01] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are identified and\ + \ documented based on {{ insert: param, cm-06_odp.03 }};" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-06c.[02] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are approved;" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.d + name: assessment-objective + props: + - name: label + value: CM-06d. + class: sp800-53a + parts: + - id: cm-6_obj.d-1 + name: assessment-objective + props: + - name: label + value: CM-06d.[01] + class: sp800-53a + prose: changes to the configuration settings are monitored in + accordance with organizational policies and procedures; + links: + - href: "#cm-6_smt.d" + rel: assessment-for + - id: cm-6_obj.d-2 + name: assessment-objective + props: + - name: label + value: CM-06d.[02] + class: sp800-53a + prose: changes to the configuration settings are controlled + in accordance with organizational policies and procedures. + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt" + rel: assessment-for + - id: cm-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + system component inventory + + + evidence supporting approved deviations from established configuration + settings + + + change control records + + + system data processing and retention permissions + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with privacy configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration settings + + + mechanisms that implement, monitor, and/or control system configuration + settings + + + mechanisms that identify and/or document deviations from established + configuration settings + - id: cm-7 + class: SP800-53 + title: Least Functionality + params: + - id: cm-7_prm_2 + label: organization-defined prohibited or restricted functions, system + ports, protocols, software, and/or services + - id: cm-07_odp.01 + label: mission-essential capabilities + guidelines: + - prose: mission-essential capabilities for the system are defined; + - id: cm-07_odp.02 + label: functions + guidelines: + - prose: functions to be prohibited or restricted are defined; + - id: cm-07_odp.03 + label: ports + guidelines: + - prose: ports to be prohibited or restricted are defined; + - id: cm-07_odp.04 + label: protocols + guidelines: + - prose: protocols to be prohibited or restricted are defined; + - id: cm-07_odp.05 + label: software + guidelines: + - prose: software to be prohibited or restricted is defined; + - id: cm-07_odp.06 + label: services + guidelines: + - prose: services to be prohibited or restricted are defined; + props: + - name: label + value: CM-7 + - name: label + value: CM-07 + class: sp800-53a + - name: sort-id + value: cm-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#38f39739-1ebd-43b1-8b8c-00f591d89ebd" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-4" + rel: related + parts: + - id: cm-7_smt + name: statement + parts: + - id: cm-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Configure the system to provide only {{ insert: param, cm-07_odp.01\ + \ }} ; and" + - id: cm-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit or restrict the use of the following functions,\ + \ ports, protocols, software, and/or services: {{ insert: param,\ + \ cm-7_prm_2 }}." + - id: cm-7_fr + name: item + title: CM-7 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-7_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider shall use Security guidelines (See + CM-6) to establish list of prohibited or restricted functions, + ports, protocols, and/or services or establishes its own list + of prohibited or restricted functions, ports, protocols, and/or + services if STIGs or CIS is not available. + - id: cm-7_gdn + name: guidance + prose: Systems provide a wide variety of functions and services. Some + of the functions and services routinely provided by default may not + be necessary to support essential organizational missions, functions, + or operations. Additionally, it is sometimes convenient to provide + multiple services from a single system component, but doing so increases + risk over limiting the services provided by that single component. + Where feasible, organizations limit component functionality to a single + function per component. Organizations consider removing unused or + unnecessary software and disabling unused or unnecessary physical + and logical ports and protocols to prevent unauthorized connection + of components, transfer of information, and tunneling. Organizations + employ network scanning tools, intrusion detection and prevention + systems, and end-point protection technologies, such as firewalls + and host-based intrusion detection systems, to identify and prevent + the use of prohibited functions, protocols, ports, and services. Least + functionality can also be achieved as part of the fundamental design + and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , + and [SC-3](#sc-3)). + - id: cm-7_obj + name: assessment-objective + props: + - name: label + value: CM-07 + class: sp800-53a + parts: + - id: cm-7_obj.a + name: assessment-objective + props: + - name: label + value: CM-07a. + class: sp800-53a + prose: "the system is configured to provide only {{ insert: param,\ + \ cm-07_odp.01 }};" + links: + - href: "#cm-7_smt.a" + rel: assessment-for + - id: cm-7_obj.b + name: assessment-objective + props: + - name: label + value: CM-07b. + class: sp800-53a + parts: + - id: cm-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-07b.[01] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.02 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-07b.[02] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.03 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-07b.[03] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.04 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-4 + name: assessment-objective + props: + - name: label + value: CM-07b.[04] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.05 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-5 + name: assessment-objective + props: + - name: label + value: CM-07b.[05] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.06 }} is prohibited\ + \ or restricted." + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt" + rel: assessment-for + - id: cm-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing least functionality in the system + + configuration management plan + + system design documentation + + system configuration settings and associated documentation + + system component inventory + + common secure configuration checklists + + system security plan + + other relevant documents or records + - id: cm-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes prohibiting or restricting + functions, ports, protocols, software, and/or services + + + mechanisms implementing restrictions or prohibition of functions, + ports, protocols, software, and/or services + - id: cm-8 + class: SP800-53 + title: System Component Inventory + params: + - id: cm-08_odp.01 + label: information + guidelines: + - prose: information deemed necessary to achieve effective system + component accountability is defined; + - id: cm-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to review and update the system component + inventory is defined; + props: + - name: label + value: CM-8 + - name: label + value: CM-08 + class: sp800-53a + - name: sort-id + value: cm-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#70402863-5078-43af-9a6c-e11b0f3ec370" + rel: reference + - href: "#996241f8-f692-42d5-91f1-ce8b752e39e6" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: cm-8_smt + name: statement + parts: + - id: cm-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop and document an inventory of system components that:" + parts: + - id: cm-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Accurately reflects the system; + - id: cm-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Includes all components within the system; + - id: cm-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Does not include duplicate accounting of components or + components assigned to any other system; + - id: cm-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Is at the level of granularity deemed necessary for tracking + and reporting; and + - id: cm-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: "Includes the following information to achieve system\ + \ component accountability: {{ insert: param, cm-08_odp.01\ + \ }} ; and" + - id: cm-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the system component inventory {{ insert:\ + \ param, cm-08_odp.02 }}." + - id: cm-8_fr + name: item + title: CM-8 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: must be provided at least monthly or when there is a + change. + - id: cm-8_gdn + name: guidance + prose: >- + System components are discrete, identifiable information + technology assets that include hardware, software, and firmware. + Organizations may choose to implement centralized system + component inventories that include components from all + organizational systems. In such situations, organizations ensure + that the inventories include system-specific information + required for component accountability. The information necessary + for effective accountability of system components includes the + system name, software owners, software version numbers, hardware + inventory specifications, software license information, and for + networked components, the machine names and network addresses + across all implemented protocols (e.g., IPv4, IPv6). Inventory + specifications include date of receipt, cost, model, serial + number, manufacturer, supplier information, component type, and + physical location. + + + Preventing duplicate accounting of system components addresses the + lack of accountability that occurs when component ownership and system + association is not known, especially in large or complex connected + systems. Effective prevention of duplicate accounting of system components + necessitates use of a unique identifier for each component. For software + inventory, centrally managed software that is accessed via other systems + is addressed as a component of the system on which it is installed + and managed. Software installed on multiple organizational systems + and managed at the system level is addressed for each individual system + and may appear more than once in a centralized component inventory, + necessitating a system association for each software instance in the + centralized inventory to avoid duplicate accounting of components. + Scanning systems implementing multiple network protocols (e.g., IPv4 + and IPv6) can result in duplicate components being identified in different + address spaces. The implementation of [CM-8(7)](#cm-8.7) can help + to eliminate duplicate accounting of components. + - id: cm-8_obj + name: assessment-objective + props: + - name: label + value: CM-08 + class: sp800-53a + parts: + - id: cm-8_obj.a + name: assessment-objective + props: + - name: label + value: CM-08a. + class: sp800-53a + parts: + - id: cm-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-08a.01 + class: sp800-53a + prose: an inventory of system components that accurately reflects + the system is developed and documented; + links: + - href: "#cm-8_smt.a.1" + rel: assessment-for + - id: cm-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: CM-08a.02 + class: sp800-53a + prose: an inventory of system components that includes all components + within the system is developed and documented; + links: + - href: "#cm-8_smt.a.2" + rel: assessment-for + - id: cm-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: CM-08a.03 + class: sp800-53a + prose: an inventory of system components that does not include + duplicate accounting of components or components assigned + to any other system is developed and documented; + links: + - href: "#cm-8_smt.a.3" + rel: assessment-for + - id: cm-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: CM-08a.04 + class: sp800-53a + prose: an inventory of system components that is at the level + of granularity deemed necessary for tracking and reporting + is developed and documented; + links: + - href: "#cm-8_smt.a.4" + rel: assessment-for + - id: cm-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: CM-08a.05 + class: sp800-53a + prose: "an inventory of system components that includes {{ insert:\ + \ param, cm-08_odp.01 }} is developed and documented;" + links: + - href: "#cm-8_smt.a.5" + rel: assessment-for + links: + - href: "#cm-8_smt.a" + rel: assessment-for + - id: cm-8_obj.b + name: assessment-objective + props: + - name: label + value: CM-08b. + class: sp800-53a + prose: "the system component inventory is reviewed and updated {{\ + \ insert: param, cm-08_odp.02 }}." + links: + - href: "#cm-8_smt.b" + rel: assessment-for + links: + - href: "#cm-8_smt" + rel: assessment-for + - id: cm-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system design documentation + + system component inventory + + inventory reviews and update records + + system security plan + + other relevant documents or records + - id: cm-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing the system component + inventory + + + mechanisms supporting and/or implementing system component inventory + - id: cm-10 + class: SP800-53 + title: Software Usage Restrictions + props: + - name: label + value: CM-10 + - name: label + value: CM-10 + class: sp800-53a + - name: sort-id + value: cm-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-17" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cm-10_smt + name: statement + parts: + - id: cm-10_smt.a + name: item + props: + - name: label + value: a. + prose: Use software and associated documentation in accordance with + contract agreements and copyright laws; + - id: cm-10_smt.b + name: item + props: + - name: label + value: b. + prose: Track the use of software and associated documentation protected + by quantity licenses to control copying and distribution; and + - id: cm-10_smt.c + name: item + props: + - name: label + value: c. + prose: Control and document the use of peer-to-peer file sharing + technology to ensure that this capability is not used for the + unauthorized distribution, display, performance, or reproduction + of copyrighted work. + - id: cm-10_gdn + name: guidance + prose: Software license tracking can be accomplished by manual or automated + methods, depending on organizational needs. Examples of contract agreements + include software license agreements and non-disclosure agreements. + - id: cm-10_obj + name: assessment-objective + props: + - name: label + value: CM-10 + class: sp800-53a + parts: + - id: cm-10_obj.a + name: assessment-objective + props: + - name: label + value: CM-10a. + class: sp800-53a + prose: software and associated documentation are used in accordance + with contract agreements and copyright laws; + links: + - href: "#cm-10_smt.a" + rel: assessment-for + - id: cm-10_obj.b + name: assessment-objective + props: + - name: label + value: CM-10b. + class: sp800-53a + prose: the use of software and associated documentation protected + by quantity licenses is tracked to control copying and distribution; + links: + - href: "#cm-10_smt.b" + rel: assessment-for + - id: cm-10_obj.c + name: assessment-objective + props: + - name: label + value: CM-10c. + class: sp800-53a + prose: the use of peer-to-peer file sharing technology is controlled + and documented to ensure that peer-to-peer file sharing is not + used for the unauthorized distribution, display, performance, + or reproduction of copyrighted work. + links: + - href: "#cm-10_smt.c" + rel: assessment-for + links: + - href: "#cm-10_smt" + rel: assessment-for + - id: cm-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + software usage restrictions + + software contract agreements and copyright laws + + site license documentation + + list of software usage restrictions + + software license tracking reports + + configuration management plan + + system security plan + + system security plan + + other relevant documents or records + - id: cm-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel operating, using, and/or + maintaining the system + + + organizational personnel with software license management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for tracking the use of software + protected by quantity licenses + + + organizational processes for controlling/documenting the use of + peer-to-peer file sharing technology + + + mechanisms implementing software license tracking + + + mechanisms implementing and controlling the use of peer-to-peer + files sharing technology + - id: cm-11 + class: SP800-53 + title: User-installed Software + params: + - id: cm-11_odp.01 + label: policies + guidelines: + - prose: policies governing the installation of software by users + are defined; + - id: cm-11_odp.02 + label: methods + guidelines: + - prose: methods used to enforce software installation policies are + defined; + - id: cm-11_odp.03 + label: frequency + constraints: + - description: Continuously (via CM-7 (5)) + guidelines: + - prose: frequency with which to monitor compliance is defined; + props: + - name: label + value: CM-11 + - name: label + value: CM-11 + class: sp800-53a + - name: sort-id + value: cm-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-3" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-11_smt + name: statement + parts: + - id: cm-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish {{ insert: param, cm-11_odp.01 }} governing the\ + \ installation of software by users;" + - id: cm-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Enforce software installation policies through the following\ + \ methods: {{ insert: param, cm-11_odp.02 }} ; and" + - id: cm-11_smt.c + name: item + props: + - name: label + value: c. + prose: "Monitor policy compliance {{ insert: param, cm-11_odp.03\ + \ }}." + - id: cm-11_gdn + name: guidance + prose: If provided the necessary privileges, users can install software + in organizational systems. To maintain control over the software installed, + organizations identify permitted and prohibited actions regarding + software installation. Permitted software installations include updates + and security patches to existing software and downloading new applications + from organization-approved "app stores." Prohibited software installations + include software with unknown or suspect pedigrees or software that + organizations consider potentially malicious. Policies selected for + governing user-installed software are organization-developed or provided + by some external entity. Policy enforcement methods can include procedural + methods and automated methods. + - id: cm-11_obj + name: assessment-objective + props: + - name: label + value: CM-11 + class: sp800-53a + parts: + - id: cm-11_obj.a + name: assessment-objective + props: + - name: label + value: CM-11a. + class: sp800-53a + prose: " {{ insert: param, cm-11_odp.01 }} governing the installation\ + \ of software by users are established;" + links: + - href: "#cm-11_smt.a" + rel: assessment-for + - id: cm-11_obj.b + name: assessment-objective + props: + - name: label + value: CM-11b. + class: sp800-53a + prose: "software installation policies are enforced through {{ insert:\ + \ param, cm-11_odp.02 }};" + links: + - href: "#cm-11_smt.b" + rel: assessment-for + - id: cm-11_obj.c + name: assessment-objective + props: + - name: label + value: CM-11c. + class: sp800-53a + prose: "compliance with {{ insert: param, cm-11_odp.01 }} is monitored\ + \ {{ insert: param, cm-11_odp.03 }}." + links: + - href: "#cm-11_smt.c" + rel: assessment-for + links: + - href: "#cm-11_smt" + rel: assessment-for + - id: cm-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing user-installed software + + configuration management plan + + system security plan + + system design documentation + + system configuration settings and associated documentation + + list of rules governing user installed software + + system monitoring records + + system audit records + + continuous monitoring strategy + + system security plan + + other relevant documents or records + - id: cm-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for governing + user-installed software + + + organizational personnel operating, using, and/or maintaining + the system + + + organizational personnel monitoring compliance with user-installed + software policy + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing user-installed software + on the system + + + mechanisms enforcing policies and methods for governing the installation + of software by users + + + mechanisms monitoring policy compliance + - id: cp + class: family + title: Contingency Planning + controls: + - id: cp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cp-1_prm_1 + label: organization-defined personnel or roles + - id: cp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning policy + is to be disseminated is/are defined; + - id: cp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning procedures + are to be disseminated is/are defined; + - id: cp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the contingency planning policy and + procedures is defined; + - id: cp-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current contingency planning policy + is reviewed and updated is defined; + - id: cp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current contingency planning + policy to be reviewed and updated are defined; + - id: cp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current contingency planning procedures + are reviewed and updated is defined; + - id: cp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: CP-1 + - name: label + value: CP-01 + class: sp800-53a + - name: sort-id + value: cp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-1_smt + name: statement + parts: + - id: cp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cp-1_prm_1 }}:" + parts: + - id: cp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cp-01_odp.03 }} contingency planning\ + \ policy that:" + parts: + - id: cp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the contingency + planning policy and the associated contingency planning controls; + - id: cp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures; and" + - id: cp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current contingency planning:" + parts: + - id: cp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cp-01_odp.05 }} and following\ + \ {{ insert: param, cp-01_odp.06 }} ; and" + - id: cp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cp-01_odp.07 }} and following\ + \ {{ insert: param, cp-01_odp.08 }}." + - id: cp-1_gdn + name: guidance + prose: Contingency planning policy and procedures address the controls + in the CP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of contingency + planning policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to contingency planning policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: cp-1_obj + name: assessment-objective + props: + - name: label + value: CP-01 + class: sp800-53a + parts: + - id: cp-1_obj.a + name: assessment-objective + props: + - name: label + value: CP-01a. + class: sp800-53a + parts: + - id: cp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.[01] + class: sp800-53a + prose: a contingency planning policy is developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.[02] + class: sp800-53a + prose: "the contingency planning policy is disseminated to {{\ + \ insert: param, cp-01_odp.01 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.[03] + class: sp800-53a + prose: contingency planning procedures to facilitate the implementation + of the contingency planning policy and associated contingency + planning controls are developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.[04] + class: sp800-53a + prose: "the contingency planning procedures are disseminated\ + \ to {{ insert: param, cp-01_odp.02 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-01a.01 + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CP-01a.01(a) + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses purpose;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses scope;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses roles;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses responsibilities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses management commitment;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses compliance;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CP-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#cp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1" + rel: assessment-for + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.b + name: assessment-objective + props: + - name: label + value: CP-01b. + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures;" + links: + - href: "#cp-1_smt.b" + rel: assessment-for + - id: cp-1_obj.c + name: assessment-objective + props: + - name: label + value: CP-01c. + class: sp800-53a + parts: + - id: cp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CP-01c.01 + class: sp800-53a + parts: + - id: cp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CP-01c.01[01] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated {{ insert: param, cp-01_odp.05 }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CP-01c.01[02] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated following {{ insert: param, cp-01_odp.06\ + \ }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CP-01c.02 + class: sp800-53a + parts: + - id: cp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CP-01c.02[01] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated {{ insert: param, cp-01_odp.07\ + \ }};" + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + - id: cp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CP-01c.02[02] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated following {{ insert: param, cp-01_odp.08\ + \ }}." + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c" + rel: assessment-for + links: + - href: "#cp-1_smt" + rel: assessment-for + - id: cp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-2 + class: SP800-53 + title: Contingency Plan + params: + - id: cp-2_prm_1 + label: organization-defined personnel or roles + - id: cp-2_prm_2 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-2_prm_4 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to review a contingency plan is/are defined; + - id: cp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to approve a contingency plan is/are defined; + - id: cp-02_odp.03 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to whom copies of the contingency plan are distributed are defined; + - id: cp-02_odp.04 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to which copies of + the contingency plan are distributed are defined; + - id: cp-02_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of contingency plan review is defined; + - id: cp-02_odp.06 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to communicate changes to are defined; + - id: cp-02_odp.07 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to communicate changes + to are defined; + props: + - name: label + value: CP-2 + - name: label + value: CP-02 + class: sp800-53a + - name: sort-id + value: cp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-11" + rel: related + - href: "#cp-13" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + - href: "#ma-6" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-2_smt + name: statement + parts: + - id: cp-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a contingency plan for the system that:" + parts: + - id: cp-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifies essential mission and business functions and + associated contingency requirements; + - id: cp-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Provides recovery objectives, restoration priorities, + and metrics; + - id: cp-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Addresses contingency roles, responsibilities, assigned + individuals with contact information; + - id: cp-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Addresses maintaining essential mission and business + functions despite a system disruption, compromise, or failure; + - id: cp-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Addresses eventual, full system restoration without deterioration + of the controls originally planned and implemented; + - id: cp-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Addresses the sharing of contingency information; and + - id: cp-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: "Is reviewed and approved by {{ insert: param, cp-2_prm_1\ + \ }};" + - id: cp-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the contingency plan to {{ insert:\ + \ param, cp-2_prm_2 }};" + - id: cp-2_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate contingency planning activities with incident + handling activities; + - id: cp-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the contingency plan for the system {{ insert: param,\ + \ cp-02_odp.05 }};" + - id: cp-2_smt.e + name: item + props: + - name: label + value: e. + prose: Update the contingency plan to address changes to the organization, + system, or environment of operation and problems encountered during + contingency plan implementation, execution, or testing; + - id: cp-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Communicate contingency plan changes to {{ insert: param,\ + \ cp-2_prm_4 }};" + - id: cp-2_smt.g + name: item + props: + - name: label + value: g. + prose: Incorporate lessons learned from contingency plan testing, + training, or actual contingency activities into contingency testing + and training; and + - id: cp-2_smt.h + name: item + props: + - name: label + value: h. + prose: Protect the contingency plan from unauthorized disclosure + and modification. + - id: cp-2_fr + name: item + title: CP-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For JAB authorizations the contingency lists include + designated FedRAMP personnel. + - id: cp-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: "CSPs must use the FedRAMP Information System Contingency\ + \ Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + - id: cp-2_gdn + name: guidance + prose: >- + Contingency planning for systems is part of an overall program + for achieving continuity of operations for organizational + mission and business functions. Contingency planning addresses + system restoration and implementation of alternative mission or + business processes when systems are compromised or breached. + Contingency planning is considered throughout the system + development life cycle and is a fundamental part of the system + design. Systems can be designed for redundancy, to provide + backup capabilities, and for resilience. Contingency plans + reflect the degree of restoration required for organizational + systems since not all systems need to fully recover to achieve + the level of continuity of operations desired. System recovery + objectives reflect applicable laws, executive orders, + directives, regulations, policies, standards, guidelines, + organizational risk tolerance, and system impact level. + + + Actions addressed in contingency plans include orderly system degradation, + system shutdown, fallback to a manual mode, alternate information + flows, and operating in modes reserved for when systems are under + attack. By coordinating contingency planning with incident handling + activities, organizations ensure that the necessary planning activities + are in place and activated in the event of an incident. Organizations + consider whether continuity of operations during an incident conflicts + with the capability to automatically disable the system, as specified + in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency + planning for organizations and is addressed in the [IR](#ir) (Incident + Response) family. + - id: cp-2_obj + name: assessment-objective + props: + - name: label + value: CP-02 + class: sp800-53a + parts: + - id: cp-2_obj.a + name: assessment-objective + props: + - name: label + value: CP-02a. + class: sp800-53a + parts: + - id: cp-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-02a.01 + class: sp800-53a + prose: a contingency plan for the system is developed that identifies + essential mission and business functions and associated contingency + requirements; + links: + - href: "#cp-2_smt.a.1" + rel: assessment-for + - id: cp-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-02a.02 + class: sp800-53a + parts: + - id: cp-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: CP-02a.02[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides recovery objectives; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: CP-02a.02[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides restoration priorities; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: CP-02a.02[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides metrics; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-02a.03 + class: sp800-53a + parts: + - id: cp-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: CP-02a.03[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency roles; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: CP-02a.03[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency responsibilities; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-3 + name: assessment-objective + props: + - name: label + value: CP-02a.03[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses assigned individuals with contact information; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: CP-02a.04 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + maintaining essential mission and business functions despite + a system disruption, compromise, or failure; + links: + - href: "#cp-2_smt.a.4" + rel: assessment-for + - id: cp-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: CP-02a.05 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + eventual, full-system restoration without deterioration of + the controls originally planned and implemented; + links: + - href: "#cp-2_smt.a.5" + rel: assessment-for + - id: cp-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: CP-02a.06 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + the sharing of contingency information; + links: + - href: "#cp-2_smt.a.6" + rel: assessment-for + - id: cp-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: CP-02a.07 + class: sp800-53a + parts: + - id: cp-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: CP-02a.07[01] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is reviewed by {{ insert: param, cp-02_odp.01 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + - id: cp-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: CP-02a.07[02] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is approved by {{ insert: param, cp-02_odp.02 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a" + rel: assessment-for + - id: cp-2_obj.b + name: assessment-objective + props: + - name: label + value: CP-02b. + class: sp800-53a + parts: + - id: cp-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-02b.[01] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.03 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-02b.[02] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.04 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.c + name: assessment-objective + props: + - name: label + value: CP-02c. + class: sp800-53a + prose: contingency planning activities are coordinated with incident + handling activities; + links: + - href: "#cp-2_smt.c" + rel: assessment-for + - id: cp-2_obj.d + name: assessment-objective + props: + - name: label + value: CP-02d. + class: sp800-53a + prose: "the contingency plan for the system is reviewed {{ insert:\ + \ param, cp-02_odp.05 }};" + links: + - href: "#cp-2_smt.d" + rel: assessment-for + - id: cp-2_obj.e + name: assessment-objective + props: + - name: label + value: CP-02e. + class: sp800-53a + parts: + - id: cp-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: CP-02e.[01] + class: sp800-53a + prose: the contingency plan is updated to address changes to + the organization, system, or environment of operation; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: CP-02e.[02] + class: sp800-53a + prose: the contingency plan is updated to address problems encountered + during contingency plan implementation, execution, or testing; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.f + name: assessment-objective + props: + - name: label + value: CP-02f. + class: sp800-53a + parts: + - id: cp-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: CP-02f.[01] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.06 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: CP-02f.[02] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.07 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.g + name: assessment-objective + props: + - name: label + value: CP-02g. + class: sp800-53a + parts: + - id: cp-2_obj.g-1 + name: assessment-objective + props: + - name: label + value: CP-02g.[01] + class: sp800-53a + prose: lessons learned from contingency plan testing or actual + contingency activities are incorporated into contingency testing; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.g-2 + name: assessment-objective + props: + - name: label + value: CP-02g.[02] + class: sp800-53a + prose: lessons learned from contingency plan training or actual + contingency activities are incorporated into contingency testing + and training; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.h + name: assessment-objective + props: + - name: label + value: CP-02h. + class: sp800-53a + parts: + - id: cp-2_obj.h-1 + name: assessment-objective + props: + - name: label + value: CP-02h.[01] + class: sp800-53a + prose: the contingency plan is protected from unauthorized disclosure; + links: + - href: "#cp-2_smt.h" + rel: assessment-for + - id: cp-2_obj.h-2 + name: assessment-objective + props: + - name: label + value: CP-02h.[02] + class: sp800-53a + prose: the contingency plan is protected from unauthorized modification. + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt" + rel: assessment-for + - id: cp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency operations for the system + + contingency plan + + evidence of contingency plan reviews and updates + + system security plan + + other relevant documents or records + - id: cp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and plan + implementation responsibilities + + + organizational personnel with incident handling responsibilities + + + organizational personnel with knowledge of requirements for mission + and business functions + + + organizational personnel with information security responsibilities + - id: cp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan development, + review, update, and protection + + + mechanisms for developing, reviewing, updating, and/or protecting + the contingency plan + - id: cp-3 + class: SP800-53 + title: Contingency Training + params: + - id: cp-03_odp.01 + label: time period + constraints: + - description: \*See Additional Requirements + guidelines: + - prose: the time period within which to provide contingency training + after assuming a contingency role or responsibility is defined; + - id: cp-03_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide training to system users with + a contingency role or responsibility is defined; + - id: cp-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update contingency training + content is defined; + - id: cp-03_odp.04 + label: events + guidelines: + - prose: events necessitating review and update of contingency training + are defined; + props: + - name: label + value: CP-3 + - name: label + value: CP-03 + class: sp800-53a + - name: sort-id + value: cp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-8" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: cp-3_smt + name: statement + parts: + - id: cp-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: cp-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, cp-03_odp.01 }} of assuming\ + \ a contingency role or responsibility;" + - id: cp-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: cp-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, cp-03_odp.02 }} thereafter; and" + - id: cp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update contingency training content {{ insert:\ + \ param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04\ + \ }}." + - id: cp-3_fr + name: item + title: CP-3 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-3_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: Privileged admins and engineers must take the basic contingency + training within 10 days. Consideration must be given for those + privileged admins and engineers with critical contingency-related + roles, to gain enough system context and situational awareness + to understand the full impact of contingency training as it + applies to their respective level. Newly hired critical contingency + personnel must take this more in-depth training within 60 + days of hire date when the training will have more impact. + - id: cp-3_gdn + name: guidance + prose: Contingency training provided by organizations is linked to the + assigned roles and responsibilities of organizational personnel to + ensure that the appropriate content and level of detail is included + in such training. For example, some individuals may only need to know + when and where to report for duty during contingency operations and + if normal duties are affected; system administrators may require additional + training on how to establish systems at alternate processing and storage + sites; and organizational officials may receive more specific training + on how to conduct mission-essential functions in designated off-site + locations and how to establish communications with other governmental + entities for purposes of coordination on contingency-related activities. + Training for contingency roles or responsibilities reflects the specific + continuity requirements in the contingency plan. Events that may precipitate + an update to contingency training content include, but are not limited + to, contingency plan testing or an actual contingency (lessons learned), + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. At the discretion of the organization, participation + in a contingency plan test or exercise, including lessons learned + sessions subsequent to the test or exercise, may satisfy contingency + plan training requirements. + - id: cp-3_obj + name: assessment-objective + props: + - name: label + value: CP-03 + class: sp800-53a + parts: + - id: cp-3_obj.a + name: assessment-objective + props: + - name: label + value: CP-03a. + class: sp800-53a + parts: + - id: cp-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-03a.01 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities within {{ insert:\ + \ param, cp-03_odp.01 }} of assuming a contingency role or\ + \ responsibility;" + links: + - href: "#cp-3_smt.a.1" + rel: assessment-for + - id: cp-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-03a.02 + class: sp800-53a + prose: contingency training is provided to system users consistent + with assigned roles and responsibilities when required by + system changes; + links: + - href: "#cp-3_smt.a.2" + rel: assessment-for + - id: cp-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-03a.03 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities {{ insert: param,\ + \ cp-03_odp.02 }} thereafter;" + links: + - href: "#cp-3_smt.a.3" + rel: assessment-for + links: + - href: "#cp-3_smt.a" + rel: assessment-for + - id: cp-3_obj.b + name: assessment-objective + props: + - name: label + value: CP-03b. + class: sp800-53a + parts: + - id: cp-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-03b.[01] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated {{ insert: param, cp-03_odp.03 }};" + links: + - href: "#cp-3_smt.b" + rel: assessment-for + - id: cp-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-03b.[02] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated following {{ insert: param, cp-03_odp.04 }}." + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt" + rel: assessment-for + - id: cp-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency training + + contingency plan + + contingency training curriculum + + contingency training material + + contingency training records + + system security plan + + other relevant documents or records + - id: cp-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, plan + implementation, and training responsibilities + + + organizational personnel with information security responsibilities + - id: cp-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for contingency training + - id: cp-4 + class: SP800-53 + title: Contingency Plan Testing + params: + - id: cp-4_prm_2 + label: organization-defined tests + constraints: + - description: classroom exercise/table top written tests + - id: cp-04_odp.01 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: frequency of testing the contingency plan for the system + is defined; + - id: cp-04_odp.02 + label: tests + guidelines: + - prose: tests for determining the effectiveness of the contingency + plan are defined; + - id: cp-04_odp.03 + label: tests + guidelines: + - prose: tests for determining readiness to execute the contingency + plan are defined; + props: + - name: label + value: CP-4 + - name: label + value: CP-04 + class: sp800-53a + - name: sort-id + value: cp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: cp-4_smt + name: statement + parts: + - id: cp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Test the contingency plan for the system {{ insert: param,\ + \ cp-04_odp.01 }} using the following tests to determine the effectiveness\ + \ of the plan and the readiness to execute the plan: {{ insert:\ + \ param, cp-4_prm_2 }}." + - id: cp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Review the contingency plan test results; and + - id: cp-4_smt.c + name: item + props: + - name: label + value: c. + prose: Initiate corrective actions, if needed. + - id: cp-4_fr + name: item + title: CP-4 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-4_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider develops test plans in accordance + with NIST Special Publication 800-34 (as amended); plans are + approved by the JAB/AO prior to initiating testing. + - id: cp-4_fr_smt.2 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider must include the Contingency Plan + test results with the security package within the Contingency + Plan-designated appendix (Appendix G, Contingency Plan Test + Report). + - id: cp-4_gdn + name: guidance + prose: Methods for testing contingency plans to determine the effectiveness + of the plans and identify potential weaknesses include checklists, + walk-through and tabletop exercises, simulations (parallel or full + interrupt), and comprehensive exercises. Organizations conduct testing + based on the requirements in contingency plans and include a determination + of the effects on organizational operations, assets, and individuals + due to contingency operations. Organizations have flexibility and + discretion in the breadth, depth, and timelines of corrective actions. + - id: cp-4_obj + name: assessment-objective + props: + - name: label + value: CP-04 + class: sp800-53a + parts: + - id: cp-4_obj.a + name: assessment-objective + props: + - name: label + value: CP-04a. + class: sp800-53a + parts: + - id: cp-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-04a.[01] + class: sp800-53a + prose: "the contingency plan for the system is tested {{ insert:\ + \ param, cp-04_odp.01 }};" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-04a.[02] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.02 }} are used to determine\ + \ the effectiveness of the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-04a.[03] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.03 }} are used to determine\ + \ the readiness to execute the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.b + name: assessment-objective + props: + - name: label + value: CP-04b. + class: sp800-53a + prose: the contingency plan test results are reviewed; + links: + - href: "#cp-4_smt.b" + rel: assessment-for + - id: cp-4_obj.c + name: assessment-objective + props: + - name: label + value: CP-04c. + class: sp800-53a + prose: corrective actions are initiated, if needed. + links: + - href: "#cp-4_smt.c" + rel: assessment-for + links: + - href: "#cp-4_smt" + rel: assessment-for + - id: cp-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency plan testing + + contingency plan + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + contingency plan testing, reviewing, or responding to + contingency plan tests + + + organizational personnel with information security responsibilities + - id: cp-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan testing + + + mechanisms supporting the contingency plan and/or contingency + plan testing + - id: cp-9 + class: SP800-53 + title: System Backup + params: + - id: cp-09_odp.01 + label: system components + guidelines: + - prose: system components for which to conduct backups of user-level + information is defined; + - id: cp-09_odp.02 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of user-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.03 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.04 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system documentation + consistent with recovery time and recovery point objectives is + defined; + props: + - name: label + value: CP-9 + - name: label + value: CP-09 + class: sp800-53a + - name: sort-id + value: cp-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#3653e316-8923-430e-8943-b3b2b2562fc6" + rel: reference + - href: "#2494df28-9049-4196-b233-540e7440993f" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-9_smt + name: statement + parts: + - id: cp-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct backups of user-level information contained in {{\ + \ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02\ + \ }};" + - id: cp-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Conduct backups of system-level information contained in\ + \ the system {{ insert: param, cp-09_odp.03 }};" + - id: cp-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct backups of system documentation, including security-\ + \ and privacy-related documentation {{ insert: param, cp-09_odp.04\ + \ }} ; and" + - id: cp-9_smt.d + name: item + props: + - name: label + value: d. + prose: Protect the confidentiality, integrity, and availability + of backup information. + - id: cp-9_fr + name: item + title: CP-9 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine what elements of + the cloud environment require the Information System Backup + control. The service provider shall determine how Information + System Backup is going to be verified and appropriate periodicity + of the check. + - id: cp-9_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider maintains at least three backup + copies of user-level information (at least one of which is + available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.3 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider maintains at least three backup + copies of system-level information (at least one of which + is available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.4 + name: item + props: + - name: label + value: "(c) Requirement:" + prose: The service provider maintains at least three backup + copies of information system documentation including security + information (at least one of which is available online) or + provides an equivalent alternative. + - id: cp-9_gdn + name: guidance + prose: System-level information includes system state information, operating + system software, middleware, application software, and licenses. User-level + information includes information other than system-level information. + Mechanisms employed to protect the integrity of system backups include + digital signatures and cryptographic hashes. Protection of system + backup information while in transit is addressed by [MP-5](#mp-5) + and [SC-8](#sc-8) . System backups reflect the requirements in contingency + plans as well as other organizational requirements for backing up + information. Organizations may be subject to laws, executive orders, + directives, regulations, or policies with requirements regarding specific + categories of information (e.g., personal health information). Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: cp-9_obj + name: assessment-objective + props: + - name: label + value: CP-09 + class: sp800-53a + parts: + - id: cp-9_obj.a + name: assessment-objective + props: + - name: label + value: CP-09a. + class: sp800-53a + prose: "backups of user-level information contained in {{ insert:\ + \ param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02\ + \ }};" + links: + - href: "#cp-9_smt.a" + rel: assessment-for + - id: cp-9_obj.b + name: assessment-objective + props: + - name: label + value: CP-09b. + class: sp800-53a + prose: "backups of system-level information contained in the system\ + \ are conducted {{ insert: param, cp-09_odp.03 }};" + links: + - href: "#cp-9_smt.b" + rel: assessment-for + - id: cp-9_obj.c + name: assessment-objective + props: + - name: label + value: CP-09c. + class: sp800-53a + prose: "backups of system documentation, including security- and\ + \ privacy-related documentation are conducted {{ insert: param,\ + \ cp-09_odp.04 }};" + links: + - href: "#cp-9_smt.c" + rel: assessment-for + - id: cp-9_obj.d + name: assessment-objective + props: + - name: label + value: CP-09d. + class: sp800-53a + parts: + - id: cp-9_obj.d-1 + name: assessment-objective + props: + - name: label + value: CP-09d.[01] + class: sp800-53a + prose: the confidentiality of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-2 + name: assessment-objective + props: + - name: label + value: CP-09d.[02] + class: sp800-53a + prose: the integrity of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-3 + name: assessment-objective + props: + - name: label + value: CP-09d.[03] + class: sp800-53a + prose: the availability of backup information is protected. + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt" + rel: assessment-for + - id: cp-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + backup storage location(s) + + system backup logs or records + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + - id: cp-10 + class: SP800-53 + title: System Recovery and Reconstitution + params: + - id: cp-10_prm_1 + label: organization-defined time period consistent with recovery time + and recovery point objectives + - id: cp-10_odp.01 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the recovery of the system is determined; + - id: cp-10_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the reconstitution of the system is determined; + props: + - name: label + value: CP-10 + - name: label + value: CP-10 + class: sp800-53a + - name: sort-id + value: cp-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-24" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-10_smt + name: statement + prose: "Provide for the recovery and reconstitution of the system to\ + \ a known state within {{ insert: param, cp-10_prm_1 }} after a disruption,\ + \ compromise, or failure." + - id: cp-10_gdn + name: guidance + prose: Recovery is executing contingency plan activities to restore + organizational mission and business functions. Reconstitution takes + place following recovery and includes activities for returning systems + to fully operational states. Recovery and reconstitution operations + reflect mission and business priorities; recovery point, recovery + time, and reconstitution objectives; and organizational metrics consistent + with contingency plan requirements. Reconstitution includes the deactivation + of interim system capabilities that may have been needed during recovery + operations. Reconstitution also includes assessments of fully restored + system capabilities, reestablishment of continuous monitoring activities, + system reauthorization (if required), and activities to prepare the + system and organization for future disruptions, breaches, compromises, + or failures. Recovery and reconstitution capabilities can include + automated mechanisms and manual procedures. Organizations establish + recovery time and recovery point objectives as part of contingency + planning. + - id: cp-10_obj + name: assessment-objective + props: + - name: label + value: CP-10 + class: sp800-53a + parts: + - id: cp-10_obj-1 + name: assessment-objective + props: + - name: label + value: CP-10[01] + class: sp800-53a + prose: "the recovery of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.01 }} after a disruption,\ + \ compromise, or failure;" + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_obj-2 + name: assessment-objective + props: + - name: label + value: CP-10[02] + class: sp800-53a + prose: "a reconstitution of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.02 }} after a disruption,\ + \ compromise, or failure." + links: + - href: "#cp-10_smt" + rel: assessment-for + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test results + + contingency plan test documentation + + redundant secondary system for system backups + + location(s) of redundant secondary backup system(s) + + system security plan + + other relevant documents or records + - id: cp-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, + recovery, and/or reconstitution responsibilities + + + organizational personnel with information security responsibilities + - id: cp-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes implementing system recovery and + reconstitution operations + + + mechanisms supporting and/or implementing system recovery and + reconstitution operations + - id: ia + class: family + title: Identification and Authentication + controls: + - id: ia-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ia-1_prm_1 + label: organization-defined personnel or roles + - id: ia-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + policy is to be disseminated are defined; + - id: ia-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + procedures are to be disseminated is/are defined; + - id: ia-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ia-01_odp.04 + label: official + guidelines: + - prose: an official to manage the identification and authentication + policy and procedures is defined; + - id: ia-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current identification and authentication + policy is reviewed and updated is defined; + - id: ia-01_odp.06 + label: events + guidelines: + - prose: events that would require the current identification and + authentication policy to be reviewed and updated are defined; + - id: ia-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current identification and authentication + procedures are reviewed and updated is defined; + - id: ia-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require identification and authentication + procedures to be reviewed and updated are defined; + props: + - name: label + value: IA-1 + - name: label + value: IA-01 + class: sp800-53a + - name: sort-id + value: ia-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ia-1_smt + name: statement + parts: + - id: ia-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ia-1_prm_1 }}:" + parts: + - id: ia-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ia-01_odp.03 }} identification and\ + \ authentication policy that:" + parts: + - id: ia-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ia-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ia-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification + and authentication controls; + - id: ia-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ia-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures; and" + - id: ia-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current identification and authentication:" + parts: + - id: ia-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ia-01_odp.05 }} and following\ + \ {{ insert: param, ia-01_odp.06 }} ; and" + - id: ia-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ia-01_odp.07 }} and following\ + \ {{ insert: param, ia-01_odp.08 }}." + - id: ia-1_gdn + name: guidance + prose: Identification and authentication policy and procedures address + the controls in the IA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of identification and authentication policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + identification and authentication policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ia-1_obj + name: assessment-objective + props: + - name: label + value: IA-01 + class: sp800-53a + parts: + - id: ia-1_obj.a + name: assessment-objective + props: + - name: label + value: IA-01a. + class: sp800-53a + parts: + - id: ia-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.[01] + class: sp800-53a + prose: an identification and authentication policy is developed + and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.[02] + class: sp800-53a + prose: "the identification and authentication policy is disseminated\ + \ to {{ insert: param, ia-01_odp.01 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.[03] + class: sp800-53a + prose: identification and authentication procedures to facilitate + the implementation of the identification and authentication + policy and associated identification and authentication controls + are developed and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.[04] + class: sp800-53a + prose: "the identification and authentication procedures are\ + \ disseminated to {{ insert: param, ia-01_odp.02 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IA-01a.01 + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IA-01a.01(a) + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses purpose;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses scope;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses roles;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses responsibilities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses management commitment;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses compliance;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ia-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1" + rel: assessment-for + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.b + name: assessment-objective + props: + - name: label + value: IA-01b. + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures;" + links: + - href: "#ia-1_smt.b" + rel: assessment-for + - id: ia-1_obj.c + name: assessment-objective + props: + - name: label + value: IA-01c. + class: sp800-53a + parts: + - id: ia-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IA-01c.01 + class: sp800-53a + parts: + - id: ia-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IA-01c.01[01] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated {{ insert: param, ia-01_odp.05\ + \ }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IA-01c.01[02] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated following {{ insert: param,\ + \ ia-01_odp.06 }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IA-01c.02 + class: sp800-53a + parts: + - id: ia-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IA-01c.02[01] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated {{ insert: param, ia-01_odp.07\ + \ }};" + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + - id: ia-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IA-01c.02[02] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ ia-01_odp.08 }}." + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c" + rel: assessment-for + links: + - href: "#ia-1_smt" + rel: assessment-for + - id: ia-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy and procedures + + + system security plan + + + privacy plan + + + risk management strategy documentation + + + list of events requiring identification and authentication procedures + to be reviewed and updated (e.g., audit findings) + + + other relevant documents or records + - id: ia-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identification and + authentication responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ia-2 + class: SP800-53 + title: Identification and Authentication (Organizational Users) + props: + - name: label + value: IA-2 + - name: label + value: IA-02 + class: sp800-53a + - name: sort-id + value: ia-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4" + rel: reference + - href: "#e8552d48-cf41-40aa-8b06-f45f7fb4706c" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-1" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: ia-2_smt + name: statement + prose: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those + users. + parts: + - id: ia-2_fr + name: item + title: IA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For all control enhancements that specify multifactor + authentication, the implementation must adhere to the Digital + Identity Guidelines specified in NIST Special Publication + 800-63B. + - id: ia-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: \"Phishing-resistant\" authentication refers to authentication + processes designed to detect and prevent disclosure of authentication + secrets and outputs to a website or application masquerading + as a legitimate system. + - id: ia-2_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: All uses of encrypted virtual private networks must meet + all applicable Federal requirements and architecture, dataflow, + and security and privacy controls must be documented, assessed, + and authorized to operate. + - id: ia-2_gdn + name: guidance + prose: >- + Organizations can satisfy the identification and authentication + requirements by complying with the requirements in [HSPD + 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational + users include employees or individuals who organizations + consider to have an equivalent status to employees (e.g., + contractors and guest researchers). Unique identification and + authentication of users applies to all accesses other than those + that are explicitly identified in [AC-14](#ac-14) and that occur + through the authorized use of group authenticators without + individual authentication. Since processes execute on behalf of + groups and roles, organizations may require unique + identification of individuals in group accounts or for detailed + accountability of individual activity. + + + Organizations employ passwords, physical authenticators, or biometrics + to authenticate user identities or, in the case of multi-factor authentication, + some combination thereof. Access to organizational systems is defined + as either local access or network access. Local access is any access + to organizational systems by users or processes acting on behalf of + users, where access is obtained through direct connections without + the use of networks. Network access is access to organizational systems + by users (or processes acting on behalf of users) where access is + obtained through network connections (i.e., nonlocal accesses). Remote + access is a type of network access that involves communication through + external networks. Internal networks include local area networks and + wide area networks. + + + The use of encrypted virtual private networks for network connections + between organization-controlled endpoints and non-organization-controlled + endpoints may be treated as internal networks with respect to protecting + the confidentiality and integrity of information traversing the network. + Identification and authentication requirements for non-organizational + users are described in [IA-8](#ia-8). + - id: ia-2_obj + name: assessment-objective + props: + - name: label + value: IA-02 + class: sp800-53a + parts: + - id: ia-2_obj-1 + name: assessment-objective + props: + - name: label + value: IA-02[01] + class: sp800-53a + prose: organizational users are uniquely identified and authenticated; + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_obj-2 + name: assessment-objective + props: + - name: label + value: IA-02[02] + class: sp800-53a + prose: the unique identification of authenticated organizational + users is associated with processes acting on behalf of those users. + links: + - href: "#ia-2_smt" + rel: assessment-for + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing user identification and authentication + + system security plan, system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + + + system developers + - id: ia-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for uniquely identifying and + authenticating users + + + mechanisms supporting and/or implementing identification and authentication + capabilities + controls: + - id: ia-2.1 + class: SP800-53-enhancement + title: Multi-factor Authentication to Privileged Accounts + props: + - name: label + value: IA-2(1) + - name: label + value: IA-02(01) + class: sp800-53a + - name: sort-id + value: ia-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + parts: + - id: ia-2.1_smt + name: statement + prose: Implement multi-factor authentication for access to privileged + accounts. + parts: + - id: ia-2.1_fr + name: item + title: IA-2 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.1_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.1_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification (PIV) card or the Department of Defense\ + \ (DoD) Common Access Card (CAC). In addition to authenticating\ + \ users at the system level (i.e., at logon), organizations may\ + \ employ authentication mechanisms at the application level, at\ + \ their discretion, to provide increased security. Regardless\ + \ of the type of access (i.e., local, network, remote), privileged\ + \ accounts are authenticated using multi-factor options appropriate\ + \ for the level of risk. Organizations can add additional security\ + \ measures, such as additional or more rigorous authentication\ + \ mechanisms, for specific types of access." + - id: ia-2.1_obj + name: assessment-objective + props: + - name: label + value: IA-02(01) + class: sp800-53a + prose: multi-factor authentication is implemented for access to + privileged accounts. + links: + - href: "#ia-2.1_smt" + rel: assessment-for + - id: ia-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user identification and authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.2 + class: SP800-53-enhancement + title: Multi-factor Authentication to Non-privileged Accounts + props: + - name: label + value: IA-2(2) + - name: label + value: IA-02(02) + class: sp800-53a + - name: sort-id + value: ia-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: ia-2.2_smt + name: statement + prose: Implement multi-factor authentication for access to non-privileged + accounts. + parts: + - id: ia-2.2_fr + name: item + title: IA-2 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.2_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification card or the DoD Common Access Card. In\ + \ addition to authenticating users at the system level, organizations\ + \ may also employ authentication mechanisms at the application\ + \ level, at their discretion, to provide increased information\ + \ security. Regardless of the type of access (i.e., local, network,\ + \ remote), non-privileged accounts are authenticated using multi-factor\ + \ options appropriate for the level of risk. Organizations can\ + \ provide additional security measures, such as additional or\ + \ more rigorous authentication mechanisms, for specific types\ + \ of access." + - id: ia-2.2_obj + name: assessment-objective + props: + - name: label + value: IA-02(02) + class: sp800-53a + prose: multi-factor authentication for access to non-privileged + accounts is implemented. + links: + - href: "#ia-2.2_smt" + rel: assessment-for + - id: ia-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.8 + class: SP800-53-enhancement + title: Access to Accounts — Replay Resistant + params: + - id: ia-02.08_odp + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + props: + - name: label + value: IA-2(8) + - name: label + value: IA-02(08) + class: sp800-53a + - name: sort-id + value: ia-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.8_smt + name: statement + prose: "Implement replay-resistant authentication mechanisms for\ + \ access to {{ insert: param, ia-02.08_odp }}." + - id: ia-2.8_gdn + name: guidance + prose: Authentication processes resist replay attacks if it is impractical + to achieve successful authentications by replaying previous authentication + messages. Replay-resistant techniques include protocols that use + nonces or challenges such as time synchronous or cryptographic + authenticators. + - id: ia-2.8_obj + name: assessment-objective + props: + - name: label + value: IA-02(08) + class: sp800-53a + prose: "replay-resistant authentication mechanisms for access to\ + \ {{ insert: param, ia-02.08_odp }} are implemented." + links: + - href: "#ia-2.8_smt" + rel: assessment-for + - id: ia-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of privileged system accounts + + + other relevant documents or records + - id: ia-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + Mechanisms supporting and/or implementing replay-resistant + authentication mechanisms + - id: ia-2.12 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials + props: + - name: label + value: IA-2(12) + - name: label + value: IA-02(12) + class: sp800-53a + - name: sort-id + value: ia-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.12_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials. + parts: + - id: ia-2.12_fr + name: item + title: IA-2 (12) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Include Common Access Card (CAC), i.e., the DoD technical + implementation of PIV/FIPS 201/HSPD-12. + - id: ia-2.12_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV)-compliant + credentials applies to organizations implementing logical access + control and physical access control systems. PIV-compliant credentials + are those credentials issued by federal agencies that conform + to FIPS Publication 201 and supporting guidance documents. The + adequacy and reliability of PIV card issuers are authorized using + [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance + of PIV-compliant credentials includes derived PIV credentials, + the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) + . The DOD Common Access Card (CAC) is an example of a PIV credential. + - id: ia-2.12_obj + name: assessment-objective + props: + - name: label + value: IA-02(12) + class: sp800-53a + prose: Personal Identity Verification-compliant credentials are + accepted and electronically verified. + links: + - href: "#ia-2.12_smt" + rel: assessment-for + - id: ia-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing acceptance + and verification of PIV credentials + - id: ia-4 + class: SP800-53 + title: Identifier Management + params: + - id: ia-04_odp.01 + label: personnel or roles + constraints: + - description: "at a minimum, the ISSO (or similar role within the\ + \ organization) " + guidelines: + - prose: personnel or roles from whom authorization must be received + to assign an identifier are defined; + - id: ia-04_odp.02 + label: time period + constraints: + - description: at least two (2) years + guidelines: + - prose: a time period for preventing reuse of identifiers is defined; + props: + - name: label + value: IA-4 + - name: label + value: IA-04 + class: sp800-53a + - name: sort-id + value: ia-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ia-4_smt + name: statement + prose: "Manage system identifiers by:" + parts: + - id: ia-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Receiving authorization from {{ insert: param, ia-04_odp.01\ + \ }} to assign an individual, group, role, service, or device\ + \ identifier;" + - id: ia-4_smt.b + name: item + props: + - name: label + value: b. + prose: Selecting an identifier that identifies an individual, group, + role, service, or device; + - id: ia-4_smt.c + name: item + props: + - name: label + value: c. + prose: Assigning the identifier to the intended individual, group, + role, service, or device; and + - id: ia-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02\ + \ }}." + - id: ia-4_gdn + name: guidance + prose: Common device identifiers include Media Access Control (MAC) + addresses, Internet Protocol (IP) addresses, or device-unique token + identifiers. The management of individual identifiers is not applicable + to shared system accounts. Typically, individual identifiers are the + usernames of the system accounts assigned to those individuals. In + such instances, the account management activities of [AC-2](#ac-2) + use account names provided by [IA-4](#ia-4) . Identifier management + also addresses individual identifiers not necessarily associated with + system accounts. Preventing the reuse of identifiers implies preventing + the assignment of previously used individual, group, role, service, + or device identifiers to different individuals, groups, roles, services, + or devices. + - id: ia-4_obj + name: assessment-objective + props: + - name: label + value: IA-04 + class: sp800-53a + parts: + - id: ia-4_obj.a + name: assessment-objective + props: + - name: label + value: IA-04a. + class: sp800-53a + prose: "system identifiers are managed by receiving authorization\ + \ from {{ insert: param, ia-04_odp.01 }} to assign to an individual,\ + \ group, role, or device identifier;" + links: + - href: "#ia-4_smt.a" + rel: assessment-for + - id: ia-4_obj.b + name: assessment-objective + props: + - name: label + value: IA-04b. + class: sp800-53a + prose: system identifiers are managed by selecting an identifier + that identifies an individual, group, role, service, or device; + links: + - href: "#ia-4_smt.b" + rel: assessment-for + - id: ia-4_obj.c + name: assessment-objective + props: + - name: label + value: IA-04c. + class: sp800-53a + prose: system identifiers are managed by assigning the identifier + to the intended individual, group, role, service, or device; + links: + - href: "#ia-4_smt.c" + rel: assessment-for + - id: ia-4_obj.d + name: assessment-objective + props: + - name: label + value: IA-04d. + class: sp800-53a + prose: "system identifiers are managed by preventing reuse of identifiers\ + \ for {{ insert: param, ia-04_odp.02 }}." + links: + - href: "#ia-4_smt.d" + rel: assessment-for + links: + - href: "#ia-4_smt" + rel: assessment-for + - id: ia-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing identifier management + + + procedures addressing account management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of system accounts + + + list of identifiers generated from physical access control devices + + + other relevant documents or records + - id: ia-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identifier management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identifier management + - id: ia-5 + class: SP800-53 + title: Authenticator Management + params: + - id: ia-05_odp.01 + label: time period by authenticator type + guidelines: + - prose: a time period for changing or refreshing authenticators by + authenticator type is defined; + - id: ia-05_odp.02 + label: events + guidelines: + - prose: events that trigger the change or refreshment of authenticators + are defined; + props: + - name: label + value: IA-5 + - name: label + value: IA-05 + class: sp800-53a + - name: sort-id + value: ia-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-5_smt + name: statement + prose: "Manage system authenticators by:" + parts: + - id: ia-5_smt.a + name: item + props: + - name: label + value: a. + prose: Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device + receiving the authenticator; + - id: ia-5_smt.b + name: item + props: + - name: label + value: b. + prose: Establishing initial authenticator content for any authenticators + issued by the organization; + - id: ia-5_smt.c + name: item + props: + - name: label + value: c. + prose: Ensuring that authenticators have sufficient strength of + mechanism for their intended use; + - id: ia-5_smt.d + name: item + props: + - name: label + value: d. + prose: Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or + damaged authenticators, and for revoking authenticators; + - id: ia-5_smt.e + name: item + props: + - name: label + value: e. + prose: Changing default authenticators prior to first use; + - id: ia-5_smt.f + name: item + props: + - name: label + value: f. + prose: "Changing or refreshing authenticators {{ insert: param,\ + \ ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + - id: ia-5_smt.g + name: item + props: + - name: label + value: g. + prose: Protecting authenticator content from unauthorized disclosure + and modification; + - id: ia-5_smt.h + name: item + props: + - name: label + value: h. + prose: Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and + - id: ia-5_smt.i + name: item + props: + - name: label + value: i. + prose: Changing authenticators for group or role accounts when membership + to those accounts changes. + - id: ia-5_fr + name: item + title: IA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Authenticators must be compliant with NIST SP 800-63-3 + Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3 + - id: ia-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SP 800-63C Section 6.2.3 Encrypted Assertion requires + that authentication assertions be encrypted when passed through + third parties, such as a browser. For example, a SAML assertion + can be encrypted using XML-Encryption, or an OpenID Connect + ID Token can be encrypted using JSON Web Encryption (JWE). + - id: ia-5_gdn + name: guidance + prose: >- + Authenticators include passwords, cryptographic devices, + biometrics, certificates, one-time password devices, and ID + badges. Device authenticators include certificates and + passwords. Initial authenticator content is the actual content + of the authenticator (e.g., the initial password). In contrast, + the requirements for authenticator content contain specific + criteria or characteristics (e.g., minimum password length). + Developers may deliver system components with factory default + authentication credentials (i.e., passwords) to allow for + initial installation and configuration. Default authentication + credentials are often well known, easily discoverable, and + present a significant risk. The requirement to protect + individual authenticators may be implemented via control + [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the + possession of individuals and by controls [AC-3](#ac-3), + [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in + organizational systems, including passwords stored in hashed or + encrypted formats or files containing encrypted or hashed + passwords accessible with administrator privileges. + + + Systems support authenticator management by organization-defined settings + and restrictions for various authenticator characteristics (e.g., + minimum password length, validation time window for time synchronous + one-time tokens, and number of allowed rejections during the verification + stage of biometric authentication). Actions can be taken to safeguard + individual authenticators, including maintaining possession of authenticators, + not sharing authenticators with others, and immediately reporting + lost, stolen, or compromised authenticators. Authenticator management + includes issuing and revoking authenticators for temporary access + when no longer needed. + - id: ia-5_obj + name: assessment-objective + props: + - name: label + value: IA-05 + class: sp800-53a + parts: + - id: ia-5_obj.a + name: assessment-objective + props: + - name: label + value: IA-05a. + class: sp800-53a + prose: system authenticators are managed through the verification + of the identity of the individual, group, role, service, or device + receiving the authenticator as part of the initial authenticator + distribution; + links: + - href: "#ia-5_smt.a" + rel: assessment-for + - id: ia-5_obj.b + name: assessment-objective + props: + - name: label + value: IA-05b. + class: sp800-53a + prose: system authenticators are managed through the establishment + of initial authenticator content for any authenticators issued + by the organization; + links: + - href: "#ia-5_smt.b" + rel: assessment-for + - id: ia-5_obj.c + name: assessment-objective + props: + - name: label + value: IA-05c. + class: sp800-53a + prose: system authenticators are managed to ensure that authenticators + have sufficient strength of mechanism for their intended use; + links: + - href: "#ia-5_smt.c" + rel: assessment-for + - id: ia-5_obj.d + name: assessment-objective + props: + - name: label + value: IA-05d. + class: sp800-53a + prose: system authenticators are managed through the establishment + and implementation of administrative procedures for initial authenticator + distribution; lost, compromised, or damaged authenticators; and + the revocation of authenticators; + links: + - href: "#ia-5_smt.d" + rel: assessment-for + - id: ia-5_obj.e + name: assessment-objective + props: + - name: label + value: IA-05e. + class: sp800-53a + prose: system authenticators are managed through the change of default + authenticators prior to first use; + links: + - href: "#ia-5_smt.e" + rel: assessment-for + - id: ia-5_obj.f + name: assessment-objective + props: + - name: label + value: IA-05f. + class: sp800-53a + prose: "system authenticators are managed through the change or\ + \ refreshment of authenticators {{ insert: param, ia-05_odp.01\ + \ }} or when {{ insert: param, ia-05_odp.02 }} occur;" + links: + - href: "#ia-5_smt.f" + rel: assessment-for + - id: ia-5_obj.g + name: assessment-objective + props: + - name: label + value: IA-05g. + class: sp800-53a + prose: system authenticators are managed through the protection + of authenticator content from unauthorized disclosure and modification; + links: + - href: "#ia-5_smt.g" + rel: assessment-for + - id: ia-5_obj.h + name: assessment-objective + props: + - name: label + value: IA-05h. + class: sp800-53a + parts: + - id: ia-5_obj.h-1 + name: assessment-objective + props: + - name: label + value: IA-05h.[01] + class: sp800-53a + prose: system authenticators are managed through the requirement + for individuals to take specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.h-2 + name: assessment-objective + props: + - name: label + value: IA-05h.[02] + class: sp800-53a + prose: system authenticators are managed through the requirement + for devices to implement specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.i + name: assessment-objective + props: + - name: label + value: IA-05i. + class: sp800-53a + prose: system authenticators are managed through the change of authenticators + for group or role accounts when membership to those accounts changes. + links: + - href: "#ia-5_smt.i" + rel: assessment-for + links: + - href: "#ia-5_smt" + rel: assessment-for + - id: ia-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + addressing authenticator management + + + system design documentation + + + system configuration settings and associated documentation + + + list of system authenticator types + + + change control records associated with managing system authenticators + + + system audit records + + + other relevant documents or records + - id: ia-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing authenticator management + capability + controls: + - id: ia-5.1 + class: SP800-53-enhancement + title: Password-based Authentication + params: + - id: ia-05.01_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to update the list of commonly + used, expected, or compromised passwords is defined; + - id: ia-05.01_odp.02 + label: composition and complexity rules + guidelines: + - prose: authenticator composition and complexity rules are defined; + props: + - name: label + value: IA-5(1) + - name: label + value: IA-05(01) + class: sp800-53a + - name: sort-id + value: ia-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + - href: "#ia-6" + rel: related + parts: + - id: ia-5.1_smt + name: statement + prose: "For password-based authentication:" + parts: + - id: ia-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Maintain a list of commonly-used, expected, or compromised\ + \ passwords and update the list {{ insert: param, ia-05.01_odp.01\ + \ }} and when organizational passwords are suspected to have\ + \ been compromised directly or indirectly;" + - id: ia-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Verify, when users create or update passwords, that the + passwords are not found on the list of commonly-used, expected, + or compromised passwords in IA-5(1)(a); + - id: ia-5.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Transmit passwords only over cryptographically-protected + channels; + - id: ia-5.1_smt.d + name: item + props: + - name: label + value: (d) + prose: Store passwords using an approved salted key derivation + function, preferably using a keyed hash; + - id: ia-5.1_smt.e + name: item + props: + - name: label + value: (e) + prose: Require immediate selection of a new password upon account + recovery; + - id: ia-5.1_smt.f + name: item + props: + - name: label + value: (f) + prose: Allow user selection of long passwords and passphrases, + including spaces and all printable characters; + - id: ia-5.1_smt.g + name: item + props: + - name: label + value: (g) + prose: Employ automated tools to assist the user in selecting + strong password authenticators; and + - id: ia-5.1_smt.h + name: item + props: + - name: label + value: (h) + prose: "Enforce the following composition and complexity rules:\ + \ {{ insert: param, ia-05.01_odp.02 }}." + - id: ia-5.1_fr + name: item + title: IA-5 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Password policies must be compliant with NIST SP + 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords + (OTP). Password policies shall not enforce special character + or minimum password rotation requirements for memorized + secrets of users. + - id: ia-5.1_fr_smt.2 + name: item + props: + - name: label + value: "(h) Requirement:" + prose: >- + For cases where technology doesn’t allow + multi-factor authentication, these rules should be + enforced: must have a minimum length of 14 + characters and must support all printable ASCII + characters. + + + For emergency use accounts, these rules should be enforced: + must have a minimum length of 14 characters, must support + all printable ASCII characters, and passwords must be + changed if used. + - id: ia-5.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that (c) and (d) require the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13). + - id: ia-5.1_gdn + name: guidance + prose: Password-based authentication applies to passwords regardless + of whether they are used in single-factor or multi-factor authentication. + Long passwords or passphrases are preferable over shorter passwords. + Enforced composition rules provide marginal security benefits + while decreasing usability. However, organizations may choose + to establish certain rules for password generation (e.g., minimum + character length for long passwords) under certain circumstances + and can enforce this requirement in IA-5(1)(h). Account recovery + can occur, for example, in situations when a password is forgotten. + Cryptographically protected passwords include salted one-way cryptographic + hashes of passwords. The list of commonly used, compromised, or + expected passwords includes passwords obtained from previous breach + corpuses, dictionary words, and repetitive or sequential characters. + The list includes context-specific words, such as the name of + the service, username, and derivatives thereof. + - id: ia-5.1_obj + name: assessment-objective + props: + - name: label + value: IA-05(01) + class: sp800-53a + parts: + - id: ia-5.1_obj.a + name: assessment-objective + props: + - name: label + value: IA-05(01)(a) + class: sp800-53a + prose: "for password-based authentication, a list of commonly\ + \ used, expected, or compromised passwords is maintained and\ + \ updated {{ insert: param, ia-05.01_odp.01 }} and when organizational\ + \ passwords are suspected to have been compromised directly\ + \ or indirectly;" + links: + - href: "#ia-5.1_smt.a" + rel: assessment-for + - id: ia-5.1_obj.b + name: assessment-objective + props: + - name: label + value: IA-05(01)(b) + class: sp800-53a + prose: for password-based authentication when passwords are + created or updated by users, the passwords are verified not + to be found on the list of commonly used, expected, or compromised + passwords in IA-05(01)(a); + links: + - href: "#ia-5.1_smt.b" + rel: assessment-for + - id: ia-5.1_obj.c + name: assessment-objective + props: + - name: label + value: IA-05(01)(c) + class: sp800-53a + prose: for password-based authentication, passwords are only + transmitted over cryptographically protected channels; + links: + - href: "#ia-5.1_smt.c" + rel: assessment-for + - id: ia-5.1_obj.d + name: assessment-objective + props: + - name: label + value: IA-05(01)(d) + class: sp800-53a + prose: for password-based authentication, passwords are stored + using an approved salted key derivation function, preferably + using a keyed hash; + links: + - href: "#ia-5.1_smt.d" + rel: assessment-for + - id: ia-5.1_obj.e + name: assessment-objective + props: + - name: label + value: IA-05(01)(e) + class: sp800-53a + prose: for password-based authentication, immediate selection + of a new password is required upon account recovery; + links: + - href: "#ia-5.1_smt.e" + rel: assessment-for + - id: ia-5.1_obj.f + name: assessment-objective + props: + - name: label + value: IA-05(01)(f) + class: sp800-53a + prose: for password-based authentication, user selection of + long passwords and passphrases is allowed, including spaces + and all printable characters; + links: + - href: "#ia-5.1_smt.f" + rel: assessment-for + - id: ia-5.1_obj.g + name: assessment-objective + props: + - name: label + value: IA-05(01)(g) + class: sp800-53a + prose: for password-based authentication, automated tools are + employed to assist the user in selecting strong password authenticators; + links: + - href: "#ia-5.1_smt.g" + rel: assessment-for + - id: ia-5.1_obj.h + name: assessment-objective + props: + - name: label + value: IA-05(01)(h) + class: sp800-53a + prose: "for password-based authentication, {{ insert: param,\ + \ ia-05.01_odp.02 }} are enforced." + links: + - href: "#ia-5.1_smt.h" + rel: assessment-for + links: + - href: "#ia-5.1_smt" + rel: assessment-for + - id: ia-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + password policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + password configurations and associated documentation + + + other relevant documents or records + - id: ia-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing password-based + authenticator management capability + - id: ia-6 + class: SP800-53 + title: Authentication Feedback + props: + - name: label + value: IA-6 + - name: label + value: IA-06 + class: sp800-53a + - name: sort-id + value: ia-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + parts: + - id: ia-6_smt + name: statement + prose: Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and + use by unauthorized individuals. + - id: ia-6_gdn + name: guidance + prose: Authentication feedback from systems does not provide information + that would allow unauthorized individuals to compromise authentication + mechanisms. For some types of systems, such as desktops or notebooks + with relatively large monitors, the threat (referred to as shoulder + surfing) may be significant. For other types of systems, such as mobile + devices with small displays, the threat may be less significant and + is balanced against the increased likelihood of typographic input + errors due to small keyboards. Thus, the means for obscuring authentication + feedback is selected accordingly. Obscuring authentication feedback + includes displaying asterisks when users type passwords into input + devices or displaying feedback for a very limited time before obscuring + it. + - id: ia-6_obj + name: assessment-objective + props: + - name: label + value: IA-06 + class: sp800-53a + prose: the feedback of authentication information is obscured during + the authentication process to protect the information from possible + exploitation and use by unauthorized individuals. + links: + - href: "#ia-6_smt" + rel: assessment-for + - id: ia-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing authenticator feedback + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: ia-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the obscuring of + feedback of authentication information during authentication + - id: ia-7 + class: SP800-53 + title: Cryptographic Module Authentication + props: + - name: label + value: IA-7 + - name: label + value: IA-07 + class: sp800-53a + - name: sort-id + value: ia-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-7_smt + name: statement + prose: Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + - id: ia-7_gdn + name: guidance + prose: Authentication mechanisms may be required within a cryptographic + module to authenticate an operator accessing the module and to verify + that the operator is authorized to assume the requested role and perform + services within that role. + - id: ia-7_obj + name: assessment-objective + props: + - name: label + value: IA-07 + class: sp800-53a + prose: mechanisms for authentication to a cryptographic module are implemented + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + links: + - href: "#ia-7_smt" + rel: assessment-for + - id: ia-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing cryptographic module authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + cryptographic module authentication + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic module + authentication + - id: ia-8 + class: SP800-53 + title: Identification and Authentication (Non-organizational Users) + props: + - name: label + value: IA-8 + - name: label + value: IA-08 + class: sp800-53a + - name: sort-id + value: ia-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#a1555677-2b9d-4868-a97b-a1363aff32f5" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-10" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: ia-8_smt + name: statement + prose: Uniquely identify and authenticate non-organizational users or + processes acting on behalf of non-organizational users. + - id: ia-8_gdn + name: guidance + prose: Non-organizational users include system users other than organizational + users explicitly covered by [IA-2](#ia-2) . Non-organizational users + are uniquely identified and authenticated for accesses other than + those explicitly identified and documented in [AC-14](#ac-14) . Identification + and authentication of non-organizational users accessing federal systems + may be required to protect federal, proprietary, or privacy-related + information (with exceptions noted for national security systems). + Organizations consider many factors—including security, privacy, scalability, + and practicality—when balancing the need to ensure ease of use for + access to federal information and systems with the need to protect + and adequately mitigate risk. + - id: ia-8_obj + name: assessment-objective + props: + - name: label + value: IA-08 + class: sp800-53a + prose: non-organizational users or processes acting on behalf of non-organizational + users are uniquely identified and authenticated. + links: + - href: "#ia-8_smt" + rel: assessment-for + - id: ia-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + privacy plan + + procedures addressing user identification and authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + - id: ia-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + controls: + - id: ia-8.1 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials from Other Agencies + props: + - name: label + value: IA-8(1) + - name: label + value: IA-08(01) + class: sp800-53a + - name: sort-id + value: ia-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + - href: "#pe-3" + rel: related + parts: + - id: ia-8.1_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal agencies. + - id: ia-8.1_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV) credentials + from other federal agencies applies to both logical and physical + access control systems. PIV credentials are those credentials + issued by federal agencies that conform to FIPS Publication 201 + and supporting guidelines. The adequacy and reliability of PIV + card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). + - id: ia-8.1_obj + name: assessment-objective + props: + - name: label + value: IA-08(01) + class: sp800-53a + parts: + - id: ia-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: IA-08(01)[01] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are accepted; + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: IA-08(01)[02] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are electronically verified. + links: + - href: "#ia-8.1_smt" + rel: assessment-for + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept and verify PIV credentials + - id: ia-8.2 + class: SP800-53-enhancement + title: Acceptance of External Authenticators + props: + - name: label + value: IA-8(2) + - name: label + value: IA-08(02) + class: sp800-53a + - name: sort-id + value: ia-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.2_smt + name: statement + parts: + - id: ia-8.2_smt.a + name: item + props: + - name: label + value: (a) + prose: Accept only external authenticators that are NIST-compliant; + and + - id: ia-8.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Document and maintain a list of accepted external authenticators. + - id: ia-8.2_gdn + name: guidance + prose: Acceptance of only NIST-compliant external authenticators + applies to organizational systems that are accessible to the public + (e.g., public-facing websites). External authenticators are issued + by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + . Approved external authenticators meet or exceed the minimum + Federal Government-wide technical, security, privacy, and organizational + maturity requirements. Meeting or exceeding Federal requirements + allows Federal Government relying parties to trust external authenticators + in connection with an authentication transaction at a specified + authenticator assurance level. + - id: ia-8.2_obj + name: assessment-objective + props: + - name: label + value: IA-08(02) + class: sp800-53a + parts: + - id: ia-8.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-08(02)(a) + class: sp800-53a + prose: only external authenticators that are NIST-compliant + are accepted; + links: + - href: "#ia-8.2_smt.a" + rel: assessment-for + - id: ia-8.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-08(02)(b) + class: sp800-53a + parts: + - id: ia-8.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[01] + class: sp800-53a + prose: a list of accepted external authenticators is documented; + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + - id: ia-8.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[02] + class: sp800-53a + prose: a list of accepted external authenticators is maintained. + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt" + rel: assessment-for + - id: ia-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of third-party credentialing products, components, or + services procured and implemented by organization + + + third-party credential verification records + + + evidence of third-party credentials + + + third-party credential authorizations + + + other relevant documents or records + - id: ia-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept external credentials + - id: ia-8.4 + class: SP800-53-enhancement + title: Use of Defined Profiles + params: + - id: ia-08.04_odp + label: identity management profiles + guidelines: + - prose: identity management profiles are defined; + props: + - name: label + value: IA-8(4) + - name: label + value: IA-08(04) + class: sp800-53a + - name: sort-id + value: ia-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.4_smt + name: statement + prose: "Conform to the following profiles for identity management\ + \ {{ insert: param, ia-08.04_odp }}." + - id: ia-8.4_gdn + name: guidance + prose: Organizations define profiles for identity management based + on open identity management standards. To ensure that open identity + management standards are viable, robust, reliable, sustainable, + and interoperable as documented, the Federal Government assesses + and scopes the standards and technology implementations against + applicable laws, executive orders, directives, policies, regulations, + standards, and guidelines. + - id: ia-8.4_obj + name: assessment-objective + props: + - name: label + value: IA-08(04) + class: sp800-53a + prose: "there is conformance with {{ insert: param, ia-08.04_odp\ + \ }} for identity management." + links: + - href: "#ia-8.4_smt" + rel: assessment-for + - id: ia-8.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: ia-8.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms supporting and/or implementing conformance with + profiles + - id: ia-11 + class: SP800-53 + title: Re-authentication + params: + - id: ia-11_odp + label: circumstances or situations + guidelines: + - prose: circumstances or situations requiring re-authentication are + defined; + props: + - name: label + value: IA-11 + - name: label + value: IA-11 + class: sp800-53a + - name: sort-id + value: ia-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + - href: "#ac-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: ia-11_smt + name: statement + prose: "Require users to re-authenticate when {{ insert: param, ia-11_odp\ + \ }}." + parts: + - id: ia-11_fr + name: item + title: IA-11 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + The fixed time period cannot exceed the limits set in SP + 800-63. At this writing they are: + + + * AAL1 (low baseline) * 30 days of extended session * + No limit on inactivity + - id: ia-11_gdn + name: guidance + prose: In addition to the re-authentication requirements associated + with device locks, organizations may require re-authentication of + individuals in certain situations, including when roles, authenticators + or credentials change, when security categories of systems change, + when the execution of privileged functions occurs, after a fixed time + period, or periodically. + - id: ia-11_obj + name: assessment-objective + props: + - name: label + value: IA-11 + class: sp800-53a + prose: "users are required to re-authenticate when {{ insert: param,\ + \ ia-11_odp }}." + links: + - href: "#ia-11_smt" + rel: assessment-for + - id: ia-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user and device re-authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of circumstances or situations requiring re-authentication + + + system audit records + + + other relevant documents or records + - id: ia-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ir + class: family + title: Incident Response + controls: + - id: ir-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ir-1_prm_1 + label: organization-defined personnel or roles + - id: ir-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response policy is + to be disseminated is/are defined; + - id: ir-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response procedures + are to be disseminated is/are defined; + - id: ir-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ir-01_odp.04 + label: official + guidelines: + - prose: an official to manage the incident response policy and procedures + is defined; + - id: ir-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current incident response policy + is reviewed and updated is defined; + - id: ir-01_odp.06 + label: events + guidelines: + - prose: events that would require the current incident response policy + to be reviewed and updated are defined; + - id: ir-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current incident response procedures + are reviewed and updated is defined; + - id: ir-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the incident response procedures + to be reviewed and updated are defined; + props: + - name: label + value: IR-1 + - name: label + value: IR-01 + class: sp800-53a + - name: sort-id + value: ir-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ir-1_smt + name: statement + parts: + - id: ir-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ir-1_prm_1 }}:" + parts: + - id: ir-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy that:" + parts: + - id: ir-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ir-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ir-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the incident + response policy and the associated incident response controls; + - id: ir-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ir-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - id: ir-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current incident response:" + parts: + - id: ir-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ir-01_odp.05 }} and following\ + \ {{ insert: param, ir-01_odp.06 }} ; and" + - id: ir-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ir-01_odp.07 }} and following\ + \ {{ insert: param, ir-01_odp.08 }}." + - id: ir-1_gdn + name: guidance + prose: Incident response policy and procedures address the controls + in the IR family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of incident response + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to incident response policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ir-1_obj + name: assessment-objective + props: + - name: label + value: IR-01 + class: sp800-53a + parts: + - id: ir-1_obj.a + name: assessment-objective + props: + - name: label + value: IR-01a. + class: sp800-53a + parts: + - id: ir-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.[01] + class: sp800-53a + prose: an incident response policy is developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.[02] + class: sp800-53a + prose: "the incident response policy is disseminated to {{ insert:\ + \ param, ir-01_odp.01 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.[03] + class: sp800-53a + prose: incident response procedures to facilitate the implementation + of the incident response policy and associated incident response + controls are developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.[04] + class: sp800-53a + prose: "the incident response procedures are disseminated to\ + \ {{ insert: param, ir-01_odp.02 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-01a.01 + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IR-01a.01(a) + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses purpose;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses scope;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses roles;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses responsibilities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses management commitment;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses compliance;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ir-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1" + rel: assessment-for + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.b + name: assessment-objective + props: + - name: label + value: IR-01b. + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures;" + links: + - href: "#ir-1_smt.b" + rel: assessment-for + - id: ir-1_obj.c + name: assessment-objective + props: + - name: label + value: IR-01c. + class: sp800-53a + parts: + - id: ir-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IR-01c.01 + class: sp800-53a + parts: + - id: ir-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IR-01c.01[01] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated {{ insert: param, ir-01_odp.05 }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IR-01c.01[02] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated following {{ insert: param, ir-01_odp.06\ + \ }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IR-01c.02 + class: sp800-53a + parts: + - id: ir-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IR-01c.02[01] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated {{ insert: param, ir-01_odp.07 }};" + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + - id: ir-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IR-01c.02[02] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated following {{ insert: param, ir-01_odp.08\ + \ }}." + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c" + rel: assessment-for + links: + - href: "#ir-1_smt" + rel: assessment-for + - id: ir-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-2 + class: SP800-53 + title: Incident Response Training + params: + - id: ir-02_odp.01 + label: time period + constraints: + - description: ten (10) days for privileged users, thirty (30) days + for Incident Response roles + guidelines: + - prose: a time period within which incident response training is + to be provided to system users assuming an incident response role + or responsibility is defined; + - id: ir-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide incident response training + to users is defined; + - id: ir-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update incident response + training content is defined; + - id: ir-02_odp.04 + label: events + guidelines: + - prose: events that initiate a review of the incident response training + content are defined; + props: + - name: label + value: IR-2 + - name: label + value: IR-02 + class: sp800-53a + - name: sort-id + value: ir-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-2_smt + name: statement + parts: + - id: ir-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide incident response training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: ir-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, ir-02_odp.01 }} of assuming\ + \ an incident response role or responsibility or acquiring\ + \ system access;" + - id: ir-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: ir-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ir-02_odp.02 }} thereafter; and" + - id: ir-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update incident response training content {{\ + \ insert: param, ir-02_odp.03 }} and following {{ insert: param,\ + \ ir-02_odp.04 }}." + - id: ir-2_gdn + name: guidance + prose: Incident response training is associated with the assigned roles + and responsibilities of organizational personnel to ensure that the + appropriate content and level of detail are included in such training. + For example, users may only need to know who to call or how to recognize + an incident; system administrators may require additional training + on how to handle incidents; and incident responders may receive more + specific training on forensics, data collection techniques, reporting, + system recovery, and system restoration. Incident response training + includes user training in identifying and reporting suspicious activities + from external and internal sources. Incident response training for + users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . + Events that may precipitate an update to incident response training + content include, but are not limited to, incident response plan testing + or response to an actual incident (lessons learned), assessment or + audit findings, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: ir-2_obj + name: assessment-objective + props: + - name: label + value: IR-02 + class: sp800-53a + parts: + - id: ir-2_obj.a + name: assessment-objective + props: + - name: label + value: IR-02a. + class: sp800-53a + parts: + - id: ir-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-02a.01 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities within\ + \ {{ insert: param, ir-02_odp.01 }} of assuming an incident\ + \ response role or responsibility or acquiring system access;" + links: + - href: "#ir-2_smt.a.1" + rel: assessment-for + - id: ir-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-02a.02 + class: sp800-53a + prose: incident response training is provided to system users + consistent with assigned roles and responsibilities when required + by system changes; + links: + - href: "#ir-2_smt.a.2" + rel: assessment-for + - id: ir-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-02a.03 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities {{ insert:\ + \ param, ir-02_odp.02 }} thereafter;" + links: + - href: "#ir-2_smt.a.3" + rel: assessment-for + links: + - href: "#ir-2_smt.a" + rel: assessment-for + - id: ir-2_obj.b + name: assessment-objective + props: + - name: label + value: IR-02b. + class: sp800-53a + parts: + - id: ir-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-02b.[01] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ {{ insert: param, ir-02_odp.03 }};" + links: + - href: "#ir-2_smt.b" + rel: assessment-for + - id: ir-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-02b.[02] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ following {{ insert: param, ir-02_odp.04 }}." + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt" + rel: assessment-for + - id: ir-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response training + + incident response training curriculum + + incident response training materials + + privacy plan + + incident response plan + + incident response training records + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training and + operational responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4 + class: SP800-53 + title: Incident Handling + props: + - name: label + value: IR-4 + - name: label + value: IR-04 + class: sp800-53a + - name: sort-id + value: ir-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#31ae65ab-3f26-46b7-9d64-f25a4dac5778" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-4_smt + name: statement + parts: + - id: ir-4_smt.a + name: item + props: + - name: label + value: a. + prose: Implement an incident handling capability for incidents that + is consistent with the incident response plan and includes preparation, + detection and analysis, containment, eradication, and recovery; + - id: ir-4_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate incident handling activities with contingency + planning activities; + - id: ir-4_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from ongoing incident handling + activities into incident response procedures, training, and testing, + and implement the resulting changes accordingly; and + - id: ir-4_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure the rigor, intensity, scope, and results of incident + handling activities are comparable and predictable across the + organization. + - id: ir-4_fr + name: item + title: IR-4 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: 'The FISMA definition of \"incident\" shall be used: + \"An occurrence that actually or imminently jeopardizes, without + lawful authority, the confidentiality, integrity, or availability + of information or an information system; or constitutes a + violation or imminent threat of violation of law, security + policies, security procedures, or acceptable use policies.\"' + - id: ir-4_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider ensures that individuals conducting + incident handling meet personnel security requirements commensurate + with the criticality/sensitivity of the information being + processed, stored, and transmitted by the information system. + - id: ir-4_gdn + name: guidance + prose: Organizations recognize that incident response capabilities are + dependent on the capabilities of organizational systems and the mission + and business processes being supported by those systems. Organizations + consider incident response as part of the definition, design, and + development of mission and business processes and systems. Incident-related + information can be obtained from a variety of sources, including audit + monitoring, physical access monitoring, and network monitoring; user + or administrator reports; and reported supply chain events. An effective + incident handling capability includes coordination among many organizational + entities (e.g., mission or business owners, system owners, authorizing + officials, human resources offices, physical security offices, personnel + security offices, legal departments, risk executive [function], operations + personnel, procurement offices). Suspected security incidents include + the receipt of suspicious email communications that can contain malicious + code. Suspected supply chain incidents include the insertion of counterfeit + hardware or malicious code into organizational systems or system components. + For federal agencies, an incident that involves personally identifiable + information is considered a breach. A breach results in unauthorized + disclosure, the loss of control, unauthorized acquisition, compromise, + or a similar occurrence where a person other than an authorized user + accesses or potentially accesses personally identifiable information + or an authorized user accesses or potentially accesses such information + for other than authorized purposes. + - id: ir-4_obj + name: assessment-objective + props: + - name: label + value: IR-04 + class: sp800-53a + parts: + - id: ir-4_obj.a + name: assessment-objective + props: + - name: label + value: IR-04a. + class: sp800-53a + parts: + - id: ir-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-04a.[01] + class: sp800-53a + prose: an incident handling capability for incidents is implemented + that is consistent with the incident response plan; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-04a.[02] + class: sp800-53a + prose: the incident handling capability for incidents includes + preparation; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-04a.[03] + class: sp800-53a + prose: the incident handling capability for incidents includes + detection and analysis; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-04a.[04] + class: sp800-53a + prose: the incident handling capability for incidents includes + containment; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-5 + name: assessment-objective + props: + - name: label + value: IR-04a.[05] + class: sp800-53a + prose: the incident handling capability for incidents includes + eradication; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-6 + name: assessment-objective + props: + - name: label + value: IR-04a.[06] + class: sp800-53a + prose: the incident handling capability for incidents includes + recovery; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.b + name: assessment-objective + props: + - name: label + value: IR-04b. + class: sp800-53a + prose: incident handling activities are coordinated with contingency + planning activities; + links: + - href: "#ir-4_smt.b" + rel: assessment-for + - id: ir-4_obj.c + name: assessment-objective + props: + - name: label + value: IR-04c. + class: sp800-53a + parts: + - id: ir-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: IR-04c.[01] + class: sp800-53a + prose: lessons learned from ongoing incident handling activities + are incorporated into incident response procedures, training, + and testing; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: IR-04c.[02] + class: sp800-53a + prose: the changes resulting from the incorporated lessons learned + are implemented accordingly; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.d + name: assessment-objective + props: + - name: label + value: IR-04d. + class: sp800-53a + parts: + - id: ir-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-04d.[01] + class: sp800-53a + prose: the rigor of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-04d.[02] + class: sp800-53a + prose: the intensity of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-3 + name: assessment-objective + props: + - name: label + value: IR-04d.[03] + class: sp800-53a + prose: the scope of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-4 + name: assessment-objective + props: + - name: label + value: IR-04d.[04] + class: sp800-53a + prose: the results of incident handling activities are comparable + and predictable across the organization. + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt" + rel: assessment-for + - id: ir-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident handling + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with contingency planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Incident handling capability for the organization + - id: ir-5 + class: SP800-53 + title: Incident Monitoring + props: + - name: label + value: IR-5 + - name: label + value: IR-05 + class: sp800-53a + - name: sort-id + value: ir-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pm-5" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-5_smt + name: statement + prose: Track and document incidents. + - id: ir-5_gdn + name: guidance + prose: Documenting incidents includes maintaining records about each + incident, the status of the incident, and other pertinent information + necessary for forensics as well as evaluating incident details, trends, + and handling. Incident information can be obtained from a variety + of sources, including network monitoring, incident reports, incident + response teams, user complaints, supply chain partners, audit monitoring, + physical access monitoring, and user and administrator reports. [IR-4](#ir-4) + provides information on the types of incidents that are appropriate + for monitoring. + - id: ir-5_obj + name: assessment-objective + props: + - name: label + value: IR-05 + class: sp800-53a + parts: + - id: ir-5_obj-1 + name: assessment-objective + props: + - name: label + value: IR-05[01] + class: sp800-53a + prose: incidents are tracked; + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_obj-2 + name: assessment-objective + props: + - name: label + value: IR-05[02] + class: sp800-53a + prose: incidents are documented. + links: + - href: "#ir-5_smt" + rel: assessment-for + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident monitoring + + incident response records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident monitoring capability for the organization + + + mechanisms supporting and/or implementing the tracking and documenting + of system security incidents + - id: ir-6 + class: SP800-53 + title: Incident Reporting + params: + - id: ir-06_odp.01 + label: time period + constraints: + - description: US-CERT incident reporting timelines as specified in + NIST Special Publication 800-61 (as amended) + guidelines: + - prose: time period for personnel to report suspected incidents to + the organizational incident response capability is defined; + - id: ir-06_odp.02 + label: authorities + guidelines: + - prose: authorities to whom incident information is to be reported + are defined; + props: + - name: label + value: IR-6 + - name: label + value: IR-06 + class: sp800-53a + - name: sort-id + value: ir-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#40b78258-c892-480e-9af8-77ac36648301" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-6_smt + name: statement + parts: + - id: ir-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Require personnel to report suspected incidents to the organizational\ + \ incident response capability within {{ insert: param, ir-06_odp.01\ + \ }} ; and" + - id: ir-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report incident information to {{ insert: param, ir-06_odp.02\ + \ }}." + - id: ir-6_fr + name: item + title: IR-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Reports security incident information according to FedRAMP + Incident Communications Procedure. + - id: ir-6_gdn + name: guidance + prose: The types of incidents reported, the content and timeliness of + the reports, and the designated reporting authorities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Incident information can inform risk assessments, + control effectiveness assessments, security requirements for acquisitions, + and selection criteria for technology products. + - id: ir-6_obj + name: assessment-objective + props: + - name: label + value: IR-06 + class: sp800-53a + parts: + - id: ir-6_obj.a + name: assessment-objective + props: + - name: label + value: IR-06a. + class: sp800-53a + prose: "personnel is/are required to report suspected incidents\ + \ to the organizational incident response capability within {{\ + \ insert: param, ir-06_odp.01 }};" + links: + - href: "#ir-6_smt.a" + rel: assessment-for + - id: ir-6_obj.b + name: assessment-objective + props: + - name: label + value: IR-06b. + class: sp800-53a + prose: "incident information is reported to {{ insert: param, ir-06_odp.02\ + \ }}." + links: + - href: "#ir-6_smt.b" + rel: assessment-for + links: + - href: "#ir-6_smt" + rel: assessment-for + - id: ir-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident reporting + + incident reporting records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel who have/should have reported incidents + + + personnel (authorities) to whom incident information is to be + reported + + + system users + - id: ir-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for incident reporting + + mechanisms supporting and/or implementing incident reporting + - id: ir-7 + class: SP800-53 + title: Incident Response Assistance + props: + - name: label + value: IR-7 + - name: label + value: IR-07 + class: sp800-53a + - name: sort-id + value: ir-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-22" + rel: related + - href: "#pm-26" + rel: related + - href: "#sa-9" + rel: related + - href: "#si-18" + rel: related + parts: + - id: ir-7_smt + name: statement + prose: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and + assistance to users of the system for the handling and reporting of + incidents. + - id: ir-7_gdn + name: guidance + prose: Incident response support resources provided by organizations + include help desks, assistance groups, automated ticketing systems + to open and track incident response tickets, and access to forensics + services or consumer redress services, when required. + - id: ir-7_obj + name: assessment-objective + props: + - name: label + value: IR-07 + class: sp800-53a + parts: + - id: ir-7_obj-1 + name: assessment-objective + props: + - name: label + value: IR-07[01] + class: sp800-53a + prose: an incident response support resource, integral to the organizational + incident response capability, is provided; + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_obj-2 + name: assessment-objective + props: + - name: label + value: IR-07[02] + class: sp800-53a + prose: the incident response support resource offers advice and + assistance to users of the system for the response and reporting + of incidents. + links: + - href: "#ir-7_smt" + rel: assessment-for + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response assistance + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response assistance + and support responsibilities + + + organizational personnel with access to incident response support + and assistance capability + + + organizational personnel with information security and privacy + responsibilities + - id: ir-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident response assistance + + + mechanisms supporting and/or implementing incident response assistance + - id: ir-8 + class: SP800-53 + title: Incident Response Plan + params: + - id: ir-8_prm_5 + label: organization-defined incident response personnel (identified + by name and/or by role) and organizational elements + constraints: + - description: see additional FedRAMP Requirements and Guidance + - id: ir-08_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles that review and approve the incident response + plan is/are identified; + - id: ir-08_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and approve the incident + response plan is defined; + - id: ir-08_odp.03 + label: entities, personnel, or roles + guidelines: + - prose: entities, personnel, or roles with designated responsibility + for incident response are defined; + - id: ir-08_odp.04 + label: incident response personnel + constraints: + - description: see additional FedRAMP Requirements and Guidance + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom copies of the incident response plan are to be distributed + is/are defined; + - id: ir-08_odp.05 + label: organizational elements + guidelines: + - prose: organizational elements to which copies of the incident response + plan are to be distributed are defined; + - id: ir-08_odp.06 + label: incident response personnel + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom changes to the incident response plan is/are communicated + are defined; + - id: ir-08_odp.07 + label: organizational elements + guidelines: + - prose: organizational elements to which changes to the incident + response plan are communicated are defined; + props: + - name: label + value: IR-8 + - name: label + value: IR-08 + class: sp800-53a + - name: sort-id + value: ir-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#ac-2" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-8" + rel: related + parts: + - id: ir-8_smt + name: statement + parts: + - id: ir-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop an incident response plan that:" + parts: + - id: ir-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Provides the organization with a roadmap for implementing + its incident response capability; + - id: ir-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describes the structure and organization of the incident + response capability; + - id: ir-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Provides a high-level approach for how the incident response + capability fits into the overall organization; + - id: ir-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Meets the unique requirements of the organization, which + relate to mission, size, structure, and functions; + - id: ir-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Defines reportable incidents; + - id: ir-8_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provides metrics for measuring the incident response + capability within the organization; + - id: ir-8_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Defines the resources and management support needed to + effectively maintain and mature an incident response capability; + - id: ir-8_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Addresses the sharing of incident information; + - id: ir-8_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: "Is reviewed and approved by {{ insert: param, ir-08_odp.01\ + \ }} {{ insert: param, ir-08_odp.02 }} ; and" + - id: ir-8_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: "Explicitly designates responsibility for incident response\ + \ to {{ insert: param, ir-08_odp.03 }}." + - id: ir-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the incident response plan to {{ insert:\ + \ param, ir-08_odp.04 }};" + - id: ir-8_smt.c + name: item + props: + - name: label + value: c. + prose: Update the incident response plan to address system and organizational + changes or problems encountered during plan implementation, execution, + or testing; + - id: ir-8_smt.d + name: item + props: + - name: label + value: d. + prose: "Communicate incident response plan changes to {{ insert:\ + \ param, ir-8_prm_5 }} ; and" + - id: ir-8_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the incident response plan from unauthorized disclosure + and modification. + - id: ir-8_fr + name: item + title: IR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-8_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_gdn + name: guidance + prose: It is important that organizations develop and implement a coordinated + approach to incident response. Organizational mission and business + functions determine the structure of incident response capabilities. + As part of the incident response capabilities, organizations consider + the coordination and sharing of information with external organizations, + including external service providers and other organizations involved + in the supply chain. For incidents involving personally identifiable + information (i.e., breaches), include a process to determine whether + notice to oversight organizations or affected individuals is appropriate + and provide that notice accordingly. + - id: ir-8_obj + name: assessment-objective + props: + - name: label + value: IR-08 + class: sp800-53a + parts: + - id: ir-8_obj.a + name: assessment-objective + props: + - name: label + value: IR-08a. + class: sp800-53a + parts: + - id: ir-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-08a.01 + class: sp800-53a + prose: an incident response plan is developed that provides + the organization with a roadmap for implementing its incident + response capability; + links: + - href: "#ir-8_smt.a.1" + rel: assessment-for + - id: ir-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-08a.02 + class: sp800-53a + prose: an incident response plan is developed that describes + the structure and organization of the incident response capability; + links: + - href: "#ir-8_smt.a.2" + rel: assessment-for + - id: ir-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-08a.03 + class: sp800-53a + prose: an incident response plan is developed that provides + a high-level approach for how the incident response capability + fits into the overall organization; + links: + - href: "#ir-8_smt.a.3" + rel: assessment-for + - id: ir-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: IR-08a.04 + class: sp800-53a + prose: an incident response plan is developed that meets the + unique requirements of the organization with regard to mission, + size, structure, and functions; + links: + - href: "#ir-8_smt.a.4" + rel: assessment-for + - id: ir-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: IR-08a.05 + class: sp800-53a + prose: an incident response plan is developed that defines reportable + incidents; + links: + - href: "#ir-8_smt.a.5" + rel: assessment-for + - id: ir-8_obj.a.6 + name: assessment-objective + props: + - name: label + value: IR-08a.06 + class: sp800-53a + prose: an incident response plan is developed that provides + metrics for measuring the incident response capability within + the organization; + links: + - href: "#ir-8_smt.a.6" + rel: assessment-for + - id: ir-8_obj.a.7 + name: assessment-objective + props: + - name: label + value: IR-08a.07 + class: sp800-53a + prose: an incident response plan is developed that defines the + resources and management support needed to effectively maintain + and mature an incident response capability; + links: + - href: "#ir-8_smt.a.7" + rel: assessment-for + - id: ir-8_obj.a.8 + name: assessment-objective + props: + - name: label + value: IR-08a.08 + class: sp800-53a + prose: an incident response plan is developed that addresses + the sharing of incident information; + links: + - href: "#ir-8_smt.a.8" + rel: assessment-for + - id: ir-8_obj.a.9 + name: assessment-objective + props: + - name: label + value: IR-08a.09 + class: sp800-53a + prose: "an incident response plan is developed that is reviewed\ + \ and approved by {{ insert: param, ir-08_odp.01 }} {{ insert:\ + \ param, ir-08_odp.02 }};" + links: + - href: "#ir-8_smt.a.9" + rel: assessment-for + - id: ir-8_obj.a.10 + name: assessment-objective + props: + - name: label + value: IR-08a.10 + class: sp800-53a + prose: "an incident response plan is developed that explicitly\ + \ designates responsibility for incident response to {{ insert:\ + \ param, ir-08_odp.03 }}." + links: + - href: "#ir-8_smt.a.10" + rel: assessment-for + links: + - href: "#ir-8_smt.a" + rel: assessment-for + - id: ir-8_obj.b + name: assessment-objective + props: + - name: label + value: IR-08b. + class: sp800-53a + parts: + - id: ir-8_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-08b.[01] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.04 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-08b.[02] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.05 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.c + name: assessment-objective + props: + - name: label + value: IR-08c. + class: sp800-53a + prose: the incident response plan is updated to address system and + organizational changes or problems encountered during plan implementation, + execution, or testing; + links: + - href: "#ir-8_smt.c" + rel: assessment-for + - id: ir-8_obj.d + name: assessment-objective + props: + - name: label + value: IR-08d. + class: sp800-53a + parts: + - id: ir-8_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-08d.[01] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.06 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-08d.[02] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.07 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.e + name: assessment-objective + props: + - name: label + value: IR-08e. + class: sp800-53a + parts: + - id: ir-8_obj.e-1 + name: assessment-objective + props: + - name: label + value: IR-08e.[01] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + disclosure; + links: + - href: "#ir-8_smt.e" + rel: assessment-for + - id: ir-8_obj.e-2 + name: assessment-objective + props: + - name: label + value: IR-08e.[02] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + modification. + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt" + rel: assessment-for + - id: ir-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response planning + + incident response plan + + system security plan + + privacy plan + + records of incident response plan reviews and approvals + + other relevant documents or records + - id: ir-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational incident response plan and related organizational + processes + - id: ma + class: family + title: Maintenance + controls: + - id: ma-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ma-1_prm_1 + label: organization-defined personnel or roles + - id: ma-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance policy is to be + disseminated is/are defined; + - id: ma-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance procedures are + to be disseminated is/are defined; + - id: ma-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ma-01_odp.04 + label: official + guidelines: + - prose: an official to manage the maintenance policy and procedures + is defined; + - id: ma-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current maintenance policy is + reviewed and updated is defined; + - id: ma-01_odp.06 + label: events + guidelines: + - prose: events that would require the current maintenance policy + to be reviewed and updated are defined; + - id: ma-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current maintenance procedures + are reviewed and updated is defined; + - id: ma-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the maintenance procedures to be + reviewed and updated are defined; + props: + - name: label + value: MA-1 + - name: label + value: MA-01 + class: sp800-53a + - name: sort-id + value: ma-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ma-1_smt + name: statement + parts: + - id: ma-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ma-1_prm_1 }}:" + parts: + - id: ma-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ma-01_odp.03 }} maintenance policy\ + \ that:" + parts: + - id: ma-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ma-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ma-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the maintenance + policy and the associated maintenance controls; + - id: ma-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ma-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures; and" + - id: ma-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current maintenance:" + parts: + - id: ma-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ma-01_odp.05 }} and following\ + \ {{ insert: param, ma-01_odp.06 }} ; and" + - id: ma-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ma-01_odp.07 }} and following\ + \ {{ insert: param, ma-01_odp.08 }}." + - id: ma-1_gdn + name: guidance + prose: Maintenance policy and procedures address the controls in the + MA family that are implemented within systems and organizations. The + risk management strategy is an important factor in establishing such + policies and procedures. Policies and procedures contribute to security + and privacy assurance. Therefore, it is important that security and + privacy programs collaborate on the development of maintenance policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to maintenance policy and procedures assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ma-1_obj + name: assessment-objective + props: + - name: label + value: MA-01 + class: sp800-53a + parts: + - id: ma-1_obj.a + name: assessment-objective + props: + - name: label + value: MA-01a. + class: sp800-53a + parts: + - id: ma-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.[01] + class: sp800-53a + prose: a maintenance policy is developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.[02] + class: sp800-53a + prose: "the maintenance policy is disseminated to {{ insert:\ + \ param, ma-01_odp.01 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.[03] + class: sp800-53a + prose: maintenance procedures to facilitate the implementation + of the maintenance policy and associated maintenance controls + are developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.[04] + class: sp800-53a + prose: "the maintenance procedures are disseminated to {{ insert:\ + \ param, ma-01_odp.02 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MA-01a.01 + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MA-01a.01(a) + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses purpose;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses scope;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses roles;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses responsibilities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses management commitment;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses compliance;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ma-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1" + rel: assessment-for + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.b + name: assessment-objective + props: + - name: label + value: MA-01b. + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures;" + links: + - href: "#ma-1_smt.b" + rel: assessment-for + - id: ma-1_obj.c + name: assessment-objective + props: + - name: label + value: MA-01c. + class: sp800-53a + parts: + - id: ma-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MA-01c.01 + class: sp800-53a + parts: + - id: ma-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MA-01c.01[01] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ {{ insert: param, ma-01_odp.05 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MA-01c.01[02] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ following {{ insert: param, ma-01_odp.06 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MA-01c.02 + class: sp800-53a + parts: + - id: ma-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MA-01c.02[01] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated {{ insert: param, ma-01_odp.07 }};" + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + - id: ma-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MA-01c.02[02] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated following {{ insert: param, ma-01_odp.08\ + \ }}." + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c" + rel: assessment-for + links: + - href: "#ma-1_smt" + rel: assessment-for + - id: ma-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: ma-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with maintenance responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ma-2 + class: SP800-53 + title: Controlled Maintenance + params: + - id: ma-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles required to explicitly approve the removal + of the system or system components from organizational facilities + for off-site maintenance or repairs is/are defined; + - id: ma-02_odp.02 + label: information + guidelines: + - prose: information to be removed from associated media prior to + removal from organizational facilities for off-site maintenance, + repair, or replacement is defined; + - id: ma-02_odp.03 + label: information + guidelines: + - prose: information to be included in organizational maintenance + records is defined; + props: + - name: label + value: MA-2 + - name: label + value: MA-02 + class: sp800-53a + - name: sort-id + value: ma-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ma-2_smt + name: statement + parts: + - id: ma-2_smt.a + name: item + props: + - name: label + value: a. + prose: Schedule, document, and review records of maintenance, repair, + and replacement on system components in accordance with manufacturer + or vendor specifications and/or organizational requirements; + - id: ma-2_smt.b + name: item + props: + - name: label + value: b. + prose: Approve and monitor all maintenance activities, whether performed + on site or remotely and whether the system or system components + are serviced on site or removed to another location; + - id: ma-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require that {{ insert: param, ma-02_odp.01 }} explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + - id: ma-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Sanitize equipment to remove the following information from\ + \ associated media prior to removal from organizational facilities\ + \ for off-site maintenance, repair, or replacement: {{ insert:\ + \ param, ma-02_odp.02 }};" + - id: ma-2_smt.e + name: item + props: + - name: label + value: e. + prose: Check all potentially impacted controls to verify that the + controls are still functioning properly following maintenance, + repair, or replacement actions; and + - id: ma-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Include the following information in organizational maintenance\ + \ records: {{ insert: param, ma-02_odp.03 }}." + - id: ma-2_gdn + name: guidance + prose: Controlling system maintenance addresses the information security + aspects of the system maintenance program and applies to all types + of maintenance to system components conducted by local or nonlocal + entities. Maintenance includes peripherals such as scanners, copiers, + and printers. Information necessary for creating effective maintenance + records includes the date and time of maintenance, a description of + the maintenance performed, names of the individuals or group performing + the maintenance, name of the escort, and system components or equipment + that are removed or replaced. Organizations consider supply chain-related + risks associated with replacement components for systems. + - id: ma-2_obj + name: assessment-objective + props: + - name: label + value: MA-02 + class: sp800-53a + parts: + - id: ma-2_obj.a + name: assessment-objective + props: + - name: label + value: MA-02a. + class: sp800-53a + parts: + - id: ma-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-02a.[01] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are scheduled in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-02a.[02] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are documented in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-02a.[03] + class: sp800-53a + prose: records of maintenance, repair, and replacement of system + components are reviewed in accordance with manufacturer or + vendor specifications and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.b + name: assessment-objective + props: + - name: label + value: MA-02b. + class: sp800-53a + parts: + - id: ma-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-02b.[01] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are approved; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-02b.[02] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are monitored; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.c + name: assessment-objective + props: + - name: label + value: MA-02c. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + links: + - href: "#ma-2_smt.c" + rel: assessment-for + - id: ma-2_obj.d + name: assessment-objective + props: + - name: label + value: MA-02d. + class: sp800-53a + prose: "equipment is sanitized to remove {{ insert: param, ma-02_odp.02\ + \ }} from associated media prior to removal from organizational\ + \ facilities for off-site maintenance, repair, or replacement;" + links: + - href: "#ma-2_smt.d" + rel: assessment-for + - id: ma-2_obj.e + name: assessment-objective + props: + - name: label + value: MA-02e. + class: sp800-53a + prose: all potentially impacted controls are checked to verify that + the controls are still functioning properly following maintenance, + repair, or replacement actions; + links: + - href: "#ma-2_smt.e" + rel: assessment-for + - id: ma-2_obj.f + name: assessment-objective + props: + - name: label + value: MA-02f. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.03 }} is included in organizational\ + \ maintenance records." + links: + - href: "#ma-2_smt.f" + rel: assessment-for + links: + - href: "#ma-2_smt" + rel: assessment-for + - id: ma-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing controlled system maintenance + + maintenance records + + manufacturer/vendor maintenance specifications + + equipment sanitization records + + media sanitization records + + system security plan + + other relevant documents or records + - id: ma-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for scheduling, performing, + documenting, reviewing, approving, and monitoring + maintenance and repairs for the system + + + organizational processes for sanitizing system components + + + mechanisms supporting and/or implementing controlled maintenance + + + mechanisms implementing the sanitization of system components + - id: ma-4 + class: SP800-53 + title: Nonlocal Maintenance + props: + - name: label + value: MA-4 + - name: label + value: MA-04 + class: sp800-53a + - name: sort-id + value: ma-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-10" + rel: related + parts: + - id: ma-4_smt + name: statement + parts: + - id: ma-4_smt.a + name: item + props: + - name: label + value: a. + prose: Approve and monitor nonlocal maintenance and diagnostic activities; + - id: ma-4_smt.b + name: item + props: + - name: label + value: b. + prose: Allow the use of nonlocal maintenance and diagnostic tools + only as consistent with organizational policy and documented in + the security plan for the system; + - id: ma-4_smt.c + name: item + props: + - name: label + value: c. + prose: Employ strong authentication in the establishment of nonlocal + maintenance and diagnostic sessions; + - id: ma-4_smt.d + name: item + props: + - name: label + value: d. + prose: Maintain records for nonlocal maintenance and diagnostic + activities; and + - id: ma-4_smt.e + name: item + props: + - name: label + value: e. + prose: Terminate session and network connections when nonlocal maintenance + is completed. + - id: ma-4_gdn + name: guidance + prose: Nonlocal maintenance and diagnostic activities are conducted + by individuals who communicate through either an external or internal + network. Local maintenance and diagnostic activities are carried out + by individuals who are physically present at the system location and + not communicating across a network connection. Authentication techniques + used to establish nonlocal maintenance and diagnostic sessions reflect + the network access requirements in [IA-2](#ia-2) . Strong authentication + requires authenticators that are resistant to replay attacks and employ + multi-factor authentication. Strong authenticators include PKI where + certificates are stored on a token protected by a password, passphrase, + or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, + in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + provides additional guidance on strong authentication and authenticators. + - id: ma-4_obj + name: assessment-objective + props: + - name: label + value: MA-04 + class: sp800-53a + parts: + - id: ma-4_obj.a + name: assessment-objective + props: + - name: label + value: MA-04a. + class: sp800-53a + parts: + - id: ma-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-04a.[01] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are approved; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-04a.[02] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are monitored; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.b + name: assessment-objective + props: + - name: label + value: MA-04b. + class: sp800-53a + parts: + - id: ma-4_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-04b.[01] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are allowed only as consistent with organizational policy; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-04b.[02] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are documented in the security plan for the system; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.c + name: assessment-objective + props: + - name: label + value: MA-04c. + class: sp800-53a + prose: strong authentication is employed in the establishment of + nonlocal maintenance and diagnostic sessions; + links: + - href: "#ma-4_smt.c" + rel: assessment-for + - id: ma-4_obj.d + name: assessment-objective + props: + - name: label + value: MA-04d. + class: sp800-53a + prose: records for nonlocal maintenance and diagnostic activities + are maintained; + links: + - href: "#ma-4_smt.d" + rel: assessment-for + - id: ma-4_obj.e + name: assessment-objective + props: + - name: label + value: MA-04e. + class: sp800-53a + parts: + - id: ma-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: MA-04e.[01] + class: sp800-53a + prose: session connections are terminated when nonlocal maintenance + is completed; + links: + - href: "#ma-4_smt.e" + rel: assessment-for + - id: ma-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: MA-04e.[02] + class: sp800-53a + prose: network connections are terminated when nonlocal maintenance + is completed. + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt" + rel: assessment-for + - id: ma-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing nonlocal system maintenance + + remote access policy + + remote access procedures + + system design documentation + + system configuration settings and associated documentation + + maintenance records + + records of remote access + + diagnostic records + + system security plan + + other relevant documents or records + - id: ma-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing nonlocal maintenance + + + mechanisms implementing, supporting, and/or managing nonlocal + maintenance + + + mechanisms for strong authentication of nonlocal maintenance diagnostic + sessions + + + mechanisms for terminating nonlocal maintenance sessions and network + connections + - id: ma-5 + class: SP800-53 + title: Maintenance Personnel + props: + - name: label + value: MA-5 + - name: label + value: MA-05 + class: sp800-53a + - name: sort-id + value: ma-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + parts: + - id: ma-5_smt + name: statement + parts: + - id: ma-5_smt.a + name: item + props: + - name: label + value: a. + prose: Establish a process for maintenance personnel authorization + and maintain a list of authorized maintenance organizations or + personnel; + - id: ma-5_smt.b + name: item + props: + - name: label + value: b. + prose: Verify that non-escorted personnel performing maintenance + on the system possess the required access authorizations; and + - id: ma-5_smt.c + name: item + props: + - name: label + value: c. + prose: Designate organizational personnel with required access authorizations + and technical competence to supervise the maintenance activities + of personnel who do not possess the required access authorizations. + - id: ma-5_gdn + name: guidance + prose: Maintenance personnel refers to individuals who perform hardware + or software maintenance on organizational systems, while [PE-2](#pe-2) + addresses physical access for individuals whose maintenance duties + place them within the physical protection perimeter of the systems. + Technical competence of supervising individuals relates to the maintenance + performed on the systems, while having required access authorizations + refers to maintenance on and near the systems. Individuals not previously + identified as authorized maintenance personnel—such as information + technology manufacturers, vendors, systems integrators, and consultants—may + require privileged access to organizational systems, such as when + they are required to conduct maintenance activities with little or + no notice. Based on organizational assessments of risk, organizations + may issue temporary credentials to these individuals. Temporary credentials + may be for one-time use or for very limited time periods. + - id: ma-5_obj + name: assessment-objective + props: + - name: label + value: MA-05 + class: sp800-53a + parts: + - id: ma-5_obj.a + name: assessment-objective + props: + - name: label + value: MA-05a. + class: sp800-53a + parts: + - id: ma-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-05a.[01] + class: sp800-53a + prose: a process for maintenance personnel authorization is + established; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-05a.[02] + class: sp800-53a + prose: a list of authorized maintenance organizations or personnel + is maintained; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.b + name: assessment-objective + props: + - name: label + value: MA-05b. + class: sp800-53a + prose: non-escorted personnel performing maintenance on the system + possess the required access authorizations; + links: + - href: "#ma-5_smt.b" + rel: assessment-for + - id: ma-5_obj.c + name: assessment-objective + props: + - name: label + value: MA-05c. + class: sp800-53a + prose: organizational personnel with required access authorizations + and technical competence is/are designated to supervise the maintenance + activities of personnel who do not possess the required access + authorizations. + links: + - href: "#ma-5_smt.c" + rel: assessment-for + links: + - href: "#ma-5_smt" + rel: assessment-for + - id: ma-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing maintenance personnel + + service provider contracts + + service-level agreements + + list of authorized personnel + + maintenance records + + access control records + + system security plan + + other relevant documents or records + - id: ma-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for authorizing and managing + maintenance personnel + + + mechanisms supporting and/or implementing authorization of maintenance + personnel + - id: mp + class: family + title: Media Protection + controls: + - id: mp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: mp-1_prm_1 + label: organization-defined personnel or roles + - id: mp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection policy is + to be disseminated is/are defined; + - id: mp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection procedures + are to be disseminated is/are defined; + - id: mp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: mp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the media protection policy and procedures + is defined; + - id: mp-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency with which the current media protection policy + is reviewed and updated is defined; + - id: mp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current media protection policy + to be reviewed and updated are defined; + - id: mp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current media protection procedures + are reviewed and updated is defined; + - id: mp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require media protection procedures to + be reviewed and updated are defined; + props: + - name: label + value: MP-1 + - name: label + value: MP-01 + class: sp800-53a + - name: sort-id + value: mp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-1_smt + name: statement + parts: + - id: mp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ mp-1_prm_1 }}:" + parts: + - id: mp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, mp-01_odp.03 }} media protection\ + \ policy that:" + parts: + - id: mp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: mp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: mp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the media + protection policy and the associated media protection controls; + - id: mp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, mp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures; and" + - id: mp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current media protection:" + parts: + - id: mp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, mp-01_odp.05 }} and following\ + \ {{ insert: param, mp-01_odp.06 }} ; and" + - id: mp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, mp-01_odp.07 }} and following\ + \ {{ insert: param, mp-01_odp.08 }}." + - id: mp-1_gdn + name: guidance + prose: Media protection policy and procedures address the controls in + the MP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of media protection + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to media protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: mp-1_obj + name: assessment-objective + props: + - name: label + value: MP-01 + class: sp800-53a + parts: + - id: mp-1_obj.a + name: assessment-objective + props: + - name: label + value: MP-01a. + class: sp800-53a + parts: + - id: mp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.[01] + class: sp800-53a + prose: a media protection policy is developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.[02] + class: sp800-53a + prose: "the media protection policy is disseminated to {{ insert:\ + \ param, mp-01_odp.01 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.[03] + class: sp800-53a + prose: media protection procedures to facilitate the implementation + of the media protection policy and associated media protection + controls are developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.[04] + class: sp800-53a + prose: "the media protection procedures are disseminated to\ + \ {{ insert: param, mp-01_odp.02 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MP-01a.01 + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MP-01a.01(a) + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses purpose;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses scope;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses roles;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses responsibilities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses management commitment;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy compliance;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MP-01a.01(b) + class: sp800-53a + prose: the media protection policy is consistent with applicable + laws, Executive Orders, directives, regulations, policies, + standards, and guidelines; + links: + - href: "#mp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1" + rel: assessment-for + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.b + name: assessment-objective + props: + - name: label + value: MP-01b. + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures." + links: + - href: "#mp-1_smt.b" + rel: assessment-for + - id: mp-1_obj.c + name: assessment-objective + props: + - name: label + value: MP-01c. + class: sp800-53a + parts: + - id: mp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MP-01c.01 + class: sp800-53a + parts: + - id: mp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MP-01c.01[01] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated {{ insert: param, mp-01_odp.05 }}; " + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MP-01c.01[02] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated following {{ insert: param, mp-01_odp.06\ + \ }};" + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MP-01c.02 + class: sp800-53a + parts: + - id: mp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MP-01c.02[01] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated {{ insert: param, mp-01_odp.07 }}; " + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + - id: mp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MP-01c.02[02] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated following {{ insert: param, mp-01_odp.08\ + \ }}." + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c" + rel: assessment-for + links: + - href: "#mp-1_smt" + rel: assessment-for + - id: mp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Media protection policy and procedures + + organizational risk management strategy + + system security plan + + privacy plan + + other relevant documents or records + - id: mp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media protection + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: mp-2 + class: SP800-53 + title: Media Access + params: + - id: mp-2_prm_1 + label: organization-defined types of digital and/or non-digital media + - id: mp-2_prm_2 + label: organization-defined personnel or roles + - id: mp-02_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to which access is restricted are + defined; + - id: mp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access digital media is/are + defined; + - id: mp-02_odp.03 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to which access is restricted + are defined; + - id: mp-02_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access non-digital media + is/are defined; + props: + - name: label + value: MP-2 + - name: label + value: MP-02 + class: sp800-53a + - name: sort-id + value: mp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-2_smt + name: statement + prose: "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert:\ + \ param, mp-2_prm_2 }}." + - id: mp-2_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Denying access to patient medical records in a community + hospital unless the individuals seeking access to such records are + authorized healthcare providers is an example of restricting access + to non-digital media. Limiting access to the design specifications + stored on compact discs in the media library to individuals on the + system development team is an example of restricting access to digital + media. + - id: mp-2_obj + name: assessment-objective + props: + - name: label + value: MP-02 + class: sp800-53a + parts: + - id: mp-2_obj-1 + name: assessment-objective + props: + - name: label + value: MP-02[01] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.01 }} is restricted\ + \ to {{ insert: param, mp-02_odp.02 }};" + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_obj-2 + name: assessment-objective + props: + - name: label + value: MP-02[02] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.03 }} is restricted\ + \ to {{ insert: param, mp-02_odp.04 }}." + links: + - href: "#mp-2_smt" + rel: assessment-for + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media access restrictions + + access control policy and procedures + + physical and environmental protection policy and procedures + + media storage facilities + + access control records + + system security plan + + other relevant documents or records + - id: mp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for restricting information media + + + mechanisms supporting and/or implementing media access restrictions + - id: mp-6 + class: SP800-53 + title: Media Sanitization + params: + - id: mp-6_prm_1 + label: organization-defined system media + constraints: + - description: "techniques and procedures IAW NIST SP 800-88 Section\ + \ 4: Reuse and Disposal of Storage Media and Hardware" + - id: mp-6_prm_2 + label: organization-defined sanitization techniques and procedures + - id: mp-06_odp.01 + label: system media + guidelines: + - prose: system media to be sanitized prior to disposal is defined; + - id: mp-06_odp.02 + label: system media + guidelines: + - prose: system media to be sanitized prior to release from organizational + control is defined; + - id: mp-06_odp.03 + label: system media + guidelines: + - prose: system media to be sanitized prior to release for reuse is + defined; + - id: mp-06_odp.04 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to disposal are defined; + - id: mp-06_odp.05 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release from organizational control are defined; + - id: mp-06_odp.06 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release for reuse are defined; + props: + - name: label + value: MP-6 + - name: label + value: MP-06 + class: sp800-53a + - name: sort-id + value: mp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#au-11" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pm-22" + rel: related + - href: "#si-12" + rel: related + - href: "#si-18" + rel: related + - href: "#si-19" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: mp-6_smt + name: statement + parts: + - id: mp-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal,\ + \ release out of organizational control, or release for reuse\ + \ using {{ insert: param, mp-6_prm_2 }} ; and" + - id: mp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the + information. + - id: mp-6_gdn + name: guidance + prose: Media sanitization applies to all digital and non-digital system + media subject to disposal or reuse, whether or not the media is considered + removable. Examples include digital media in scanners, copiers, printers, + notebook computers, workstations, network components, mobile devices, + and non-digital media (e.g., paper and microfilm). The sanitization + process removes information from system media such that the information + cannot be retrieved or reconstructed. Sanitization techniques—including + clearing, purging, cryptographic erase, de-identification of personally + identifiable information, and destruction—prevent the disclosure of + information to unauthorized individuals when such media is reused + or released for disposal. Organizations determine the appropriate + sanitization methods, recognizing that destruction is sometimes necessary + when other methods cannot be applied to media requiring sanitization. + Organizations use discretion on the employment of approved sanitization + techniques and procedures for media that contains information deemed + to be in the public domain or publicly releasable or information deemed + to have no adverse impact on organizations or individuals if released + for reuse or disposal. Sanitization of non-digital media includes + destruction, removing a classified appendix from an otherwise unclassified + document, or redacting selected sections or words from a document + by obscuring the redacted sections or words in a manner equivalent + in effectiveness to removing them from the document. NSA standards + and policies control the sanitization process for media that contains + classified information. NARA policies control the sanitization process + for controlled unclassified information. + - id: mp-6_obj + name: assessment-objective + props: + - name: label + value: MP-06 + class: sp800-53a + parts: + - id: mp-6_obj.a + name: assessment-objective + props: + - name: label + value: MP-06a. + class: sp800-53a + parts: + - id: mp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-06a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.01 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.04 }} prior to disposal;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-06a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.02 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.05 }} prior to release from\ + \ organizational control;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-06a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.03 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.06 }} prior to release for reuse;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.b + name: assessment-objective + props: + - name: label + value: MP-06b. + class: sp800-53a + prose: sanitization mechanisms with strength and integrity commensurate + with the security category or classification of the information + are employed. + links: + - href: "#mp-6_smt.b" + rel: assessment-for + links: + - href: "#mp-6_smt" + rel: assessment-for + - id: mp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + applicable federal standards and policies addressing media sanitization + policy + + + media sanitization records + + + system audit records + + + system design documentation + + + records retention and disposition policy + + + records retention and disposition procedures + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media sanitization + responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: mp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for media sanitization + + mechanisms supporting and/or implementing media sanitization + - id: mp-7 + class: SP800-53 + title: Media Use + params: + - id: mp-07_odp.01 + label: types of system media + guidelines: + - prose: types of system media to be restricted or prohibited from + use on systems or system components are defined; + - id: mp-07_odp.02 + select: + choice: + - restrict + - prohibit + - id: mp-07_odp.03 + label: systems or system components + guidelines: + - prose: systems or system components on which the use of specific + types of system media to be restricted or prohibited are defined; + - id: mp-07_odp.04 + label: controls + guidelines: + - prose: controls to restrict or prohibit the use of specific types + of system media on systems or system components are defined; + props: + - name: label + value: MP-7 + - name: label + value: MP-07 + class: sp800-53a + - name: sort-id + value: mp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: mp-7_smt + name: statement + parts: + - id: mp-7_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, mp-07_odp.02 }} the use of {{ insert:\ + \ param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }} ; and" + - id: mp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Prohibit the use of portable storage devices in organizational + systems when such devices have no identifiable owner. + - id: mp-7_gdn + name: guidance + prose: System media includes both digital and non-digital media. Digital + media includes diskettes, magnetic tapes, flash drives, compact discs, + digital versatile discs, and removable hard disk drives. Non-digital + media includes paper and microfilm. Media use protections also apply + to mobile devices with information storage capabilities. In contrast + to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts + the use of certain types of media on systems, for example, restricting + or prohibiting the use of flash drives or external hard disk drives. + Organizations use technical and nontechnical controls to restrict + the use of system media. Organizations may restrict the use of portable + storage devices, for example, by using physical cages on workstations + to prohibit access to certain external ports or disabling or removing + the ability to insert, read, or write to such devices. Organizations + may also limit the use of portable storage devices to only approved + devices, including devices provided by the organization, devices provided + by other approved organizations, and devices that are not personally + owned. Finally, organizations may restrict the use of portable storage + devices based on the type of device, such as by prohibiting the use + of writeable, portable storage devices and implementing this restriction + by disabling or removing the capability to write to such devices. + Requiring identifiable owners for storage devices reduces the risk + of using such devices by allowing organizations to assign responsibility + for addressing known vulnerabilities in the devices. + - id: mp-7_obj + name: assessment-objective + props: + - name: label + value: MP-07 + class: sp800-53a + parts: + - id: mp-7_obj.a + name: assessment-objective + props: + - name: label + value: MP-07a. + class: sp800-53a + prose: "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert:\ + \ param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }};" + links: + - href: "#mp-7_smt.a" + rel: assessment-for + - id: mp-7_obj.b + name: assessment-objective + props: + - name: label + value: MP-07b. + class: sp800-53a + prose: the use of portable storage devices in organizational systems + is prohibited when such devices have no identifiable owner. + links: + - href: "#mp-7_smt.b" + rel: assessment-for + links: + - href: "#mp-7_smt" + rel: assessment-for + - id: mp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + system use policy + + procedures addressing media usage restrictions + + rules of behavior + + system design documentation + + system configuration settings and associated documentation + + audit records + + system security plan + + other relevant documents or records + - id: mp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media use + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media use + + + mechanisms restricting or prohibiting the use of system media + on systems or system components + - id: pe + class: family + title: Physical and Environmental Protection + controls: + - id: pe-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pe-1_prm_1 + label: organization-defined personnel or roles + - id: pe-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection policy is to be disseminated is/are defined; + - id: pe-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection procedures are to be disseminated is/are defined; + - id: pe-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pe-01_odp.04 + label: official + guidelines: + - prose: an official to manage the physical and environmental protection + policy and procedures is defined; + - id: pe-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current physical and environmental + protection policy is reviewed and updated is defined; + - id: pe-01_odp.06 + label: events + guidelines: + - prose: events that would require the current physical and environmental + protection policy to be reviewed and updated are defined; + - id: pe-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current physical and environmental + protection procedures are reviewed and updated is defined; + - id: pe-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the physical and environmental + protection procedures to be reviewed and updated are defined; + props: + - name: label + value: PE-1 + - name: label + value: PE-01 + class: sp800-53a + - name: sort-id + value: pe-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pe-1_smt + name: statement + parts: + - id: pe-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pe-1_prm_1 }}:" + parts: + - id: pe-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pe-01_odp.03 }} physical and environmental\ + \ protection policy that:" + parts: + - id: pe-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pe-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pe-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the physical + and environmental protection policy and the associated physical + and environmental protection controls; + - id: pe-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pe-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures; and" + - id: pe-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current physical and environmental\ + \ protection:" + parts: + - id: pe-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pe-01_odp.05 }} and following\ + \ {{ insert: param, pe-01_odp.06 }} ; and" + - id: pe-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pe-01_odp.07 }} and following\ + \ {{ insert: param, pe-01_odp.08 }}." + - id: pe-1_gdn + name: guidance + prose: Physical and environmental protection policy and procedures address + the controls in the PE family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of physical and environmental protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + physical and environmental protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: pe-1_obj + name: assessment-objective + props: + - name: label + value: PE-01 + class: sp800-53a + parts: + - id: pe-1_obj.a + name: assessment-objective + props: + - name: label + value: PE-01a. + class: sp800-53a + parts: + - id: pe-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.[01] + class: sp800-53a + prose: a physical and environmental protection policy is developed + and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.[02] + class: sp800-53a + prose: "the physical and environmental protection policy is\ + \ disseminated to {{ insert: param, pe-01_odp.01 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.[03] + class: sp800-53a + prose: physical and environmental protection procedures to facilitate + the implementation of the physical and environmental protection + policy and associated physical and environmental protection + controls are developed and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.[04] + class: sp800-53a + prose: "the physical and environmental protection procedures\ + \ are disseminated to {{ insert: param, pe-01_odp.02 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-01a.01 + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PE-01a.01(a) + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses purpose;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses scope;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses roles;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses responsibilities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses management\ + \ commitment;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses compliance;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PE-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical and\ + \ environmental protection policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#pe-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1" + rel: assessment-for + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.b + name: assessment-objective + props: + - name: label + value: PE-01b. + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures;" + links: + - href: "#pe-1_smt.b" + rel: assessment-for + - id: pe-1_obj.c + name: assessment-objective + props: + - name: label + value: PE-01c. + class: sp800-53a + parts: + - id: pe-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PE-01c.01 + class: sp800-53a + parts: + - id: pe-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PE-01c.01[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated {{ insert: param, pe-01_odp.05\ + \ }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PE-01c.01[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, pe-01_odp.06 }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PE-01c.02 + class: sp800-53a + parts: + - id: pe-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PE-01c.02[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ pe-01_odp.07 }};" + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + - id: pe-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PE-01c.02[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, pe-01_odp.08 }}." + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c" + rel: assessment-for + links: + - href: "#pe-1_smt" + rel: assessment-for + - id: pe-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: pe-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical and environmental + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-2 + class: SP800-53 + title: Physical Access Authorizations + params: + - id: pe-02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review the access list detailing authorized + facility access by individuals is defined; + props: + - name: label + value: PE-2 + - name: label + value: PE-02 + class: sp800-53a + - name: sort-id + value: pe-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: pe-2_smt + name: statement + parts: + - id: pe-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, approve, and maintain a list of individuals with + authorized access to the facility where the system resides; + - id: pe-2_smt.b + name: item + props: + - name: label + value: b. + prose: Issue authorization credentials for facility access; + - id: pe-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the access list detailing authorized facility access\ + \ by individuals {{ insert: param, pe-02_odp }} ; and" + - id: pe-2_smt.d + name: item + props: + - name: label + value: d. + prose: Remove individuals from the facility access list when access + is no longer required. + - id: pe-2_gdn + name: guidance + prose: Physical access authorizations apply to employees and visitors. + Individuals with permanent physical access authorization credentials + are not considered visitors. Authorization credentials include ID + badges, identification cards, and smart cards. Organizations determine + the strength of authorization credentials needed consistent with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Physical access authorizations may not be necessary + to access certain areas within facilities that are designated as publicly + accessible. + - id: pe-2_obj + name: assessment-objective + props: + - name: label + value: PE-02 + class: sp800-53a + parts: + - id: pe-2_obj.a + name: assessment-objective + props: + - name: label + value: PE-02a. + class: sp800-53a + parts: + - id: pe-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-02a.[01] + class: sp800-53a + prose: a list of individuals with authorized access to the facility + where the system resides has been developed; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-02a.[02] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been approved; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-02a.[03] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been maintained; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.b + name: assessment-objective + props: + - name: label + value: PE-02b. + class: sp800-53a + prose: authorization credentials are issued for facility access; + links: + - href: "#pe-2_smt.b" + rel: assessment-for + - id: pe-2_obj.c + name: assessment-objective + props: + - name: label + value: PE-02c. + class: sp800-53a + prose: "the access list detailing authorized facility access by\ + \ individuals is reviewed {{ insert: param, pe-02_odp }};" + links: + - href: "#pe-2_smt.c" + rel: assessment-for + - id: pe-2_obj.d + name: assessment-objective + props: + - name: label + value: PE-02d. + class: sp800-53a + prose: individuals are removed from the facility access list when + access is no longer required. + links: + - href: "#pe-2_smt.d" + rel: assessment-for + links: + - href: "#pe-2_smt" + rel: assessment-for + - id: pe-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access authorizations + + + authorized personnel access list + + + authorization credentials + + + physical access list reviews + + + physical access termination records and associated documentation + + + system security plan + + + other relevant documents or records + - id: pe-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access authorization + responsibilities + + + organizational personnel with physical access to system facility + + + organizational personnel with information security responsibilities + - id: pe-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access authorizations + + + mechanisms supporting and/or implementing physical access authorizations + - id: pe-3 + class: SP800-53 + title: Physical Access Control + params: + - id: pe-3_prm_9 + label: organization-defined frequency + constraints: + - description: at least annually + - id: pe-03_odp.01 + label: entry and exit points + guidelines: + - prose: entry and exit points to the facility in which the system + resides are defined; + - id: pe-03_odp.02 + constraints: + - description: CSP defined physical access control systems/devices + AND guards + select: + how-many: one-or-more + choice: + - " {{ insert: param, pe-03_odp.03 }} " + - guards + - id: pe-03_odp.03 + label: systems or devices + guidelines: + - prose: physical access control systems or devices used to control + ingress and egress to the facility are defined (if selected); + - id: pe-03_odp.04 + label: entry or exit points + guidelines: + - prose: entry or exit points for which physical access logs are maintained + are defined; + - id: pe-03_odp.05 + label: physical access controls + guidelines: + - prose: physical access controls to control access to areas within + the facility designated as publicly accessible are defined; + - id: pe-03_odp.06 + label: circumstances + constraints: + - description: in all circumstances within restricted access area + where the information system resides + guidelines: + - prose: circumstances requiring visitor escorts and control of visitor + activity are defined; + - id: pe-03_odp.07 + label: physical access devices + constraints: + - description: at least annually + guidelines: + - prose: physical access devices to be inventoried are defined; + - id: pe-03_odp.08 + label: frequency + guidelines: + - prose: frequency at which to inventory physical access devices is + defined; + - id: pe-03_odp.09 + label: frequency + guidelines: + - prose: frequency at which to change combinations is defined; + - id: pe-03_odp.10 + label: frequency + guidelines: + - prose: frequency at which to change keys is defined; + props: + - name: label + value: PE-3 + - name: label + value: PE-03 + class: sp800-53a + - name: sort-id + value: pe-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-13" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: pe-3_smt + name: statement + parts: + - id: pe-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce physical access authorizations at {{ insert: param,\ + \ pe-03_odp.01 }} by:" + parts: + - id: pe-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Verifying individual access authorizations before granting + access to the facility; and + - id: pe-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "Controlling ingress and egress to the facility using\ + \ {{ insert: param, pe-03_odp.02 }};" + - id: pe-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Maintain physical access audit logs for {{ insert: param,\ + \ pe-03_odp.04 }};" + - id: pe-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Control access to areas within the facility designated as\ + \ publicly accessible by implementing the following controls:\ + \ {{ insert: param, pe-03_odp.05 }};" + - id: pe-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Escort visitors and control visitor activity {{ insert:\ + \ param, pe-03_odp.06 }};" + - id: pe-3_smt.e + name: item + props: + - name: label + value: e. + prose: Secure keys, combinations, and other physical access devices; + - id: pe-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert:\ + \ param, pe-03_odp.08 }} ; and" + - id: pe-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Change combinations and keys {{ insert: param, pe-3_prm_9\ + \ }} and/or when keys are lost, combinations are compromised,\ + \ or when individuals possessing the keys or combinations are\ + \ transferred or terminated." + - id: pe-3_gdn + name: guidance + prose: Physical access control applies to employees and visitors. Individuals + with permanent physical access authorizations are not considered visitors. + Physical access controls for publicly accessible areas may include + physical access control logs/records, guards, or physical access devices + and barriers to prevent movement from publicly accessible areas to + non-public areas. Organizations determine the types of guards needed, + including professional security staff, system users, or administrative + staff. Physical access devices include keys, locks, combinations, + biometric readers, and card readers. Physical access control systems + comply with applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Organizations have flexibility + in the types of audit logs employed. Audit logs can be procedural, + automated, or some combination thereof. Physical access points can + include facility access points, interior access points to systems + that require supplemental access controls, or both. Components of + systems may be in areas designated as publicly accessible with organizations + controlling access to the components. + - id: pe-3_obj + name: assessment-objective + props: + - name: label + value: PE-03 + class: sp800-53a + parts: + - id: pe-3_obj.a + name: assessment-objective + props: + - name: label + value: PE-03a. + class: sp800-53a + parts: + - id: pe-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-03a.01 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by verifying individual access authorizations\ + \ before granting access to the facility;" + links: + - href: "#pe-3_smt.a.1" + rel: assessment-for + - id: pe-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: PE-03a.02 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by controlling ingress and egress\ + \ to the facility using {{ insert: param, pe-03_odp.02 }};" + links: + - href: "#pe-3_smt.a.2" + rel: assessment-for + links: + - href: "#pe-3_smt.a" + rel: assessment-for + - id: pe-3_obj.b + name: assessment-objective + props: + - name: label + value: PE-03b. + class: sp800-53a + prose: "physical access audit logs are maintained for {{ insert:\ + \ param, pe-03_odp.04 }};" + links: + - href: "#pe-3_smt.b" + rel: assessment-for + - id: pe-3_obj.c + name: assessment-objective + props: + - name: label + value: PE-03c. + class: sp800-53a + prose: "access to areas within the facility designated as publicly\ + \ accessible are maintained by implementing {{ insert: param,\ + \ pe-03_odp.05 }};" + links: + - href: "#pe-3_smt.c" + rel: assessment-for + - id: pe-3_obj.d + name: assessment-objective + props: + - name: label + value: PE-03d. + class: sp800-53a + parts: + - id: pe-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: PE-03d.[01] + class: sp800-53a + prose: visitors are escorted; + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: PE-03d.[02] + class: sp800-53a + prose: "visitor activity is controlled {{ insert: param, pe-03_odp.06\ + \ }};" + links: + - href: "#pe-3_smt.d" + rel: assessment-for + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.e + name: assessment-objective + props: + - name: label + value: PE-03e. + class: sp800-53a + parts: + - id: pe-3_obj.e-1 + name: assessment-objective + props: + - name: label + value: PE-03e.[01] + class: sp800-53a + prose: keys are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-2 + name: assessment-objective + props: + - name: label + value: PE-03e.[02] + class: sp800-53a + prose: combinations are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-3 + name: assessment-objective + props: + - name: label + value: PE-03e.[03] + class: sp800-53a + prose: other physical access devices are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.f + name: assessment-objective + props: + - name: label + value: PE-03f. + class: sp800-53a + prose: " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert:\ + \ param, pe-03_odp.08 }};" + links: + - href: "#pe-3_smt.f" + rel: assessment-for + - id: pe-3_obj.g + name: assessment-objective + props: + - name: label + value: PE-03g. + class: sp800-53a + parts: + - id: pe-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: PE-03g.[01] + class: sp800-53a + prose: "combinations are changed {{ insert: param, pe-03_odp.09\ + \ }} , when combinations are compromised, or when individuals\ + \ possessing the combinations are transferred or terminated;" + links: + - href: "#pe-3_smt.g" + rel: assessment-for + - id: pe-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: PE-03g.[02] + class: sp800-53a + prose: "keys are changed {{ insert: param, pe-03_odp.10 }} ,\ + \ when keys are lost, or when individuals possessing the keys\ + \ are transferred or terminated." + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt" + rel: assessment-for + - id: pe-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access control + + + physical access control logs or records + + + inventory records of physical access control devices + + + system entry and exit points + + + records of key and lock combination changes + + + storage locations for physical access control devices + + + physical access control devices + + + list of security safeguards controlling access to designated publicly + accessible areas within facility + + + system security plan + + + other relevant documents or records + - id: pe-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access control + + + mechanisms supporting and/or implementing physical access control + + + physical access control devices + - id: pe-6 + class: SP800-53 + title: Monitoring Physical Access + params: + - id: pe-06_odp.01 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review physical access logs is + defined; + - id: pe-06_odp.02 + label: events + guidelines: + - prose: events or potential indication of events requiring physical + access logs to be reviewed are defined; + props: + - name: label + value: PE-6 + - name: label + value: PE-06 + class: sp800-53a + - name: sort-id + value: pe-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#ca-7" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: pe-6_smt + name: statement + parts: + - id: pe-6_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor physical access to the facility where the system + resides to detect and respond to physical security incidents; + - id: pe-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review physical access logs {{ insert: param, pe-06_odp.01\ + \ }} and upon occurrence of {{ insert: param, pe-06_odp.02 }}\ + \ ; and" + - id: pe-6_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate results of reviews and investigations with the + organizational incident response capability. + - id: pe-6_gdn + name: guidance + prose: Physical access monitoring includes publicly accessible areas + within organizational facilities. Examples of physical access monitoring + include the employment of guards, video surveillance equipment (i.e., + cameras), and sensor devices. Reviewing physical access logs can help + identify suspicious activity, anomalous events, or potential threats. + The reviews can be supported by audit logging controls, such as [AU-2](#au-2) + , if the access logs are part of an automated system. Organizational + incident response capabilities include investigations of physical + security incidents and responses to the incidents. Incidents include + security violations or suspicious physical access activities. Suspicious + physical access activities include accesses outside of normal work + hours, repeated accesses to areas not normally accessed, accesses + for unusual lengths of time, and out-of-sequence accesses. + - id: pe-6_obj + name: assessment-objective + props: + - name: label + value: PE-06 + class: sp800-53a + parts: + - id: pe-6_obj.a + name: assessment-objective + props: + - name: label + value: PE-06a. + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored to detect and respond to physical security incidents; + links: + - href: "#pe-6_smt.a" + rel: assessment-for + - id: pe-6_obj.b + name: assessment-objective + props: + - name: label + value: PE-06b. + class: sp800-53a + parts: + - id: pe-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: PE-06b.[01] + class: sp800-53a + prose: "physical access logs are reviewed {{ insert: param,\ + \ pe-06_odp.01 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: PE-06b.[02] + class: sp800-53a + prose: "physical access logs are reviewed upon occurrence of\ + \ {{ insert: param, pe-06_odp.02 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.c + name: assessment-objective + props: + - name: label + value: PE-06c. + class: sp800-53a + parts: + - id: pe-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: PE-06c.[01] + class: sp800-53a + prose: results of reviews are coordinated with organizational + incident response capabilities; + links: + - href: "#pe-6_smt.c" + rel: assessment-for + - id: pe-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: PE-06c.[02] + class: sp800-53a + prose: results of investigations are coordinated with organizational + incident response capabilities. + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt" + rel: assessment-for + - id: pe-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + other relevant documents or records + - id: pe-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security responsibilities + - id: pe-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical access + + + mechanisms supporting and/or implementing physical access monitoring + + + mechanisms supporting and/or implementing the review of physical + access logs + - id: pe-8 + class: SP800-53 + title: Visitor Access Records + params: + - id: pe-08_odp.01 + label: time period + constraints: + - description: for a minimum of one (1) year + guidelines: + - prose: time period for which to maintain visitor access records + for the facility where the system resides is defined; + - id: pe-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review visitor access records is + defined; + - id: pe-08_odp.03 + label: personnel + guidelines: + - prose: personnel to whom visitor access records anomalies are reported + to is/are defined; + props: + - name: label + value: PE-8 + - name: label + value: PE-08 + class: sp800-53a + - name: sort-id + value: pe-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: pe-8_smt + name: statement + parts: + - id: pe-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain visitor access records to the facility where the\ + \ system resides for {{ insert: param, pe-08_odp.01 }};" + - id: pe-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review visitor access records {{ insert: param, pe-08_odp.02\ + \ }} ; and" + - id: pe-8_smt.c + name: item + props: + - name: label + value: c. + prose: "Report anomalies in visitor access records to {{ insert:\ + \ param, pe-08_odp.03 }}." + - id: pe-8_gdn + name: guidance + prose: Visitor access records include the names and organizations of + individuals visiting, visitor signatures, forms of identification, + dates of access, entry and departure times, purpose of visits, and + the names and organizations of individuals visited. Access record + reviews determine if access authorizations are current and are still + required to support organizational mission and business functions. + Access records are not required for publicly accessible areas. + - id: pe-8_obj + name: assessment-objective + props: + - name: label + value: PE-08 + class: sp800-53a + parts: + - id: pe-8_obj.a + name: assessment-objective + props: + - name: label + value: PE-08a. + class: sp800-53a + prose: "visitor access records for the facility where the system\ + \ resides are maintained for {{ insert: param, pe-08_odp.01 }};" + links: + - href: "#pe-8_smt.a" + rel: assessment-for + - id: pe-8_obj.b + name: assessment-objective + props: + - name: label + value: PE-08b. + class: sp800-53a + prose: "visitor access records are reviewed {{ insert: param, pe-08_odp.02\ + \ }};" + links: + - href: "#pe-8_smt.b" + rel: assessment-for + - id: pe-8_obj.c + name: assessment-objective + props: + - name: label + value: PE-08c. + class: sp800-53a + prose: "visitor access records anomalies are reported to {{ insert:\ + \ param, pe-08_odp.03 }}." + links: + - href: "#pe-8_smt.c" + rel: assessment-for + links: + - href: "#pe-8_smt" + rel: assessment-for + - id: pe-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing visitor access records + + visitor access control logs or records + + visitor access record or log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with visitor access record + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining and reviewing + visitor access records + + + mechanisms supporting and/or implementing the maintenance and + review of visitor access records + - id: pe-12 + class: SP800-53 + title: Emergency Lighting + props: + - name: label + value: PE-12 + - name: label + value: PE-12 + class: sp800-53a + - name: sort-id + value: pe-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-12_smt + name: statement + prose: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that + covers emergency exits and evacuation routes within the facility. + - id: pe-12_gdn + name: guidance + prose: The provision of emergency lighting applies primarily to organizational + facilities that contain concentrations of system resources, including + data centers, server rooms, and mainframe computer rooms. Emergency + lighting provisions for the system are described in the contingency + plan for the organization. If emergency lighting for the system fails + or cannot be provided, organizations consider alternate processing + sites for power-related contingencies. + - id: pe-12_obj + name: assessment-objective + props: + - name: label + value: PE-12 + class: sp800-53a + parts: + - id: pe-12_obj-1 + name: assessment-objective + props: + - name: label + value: PE-12[01] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is employed for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-2 + name: assessment-objective + props: + - name: label + value: PE-12[02] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is maintained for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-3 + name: assessment-objective + props: + - name: label + value: PE-12[03] + class: sp800-53a + prose: automatic emergency lighting for the system covers emergency + exits within the facility; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-4 + name: assessment-objective + props: + - name: label + value: PE-12[04] + class: sp800-53a + prose: automatic emergency lighting for the system covers evacuation + routes within the facility. + links: + - href: "#pe-12_smt" + rel: assessment-for + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency lighting + + emergency lighting documentation + + emergency lighting test records + + emergency exits and evacuation routes + + system security plan + + other relevant documents or records + - id: pe-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency lighting and/or planning + + + organizational personnel with information security responsibilities + - id: pe-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an emergency lighting + capability + - id: pe-13 + class: SP800-53 + title: Fire Protection + props: + - name: label + value: PE-13 + - name: label + value: PE-13 + class: sp800-53a + - name: sort-id + value: pe-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + parts: + - id: pe-13_smt + name: statement + prose: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - id: pe-13_gdn + name: guidance + prose: The provision of fire detection and suppression systems applies + primarily to organizational facilities that contain concentrations + of system resources, including data centers, server rooms, and mainframe + computer rooms. Fire detection and suppression systems that may require + an independent energy source include sprinkler systems and smoke detectors. + An independent energy source is an energy source, such as a microgrid, + that is separate, or can be separated, from the energy sources providing + power for the other parts of the facility. + - id: pe-13_obj + name: assessment-objective + props: + - name: label + value: PE-13 + class: sp800-53a + parts: + - id: pe-13_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13[01] + class: sp800-53a + prose: fire detection systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13[02] + class: sp800-53a + prose: employed fire detection systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13[03] + class: sp800-53a + prose: employed fire detection systems are maintained; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-4 + name: assessment-objective + props: + - name: label + value: PE-13[04] + class: sp800-53a + prose: fire suppression systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-5 + name: assessment-objective + props: + - name: label + value: PE-13[05] + class: sp800-53a + prose: employed fire suppression systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-6 + name: assessment-objective + props: + - name: label + value: PE-13[06] + class: sp800-53a + prose: employed fire suppression systems are maintained. + links: + - href: "#pe-13_smt" + rel: assessment-for + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with information security responsibilities + - id: pe-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing fire suppression/detection + devices/systems + - id: pe-14 + class: SP800-53 + title: Environmental Controls + params: + - id: pe-14_odp.01 + constraints: + - description: consistent with American Society of Heating, Refrigerating + and Air-conditioning Engineers (ASHRAE) document entitled Thermal + Guidelines for Data Processing Environments + select: + how-many: one-or-more + choice: + - temperature + - humidity + - pressure + - radiation + - " {{ insert: param, pe-14_odp.02 }} " + - id: pe-14_odp.02 + label: environmental control + guidelines: + - prose: environmental control(s) for which to maintain a specified + level in the facility where the system resides are defined (if + selected); + - id: pe-14_odp.03 + label: acceptable levels + guidelines: + - prose: acceptable levels for environmental controls are defined; + - id: pe-14_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which to monitor environmental control levels + is defined; + props: + - name: label + value: PE-14 + - name: label + value: PE-14 + class: sp800-53a + - name: sort-id + value: pe-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + parts: + - id: pe-14_smt + name: statement + parts: + - id: pe-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain {{ insert: param, pe-14_odp.01 }} levels within\ + \ the facility where the system resides at {{ insert: param, pe-14_odp.03\ + \ }} ; and" + - id: pe-14_smt.b + name: item + props: + - name: label + value: b. + prose: "Monitor environmental control levels {{ insert: param, pe-14_odp.04\ + \ }}." + - id: pe-14_fr + name: item + title: PE-14 Additional FedRAMP Requirements and Guidance + parts: + - id: pe-14_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider measures temperature at server inlets + and humidity levels by dew point. + - id: pe-14_gdn + name: guidance + prose: The provision of environmental controls applies primarily to + organizational facilities that contain concentrations of system resources + (e.g., data centers, mainframe computer rooms, and server rooms). + Insufficient environmental controls, especially in very harsh environments, + can have a significant adverse impact on the availability of systems + and system components that are needed to support organizational mission + and business functions. + - id: pe-14_obj + name: assessment-objective + props: + - name: label + value: PE-14 + class: sp800-53a + parts: + - id: pe-14_obj.a + name: assessment-objective + props: + - name: label + value: PE-14a. + class: sp800-53a + prose: " {{ insert: param, pe-14_odp.01 }} levels are maintained\ + \ at {{ insert: param, pe-14_odp.03 }} within the facility where\ + \ the system resides;" + links: + - href: "#pe-14_smt.a" + rel: assessment-for + - id: pe-14_obj.b + name: assessment-objective + props: + - name: label + value: PE-14b. + class: sp800-53a + prose: "environmental control levels are monitored {{ insert: param,\ + \ pe-14_odp.04 }}." + links: + - href: "#pe-14_smt.b" + rel: assessment-for + links: + - href: "#pe-14_smt" + rel: assessment-for + - id: pe-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing temperature and humidity control + + temperature and humidity controls + + facility housing the system + + temperature and humidity controls documentation + + temperature and humidity records + + system security plan + + other relevant documents or records + - id: pe-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-14-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the maintenance + and monitoring of temperature and humidity levels + - id: pe-15 + class: SP800-53 + title: Water Damage Protection + props: + - name: label + value: PE-15 + - name: label + value: PE-15 + class: sp800-53a + - name: sort-id + value: pe-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#pe-10" + rel: related + parts: + - id: pe-15_smt + name: statement + prose: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, + working properly, and known to key personnel. + - id: pe-15_gdn + name: guidance + prose: The provision of water damage protection primarily applies to + organizational facilities that contain concentrations of system resources, + including data centers, server rooms, and mainframe computer rooms. + Isolation valves can be employed in addition to or in lieu of master + shutoff valves to shut off water supplies in specific areas of concern + without affecting entire organizations. + - id: pe-15_obj + name: assessment-objective + props: + - name: label + value: PE-15 + class: sp800-53a + parts: + - id: pe-15_obj-1 + name: assessment-objective + props: + - name: label + value: PE-15[01] + class: sp800-53a + prose: the system is protected from damage resulting from water + leakage by providing master shutoff or isolation valves; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-2 + name: assessment-objective + props: + - name: label + value: PE-15[02] + class: sp800-53a + prose: the master shutoff or isolation valves are accessible; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-3 + name: assessment-objective + props: + - name: label + value: PE-15[03] + class: sp800-53a + prose: the master shutoff or isolation valves are working properly; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-4 + name: assessment-objective + props: + - name: label + value: PE-15[04] + class: sp800-53a + prose: the master shutoff or isolation valves are known to key personnel. + links: + - href: "#pe-15_smt" + rel: assessment-for + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing water damage protection + + + facility housing the system + + + master shutoff valves + + + list of key personnel with knowledge of location and activation + procedures for master shutoff valves for the plumbing system + + + master shutoff valve documentation + + + system security plan + + + other relevant documents or records + - id: pe-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Master water-shutoff valves + + organizational process for activating master water shutoff + - id: pe-16 + class: SP800-53 + title: Delivery and Removal + params: + - id: pe-16_prm_1 + label: organization-defined types of system components + constraints: + - description: all information system components + - id: pe-16_odp.01 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when entering the facility are defined; + - id: pe-16_odp.02 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when exiting the facility are defined; + props: + - name: label + value: PE-16 + - name: label + value: PE-16 + class: sp800-53a + - name: sort-id + value: pe-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-20" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: pe-16_smt + name: statement + parts: + - id: pe-16_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize and control {{ insert: param, pe-16_prm_1 }} entering\ + \ and exiting the facility; and" + - id: pe-16_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain records of the system components. + - id: pe-16_gdn + name: guidance + prose: Enforcing authorizations for entry and exit of system components + may require restricting access to delivery areas and isolating the + areas from the system and media libraries. + - id: pe-16_obj + name: assessment-objective + props: + - name: label + value: PE-16 + class: sp800-53a + parts: + - id: pe-16_obj.a + name: assessment-objective + props: + - name: label + value: PE-16a. + class: sp800-53a + parts: + - id: pe-16_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-16a.[01] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are authorized when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-16a.[02] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are controlled when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-16a.[03] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are authorized when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-16a.[04] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are controlled when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.b + name: assessment-objective + props: + - name: label + value: PE-16b. + class: sp800-53a + prose: records of the system components are maintained. + links: + - href: "#pe-16_smt.b" + rel: assessment-for + links: + - href: "#pe-16_smt" + rel: assessment-for + - id: pe-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing the delivery and removal of system components + from the facility + + + facility housing the system + + + records of items entering and exiting the facility + + + system security plan + + + other relevant documents or records + - id: pe-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + controlling system components entering and exiting the + facility + + + organizational personnel with information security responsibilities + - id: pe-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling system-related items entering and exiting the + facility + + + mechanisms supporting and/or implementing, authorizing, monitoring, + and controlling system-related items entering and exiting the + facility + - id: pl + class: family + title: Planning + controls: + - id: pl-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pl-1_prm_1 + label: organization-defined personnel or roles + - id: pl-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning policy is to be disseminated + is/are defined; + - id: pl-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning procedures are to + be disseminated is/are defined; + - id: pl-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pl-01_odp.04 + label: official + guidelines: + - prose: an official to manage the planning policy and procedures + is defined; + - id: pl-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency with which the current planning policy is reviewed + and updated is defined; + - id: pl-01_odp.06 + label: events + guidelines: + - prose: events that would require the current planning policy to + be reviewed and updated are defined; + - id: pl-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current planning procedures + are reviewed and updated is defined; + - id: pl-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: PL-1 + - name: label + value: PL-01 + class: sp800-53a + - name: sort-id + value: pl-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-1_smt + name: statement + parts: + - id: pl-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pl-1_prm_1 }}:" + parts: + - id: pl-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pl-01_odp.03 }} planning policy that:" + parts: + - id: pl-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pl-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pl-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the planning + policy and the associated planning controls; + - id: pl-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pl-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures; and" + - id: pl-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current planning:" + parts: + - id: pl-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pl-01_odp.05 }} and following\ + \ {{ insert: param, pl-01_odp.06 }} ; and" + - id: pl-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pl-01_odp.07 }} and following\ + \ {{ insert: param, pl-01_odp.08 }}." + - id: pl-1_gdn + name: guidance + prose: Planning policy and procedures for the controls in the PL family + implemented within systems and organizations. The risk management + strategy is an important factor in establishing such policies and + procedures. Policies and procedures contribute to security and privacy + assurance. Therefore, it is important that security and privacy programs + collaborate on their development. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission level or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to planning policy and procedures + include, but are not limited to, assessment or audit findings, security + incidents or breaches, or changes in laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: pl-1_obj + name: assessment-objective + props: + - name: label + value: PL-01 + class: sp800-53a + parts: + - id: pl-1_obj.a + name: assessment-objective + props: + - name: label + value: PL-01a. + class: sp800-53a + parts: + - id: pl-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.[01] + class: sp800-53a + prose: a planning policy is developed and documented. + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.[02] + class: sp800-53a + prose: "the planning policy is disseminated to {{ insert: param,\ + \ pl-01_odp.01 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.[03] + class: sp800-53a + prose: planning procedures to facilitate the implementation + of the planning policy and associated planning controls are + developed and documented; + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.[04] + class: sp800-53a + prose: "the planning procedures are disseminated to {{ insert:\ + \ param, pl-01_odp.02 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-01a.01 + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PL-01a.01(a) + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses purpose;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses scope;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses roles;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses responsibilities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses management commitment;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses compliance;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PL-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning policy\ + \ is consistent with applicable laws, Executive Orders,\ + \ directives, regulations, policies, standards, and guidelines;" + links: + - href: "#pl-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1" + rel: assessment-for + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.b + name: assessment-objective + props: + - name: label + value: PL-01b. + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures;" + links: + - href: "#pl-1_smt.b" + rel: assessment-for + - id: pl-1_obj.c + name: assessment-objective + props: + - name: label + value: PL-01c. + class: sp800-53a + parts: + - id: pl-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PL-01c.01 + class: sp800-53a + parts: + - id: pl-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PL-01c.01[01] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ {{ insert: param, pl-01_odp.05 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PL-01c.01[02] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ following {{ insert: param, pl-01_odp.06 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PL-01c.02 + class: sp800-53a + parts: + - id: pl-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PL-01c.02[01] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated {{ insert: param, pl-01_odp.07 }};" + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + - id: pl-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PL-01c.02[02] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated following {{ insert: param, pl-01_odp.08 }}." + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c" + rel: assessment-for + links: + - href: "#pl-1_smt" + rel: assessment-for + - id: pl-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: pl-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2 + class: SP800-53 + title: System Security and Privacy Plans + params: + - id: pl-02_odp.01 + label: individuals or groups + guidelines: + - prose: individuals or groups with whom security and privacy-related + activities affecting the system that require planning and coordination + is/are assigned; + - id: pl-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive distributed copies of the system + security and privacy plans is/are assigned; + - id: pl-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency to review system security and privacy plans is + defined; + props: + - name: label + value: PL-2 + - name: label + value: PL-02 + class: sp800-53a + - name: sort-id + value: pl-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-7" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: pl-2_smt + name: statement + parts: + - id: pl-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy plans for the system that:" + parts: + - id: pl-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Are consistent with the organization’s enterprise architecture; + - id: pl-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Explicitly define the constituent system components; + - id: pl-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe the operational context of the system in terms + of mission and business processes; + - id: pl-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Identify the individuals that fulfill system roles and + responsibilities; + - id: pl-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Identify the information types processed, stored, and + transmitted by the system; + - id: pl-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provide the security categorization of the system, including + supporting rationale; + - id: pl-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Describe any specific threats to the system that are + of concern to the organization; + - id: pl-2_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Provide the results of a privacy risk assessment for + systems processing personally identifiable information; + - id: pl-2_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: Describe the operational environment for the system and + any dependencies on or connections to other systems or system + components; + - id: pl-2_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: Provide an overview of the security and privacy requirements + for the system; + - id: pl-2_smt.a.11 + name: item + props: + - name: label + value: "11." + prose: Identify any relevant control baselines or overlays, + if applicable; + - id: pl-2_smt.a.12 + name: item + props: + - name: label + value: "12." + prose: Describe the controls in place or planned for meeting + the security and privacy requirements, including a rationale + for any tailoring decisions; + - id: pl-2_smt.a.13 + name: item + props: + - name: label + value: "13." + prose: Include risk determinations for security and privacy + architecture and design decisions; + - id: pl-2_smt.a.14 + name: item + props: + - name: label + value: "14." + prose: "Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with {{\ + \ insert: param, pl-02_odp.01 }} ; and" + - id: pl-2_smt.a.15 + name: item + props: + - name: label + value: "15." + prose: Are reviewed and approved by the authorizing official + or designated representative prior to plan implementation. + - id: pl-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to {{ insert: param, pl-02_odp.02 }};" + - id: pl-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the plans {{ insert: param, pl-02_odp.03 }};" + - id: pl-2_smt.d + name: item + props: + - name: label + value: d. + prose: Update the plans to address changes to the system and environment + of operation or problems identified during plan implementation + or control assessments; and + - id: pl-2_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the plans from unauthorized disclosure and modification. + - id: pl-2_gdn + name: guidance + prose: >- + System security and privacy plans are scoped to the system and + system components within the defined authorization boundary and + contain an overview of the security and privacy requirements for + the system and the controls selected to satisfy the + requirements. The plans describe the intended application of + each selected control in the context of the system with a + sufficient level of detail to correctly implement the control + and to subsequently assess the effectiveness of the control. The + control documentation describes how system-specific and hybrid + controls are implemented and the plans and expectations + regarding the functionality of the system. System security and + privacy plans can also be used in the design and development of + systems in support of life cycle-based security and privacy + engineering processes. System security and privacy plans are + living documents that are updated and adapted throughout the + system development life cycle (e.g., during capability + determination, analysis of alternatives, requests for proposal, + and design reviews). [Section + 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the + different types of requirements that are relevant to + organizations during the system development life cycle and the + relationship between requirements and controls. + + + Organizations may develop a single, integrated security and privacy + plan or maintain separate plans. Security and privacy plans relate + security and privacy requirements to a set of controls and control + enhancements. The plans describe how the controls and control enhancements + meet the security and privacy requirements but do not provide detailed, + technical descriptions of the design or implementation of the controls + and control enhancements. Security and privacy plans contain sufficient + information (including specifications of control parameter values + for selection and assignment operations explicitly or by reference) + to enable a design and implementation that is unambiguously compliant + with the intent of the plans and subsequent determinations of risk + to organizational operations and assets, individuals, other organizations, + and the Nation if the plan is implemented. + + + Security and privacy plans need not be single documents. The plans + can be a collection of various documents, including documents that + already exist. Effective security and privacy plans make extensive + use of references to policies, procedures, and additional documents, + including design and implementation specifications where more detailed + information can be obtained. The use of references helps reduce the + documentation associated with security and privacy programs and maintains + the security- and privacy-related information in other established + management and operational areas, including enterprise architecture, + system development life cycle, systems engineering, and acquisition. + Security and privacy plans need not contain detailed contingency plan + or incident response plan information but can instead provide—explicitly + or by reference—sufficient information to define what needs to be + accomplished by those plans. + + + Security- and privacy-related activities that may require coordination + and planning with other individuals or groups within the organization + include assessments, audits, inspections, hardware and software maintenance, + acquisition and supply chain risk management, patch management, and + contingency plan testing. Planning and coordination include emergency + and nonemergency (i.e., planned or non-urgent unplanned) situations. + The process defined by organizations to plan and coordinate security- + and privacy-related activities can also be included in other documents, + as appropriate. + - id: pl-2_obj + name: assessment-objective + props: + - name: label + value: PL-02 + class: sp800-53a + parts: + - id: pl-2_obj.a + name: assessment-objective + props: + - name: label + value: PL-02a. + class: sp800-53a + parts: + - id: pl-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-02a.01 + class: sp800-53a + parts: + - id: pl-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: PL-02a.01[01] + class: sp800-53a + prose: a security plan for the system is developed that + is consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: PL-02a.01[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-02a.02 + class: sp800-53a + parts: + - id: pl-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: PL-02a.02[01] + class: sp800-53a + prose: a security plan for the system is developed that + explicitly defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: PL-02a.02[02] + class: sp800-53a + prose: a privacy plan for the system is developed that explicitly + defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-02a.03 + class: sp800-53a + parts: + - id: pl-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-02a.03[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational context of the system in terms + of mission and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-02a.03[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational context of the system in terms of mission + and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-02a.04 + class: sp800-53a + parts: + - id: pl-2_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-02a.04[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the individuals that fulfill system roles and + responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-02a.04[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the individuals that fulfill system roles and responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: PL-02a.05 + class: sp800-53a + parts: + - id: pl-2_obj.a.5-1 + name: assessment-objective + props: + - name: label + value: PL-02a.05[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the information types processed, stored, and + transmitted by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.5-2 + name: assessment-objective + props: + - name: label + value: PL-02a.05[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the information types processed, stored, and transmitted + by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: PL-02a.06 + class: sp800-53a + parts: + - id: pl-2_obj.a.6-1 + name: assessment-objective + props: + - name: label + value: PL-02a.06[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the security categorization of the system, including + supporting rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.6-2 + name: assessment-objective + props: + - name: label + value: PL-02a.06[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the security categorization of the system, including supporting + rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: PL-02a.07 + class: sp800-53a + parts: + - id: pl-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: PL-02a.07[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes any specific threats to the system that are + of concern to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: PL-02a.07[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + any specific threats to the system that are of concern + to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.8 + name: assessment-objective + props: + - name: label + value: PL-02a.08 + class: sp800-53a + parts: + - id: pl-2_obj.a.8-1 + name: assessment-objective + props: + - name: label + value: PL-02a.08[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the results of a privacy risk assessment for + systems processing personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.8-2 + name: assessment-objective + props: + - name: label + value: PL-02a.08[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the results of a privacy risk assessment for systems processing + personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.9 + name: assessment-objective + props: + - name: label + value: PL-02a.09 + class: sp800-53a + parts: + - id: pl-2_obj.a.9-1 + name: assessment-objective + props: + - name: label + value: PL-02a.09[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational environment for the system and + any dependencies on or connections to other systems or + system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.9-2 + name: assessment-objective + props: + - name: label + value: PL-02a.09[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational environment for the system and any dependencies + on or connections to other systems or system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.10 + name: assessment-objective + props: + - name: label + value: PL-02a.10 + class: sp800-53a + parts: + - id: pl-2_obj.a.10-1 + name: assessment-objective + props: + - name: label + value: PL-02a.10[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides an overview of the security requirements for + the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.10-2 + name: assessment-objective + props: + - name: label + value: PL-02a.10[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + an overview of the privacy requirements for the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.11 + name: assessment-objective + props: + - name: label + value: PL-02a.11 + class: sp800-53a + parts: + - id: pl-2_obj.a.11-1 + name: assessment-objective + props: + - name: label + value: PL-02a.11[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies any relevant control baselines or overlays, + if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.11-2 + name: assessment-objective + props: + - name: label + value: PL-02a.11[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + any relevant control baselines or overlays, if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.12 + name: assessment-objective + props: + - name: label + value: PL-02a.12 + class: sp800-53a + parts: + - id: pl-2_obj.a.12-1 + name: assessment-objective + props: + - name: label + value: PL-02a.12[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the controls in place or planned for meeting + the security requirements, including rationale for any + tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.12-2 + name: assessment-objective + props: + - name: label + value: PL-02a.12[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the controls in place or planned for meeting the privacy + requirements, including rationale for any tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.13 + name: assessment-objective + props: + - name: label + value: PL-02a.13 + class: sp800-53a + parts: + - id: pl-2_obj.a.13-1 + name: assessment-objective + props: + - name: label + value: PL-02a.13[01] + class: sp800-53a + prose: a security plan for the system is developed that + includes risk determinations for security architecture + and design decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.13-2 + name: assessment-objective + props: + - name: label + value: PL-02a.13[02] + class: sp800-53a + prose: a privacy plan for the system is developed that includes + risk determinations for privacy architecture and design + decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.14 + name: assessment-objective + props: + - name: label + value: PL-02a.14 + class: sp800-53a + parts: + - id: pl-2_obj.a.14-1 + name: assessment-objective + props: + - name: label + value: PL-02a.14[01] + class: sp800-53a + prose: "a security plan for the system is developed that\ + \ includes security-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.14-2 + name: assessment-objective + props: + - name: label + value: PL-02a.14[02] + class: sp800-53a + prose: "a privacy plan for the system is developed that\ + \ includes privacy-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.15 + name: assessment-objective + props: + - name: label + value: PL-02a.15 + class: sp800-53a + parts: + - id: pl-2_obj.a.15-1 + name: assessment-objective + props: + - name: label + value: PL-02a.15[01] + class: sp800-53a + prose: a security plan for the system is developed that + is reviewed and approved by the authorizing official or + designated representative prior to plan implementation; + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + - id: pl-2_obj.a.15-2 + name: assessment-objective + props: + - name: label + value: PL-02a.15[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + reviewed and approved by the authorizing official or designated + representative prior to plan implementation. + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a" + rel: assessment-for + - id: pl-2_obj.b + name: assessment-objective + props: + - name: label + value: PL-02b. + class: sp800-53a + parts: + - id: pl-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: PL-02b.[01] + class: sp800-53a + prose: "copies of the plans are distributed to {{ insert: param,\ + \ pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: PL-02b.[02] + class: sp800-53a + prose: "subsequent changes to the plans are communicated to\ + \ {{ insert: param, pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.c + name: assessment-objective + props: + - name: label + value: PL-02c. + class: sp800-53a + prose: "plans are reviewed {{ insert: param, pl-02_odp.03 }};" + links: + - href: "#pl-2_smt.c" + rel: assessment-for + - id: pl-2_obj.d + name: assessment-objective + props: + - name: label + value: PL-02d. + class: sp800-53a + parts: + - id: pl-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: PL-02d.[01] + class: sp800-53a + prose: plans are updated to address changes to the system and + environment of operations; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: PL-02d.[02] + class: sp800-53a + prose: plans are updated to address problems identified during + the plan implementation; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-3 + name: assessment-objective + props: + - name: label + value: PL-02d.[03] + class: sp800-53a + prose: plans are updated to address problems identified during + control assessments; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.e + name: assessment-objective + props: + - name: label + value: PL-02e. + class: sp800-53a + parts: + - id: pl-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: PL-02e.[01] + class: sp800-53a + prose: plans are protected from unauthorized disclosure; + links: + - href: "#pl-2_smt.e" + rel: assessment-for + - id: pl-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: PL-02e.[02] + class: sp800-53a + prose: plans are protected from unauthorized modification. + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt" + rel: assessment-for + - id: pl-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing security and privacy plan reviews and updates + + + enterprise architecture documentation + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + security and privacy architecture and design documentation + + + risk assessments + + + risk assessment results + + + control assessment documentation + + + other relevant documents or records + - id: pl-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system security and privacy + planning and plan implementation responsibilities + + + system developers + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system security and privacy + plan development, review, update, and approval + + + mechanisms supporting the system security and privacy plan + - id: pl-4 + class: SP800-53 + title: Rules of Behavior + params: + - id: pl-04_odp.01 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: frequency for reviewing and updating the rules of behavior + is defined; + - id: pl-04_odp.02 + constraints: + - description: at least annually and when the rules are revised or + changed + select: + how-many: one-or-more + choice: + - " {{ insert: param, pl-04_odp.03 }} " + - when the rules are revised or updated + - id: pl-04_odp.03 + label: frequency + guidelines: + - prose: frequency for individuals to read and re-acknowledge the + rules of behavior is defined (if selected); + props: + - name: label + value: PL-4 + - name: label + value: PL-04 + class: sp800-53a + - name: sort-id + value: pl-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-9" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-4_smt + name: statement + parts: + - id: pl-4_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and provide to individuals requiring access to + the system, the rules that describe their responsibilities and + expected behavior for information and system usage, security, + and privacy; + - id: pl-4_smt.b + name: item + props: + - name: label + value: b. + prose: Receive a documented acknowledgment from such individuals, + indicating that they have read, understand, and agree to abide + by the rules of behavior, before authorizing access to information + and the system; + - id: pl-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the rules of behavior {{ insert: param,\ + \ pl-04_odp.01 }} ; and" + - id: pl-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Require individuals who have acknowledged a previous version\ + \ of the rules of behavior to read and re-acknowledge {{ insert:\ + \ param, pl-04_odp.02 }}." + - id: pl-4_gdn + name: guidance + prose: Rules of behavior represent a type of access agreement for organizational + users. Other types of access agreements include nondisclosure agreements, + conflict-of-interest agreements, and acceptable use agreements (see + [PS-6](#ps-6) ). Organizations consider rules of behavior based on + individual user roles and responsibilities and differentiate between + rules that apply to privileged users and rules that apply to general + users. Establishing rules of behavior for some types of non-organizational + users, including individuals who receive information from federal + systems, is often not feasible given the large number of such users + and the limited nature of their interactions with the systems. Rules + of behavior for organizational and non-organizational users can also + be established in [AC-8](#ac-8) . The related controls section provides + a list of controls that are relevant to organizational rules of behavior. + [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the + control, may be satisfied by the literacy training and awareness and + role-based training programs conducted by organizations if such training + includes rules of behavior. Documented acknowledgements for rules + of behavior include electronic or physical signatures and electronic + agreement check boxes or radio buttons. + - id: pl-4_obj + name: assessment-objective + props: + - name: label + value: PL-04 + class: sp800-53a + parts: + - id: pl-4_obj.a + name: assessment-objective + props: + - name: label + value: PL-04a. + class: sp800-53a + parts: + - id: pl-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-04a.[01] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + established for individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-04a.[02] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + provided to individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.b + name: assessment-objective + props: + - name: label + value: PL-04b. + class: sp800-53a + prose: before authorizing access to information and the system, + a documented acknowledgement from such individuals indicating + that they have read, understand, and agree to abide by the rules + of behavior is received; + links: + - href: "#pl-4_smt.b" + rel: assessment-for + - id: pl-4_obj.c + name: assessment-objective + props: + - name: label + value: PL-04c. + class: sp800-53a + prose: "rules of behavior are reviewed and updated {{ insert: param,\ + \ pl-04_odp.01 }};" + links: + - href: "#pl-4_smt.c" + rel: assessment-for + - id: pl-4_obj.d + name: assessment-objective + props: + - name: label + value: PL-04d. + class: sp800-53a + prose: "individuals who have acknowledged a previous version of\ + \ the rules of behavior are required to read and reacknowledge\ + \ {{ insert: param, pl-04_odp.02 }}." + links: + - href: "#pl-4_smt.d" + rel: assessment-for + links: + - href: "#pl-4_smt" + rel: assessment-for + - id: pl-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + signed acknowledgements + + records for rules of behavior reviews and updates + + other relevant documents or records + - id: pl-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy training + and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed and resigned rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing, reviewing, + disseminating, and updating rules of behavior + + + mechanisms supporting and/or implementing the establishment, review, + dissemination, and update of rules of behavior + controls: + - id: pl-4.1 + class: SP800-53-enhancement + title: Social Media and External Site/Application Usage Restrictions + props: + - name: label + value: PL-4(1) + - name: label + value: PL-04(01) + class: sp800-53a + - name: sort-id + value: pl-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-4" + rel: required + - href: "#ac-22" + rel: related + - href: "#au-13" + rel: related + parts: + - id: pl-4.1_smt + name: statement + prose: "Include in the rules of behavior, restrictions on:" + parts: + - id: pl-4.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Use of social media, social networking sites, and external + sites/applications; + - id: pl-4.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Posting organizational information on public websites; + and + - id: pl-4.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Use of organization-provided identifiers (e.g., email + addresses) and authentication secrets (e.g., passwords) for + creating accounts on external sites/applications. + - id: pl-4.1_gdn + name: guidance + prose: Social media, social networking, and external site/application + usage restrictions address rules of behavior related to the use + of social media, social networking, and external sites when organizational + personnel are using such sites for official duties or in the conduct + of official business, when organizational information is involved + in social media and social networking transactions, and when personnel + access social media and networking sites from organizational systems. + Organizations also address specific rules that prevent unauthorized + entities from obtaining non-public organizational information + from social media and networking sites either directly or through + inference. Non-public information includes personally identifiable + information and system account information. + - id: pl-4.1_obj + name: assessment-objective + props: + - name: label + value: PL-04(01) + class: sp800-53a + parts: + - id: pl-4.1_obj.a + name: assessment-objective + props: + - name: label + value: PL-04(01)(a) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of social media, social networking sites, and external sites/applications; + links: + - href: "#pl-4.1_smt.a" + rel: assessment-for + - id: pl-4.1_obj.b + name: assessment-objective + props: + - name: label + value: PL-04(01)(b) + class: sp800-53a + prose: the rules of behavior include restrictions on posting + organizational information on public websites; + links: + - href: "#pl-4.1_smt.b" + rel: assessment-for + - id: pl-4.1_obj.c + name: assessment-objective + props: + - name: label + value: PL-04(01)(c) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of organization-provided identifiers (e.g., email addresses) + and authentication secrets (e.g., passwords) for creating + accounts on external sites/applications. + links: + - href: "#pl-4.1_smt.c" + rel: assessment-for + links: + - href: "#pl-4.1_smt" + rel: assessment-for + - id: pl-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + training policy + + other relevant documents or records + - id: pl-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy + training and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing rules of + behavior + + + mechanisms supporting and/or implementing the establishment + of rules of behavior + - id: pl-8 + class: SP800-53 + title: Security and Privacy Architectures + params: + - id: pl-08_odp + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: frequency for review and update to reflect changes in the + enterprise architecture; + props: + - name: label + value: PL-8 + - name: label + value: PL-08 + class: sp800-53a + - name: sort-id + value: pl-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: pl-8_smt + name: statement + parts: + - id: pl-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy architectures for the system\ + \ that:" + parts: + - id: pl-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Describe the requirements and approach to be taken for + protecting the confidentiality, integrity, and availability + of organizational information; + - id: pl-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describe the requirements and approach to be taken for + processing personally identifiable information to minimize + privacy risk to individuals; + - id: pl-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe how the architectures are integrated into and + support the enterprise architecture; and + - id: pl-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Describe any assumptions about, and dependencies on, + external systems and services; + - id: pl-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the architectures {{ insert: param, pl-08_odp\ + \ }} to reflect changes in the enterprise architecture; and" + - id: pl-8_smt.c + name: item + props: + - name: label + value: c. + prose: Reflect planned architecture changes in security and privacy + plans, Concept of Operations (CONOPS), criticality analysis, organizational + procedures, and procurements and acquisitions. + - id: pl-8_fr + name: item + title: PL-8 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: pl-8_gdn + name: guidance + prose: >- + The security and privacy architectures at the system level are + consistent with the organization-wide security and privacy + architectures described in [PM-7](#pm-7) , which are integral to + and developed as part of the enterprise architecture. The + architectures include an architectural description, the + allocation of security and privacy functionality (including + controls), security- and privacy-related information for + external interfaces, information being exchanged across the + interfaces, and the protection mechanisms associated with each + interface. The architectures can also include other information, + such as user roles and the access privileges assigned to each + role; security and privacy requirements; types of information + processed, stored, and transmitted by the system; supply chain + risk management requirements; restoration priorities of + information and system services; and other protection needs. + + [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance + on the use of security architectures as part of the system development + life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) + requires the use of the systems security engineering concepts described + in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high + value assets. Security and privacy architectures are reviewed and + updated throughout the system development life cycle, from analysis + of alternatives through review of the proposed architecture in the + RFP responses to the design reviews before and during implementation + (e.g., during preliminary design reviews and critical design reviews). + + In today’s modern computing architectures, it is becoming less common + for organizations to control all information resources. There may + be key dependencies on external information services and service providers. + Describing such dependencies in the security and privacy architectures + is necessary for developing a comprehensive mission and business protection + strategy. Establishing, developing, documenting, and maintaining under + configuration control a baseline configuration for organizational + systems is critical to implementing and maintaining effective architectures. + The development of the architectures is coordinated with the senior + agency information security officer and the senior agency official + for privacy to ensure that the controls needed to support security + and privacy requirements are identified and effectively implemented. + In many circumstances, there may be no distinction between the security + and privacy architecture for a system. In other circumstances, security + objectives may be adequately satisfied, but privacy objectives may + only be partially satisfied by the security requirements. In these + cases, consideration of the privacy requirements needed to achieve + satisfaction will result in a distinct privacy architecture. The documentation, + however, may simply reflect the combined architectures. + + [PL-8](#pl-8) is primarily directed at organizations to ensure that + architectures are developed for the system and, moreover, that the + architectures are integrated with or tightly coupled to the enterprise + architecture. In contrast, [SA-17](#sa-17) is primarily directed at + the external information technology product and system developers + and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) + , is selected when organizations outsource the development of systems + or components to external entities and when there is a need to demonstrate + consistency with the organization’s enterprise architecture and security + and privacy architectures. + - id: pl-8_obj + name: assessment-objective + props: + - name: label + value: PL-08 + class: sp800-53a + parts: + - id: pl-8_obj.a + name: assessment-objective + props: + - name: label + value: PL-08a. + class: sp800-53a + parts: + - id: pl-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-08a.01 + class: sp800-53a + prose: a security architecture for the system describes the + requirements and approach to be taken for protecting the confidentiality, + integrity, and availability of organizational information; + links: + - href: "#pl-8_smt.a.1" + rel: assessment-for + - id: pl-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-08a.02 + class: sp800-53a + prose: a privacy architecture describes the requirements and + approach to be taken for processing personally identifiable + information to minimize privacy risk to individuals; + links: + - href: "#pl-8_smt.a.2" + rel: assessment-for + - id: pl-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-08a.03 + class: sp800-53a + parts: + - id: pl-8_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-08a.03[01] + class: sp800-53a + prose: a security architecture for the system describes + how the architecture is integrated into and supports the + enterprise architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-08a.03[02] + class: sp800-53a + prose: a privacy architecture for the system describes how + the architecture is integrated into and supports the enterprise + architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-08a.04 + class: sp800-53a + parts: + - id: pl-8_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-08a.04[01] + class: sp800-53a + prose: a security architecture for the system describes + any assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + - id: pl-8_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-08a.04[02] + class: sp800-53a + prose: a privacy architecture for the system describes any + assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a" + rel: assessment-for + - id: pl-8_obj.b + name: assessment-objective + props: + - name: label + value: PL-08b. + class: sp800-53a + prose: "changes in the enterprise architecture are reviewed and\ + \ updated {{ insert: param, pl-08_odp }} to reflect changes in\ + \ the enterprise architecture;" + links: + - href: "#pl-8_smt.b" + rel: assessment-for + - id: pl-8_obj.c + name: assessment-objective + props: + - name: label + value: PL-08c. + class: sp800-53a + parts: + - id: pl-8_obj.c-1 + name: assessment-objective + props: + - name: label + value: PL-08c.[01] + class: sp800-53a + prose: planned architecture changes are reflected in the security + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-2 + name: assessment-objective + props: + - name: label + value: PL-08c.[02] + class: sp800-53a + prose: planned architecture changes are reflected in the privacy + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-3 + name: assessment-objective + props: + - name: label + value: PL-08c.[03] + class: sp800-53a + prose: planned architecture changes are reflected in the Concept + of Operations (CONOPS); + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-4 + name: assessment-objective + props: + - name: label + value: PL-08c.[04] + class: sp800-53a + prose: planned architecture changes are reflected in criticality + analysis; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-5 + name: assessment-objective + props: + - name: label + value: PL-08c.[05] + class: sp800-53a + prose: planned architecture changes are reflected in organizational + procedures; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-6 + name: assessment-objective + props: + - name: label + value: PL-08c.[06] + class: sp800-53a + prose: planned architecture changes are reflected in procurements + and acquisitions. + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt" + rel: assessment-for + - id: pl-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing information security and privacy architecture + development + + + procedures addressing information security and privacy architecture + reviews and updates + + + enterprise architecture documentation + + + information security and privacy architecture documentation + + + system security plan + + + privacy plan + + + security and privacy CONOPS for the system + + + records of information security and privacy architecture reviews + and updates + + + other relevant documents or records + - id: pl-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing, reviewing, and + updating the information security and privacy architecture + + + mechanisms supporting and/or implementing the development, review, + and update of the information security and privacy architecture + - id: pl-10 + class: SP800-53 + title: Baseline Selection + props: + - name: label + value: PL-10 + - name: label + value: PL-10 + class: sp800-53a + - name: sort-id + value: pl-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-2" + rel: related + - href: "#pl-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-10_smt + name: statement + prose: Select a control baseline for the system. + parts: + - id: pl-10_fr + name: item + title: PL-10 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Select the appropriate FedRAMP Baseline + - id: pl-10_gdn + name: guidance + prose: Control baselines are predefined sets of controls specifically + assembled to address the protection needs of a group, organization, + or community of interest. Controls are chosen for baselines to either + satisfy mandates imposed by laws, executive orders, directives, regulations, + policies, standards, and guidelines or address threats common to all + users of the baseline under the assumptions specific to the baseline. + Baselines represent a starting point for the protection of individuals’ + privacy, information, and information systems with subsequent tailoring + actions to manage risk in accordance with mission, business, or other + constraints (see [PL-11](#pl-11) ). Federal control baselines are + provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . + The selection of a control baseline is determined by the needs of + stakeholders. Stakeholder needs consider mission and business requirements + as well as mandates imposed by applicable laws, executive orders, + directives, policies, regulations, standards, and guidelines. For + example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) + and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, + along with the NIST standards and guidelines implementing the legislation, + direct organizations to select one of the control baselines after + the reviewing the information types and the information that is processed, + stored, and transmitted on the system; analyzing the potential adverse + impact of the loss or compromise of the information or system on the + organization’s operations and assets, individuals, other organizations, + or the Nation; and considering the results from system and organizational + risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) + provides guidance on control baselines for national security systems. + - id: pl-10_obj + name: assessment-objective + props: + - name: label + value: PL-10 + class: sp800-53a + prose: a control baseline for the system is selected. + links: + - href: "#pl-10_smt" + rel: assessment-for + - id: pl-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing system security and privacy plan reviews + and updates + + + system design documentation + + + system architecture and configuration documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pl-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with responsibility for organizational + risk management activities + - id: pl-11 + class: SP800-53 + title: Baseline Tailoring + props: + - name: label + value: PL-11 + - name: label + value: PL-11 + class: sp800-53a + - name: sort-id + value: pl-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-10" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-11_smt + name: statement + prose: Tailor the selected control baseline by applying specified tailoring + actions. + - id: pl-11_gdn + name: guidance + prose: The concept of tailoring allows organizations to specialize or + customize a set of baseline controls by applying a defined set of + tailoring actions. Tailoring actions facilitate such specialization + and customization by allowing organizations to develop security and + privacy plans that reflect their specific mission and business functions, + the environments where their systems operate, the threats and vulnerabilities + that can affect their systems, and any other conditions or situations + that can impact their mission or business success. Tailoring guidance + is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + . Tailoring a control baseline is accomplished by identifying and + designating common controls, applying scoping considerations, selecting + compensating controls, assigning values to control parameters, supplementing + the control baseline with additional controls as needed, and providing + information for control implementation. The general tailoring actions + in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented + with additional actions based on the needs of organizations. Tailoring + actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), + [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) + . Alternatively, other communities of interest adopting different + control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + to specialize or customize the controls that represent the specific + needs and concerns of those entities. + - id: pl-11_obj + name: assessment-objective + props: + - name: label + value: PL-11 + class: sp800-53a + prose: the selected control baseline is tailored by applying specified + tailoring actions. + links: + - href: "#pl-11_smt" + rel: assessment-for + - id: pl-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + system design documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + baseline tailoring rationale + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + other relevant documents or records + - id: pl-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ps + class: family + title: Personnel Security + controls: + - id: ps-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ps-1_prm_1 + label: organization-defined personnel or roles + - id: ps-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security policy + is to be disseminated is/are defined; + - id: ps-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security procedures + are to be disseminated is/are defined; + - id: ps-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ps-01_odp.04 + label: official + guidelines: + - prose: an official to manage the personnel security policy and procedures + is defined; + - id: ps-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current personnel security policy + is reviewed and updated is defined; + - id: ps-01_odp.06 + label: events + guidelines: + - prose: events that would require the current personnel security + policy to be reviewed and updated are defined; + - id: ps-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current personnel security procedures + are reviewed and updated is defined; + - id: ps-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the personnel security procedures + to be reviewed and updated are defined; + props: + - name: label + value: PS-1 + - name: label + value: PS-01 + class: sp800-53a + - name: sort-id + value: ps-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-1_smt + name: statement + parts: + - id: ps-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ps-1_prm_1 }}:" + parts: + - id: ps-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ps-01_odp.03 }} personnel security\ + \ policy that:" + parts: + - id: ps-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ps-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ps-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the personnel + security policy and the associated personnel security controls; + - id: ps-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ps-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures; and" + - id: ps-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current personnel security:" + parts: + - id: ps-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ps-01_odp.05 }} and following\ + \ {{ insert: param, ps-01_odp.06 }} ; and" + - id: ps-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ps-01_odp.07 }} and following\ + \ {{ insert: param, ps-01_odp.08 }}." + - id: ps-1_gdn + name: guidance + prose: Personnel security policy and procedures for the controls in + the PS family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on their development. Security and + privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission level + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies reflecting the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission/business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + personnel security policy and procedures include, but are not limited + to, assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: ps-1_obj + name: assessment-objective + props: + - name: label + value: PS-01 + class: sp800-53a + parts: + - id: ps-1_obj.a + name: assessment-objective + props: + - name: label + value: PS-01a. + class: sp800-53a + parts: + - id: ps-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.[01] + class: sp800-53a + prose: a personnel security policy is developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.[02] + class: sp800-53a + prose: "the personnel security policy is disseminated to {{\ + \ insert: param, ps-01_odp.01 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.[03] + class: sp800-53a + prose: personnel security procedures to facilitate the implementation + of the personnel security policy and associated personnel + security controls are developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.[04] + class: sp800-53a + prose: "the personnel security procedures are disseminated to\ + \ {{ insert: param, ps-01_odp.02 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PS-01a.01 + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PS-01a.01(a) + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses purpose;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses scope;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses roles;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses responsibilities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses management commitment;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses compliance;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PS-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ps-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1" + rel: assessment-for + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.b + name: assessment-objective + props: + - name: label + value: PS-01b. + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures;" + links: + - href: "#ps-1_smt.b" + rel: assessment-for + - id: ps-1_obj.c + name: assessment-objective + props: + - name: label + value: PS-01c. + class: sp800-53a + parts: + - id: ps-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-01c.01 + class: sp800-53a + parts: + - id: ps-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PS-01c.01[01] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated {{ insert: param, ps-01_odp.05 }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PS-01c.01[02] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated following {{ insert: param, ps-01_odp.06\ + \ }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-01c.02 + class: sp800-53a + parts: + - id: ps-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PS-01c.02[01] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated {{ insert: param, ps-01_odp.07 }};" + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + - id: ps-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PS-01c.02[02] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated following {{ insert: param, ps-01_odp.08\ + \ }}." + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c" + rel: assessment-for + links: + - href: "#ps-1_smt" + rel: assessment-for + - id: ps-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: ps-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2 + class: SP800-53 + title: Position Risk Designation + params: + - id: ps-02_odp + label: frequency + constraints: + - description: at least every three years + guidelines: + - prose: the frequency at which to review and update position risk + designations is defined; + props: + - name: label + value: PS-2 + - name: label + value: PS-02 + class: sp800-53a + - name: sort-id + value: ps-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#a5ef5e56-5c1a-4911-b419-37dddc1b3581" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-5" + rel: related + - href: "#at-3" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-2_smt + name: statement + parts: + - id: ps-2_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a risk designation to all organizational positions; + - id: ps-2_smt.b + name: item + props: + - name: label + value: b. + prose: Establish screening criteria for individuals filling those + positions; and + - id: ps-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update position risk designations {{ insert:\ + \ param, ps-02_odp }}." + - id: ps-2_gdn + name: guidance + prose: Position risk designations reflect Office of Personnel Management + (OPM) policy and guidance. Proper position designation is the foundation + of an effective and consistent suitability and personnel security + program. The Position Designation System (PDS) assesses the duties + and responsibilities of a position to determine the degree of potential + damage to the efficiency or integrity of the service due to misconduct + of an incumbent of a position and establishes the risk level of that + position. The PDS assessment also determines if the duties and responsibilities + of the position present the potential for position incumbents to bring + about a material adverse effect on national security and the degree + of that potential effect, which establishes the sensitivity level + of a position. The results of the assessment determine what level + of investigation is conducted for a position. Risk designations can + guide and inform the types of authorizations that individuals receive + when accessing organizational information and information systems. + Position screening criteria include explicit information security + role appointment requirements. Parts 1400 and 731 of Title 5, Code + of Federal Regulations, establish the requirements for organizations + to evaluate relevant covered positions for a position sensitivity + and position risk designation commensurate with the duties and responsibilities + of those positions. + - id: ps-2_obj + name: assessment-objective + props: + - name: label + value: PS-02 + class: sp800-53a + parts: + - id: ps-2_obj.a + name: assessment-objective + props: + - name: label + value: PS-02a. + class: sp800-53a + prose: a risk designation is assigned to all organizational positions; + links: + - href: "#ps-2_smt.a" + rel: assessment-for + - id: ps-2_obj.b + name: assessment-objective + props: + - name: label + value: PS-02b. + class: sp800-53a + prose: screening criteria are established for individuals filling + organizational positions; + links: + - href: "#ps-2_smt.b" + rel: assessment-for + - id: ps-2_obj.c + name: assessment-objective + props: + - name: label + value: PS-02c. + class: sp800-53a + prose: "position risk designations are reviewed and updated {{ insert:\ + \ param, ps-02_odp }}." + links: + - href: "#ps-2_smt.c" + rel: assessment-for + links: + - href: "#ps-2_smt" + rel: assessment-for + - id: ps-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing position categorization + + appropriate codes of federal regulations + + list of risk designations for organizational positions + + records of position risk designation reviews and updates + + system security plan + + other relevant documents or records + - id: ps-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assigning, reviewing, and + updating position risk designations + + + organizational processes for establishing screening criteria + - id: ps-3 + class: SP800-53 + title: Personnel Screening + params: + - id: ps-3_prm_1 + label: organization-defined conditions requiring rescreening and, where + rescreening is so indicated, the frequency of rescreening + constraints: + - description: >- + for national security clearances; a reinvestigation is + required during the fifth (5th) year for top secret security + clearance, the tenth (10th) year for secret security + clearance, and fifteenth (15th) year for confidential + security clearance. + + + For moderate risk law enforcement and high impact public trust + level, a reinvestigation is required during the fifth (5th) year. + There is no reinvestigation for other moderate risk positions + or any low risk positions + - id: ps-03_odp.01 + label: conditions requiring rescreening + guidelines: + - prose: conditions requiring rescreening of individuals are defined; + - id: ps-03_odp.02 + label: frequency + guidelines: + - prose: the frequency of rescreening individuals where it is so indicated + is defined; + props: + - name: label + value: PS-3 + - name: label + value: PS-03 + class: sp800-53a + - name: sort-id + value: ps-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#55b0c93a-5e48-457a-baa6-5ce81c239c49" + rel: reference + - href: "#0af071a6-cf8e-48ee-8c82-fe91efa20f94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-3_smt + name: statement + parts: + - id: ps-3_smt.a + name: item + props: + - name: label + value: a. + prose: Screen individuals prior to authorizing access to the system; + and + - id: ps-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Rescreen individuals in accordance with {{ insert: param,\ + \ ps-3_prm_1 }}." + - id: ps-3_gdn + name: guidance + prose: Personnel screening and rescreening activities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + guidelines, and specific criteria established for the risk designations + of assigned positions. Examples of personnel screening include background + investigations and agency checks. Organizations may define different + rescreening conditions and frequencies for personnel accessing systems + based on types of information processed, stored, or transmitted by + the systems. + - id: ps-3_obj + name: assessment-objective + props: + - name: label + value: PS-03 + class: sp800-53a + parts: + - id: ps-3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03a. + class: sp800-53a + prose: individuals are screened prior to authorizing access to the + system; + links: + - href: "#ps-3_smt.a" + rel: assessment-for + - id: ps-3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03b. + class: sp800-53a + parts: + - id: ps-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: PS-03b.[01] + class: sp800-53a + prose: "individuals are rescreened in accordance with {{ insert:\ + \ param, ps-03_odp.01 }};" + links: + - href: "#ps-3_smt.b" + rel: assessment-for + - id: ps-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: PS-03b.[02] + class: sp800-53a + prose: "where rescreening is so indicated, individuals are rescreened\ + \ {{ insert: param, ps-03_odp.02 }}." + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt" + rel: assessment-for + - id: ps-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel screening + + records of screened personnel + + system security plan + + other relevant documents or records + - id: ps-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for personnel screening + - id: ps-4 + class: SP800-53 + title: Personnel Termination + params: + - id: ps-04_odp.01 + label: time period + constraints: + - description: four (4) hours + guidelines: + - prose: a time period within which to disable system access is defined; + - id: ps-04_odp.02 + label: information security topics + guidelines: + - prose: information security topics to be discussed when conducting + exit interviews are defined; + props: + - name: label + value: PS-4 + - name: label + value: PS-04 + class: sp800-53a + - name: sort-id + value: ps-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-4_smt + name: statement + prose: "Upon termination of individual employment:" + parts: + - id: ps-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Disable system access within {{ insert: param, ps-04_odp.01\ + \ }};" + - id: ps-4_smt.b + name: item + props: + - name: label + value: b. + prose: Terminate or revoke any authenticators and credentials associated + with the individual; + - id: ps-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct exit interviews that include a discussion of {{\ + \ insert: param, ps-04_odp.02 }};" + - id: ps-4_smt.d + name: item + props: + - name: label + value: d. + prose: Retrieve all security-related organizational system-related + property; and + - id: ps-4_smt.e + name: item + props: + - name: label + value: e. + prose: Retain access to organizational information and systems formerly + controlled by terminated individual. + - id: ps-4_gdn + name: guidance + prose: System property includes hardware authentication tokens, system + administration technical manuals, keys, identification cards, and + building passes. Exit interviews ensure that terminated individuals + understand the security constraints imposed by being former employees + and that proper accountability is achieved for system-related property. + Security topics at exit interviews include reminding individuals of + nondisclosure agreements and potential limitations on future employment. + Exit interviews may not always be possible for some individuals, including + in cases related to the unavailability of supervisors, illnesses, + or job abandonment. Exit interviews are important for individuals + with security clearances. The timely execution of termination actions + is essential for individuals who have been terminated for cause. In + certain situations, organizations consider disabling the system accounts + of individuals who are being terminated prior to the individuals being + notified. + - id: ps-4_obj + name: assessment-objective + props: + - name: label + value: PS-04 + class: sp800-53a + parts: + - id: ps-4_obj.a + name: assessment-objective + props: + - name: label + value: PS-04a. + class: sp800-53a + prose: "upon termination of individual employment, system access\ + \ is disabled within {{ insert: param, ps-04_odp.01 }};" + links: + - href: "#ps-4_smt.a" + rel: assessment-for + - id: ps-4_obj.b + name: assessment-objective + props: + - name: label + value: PS-04b. + class: sp800-53a + prose: upon termination of individual employment, any authenticators + and credentials are terminated or revoked; + links: + - href: "#ps-4_smt.b" + rel: assessment-for + - id: ps-4_obj.c + name: assessment-objective + props: + - name: label + value: PS-04c. + class: sp800-53a + prose: "upon termination of individual employment, exit interviews\ + \ that include a discussion of {{ insert: param, ps-04_odp.02\ + \ }} are conducted;" + links: + - href: "#ps-4_smt.c" + rel: assessment-for + - id: ps-4_obj.d + name: assessment-objective + props: + - name: label + value: PS-04d. + class: sp800-53a + prose: upon termination of individual employment, all security-related + organizational system-related property is retrieved; + links: + - href: "#ps-4_smt.d" + rel: assessment-for + - id: ps-4_obj.e + name: assessment-objective + props: + - name: label + value: PS-04e. + class: sp800-53a + prose: upon termination of individual employment, access to organizational + information and systems formerly controlled by the terminated + individual are retained. + links: + - href: "#ps-4_smt.e" + rel: assessment-for + links: + - href: "#ps-4_smt" + rel: assessment-for + - id: ps-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel termination + + records of personnel termination actions + + list of system accounts + + records of terminated or revoked authenticators/credentials + + records of exit interviews + + system security plan + + other relevant documents or records + - id: ps-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel termination + + + mechanisms supporting and/or implementing personnel termination + notifications + + + mechanisms for disabling system access/revoking authenticators + - id: ps-5 + class: SP800-53 + title: Personnel Transfer + params: + - id: ps-05_odp.01 + label: transfer or reassignment actions + guidelines: + - prose: transfer or reassignment actions to be initiated following + transfer or reassignment are defined; + - id: ps-05_odp.02 + label: time period following the formal transfer action + constraints: + - description: "twenty-four (24) hours " + guidelines: + - prose: the time period within which transfer or reassignment actions + must occur following transfer or reassignment is defined; + - id: ps-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified when individuals are reassigned + or transferred to other positions within the organization is/are + defined; + - id: ps-05_odp.04 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify organization-defined personnel + or roles when individuals are reassigned or transferred to other + positions within the organization is defined; + props: + - name: label + value: PS-5 + - name: label + value: PS-05 + class: sp800-53a + - name: sort-id + value: ps-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-5_smt + name: statement + parts: + - id: ps-5_smt.a + name: item + props: + - name: label + value: a. + prose: Review and confirm ongoing operational need for current logical + and physical access authorizations to systems and facilities when + individuals are reassigned or transferred to other positions within + the organization; + - id: ps-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert:\ + \ param, ps-05_odp.02 }};" + - id: ps-5_smt.c + name: item + props: + - name: label + value: c. + prose: Modify access authorization as needed to correspond with + any changes in operational need due to reassignment or transfer; + and + - id: ps-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert:\ + \ param, ps-05_odp.04 }}." + - id: ps-5_gdn + name: guidance + prose: Personnel transfer applies when reassignments or transfers of + individuals are permanent or of such extended duration as to make + the actions warranted. Organizations define actions appropriate for + the types of reassignments or transfers, whether permanent or extended. + Actions that may be required for personnel transfers or reassignments + to other positions within organizations include returning old and + issuing new keys, identification cards, and building passes; closing + system accounts and establishing new accounts; changing system access + authorizations (i.e., privileges); and providing for access to official + records to which individuals had access at previous work locations + and in previous system accounts. + - id: ps-5_obj + name: assessment-objective + props: + - name: label + value: PS-05 + class: sp800-53a + parts: + - id: ps-5_obj.a + name: assessment-objective + props: + - name: label + value: PS-05a. + class: sp800-53a + prose: the ongoing operational need for current logical and physical + access authorizations to systems and facilities are reviewed and + confirmed when individuals are reassigned or transferred to other + positions within the organization; + links: + - href: "#ps-5_smt.a" + rel: assessment-for + - id: ps-5_obj.b + name: assessment-objective + props: + - name: label + value: PS-05b. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.01 }} are initiated within\ + \ {{ insert: param, ps-05_odp.02 }};" + links: + - href: "#ps-5_smt.b" + rel: assessment-for + - id: ps-5_obj.c + name: assessment-objective + props: + - name: label + value: PS-05c. + class: sp800-53a + prose: access authorization is modified as needed to correspond + with any changes in operational need due to reassignment or transfer; + links: + - href: "#ps-5_smt.c" + rel: assessment-for + - id: ps-5_obj.d + name: assessment-objective + props: + - name: label + value: PS-05d. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.03 }} are notified within {{\ + \ insert: param, ps-05_odp.04 }}." + links: + - href: "#ps-5_smt.d" + rel: assessment-for + links: + - href: "#ps-5_smt" + rel: assessment-for + - id: ps-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel transfer + + records of personnel transfer actions + + list of system and facility access authorizations + + system security plan + + other relevant documents or records + - id: ps-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel transfer + + + mechanisms supporting and/or implementing personnel transfer notifications + + + mechanisms for disabling system access/revoking authenticators + - id: ps-6 + class: SP800-53 + title: Access Agreements + params: + - id: ps-06_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update access agreements + is defined; + - id: ps-06_odp.02 + label: frequency + constraints: + - description: at least annually and any time there is a change to + the user's level of access + guidelines: + - prose: the frequency at which to re-sign access agreements to maintain + access to organizational information is defined; + props: + - name: label + value: PS-6 + - name: label + value: PS-06 + class: sp800-53a + - name: sort-id + value: ps-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-17" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-6_smt + name: statement + parts: + - id: ps-6_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and document access agreements for organizational + systems; + - id: ps-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the access agreements {{ insert: param,\ + \ ps-06_odp.01 }} ; and" + - id: ps-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Verify that individuals requiring access to organizational\ + \ information and systems:" + parts: + - id: ps-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Sign appropriate access agreements prior to being granted + access; and + - id: ps-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Re-sign access agreements to maintain access to organizational\ + \ systems when access agreements have been updated or {{ insert:\ + \ param, ps-06_odp.02 }}." + - id: ps-6_gdn + name: guidance + prose: Access agreements include nondisclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements. + Signed access agreements include an acknowledgement that individuals + have read, understand, and agree to abide by the constraints associated + with organizational systems to which access is authorized. Organizations + can use electronic signatures to acknowledge access agreements unless + specifically prohibited by organizational policy. + - id: ps-6_obj + name: assessment-objective + props: + - name: label + value: PS-06 + class: sp800-53a + parts: + - id: ps-6_obj.a + name: assessment-objective + props: + - name: label + value: PS-06a. + class: sp800-53a + prose: access agreements are developed and documented for organizational + systems; + links: + - href: "#ps-6_smt.a" + rel: assessment-for + - id: ps-6_obj.b + name: assessment-objective + props: + - name: label + value: PS-06b. + class: sp800-53a + prose: "the access agreements are reviewed and updated {{ insert:\ + \ param, ps-06_odp.01 }};" + links: + - href: "#ps-6_smt.b" + rel: assessment-for + - id: ps-6_obj.c + name: assessment-objective + props: + - name: label + value: PS-06c. + class: sp800-53a + parts: + - id: ps-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-06c.01 + class: sp800-53a + prose: individuals requiring access to organizational information + and systems sign appropriate access agreements prior to being + granted access; + links: + - href: "#ps-6_smt.c.1" + rel: assessment-for + - id: ps-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-06c.02 + class: sp800-53a + prose: "individuals requiring access to organizational information\ + \ and systems re-sign access agreements to maintain access\ + \ to organizational systems when access agreements have been\ + \ updated or {{ insert: param, ps-06_odp.02 }}." + links: + - href: "#ps-6_smt.c.2" + rel: assessment-for + links: + - href: "#ps-6_smt.c" + rel: assessment-for + links: + - href: "#ps-6_smt" + rel: assessment-for + - id: ps-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing access agreements for organizational information + and systems + + + access control policy + + + access control procedures + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + documentation of access agreement reviews, updates, and re-signing + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ps-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel who have signed/resigned access agreements + + + organizational personnel with information security and privacy + responsibilities + - id: ps-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for reviewing, updating, and + re-signing access agreements + + + mechanisms supporting the reviewing, updating, and re-signing + of access agreements + - id: ps-7 + class: SP800-53 + title: External Personnel Security + params: + - id: ps-07_odp.01 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system and/or facilities, as appropriate + guidelines: + - prose: personnel or roles to be notified of any personnel transfers + or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is/are + defined; + - id: ps-07_odp.02 + label: time period + constraints: + - description: within twenty-four (24) hours + guidelines: + - prose: time period within which third-party providers are required + to notify organization-defined personnel or roles of any personnel + transfers or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is defined; + props: + - name: label + value: PS-7 + - name: label + value: PS-07 + class: sp800-53a + - name: sort-id + value: ps-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-7_smt + name: statement + parts: + - id: ps-7_smt.a + name: item + props: + - name: label + value: a. + prose: Establish personnel security requirements, including security + roles and responsibilities for external providers; + - id: ps-7_smt.b + name: item + props: + - name: label + value: b. + prose: Require external providers to comply with personnel security + policies and procedures established by the organization; + - id: ps-7_smt.c + name: item + props: + - name: label + value: c. + prose: Document personnel security requirements; + - id: ps-7_smt.d + name: item + props: + - name: label + value: d. + prose: "Require external providers to notify {{ insert: param, ps-07_odp.01\ + \ }} of any personnel transfers or terminations of external personnel\ + \ who possess organizational credentials and/or badges, or who\ + \ have system privileges within {{ insert: param, ps-07_odp.02\ + \ }} ; and" + - id: ps-7_smt.e + name: item + props: + - name: label + value: e. + prose: Monitor provider compliance with personnel security requirements. + - id: ps-7_gdn + name: guidance + prose: External provider refers to organizations other than the organization + operating or acquiring the system. External providers include service + bureaus, contractors, and other organizations that provide system + development, information technology services, testing or assessment + services, outsourced applications, and network/security management. + Organizations explicitly include personnel security requirements in + acquisition-related documents. External providers may have personnel + working at organizational facilities with credentials, badges, or + system privileges issued by organizations. Notifications of external + personnel changes ensure the appropriate termination of privileges + and credentials. Organizations define the transfers and terminations + deemed reportable by security-related characteristics that include + functions, roles, and the nature of credentials or privileges associated + with transferred or terminated individuals. + - id: ps-7_obj + name: assessment-objective + props: + - name: label + value: PS-07 + class: sp800-53a + parts: + - id: ps-7_obj.a + name: assessment-objective + props: + - name: label + value: PS-07a. + class: sp800-53a + prose: personnel security requirements are established, including + security roles and responsibilities for external providers; + links: + - href: "#ps-7_smt.a" + rel: assessment-for + - id: ps-7_obj.b + name: assessment-objective + props: + - name: label + value: PS-07b. + class: sp800-53a + prose: external providers are required to comply with personnel + security policies and procedures established by the organization; + links: + - href: "#ps-7_smt.b" + rel: assessment-for + - id: ps-7_obj.c + name: assessment-objective + props: + - name: label + value: PS-07c. + class: sp800-53a + prose: personnel security requirements are documented; + links: + - href: "#ps-7_smt.c" + rel: assessment-for + - id: ps-7_obj.d + name: assessment-objective + props: + - name: label + value: PS-07d. + class: sp800-53a + prose: "external providers are required to notify {{ insert: param,\ + \ ps-07_odp.01 }} of any personnel transfers or terminations of\ + \ external personnel who possess organizational credentials and/or\ + \ badges or who have system privileges within {{ insert: param,\ + \ ps-07_odp.02 }};" + links: + - href: "#ps-7_smt.d" + rel: assessment-for + - id: ps-7_obj.e + name: assessment-objective + props: + - name: label + value: PS-07e. + class: sp800-53a + prose: provider compliance with personnel security requirements + is monitored. + links: + - href: "#ps-7_smt.e" + rel: assessment-for + links: + - href: "#ps-7_smt" + rel: assessment-for + - id: ps-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing external personnel security + + list of personnel security requirements + + acquisition documents + + service-level agreements + + compliance monitoring process + + system security plan + + other relevant documents or records + - id: ps-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + external providers + + + system/network administrators + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + - id: ps-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing and monitoring + external personnel security + + + mechanisms supporting and/or implementing the monitoring of provider + compliance + - id: ps-8 + class: SP800-53 + title: Personnel Sanctions + params: + - id: ps-08_odp.01 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to be notified when a formal employee + sanctions process is initiated is/are defined; + - id: ps-08_odp.02 + label: time period + guidelines: + - prose: the time period within which organization-defined personnel + or roles must be notified when a formal employee sanctions process + is initiated is defined; + props: + - name: label + value: PS-8 + - name: label + value: PS-08 + class: sp800-53a + - name: sort-id + value: ps-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-1" + rel: related + parts: + - id: ps-8_smt + name: statement + parts: + - id: ps-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ a formal sanctions process for individuals failing + to comply with established information security and privacy policies + and procedures; and + - id: ps-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert:\ + \ param, ps-08_odp.02 }} when a formal employee sanctions process\ + \ is initiated, identifying the individual sanctioned and the\ + \ reason for the sanction." + - id: ps-8_gdn + name: guidance + prose: Organizational sanctions reflect applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Sanctions + processes are described in access agreements and can be included as + part of general personnel policies for organizations and/or specified + in security and privacy policies. Organizations consult with the Office + of the General Counsel regarding matters of employee sanctions. + - id: ps-8_obj + name: assessment-objective + props: + - name: label + value: PS-08 + class: sp800-53a + parts: + - id: ps-8_obj.a + name: assessment-objective + props: + - name: label + value: PS-08a. + class: sp800-53a + prose: a formal sanctions process is employed for individuals failing + to comply with established information security and privacy policies + and procedures; + links: + - href: "#ps-8_smt.a" + rel: assessment-for + - id: ps-8_obj.b + name: assessment-objective + props: + - name: label + value: PS-08b. + class: sp800-53a + prose: " {{ insert: param, ps-08_odp.01 }} is/are notified within\ + \ {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions\ + \ process is initiated, identifying the individual sanctioned\ + \ and the reason for the sanction." + links: + - href: "#ps-8_smt.b" + rel: assessment-for + links: + - href: "#ps-8_smt" + rel: assessment-for + - id: ps-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing personnel sanctions + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + list of personnel or roles to be notified of formal employee sanctions + + + records or notifications of formal employee sanctions + + + system security plan + + + privacy plan + + + personally identifiable information processing policy + + + other relevant documents or records + - id: ps-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + legal counsel + + + organizational personnel with information security and privacy + responsibilities + - id: ps-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing formal employee + sanctions + + + mechanisms supporting and/or implementing formal employee sanctions + notifications + - id: ps-9 + class: SP800-53 + title: Position Descriptions + props: + - name: label + value: PS-9 + - name: label + value: PS-09 + class: sp800-53a + - name: sort-id + value: ps-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + parts: + - id: ps-9_smt + name: statement + prose: Incorporate security and privacy roles and responsibilities into + organizational position descriptions. + - id: ps-9_gdn + name: guidance + prose: Specification of security and privacy roles in individual organizational + position descriptions facilitates clarity in understanding the security + or privacy responsibilities associated with the roles and the role-based + security and privacy training requirements for the roles. + - id: ps-9_obj + name: assessment-objective + props: + - name: label + value: PS-09 + class: sp800-53a + parts: + - id: ps-9_obj-1 + name: assessment-objective + props: + - name: label + value: PS-09[01] + class: sp800-53a + prose: security roles and responsibilities are incorporated into + organizational position descriptions; + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_obj-2 + name: assessment-objective + props: + - name: label + value: PS-09[02] + class: sp800-53a + prose: privacy roles and responsibilities are incorporated into + organizational position descriptions. + links: + - href: "#ps-9_smt" + rel: assessment-for + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + procedures addressing position descriptions + + security and privacy position descriptions + + system security plan + + privacy plan + + privacy program plan + + other relevant documents or records + - id: ps-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with human capital management responsibilities + - id: ps-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing position descriptions + - id: ra + class: family + title: Risk Assessment + controls: + - id: ra-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ra-1_prm_1 + label: organization-defined personnel or roles + - id: ra-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment policy is + to be disseminated is/are defined; + - id: ra-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment procedures + are to be disseminated is/are defined; + - id: ra-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ra-01_odp.04 + label: official + guidelines: + - prose: an official to manage the risk assessment policy and procedures + is defined; + - id: ra-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current risk assessment policy + is reviewed and updated is defined; + - id: ra-01_odp.06 + label: events + guidelines: + - prose: events that would require the current risk assessment policy + to be reviewed and updated are defined; + - id: ra-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current risk assessment procedures + are reviewed and updated is defined; + - id: ra-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require risk assessment procedures to be + reviewed and updated are defined; + props: + - name: label + value: RA-1 + - name: label + value: RA-01 + class: sp800-53a + - name: sort-id + value: ra-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-1_smt + name: statement + parts: + - id: ra-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ra-1_prm_1 }}:" + parts: + - id: ra-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ra-01_odp.03 }} risk assessment policy\ + \ that:" + parts: + - id: ra-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ra-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ra-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the risk + assessment policy and the associated risk assessment controls; + - id: ra-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ra-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures; and" + - id: ra-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current risk assessment:" + parts: + - id: ra-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ra-01_odp.05 }} and following\ + \ {{ insert: param, ra-01_odp.06 }} ; and" + - id: ra-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ra-01_odp.07 }} and following\ + \ {{ insert: param, ra-01_odp.08 }}." + - id: ra-1_gdn + name: guidance + prose: Risk assessment policy and procedures address the controls in + the RA family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of risk assessment + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to risk assessment policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ra-1_obj + name: assessment-objective + props: + - name: label + value: RA-01 + class: sp800-53a + parts: + - id: ra-1_obj.a + name: assessment-objective + props: + - name: label + value: RA-01a. + class: sp800-53a + parts: + - id: ra-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.[01] + class: sp800-53a + prose: a risk assessment policy is developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.[02] + class: sp800-53a + prose: "the risk assessment policy is disseminated to {{ insert:\ + \ param, ra-01_odp.01 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.[03] + class: sp800-53a + prose: risk assessment procedures to facilitate the implementation + of the risk assessment policy and associated risk assessment + controls are developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.[04] + class: sp800-53a + prose: "the risk assessment procedures are disseminated to {{\ + \ insert: param, ra-01_odp.02 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-01a.01 + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: RA-01a.01(a) + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses purpose;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses scope;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses roles;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses responsibilities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses management commitment;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses compliance;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: RA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy is consistent with applicable laws, executive\ + \ orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ra-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1" + rel: assessment-for + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.b + name: assessment-objective + props: + - name: label + value: RA-01b. + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures;" + links: + - href: "#ra-1_smt.b" + rel: assessment-for + - id: ra-1_obj.c + name: assessment-objective + props: + - name: label + value: RA-01c. + class: sp800-53a + parts: + - id: ra-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: RA-01c.01 + class: sp800-53a + parts: + - id: ra-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: RA-01c.01[01] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated {{ insert: param, ra-01_odp.05 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: RA-01c.01[02] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated following {{ insert: param, ra-01_odp.06 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: RA-01c.02 + class: sp800-53a + parts: + - id: ra-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: RA-01c.02[01] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated {{ insert: param, ra-01_odp.07 }};" + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + - id: ra-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: RA-01c.02[02] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated following {{ insert: param, ra-01_odp.08\ + \ }}." + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c" + rel: assessment-for + links: + - href: "#ra-1_smt" + rel: assessment-for + - id: ra-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2 + class: SP800-53 + title: Security Categorization + props: + - name: label + value: RA-2 + - name: label + value: RA-02 + class: sp800-53a + - name: sort-id + value: ra-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#cm-8" + rel: related + - href: "#mp-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-2_smt + name: statement + parts: + - id: ra-2_smt.a + name: item + props: + - name: label + value: a. + prose: Categorize the system and information it processes, stores, + and transmits; + - id: ra-2_smt.b + name: item + props: + - name: label + value: b. + prose: Document the security categorization results, including supporting + rationale, in the security plan for the system; and + - id: ra-2_smt.c + name: item + props: + - name: label + value: c. + prose: Verify that the authorizing official or authorizing official + designated representative reviews and approves the security categorization + decision. + - id: ra-2_gdn + name: guidance + prose: >- + Security categories describe the potential adverse impacts or + negative consequences to organizational operations, + organizational assets, and individuals if organizational + information and systems are compromised through a loss of + confidentiality, integrity, or availability. Security + categorization is also a type of asset loss characterization in + systems security engineering processes that is carried out + throughout the system development life cycle. Organizations can + use privacy risk assessments or privacy impact assessments to + better understand the potential adverse effects on individuals. + [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides + additional guidance on categorization for national security + systems. + + + Organizations conduct the security categorization process as an organization-wide + activity with the direct involvement of chief information officers, + senior agency information security officers, senior agency officials + for privacy, system owners, mission and business owners, and information + owners or stewards. Organizations consider the potential adverse impacts + to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) + and Homeland Security Presidential Directives, potential national-level + adverse impacts. + + + Security categorization processes facilitate the development of inventories + of information assets and, along with [CM-8](#cm-8) , mappings to + specific system components where information is processed, stored, + or transmitted. The security categorization process is revisited throughout + the system development life cycle to ensure that the security categories + remain accurate and relevant. + - id: ra-2_obj + name: assessment-objective + props: + - name: label + value: RA-02 + class: sp800-53a + parts: + - id: ra-2_obj.a + name: assessment-objective + props: + - name: label + value: RA-02a. + class: sp800-53a + prose: the system and the information it processes, stores, and + transmits are categorized; + links: + - href: "#ra-2_smt.a" + rel: assessment-for + - id: ra-2_obj.b + name: assessment-objective + props: + - name: label + value: RA-02b. + class: sp800-53a + prose: the security categorization results, including supporting + rationale, are documented in the security plan for the system; + links: + - href: "#ra-2_smt.b" + rel: assessment-for + - id: ra-2_obj.c + name: assessment-objective + props: + - name: label + value: RA-02c. + class: sp800-53a + prose: the authorizing official or authorizing official designated + representative reviews and approves the security categorization + decision. + links: + - href: "#ra-2_smt.c" + rel: assessment-for + links: + - href: "#ra-2_smt" + rel: assessment-for + - id: ra-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + security planning policy and procedures + + + procedures addressing security categorization of organizational + information and systems + + + security categorization documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ra-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security categorization and + risk assessment responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for security categorization + - id: ra-3 + class: SP800-53 + title: Risk Assessment + params: + - id: ra-03_odp.01 + constraints: + - description: security assessment report + select: + choice: + - security and privacy plans + - risk assessment report + - " {{ insert: param, ra-03_odp.02 }} " + - id: ra-03_odp.02 + label: document + guidelines: + - prose: a document in which risk assessment results are to be documented + (if not documented in the security and privacy plans or risk assessment + report) is defined (if selected); + - id: ra-03_odp.03 + label: frequency + constraints: + - description: at least every three (3) years and when a significant + change occurs + guidelines: + - prose: the frequency to review risk assessment results is defined; + - id: ra-03_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom risk assessment results are to + be disseminated is/are defined; + - id: ra-03_odp.05 + label: frequency + constraints: + - description: at least every three (3) years + guidelines: + - prose: the frequency to update the risk assessment is defined; + props: + - name: label + value: RA-3 + - name: label + value: RA-03 + class: sp800-53a + - name: sort-id + value: ra-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-3" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-8" + rel: related + - href: "#pe-18" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-28" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-3_smt + name: statement + parts: + - id: ra-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct a risk assessment, including:" + parts: + - id: ra-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifying threats to and vulnerabilities in the system; + - id: ra-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Determining the likelihood and magnitude of harm from + unauthorized access, use, disclosure, disruption, modification, + or destruction of the system, the information it processes, + stores, or transmits, and any related information; and + - id: ra-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Determining the likelihood and impact of adverse effects + on individuals arising from the processing of personally identifiable + information; + - id: ra-3_smt.b + name: item + props: + - name: label + value: b. + prose: Integrate risk assessment results and risk management decisions + from the organization and mission or business process perspectives + with system-level risk assessments; + - id: ra-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document risk assessment results in {{ insert: param, ra-03_odp.01\ + \ }};" + - id: ra-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Review risk assessment results {{ insert: param, ra-03_odp.03\ + \ }};" + - id: ra-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Disseminate risk assessment results to {{ insert: param,\ + \ ra-03_odp.04 }} ; and" + - id: ra-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Update the risk assessment {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + - id: ra-3_fr + name: item + title: RA-3 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: ra-3_fr_smt.1 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: Include all Authorizing Officials; for JAB authorizations + to include FedRAMP. + - id: ra-3_gdn + name: guidance + prose: >- + Risk assessments consider threats, vulnerabilities, likelihood, + and impact to organizational operations and assets, individuals, + other organizations, and the Nation. Risk assessments also + consider risk from external parties, including contractors who + operate systems on behalf of the organization, individuals who + access organizational systems, service providers, and + outsourcing entities. + + + Organizations can conduct risk assessments at all three levels in + the risk management hierarchy (i.e., organization level, mission/business + process level, or information system level) and at any stage in the + system development life cycle. Risk assessments can also be conducted + at various steps in the Risk Management Framework, including preparation, + categorization, control selection, control implementation, control + assessment, authorization, and control monitoring. Risk assessment + is an ongoing activity carried out throughout the system development + life cycle. + + + Risk assessments can also address information related to the system, + including system design, the intended use of the system, testing results, + and supply chain-related information or artifacts. Risk assessments + can play an important role in control selection processes, particularly + during the application of tailoring guidance and in the earliest phases + of capability determination. + - id: ra-3_obj + name: assessment-objective + props: + - name: label + value: RA-03 + class: sp800-53a + parts: + - id: ra-3_obj.a + name: assessment-objective + props: + - name: label + value: RA-03a. + class: sp800-53a + parts: + - id: ra-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-03a.01 + class: sp800-53a + prose: a risk assessment is conducted to identify threats to + and vulnerabilities in the system; + links: + - href: "#ra-3_smt.a.1" + rel: assessment-for + - id: ra-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: RA-03a.02 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and magnitude of harm from unauthorized access, use, disclosure, + disruption, modification, or destruction of the system; the + information it processes, stores, or transmits; and any related + information; + links: + - href: "#ra-3_smt.a.2" + rel: assessment-for + - id: ra-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: RA-03a.03 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and impact of adverse effects on individuals arising from + the processing of personally identifiable information; + links: + - href: "#ra-3_smt.a.3" + rel: assessment-for + links: + - href: "#ra-3_smt.a" + rel: assessment-for + - id: ra-3_obj.b + name: assessment-objective + props: + - name: label + value: RA-03b. + class: sp800-53a + prose: risk assessment results and risk management decisions from + the organization and mission or business process perspectives + are integrated with system-level risk assessments; + links: + - href: "#ra-3_smt.b" + rel: assessment-for + - id: ra-3_obj.c + name: assessment-objective + props: + - name: label + value: RA-03c. + class: sp800-53a + prose: "risk assessment results are documented in {{ insert: param,\ + \ ra-03_odp.01 }};" + links: + - href: "#ra-3_smt.c" + rel: assessment-for + - id: ra-3_obj.d + name: assessment-objective + props: + - name: label + value: RA-03d. + class: sp800-53a + prose: "risk assessment results are reviewed {{ insert: param, ra-03_odp.03\ + \ }};" + links: + - href: "#ra-3_smt.d" + rel: assessment-for + - id: ra-3_obj.e + name: assessment-objective + props: + - name: label + value: RA-03e. + class: sp800-53a + prose: "risk assessment results are disseminated to {{ insert: param,\ + \ ra-03_odp.04 }};" + links: + - href: "#ra-3_smt.e" + rel: assessment-for + - id: ra-3_obj.f + name: assessment-objective + props: + - name: label + value: RA-03f. + class: sp800-53a + prose: "the risk assessment is updated {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + links: + - href: "#ra-3_smt.f" + rel: assessment-for + links: + - href: "#ra-3_smt" + rel: assessment-for + - id: ra-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + risk assessment procedures + + security and privacy planning policy and procedures + + procedures addressing organizational assessments of risk + + risk assessment + + risk assessment results + + risk assessment reviews + + risk assessment updates + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the risk assessment + controls: + - id: ra-3.1 + class: SP800-53-enhancement + title: Supply Chain Risk Assessment + params: + - id: ra-03.01_odp.01 + label: systems, system components, and system services + guidelines: + - prose: systems, system components, and system services to assess + supply chain risks are defined; + - id: ra-03.01_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to update the supply chain risk + assessment is defined; + props: + - name: label + value: RA-3(1) + - name: label + value: RA-03(01) + class: sp800-53a + - name: sort-id + value: ra-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-3" + rel: required + - href: "#ra-2" + rel: related + - href: "#ra-9" + rel: related + - href: "#pm-17" + rel: related + - href: "#pm-30" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-3.1_smt + name: statement + parts: + - id: ra-3.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Assess supply chain risks associated with {{ insert:\ + \ param, ra-03.01_odp.01 }} ; and" + - id: ra-3.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Update the supply chain risk assessment {{ insert: param,\ + \ ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + - id: ra-3.1_gdn + name: guidance + prose: Supply chain-related events include disruption, use of defective + components, insertion of counterfeits, theft, malicious development + practices, improper delivery practices, and insertion of malicious + code. These events can have a significant impact on the confidentiality, + integrity, or availability of a system and its information and, + therefore, can also adversely impact organizational operations + (including mission, functions, image, or reputation), organizational + assets, individuals, other organizations, and the Nation. The + supply chain-related events may be unintentional or malicious + and can occur at any point during the system life cycle. An analysis + of supply chain risk can help an organization identify systems + or components for which additional supply chain risk mitigations + are required. + - id: ra-3.1_obj + name: assessment-objective + props: + - name: label + value: RA-03(01) + class: sp800-53a + parts: + - id: ra-3.1_obj.a + name: assessment-objective + props: + - name: label + value: RA-03(01)(a) + class: sp800-53a + prose: "supply chain risks associated with {{ insert: param,\ + \ ra-03.01_odp.01 }} are assessed;" + links: + - href: "#ra-3.1_smt.a" + rel: assessment-for + - id: ra-3.1_obj.b + name: assessment-objective + props: + - name: label + value: RA-03(01)(b) + class: sp800-53a + prose: "the supply chain risk assessment is updated {{ insert:\ + \ param, ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + links: + - href: "#ra-3.1_smt.b" + rel: assessment-for + links: + - href: "#ra-3.1_smt" + rel: assessment-for + - id: ra-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + inventory of critical systems, system components, and system + services + + + risk assessment policy + + + security planning policy and procedures + + + procedures addressing organizational assessments of supply + chain risk + + + risk assessment + + + risk assessment results + + + risk assessment reviews + + + risk assessment updates + + + acquisition policy + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: ra-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: ra-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the supply chain risk assessment + - id: ra-5 + class: SP800-53 + title: Vulnerability Monitoring and Scanning + params: + - id: ra-5_prm_1 + label: organization-defined frequency and/or randomly in accordance + with organization-defined process + constraints: + - description: monthly operating system/infrastructure; monthly web + applications (including APIs) and databases + - id: ra-05_odp.01 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for monitoring systems and hosted applications + for vulnerabilities is defined; + - id: ra-05_odp.02 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for scanning systems and hosted applications for + vulnerabilities is defined; + - id: ra-05_odp.03 + label: response times + constraints: + - description: high-risk vulnerabilities mitigated within thirty (30) + days from date of discovery; moderate-risk vulnerabilities mitigated + within ninety (90) days from date of discovery; low risk vulnerabilities + mitigated within one hundred and eighty (180) days from date of + discovery + guidelines: + - prose: response times to remediate legitimate vulnerabilities in + accordance with an organizational assessment of risk are defined; + - id: ra-05_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles with whom information obtained from the + vulnerability scanning process and control assessments is to be + shared; + props: + - name: label + value: RA-5 + - name: label + value: RA-05 + class: sp800-53a + - name: sort-id + value: ra-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#8df72805-2e5c-4731-a73e-81db0f0318d0" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-8" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ra-5_smt + name: statement + parts: + - id: ra-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor and scan for vulnerabilities in the system and hosted\ + \ applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + - id: ra-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ vulnerability monitoring tools and techniques that\ + \ facilitate interoperability among tools and automate parts of\ + \ the vulnerability management process by using standards for:" + parts: + - id: ra-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Enumerating platforms, software flaws, and improper configurations; + - id: ra-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Formatting checklists and test procedures; and + - id: ra-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Measuring vulnerability impact; + - id: ra-5_smt.c + name: item + props: + - name: label + value: c. + prose: Analyze vulnerability scan reports and results from vulnerability + monitoring; + - id: ra-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03\ + \ }} in accordance with an organizational assessment of risk;" + - id: ra-5_smt.e + name: item + props: + - name: label + value: e. + prose: "Share information obtained from the vulnerability monitoring\ + \ process and control assessments with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;\ + \ and" + - id: ra-5_smt.f + name: item + props: + - name: label + value: f. + prose: Employ vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned. + - id: ra-5_fr + name: item + title: RA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See the FedRAMP Documents page> Vulnerability Scanning + Requirements https://www.FedRAMP.gov/documents/ + - id: ra-5_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: an accredited independent assessor scans operating systems/infrastructure, + web applications, and databases once annually. + - id: ra-5_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: If a vulnerability is listed among the CISA Known Exploited + Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) + the KEV remediation date supersedes the FedRAMP parameter + requirement. + - id: ra-5_fr_smt.3 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: to include all Authorizing Officials; for JAB authorizations + to include FedRAMP + - id: ra-5_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Informational findings from a scanner are detailed as a + returned result that holds no vulnerability risk or + severity and for FedRAMP does not require an entry onto + the POA&M or entry onto the RET during any assessment + phase. + + + Warning findings, on the other hand, are given a risk rating + (low, moderate, high or critical) by the scanning solution + and should be treated like any other finding with a risk or + severity rating for tracking purposes onto either the POA&M + or RET depending on when the findings originated (during assessments + or during monthly continuous monitoring). If a warning is + received during scanning, but further validation turns up + no actual issue then this item should be categorized as a + false positive. If this situation presents itself during an + assessment phase (initial assessment, annual assessment or + any SCR), follow guidance on how to report false positives + in the Security Assessment Report (SAR). If this situation + happens during monthly continuous monitoring, a deviation + request will need to be submitted per the FedRAMP Vulnerability + Deviation Request Form. + + + Warnings are commonly associated with scanning solutions that + also perform compliance scans, and if the scanner reports + a “warning” as part of the compliance scanning of a CSO, follow + guidance surrounding the tracking of compliance findings during + either the assessment phases (initial assessment, annual assessment + or any SCR) or monthly continuous monitoring as it applies. + Guidance on compliance scan findings can be found by searching + on “Tracking of Compliance Scans” in FAQs. + - id: ra-5_gdn + name: guidance + prose: >- + Security categorization of information and systems guides the + frequency and comprehensiveness of vulnerability monitoring + (including scans). Organizations determine the required + vulnerability monitoring for system components, ensuring that + the potential sources of vulnerabilities—such as infrastructure + components (e.g., switches, routers, guards, sensors), networked + printers, scanners, and copiers—are not overlooked. The + capability to readily update vulnerability monitoring tools as + new vulnerabilities are discovered and announced and as new + scanning methods are developed helps to ensure that new + vulnerabilities are not missed by employed vulnerability + monitoring tools. The vulnerability monitoring tool update + process helps to ensure that potential vulnerabilities in the + system are identified and addressed as quickly as possible. + Vulnerability monitoring and analyses for custom software may + require additional approaches, such as static analysis, dynamic + analysis, binary analysis, or a hybrid of the three approaches. + Organizations can use these analysis approaches in source code + reviews and in a variety of tools, including web-based + application scanners, static analysis tools, and binary + analyzers. + + + Vulnerability monitoring includes scanning for patch levels; scanning + for functions, ports, protocols, and services that should not be accessible + to users or devices; and scanning for flow control mechanisms that + are improperly configured or operating incorrectly. Vulnerability + monitoring may also include continuous vulnerability monitoring tools + that use instrumentation to continuously analyze components. Instrumentation-based + tools may improve accuracy and may be run throughout an organization + without scanning. Vulnerability monitoring tools that facilitate interoperability + include tools that are Security Content Automated Protocol (SCAP)-validated. + Thus, organizations consider using scanning tools that express vulnerabilities + in the Common Vulnerabilities and Exposures (CVE) naming convention + and that employ the Open Vulnerability Assessment Language (OVAL) + to determine the presence of vulnerabilities. Sources for vulnerability + information include the Common Weakness Enumeration (CWE) listing + and the National Vulnerability Database (NVD). Control assessments, + such as red team exercises, provide additional sources of potential + vulnerabilities for which to scan. Organizations also consider using + scanning tools that express vulnerability impact by the Common Vulnerability + Scoring System (CVSS). + + + Vulnerability monitoring includes a channel and process for receiving + reports of security vulnerabilities from the public at-large. Vulnerability + disclosure programs can be as simple as publishing a monitored email + address or web form that can receive reports, including notification + authorizing good-faith research and disclosure of security vulnerabilities. + Organizations generally expect that such research is happening with + or without their authorization and can use public vulnerability disclosure + channels to increase the likelihood that discovered vulnerabilities + are reported directly to the organization for remediation. + + + Organizations may also employ the use of financial incentives (also + known as "bug bounties" ) to further encourage external security researchers + to report discovered vulnerabilities. Bug bounty programs can be tailored + to the organization’s needs. Bounties can be operated indefinitely + or over a defined period of time and can be offered to the general + public or to a curated group. Organizations may run public and private + bounties simultaneously and could choose to offer partially credentialed + access to certain participants in order to evaluate security vulnerabilities + from privileged vantage points. + - id: ra-5_obj + name: assessment-objective + props: + - name: label + value: RA-05 + class: sp800-53a + parts: + - id: ra-5_obj.a + name: assessment-objective + props: + - name: label + value: RA-05a. + class: sp800-53a + parts: + - id: ra-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-05a.[01] + class: sp800-53a + prose: "systems and hosted applications are monitored for vulnerabilities\ + \ {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-05a.[02] + class: sp800-53a + prose: "systems and hosted applications are scanned for vulnerabilities\ + \ {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.b + name: assessment-objective + props: + - name: label + value: RA-05b. + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools; + parts: + - id: ra-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: RA-05b.01 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to automate parts of the vulnerability management process + by using standards for enumerating platforms, software flaws, + and improper configurations; + links: + - href: "#ra-5_smt.b.1" + rel: assessment-for + - id: ra-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: RA-05b.02 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for formatting checklists and test procedures; + links: + - href: "#ra-5_smt.b.2" + rel: assessment-for + - id: ra-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: RA-05b.03 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for measuring vulnerability impact; + links: + - href: "#ra-5_smt.b.3" + rel: assessment-for + links: + - href: "#ra-5_smt.b" + rel: assessment-for + - id: ra-5_obj.c + name: assessment-objective + props: + - name: label + value: RA-05c. + class: sp800-53a + prose: vulnerability scan reports and results from vulnerability + monitoring are analyzed; + links: + - href: "#ra-5_smt.c" + rel: assessment-for + - id: ra-5_obj.d + name: assessment-objective + props: + - name: label + value: RA-05d. + class: sp800-53a + prose: "legitimate vulnerabilities are remediated {{ insert: param,\ + \ ra-05_odp.03 }} in accordance with an organizational assessment\ + \ of risk;" + links: + - href: "#ra-5_smt.d" + rel: assessment-for + - id: ra-5_obj.e + name: assessment-objective + props: + - name: label + value: RA-05e. + class: sp800-53a + prose: "information obtained from the vulnerability monitoring process\ + \ and control assessments is shared with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;" + links: + - href: "#ra-5_smt.e" + rel: assessment-for + - id: ra-5_obj.f + name: assessment-objective + props: + - name: label + value: RA-05f. + class: sp800-53a + prose: vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned are employed. + links: + - href: "#ra-5_smt.f" + rel: assessment-for + links: + - href: "#ra-5_smt" + rel: assessment-for + - id: ra-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + assessment report + + + vulnerability scanning tools and associated configuration documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment, control + assessment, and vulnerability scanning responsibilities + + + organizational personnel with vulnerability scan analysis responsibilities + + + organizational personnel with vulnerability remediation responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning, + analysis, remediation, and information sharing + + + mechanisms supporting and/or implementing vulnerability scanning, + analysis, remediation, and information sharing + controls: + - id: ra-5.2 + class: SP800-53-enhancement + title: Update Vulnerabilities to Be Scanned + params: + - id: ra-05.02_odp.01 + constraints: + - description: prior to a new scan + select: + how-many: one-or-more + choice: + - " {{ insert: param, ra-05.02_odp.02 }} " + - prior to a new scan + - when new vulnerabilities are identified and reported + - id: ra-05.02_odp.02 + label: frequency + guidelines: + - prose: the frequency for updating the system vulnerabilities + to be scanned is defined (if selected); + props: + - name: label + value: RA-5(2) + - name: label + value: RA-05(02) + class: sp800-53a + - name: sort-id + value: ra-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + - href: "#si-5" + rel: related + parts: + - id: ra-5.2_smt + name: statement + prose: "Update the system vulnerabilities to be scanned {{ insert:\ + \ param, ra-05.02_odp.01 }}." + - id: ra-5.2_gdn + name: guidance + prose: Due to the complexity of modern software, systems, and other + factors, new vulnerabilities are discovered on a regular basis. + It is important that newly discovered vulnerabilities are added + to the list of vulnerabilities to be scanned to ensure that the + organization can take steps to mitigate those vulnerabilities + in a timely manner. + - id: ra-5.2_obj + name: assessment-objective + props: + - name: label + value: RA-05(02) + class: sp800-53a + prose: "the system vulnerabilities to be scanned are updated {{\ + \ insert: param, ra-05.02_odp.01 }}." + links: + - href: "#ra-5.2_smt" + rel: assessment-for + - id: ra-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.11 + class: SP800-53-enhancement + title: Public Disclosure Program + props: + - name: label + value: RA-5(11) + - name: label + value: RA-05(11) + class: sp800-53a + - name: sort-id + value: ra-05.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.11_smt + name: statement + prose: Establish a public reporting channel for receiving reports + of vulnerabilities in organizational systems and system components. + - id: ra-5.11_gdn + name: guidance + prose: The reporting channel is publicly discoverable and contains + clear language authorizing good-faith research and the disclosure + of vulnerabilities to the organization. The organization does + not condition its authorization on an expectation of indefinite + non-disclosure to the public by the reporting entity but may request + a specific time period to properly remediate the vulnerability. + - id: ra-5.11_obj + name: assessment-objective + props: + - name: label + value: RA-05(11) + class: sp800-53a + prose: a public reporting channel is established for receiving reports + of vulnerabilities in organizational systems and system components. + links: + - href: "#ra-5.11_smt" + rel: assessment-for + - id: ra-5.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + vulnerability scanning tools and techniques documentation + + + vulnerability scanning results + + + vulnerability management records + + + audit records + + + public reporting channel + + + system security plan + + + other relevant documents or records + - id: ra-5.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms implementing the public reporting of vulnerabilities + - id: ra-7 + class: SP800-53 + title: Risk Response + props: + - name: label + value: RA-7 + - name: label + value: RA-07 + class: sp800-53a + - name: sort-id + value: ra-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-5" + rel: related + - href: "#ir-9" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-28" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-7_smt + name: statement + prose: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - id: ra-7_gdn + name: guidance + prose: Organizations have many options for responding to risk including + mitigating risk by implementing new controls or strengthening existing + controls, accepting risk with appropriate justification or rationale, + sharing or transferring risk, or avoiding risk. The risk tolerance + of the organization influences risk response decisions and actions. + Risk response addresses the need to determine an appropriate response + to risk before generating a plan of action and milestones entry. For + example, the response may be to accept risk or reject risk, or it + may be possible to mitigate the risk immediately so that a plan of + action and milestones entry is not needed. However, if the risk response + is to mitigate the risk, and the mitigation cannot be completed immediately, + a plan of action and milestones entry is generated. + - id: ra-7_obj + name: assessment-objective + props: + - name: label + value: RA-07 + class: sp800-53a + parts: + - id: ra-7_obj-1 + name: assessment-objective + props: + - name: label + value: RA-07[01] + class: sp800-53a + prose: findings from security assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-2 + name: assessment-objective + props: + - name: label + value: RA-07[02] + class: sp800-53a + prose: findings from privacy assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-3 + name: assessment-objective + props: + - name: label + value: RA-07[03] + class: sp800-53a + prose: findings from monitoring are responded to in accordance with + organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-4 + name: assessment-objective + props: + - name: label + value: RA-07[04] + class: sp800-53a + prose: findings from audits are responded to in accordance with + organizational risk tolerance. + links: + - href: "#ra-7_smt" + rel: assessment-for + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + assessment reports + + audit records/event logs + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + system/network administrators + + + organizational personnel with security and privacy responsibilities + - id: ra-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: sa + class: family + title: System and Services Acquisition + controls: + - id: sa-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sa-1_prm_1 + label: organization-defined personnel or roles + - id: sa-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + policy is to be disseminated is/are defined; + - id: sa-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + procedures are to be disseminated is/are defined; + - id: sa-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sa-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and services acquisition + policy and procedures is defined; + - id: sa-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current system and services acquisition + policy is reviewed and updated is defined; + - id: sa-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and services + acquisition policy to be reviewed and updated are defined; + - id: sa-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and services acquisition + procedures are reviewed and updated is defined; + - id: sa-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and services acquisition + procedures to be reviewed and updated are defined; + props: + - name: label + value: SA-1 + - name: label + value: SA-01 + class: sp800-53a + - name: sort-id + value: sa-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sa-1_smt + name: statement + parts: + - id: sa-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sa-1_prm_1 }}:" + parts: + - id: sa-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sa-01_odp.03 }} system and services\ + \ acquisition policy that:" + parts: + - id: sa-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sa-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sa-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and services acquisition policy and the associated system + and services acquisition controls; + - id: sa-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sa-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures; and" + - id: sa-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and services acquisition:" + parts: + - id: sa-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sa-01_odp.05 }} and following\ + \ {{ insert: param, sa-01_odp.06 }} ; and" + - id: sa-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sa-01_odp.07 }} and following\ + \ {{ insert: param, sa-01_odp.08 }}." + - id: sa-1_gdn + name: guidance + prose: System and services acquisition policy and procedures address + the controls in the SA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and services acquisition policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and services acquisition policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in laws, + executive orders, directives, regulations, policies, standards, and + guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sa-1_obj + name: assessment-objective + props: + - name: label + value: SA-01 + class: sp800-53a + parts: + - id: sa-1_obj.a + name: assessment-objective + props: + - name: label + value: SA-01a. + class: sp800-53a + parts: + - id: sa-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.[01] + class: sp800-53a + prose: a system and services acquisition policy is developed + and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.[02] + class: sp800-53a + prose: "the system and services acquisition policy is disseminated\ + \ to {{ insert: param, sa-01_odp.01 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.[03] + class: sp800-53a + prose: system and services acquisition procedures to facilitate + the implementation of the system and services acquisition + policy and associated system and services acquisition controls + are developed and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.[04] + class: sp800-53a + prose: "the system and services acquisition procedures are disseminated\ + \ to {{ insert: param, sa-01_odp.02 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-01a.01 + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SA-01a.01(a) + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses purpose;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses scope;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses roles;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses responsibilities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses management\ + \ commitment;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses compliance;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system and\ + \ services acquisition policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sa-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1" + rel: assessment-for + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.b + name: assessment-objective + props: + - name: label + value: SA-01b. + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures;" + links: + - href: "#sa-1_smt.b" + rel: assessment-for + - id: sa-1_obj.c + name: assessment-objective + props: + - name: label + value: SA-01c. + class: sp800-53a + parts: + - id: sa-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SA-01c.01 + class: sp800-53a + parts: + - id: sa-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SA-01c.01[01] + class: sp800-53a + prose: "the system and services acquisition policy is reviewed\ + \ and updated {{ insert: param, sa-01_odp.05 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SA-01c.01[02] + class: sp800-53a + prose: "the current system and services acquisition policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sa-01_odp.06 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SA-01c.02 + class: sp800-53a + parts: + - id: sa-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SA-01c.02[01] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated {{ insert: param, sa-01_odp.07\ + \ }};" + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + - id: sa-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SA-01c.02[02] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sa-01_odp.08 }}." + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c" + rel: assessment-for + links: + - href: "#sa-1_smt" + rel: assessment-for + - id: sa-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and services acquisition policy + + system and services acquisition procedures + + supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management plan + + system security plan + + privacy plan + + other relevant documents or records + - id: sa-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2 + class: SP800-53 + title: Allocation of Resources + props: + - name: label + value: SA-2 + - name: label + value: SA-02 + class: sp800-53a + - name: sort-id + value: sa-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pl-7" + rel: related + - href: "#pm-3" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-9" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-2_smt + name: statement + parts: + - id: sa-2_smt.a + name: item + props: + - name: label + value: a. + prose: Determine the high-level information security and privacy + requirements for the system or system service in mission and business + process planning; + - id: sa-2_smt.b + name: item + props: + - name: label + value: b. + prose: Determine, document, and allocate the resources required + to protect the system or system service as part of the organizational + capital planning and investment control process; and + - id: sa-2_smt.c + name: item + props: + - name: label + value: c. + prose: Establish a discrete line item for information security and + privacy in organizational programming and budgeting documentation. + - id: sa-2_gdn + name: guidance + prose: Resource allocation for information security and privacy includes + funding for system and services acquisition, sustainment, and supply + chain-related risks throughout the system development life cycle. + - id: sa-2_obj + name: assessment-objective + props: + - name: label + value: SA-02 + class: sp800-53a + parts: + - id: sa-2_obj.a + name: assessment-objective + props: + - name: label + value: SA-02a. + class: sp800-53a + parts: + - id: sa-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-02a.[01] + class: sp800-53a + prose: the high-level information security requirements for + the system or system service are determined in mission and + business process planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-02a.[02] + class: sp800-53a + prose: the high-level privacy requirements for the system or + system service are determined in mission and business process + planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.b + name: assessment-objective + props: + - name: label + value: SA-02b. + class: sp800-53a + parts: + - id: sa-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-02b.[01] + class: sp800-53a + prose: the resources required to protect the system or system + service are determined and documented as part of the organizational + capital planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-02b.[02] + class: sp800-53a + prose: the resources required to protect the system or system + service are allocated as part of the organizational capital + planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.c + name: assessment-objective + props: + - name: label + value: SA-02c. + class: sp800-53a + parts: + - id: sa-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-02c.[01] + class: sp800-53a + prose: a discrete line item for information security is established + in organizational programming and budgeting documentation; + links: + - href: "#sa-2_smt.c" + rel: assessment-for + - id: sa-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-02c.[02] + class: sp800-53a + prose: a discrete line item for privacy is established in organizational + programming and budgeting documentation. + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt" + rel: assessment-for + - id: sa-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + system and services acquisition strategy and plans + + + procedures addressing the allocation of resources to information + security and privacy requirements + + + procedures addressing capital planning and investment control + + + organizational programming and budgeting documentation + + + system security plan + + + privacy plan + + + supply chain risk management policy + + + other relevant documents or records + - id: sa-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with capital planning, investment + control, organizational programming, and budgeting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining information + security and privacy requirements + + + organizational processes for capital planning, programming, and + budgeting + + + mechanisms supporting and/or implementing organizational capital + planning, programming, and budgeting + - id: sa-3 + class: SP800-53 + title: System Development Life Cycle + params: + - id: sa-03_odp + label: system-development life cycle + guidelines: + - prose: system development life cycle is defined; + props: + - name: label + value: SA-3 + - name: label + value: SA-03 + class: sp800-53a + - name: sort-id + value: sa-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#at-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-3_smt + name: statement + parts: + - id: sa-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Acquire, develop, and manage the system using {{ insert:\ + \ param, sa-03_odp }} that incorporates information security and\ + \ privacy considerations;" + - id: sa-3_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document information security and privacy roles + and responsibilities throughout the system development life cycle; + - id: sa-3_smt.c + name: item + props: + - name: label + value: c. + prose: Identify individuals having information security and privacy + roles and responsibilities; and + - id: sa-3_smt.d + name: item + props: + - name: label + value: d. + prose: Integrate the organizational information security and privacy + risk management process into system development life cycle activities. + - id: sa-3_gdn + name: guidance + prose: >- + A system development life cycle process provides the foundation + for the successful development, implementation, and operation of + organizational systems. The integration of security and privacy + considerations early in the system development life cycle is a + foundational principle of systems security engineering and + privacy engineering. To apply the required controls within the + system development life cycle requires a basic understanding of + information security and privacy, threats, vulnerabilities, + adverse impacts, and risk to critical mission and business + functions. The security engineering principles in [SA-8](#sa-8) + help individuals properly design, code, and test systems and + system components. Organizations include qualified personnel + (e.g., senior agency information security officers, senior + agency officials for privacy, security and privacy architects, + and security and privacy engineers) in system development life + cycle processes to ensure that established security and privacy + requirements are incorporated into organizational systems. + Role-based security and privacy training programs can ensure + that individuals with key security and privacy roles and + responsibilities have the experience, skills, and expertise to + conduct assigned system development life cycle activities. + + + The effective integration of security and privacy requirements into + enterprise architecture also helps to ensure that important security + and privacy considerations are addressed throughout the system life + cycle and that those considerations are directly related to organizational + mission and business processes. This process also facilitates the + integration of the information security and privacy architectures + into the enterprise architecture, consistent with the risk management + strategy of the organization. Because the system development life + cycle involves multiple organizations, (e.g., external suppliers, + developers, integrators, service providers), acquisition and supply + chain risk management functions and controls play significant roles + in the effective management of the system during the life cycle. + - id: sa-3_obj + name: assessment-objective + props: + - name: label + value: SA-03 + class: sp800-53a + parts: + - id: sa-3_obj.a + name: assessment-objective + props: + - name: label + value: SA-03a. + class: sp800-53a + parts: + - id: sa-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-03a.[01] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates information\ + \ security considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-03a.[02] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates privacy\ + \ considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.b + name: assessment-objective + props: + - name: label + value: SA-03b. + class: sp800-53a + parts: + - id: sa-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-03b.[01] + class: sp800-53a + prose: information security roles and responsibilities are defined + and documented throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-03b.[02] + class: sp800-53a + prose: privacy roles and responsibilities are defined and documented + throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.c + name: assessment-objective + props: + - name: label + value: SA-03c. + class: sp800-53a + parts: + - id: sa-3_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-03c.[01] + class: sp800-53a + prose: individuals with information security roles and responsibilities + are identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-03c.[02] + class: sp800-53a + prose: individuals with privacy roles and responsibilities are + identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.d + name: assessment-objective + props: + - name: label + value: SA-03d. + class: sp800-53a + parts: + - id: sa-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-03d.[01] + class: sp800-53a + prose: organizational information security risk management processes + are integrated into system development life cycle activities; + links: + - href: "#sa-3_smt.d" + rel: assessment-for + - id: sa-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-03d.[02] + class: sp800-53a + prose: organizational privacy risk management processes are + integrated into system development life cycle activities. + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt" + rel: assessment-for + - id: sa-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the system development + life cycle process + + + system development life cycle documentation + + + organizational risk management strategy + + + information security and privacy risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy program plan + + + enterprise architecture documentation + + + role-based security and privacy training program documentation + + + data mapping documentation + + + other relevant documents or records + - id: sa-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + organizational personnel with system life cycle development responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle + + + organizational processes for identifying system development life + cycle roles and responsibilities + + + organizational processes for integrating information security + and privacy and supply chain risk management into the system development + life cycle + + + mechanisms supporting and/or implementing the system development + life cycle + - id: sa-4 + class: SP800-53 + title: Acquisition Process + params: + - id: sa-04_odp.01 + select: + how-many: one-or-more + choice: + - standardized contract language + - " {{ insert: param, sa-04_odp.02 }} " + - id: sa-04_odp.02 + label: contract language + guidelines: + - prose: contract language is defined (if selected); + props: + - name: label + value: SA-4 + - name: label + value: SA-04 + class: sp800-53a + - name: sort-id + value: sa-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73" + rel: reference + - href: "#87087451-2af5-43d4-88c1-d66ad850f614" + rel: reference + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#06ce9216-bd54-4054-a422-94f358b50a5d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#795aff72-3e6c-4b6b-a80a-b14d84b7f544" + rel: reference + - href: "#3d575737-98cb-459d-b41c-d7e82b73ad78" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-21" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-4_smt + name: statement + prose: "Include the following requirements, descriptions, and criteria,\ + \ explicitly or by reference, using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service:" + parts: + - id: sa-4_smt.a + name: item + props: + - name: label + value: a. + prose: Security and privacy functional requirements; + - id: sa-4_smt.b + name: item + props: + - name: label + value: b. + prose: Strength of mechanism requirements; + - id: sa-4_smt.c + name: item + props: + - name: label + value: c. + prose: Security and privacy assurance requirements; + - id: sa-4_smt.d + name: item + props: + - name: label + value: d. + prose: Controls needed to satisfy the security and privacy requirements. + - id: sa-4_smt.e + name: item + props: + - name: label + value: e. + prose: Security and privacy documentation requirements; + - id: sa-4_smt.f + name: item + props: + - name: label + value: f. + prose: Requirements for protecting security and privacy documentation; + - id: sa-4_smt.g + name: item + props: + - name: label + value: g. + prose: Description of the system development environment and environment + in which the system is intended to operate; + - id: sa-4_smt.h + name: item + props: + - name: label + value: h. + prose: Allocation of responsibility or identification of parties + responsible for information security, privacy, and supply chain + risk management; and + - id: sa-4_smt.i + name: item + props: + - name: label + value: i. + prose: Acceptance criteria. + - id: sa-4_fr + name: item + title: SA-4 Additional FedRAMP Requirements and Guidance + parts: + - id: sa-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must comply with Federal Acquisition + Regulation (FAR) Subpart 7.103, and Section 889 of the John + S. McCain National Defense Authorization Act (NDAA) for Fiscal + Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements + Section 889 (as well as any added updates related to FISMA + to address security concerns in the system acquisitions process). + - id: sa-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The use of Common Criteria (ISO/IEC 15408) evaluated + products is strongly preferred. + + + See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/. + - id: sa-4_gdn + name: guidance + prose: >- + Security and privacy functional requirements are typically + derived from the high-level security and privacy requirements + described in [SA-2](#sa-2) . The derived requirements include + security and privacy capabilities, functions, and mechanisms. + Strength requirements associated with such capabilities, + functions, and mechanisms include degree of correctness, + completeness, resistance to tampering or bypass, and resistance + to direct attack. Assurance requirements include development + processes, procedures, and methodologies as well as the evidence + from development and assessment activities that provide grounds + for confidence that the required functionality is implemented + and possesses the required strength of mechanism. [SP + 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the + process of requirements engineering as part of the system + development life cycle. + + + Controls can be viewed as descriptions of the safeguards and protection + capabilities appropriate for achieving the particular security and + privacy objectives of the organization and for reflecting the security + and privacy requirements of stakeholders. Controls are selected and + implemented in order to satisfy system requirements and include developer + and organizational responsibilities. Controls can include technical, + administrative, and physical aspects. In some cases, the selection + and implementation of a control may necessitate additional specification + by the organization in the form of derived requirements or instantiated + control parameter values. The derived requirements and control parameter + values may be necessary to provide the appropriate level of implementation + detail for controls within the system development life cycle. + + + Security and privacy documentation requirements address all stages + of the system development life cycle. Documentation provides user + and administrator guidance for the implementation and operation of + controls. The level of detail required in such documentation is based + on the security categorization or classification level of the system + and the degree to which organizations depend on the capabilities, + functions, or mechanisms to meet risk response expectations. Requirements + can include mandated configuration settings that specify allowed functions, + ports, protocols, and services. Acceptance criteria for systems, system + components, and system services are defined in the same manner as + the criteria for any organizational acquisition or procurement. + - id: sa-4_obj + name: assessment-objective + props: + - name: label + value: SA-04 + class: sp800-53a + parts: + - id: sa-4_obj.a + name: assessment-objective + props: + - name: label + value: SA-04a. + class: sp800-53a + parts: + - id: sa-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-04a.[01] + class: sp800-53a + prose: "security functional requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-04a.[02] + class: sp800-53a + prose: "privacy functional requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.b + name: assessment-objective + props: + - name: label + value: SA-04b. + class: sp800-53a + prose: "strength of mechanism requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert: param,\ + \ sa-04_odp.01 }} in the acquisition contract for the system,\ + \ system component, or system service;" + links: + - href: "#sa-4_smt.b" + rel: assessment-for + - id: sa-4_obj.c + name: assessment-objective + props: + - name: label + value: SA-04c. + class: sp800-53a + parts: + - id: sa-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-04c.[01] + class: sp800-53a + prose: "security assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-04c.[02] + class: sp800-53a + prose: "privacy assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.d + name: assessment-objective + props: + - name: label + value: SA-04d. + class: sp800-53a + parts: + - id: sa-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-04d.[01] + class: sp800-53a + prose: "controls needed to satisfy the security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-04d.[02] + class: sp800-53a + prose: "controls needed to satisfy the privacy requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.e + name: assessment-objective + props: + - name: label + value: SA-04e. + class: sp800-53a + parts: + - id: sa-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: SA-04e.[01] + class: sp800-53a + prose: "security documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: SA-04e.[02] + class: sp800-53a + prose: "privacy documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.f + name: assessment-objective + props: + - name: label + value: SA-04f. + class: sp800-53a + parts: + - id: sa-4_obj.f-1 + name: assessment-objective + props: + - name: label + value: SA-04f.[01] + class: sp800-53a + prose: "requirements for protecting security documentation,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.f-2 + name: assessment-objective + props: + - name: label + value: SA-04f.[02] + class: sp800-53a + prose: "requirements for protecting privacy documentation, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.g + name: assessment-objective + props: + - name: label + value: SA-04g. + class: sp800-53a + prose: "the description of the system development environment and\ + \ environment in which the system is intended to operate, requirements,\ + \ and criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract for\ + \ the system, system component, or system service;" + links: + - href: "#sa-4_smt.g" + rel: assessment-for + - id: sa-4_obj.h + name: assessment-objective + props: + - name: label + value: SA-04h. + class: sp800-53a + parts: + - id: sa-4_obj.h-1 + name: assessment-objective + props: + - name: label + value: SA-04h.[01] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for information security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-2 + name: assessment-objective + props: + - name: label + value: SA-04h.[02] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for privacy requirements, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-3 + name: assessment-objective + props: + - name: label + value: SA-04h.[03] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for supply chain risk management requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.i + name: assessment-objective + props: + - name: label + value: SA-04i. + class: sp800-53a + prose: "acceptance criteria requirements and descriptions are included\ + \ explicitly or by reference using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service." + links: + - href: "#sa-4_smt.i" + rel: assessment-for + links: + - href: "#sa-4_smt" + rel: assessment-for + - id: sa-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the acquisition + process + + + configuration management plan + + + acquisition contracts for the system, system component, or system + service + + + system design documentation + + + system security plan + + + supply chain risk management plan + + + privacy plan + + + other relevant documents or records + - id: sa-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with supply chain risk management responsibilities + - id: sa-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining system security and + privacy functional, strength, and assurance requirements + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing acquisitions and the + inclusion of security and privacy requirements in contracts + controls: + - id: sa-4.10 + class: SP800-53-enhancement + title: Use of Approved PIV Products + props: + - name: label + value: SA-4(10) + - name: label + value: SA-04(10) + class: sp800-53a + - name: sort-id + value: sa-04.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#pm-9" + rel: related + parts: + - id: sa-4.10_smt + name: statement + prose: Employ only information technology products on the FIPS 201-approved + products list for Personal Identity Verification (PIV) capability + implemented within organizational systems. + - id: sa-4.10_gdn + name: guidance + prose: Products on the FIPS 201-approved products list meet NIST + requirements for Personal Identity Verification (PIV) of Federal + Employees and Contractors. PIV cards are used for multi-factor + authentication in systems and organizations. + - id: sa-4.10_obj + name: assessment-objective + props: + - name: label + value: SA-04(10) + class: sp800-53a + prose: only information technology products on the FIPS 201-approved + products list for the Personal Identity Verification (PIV) capability + implemented within organizational systems are employed. + links: + - href: "#sa-4.10_smt" + rel: assessment-for + - id: sa-4.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documentation + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + service level agreements + + + FIPS 201 approved products list + + + system security plan + + + other relevant documents or records + - id: sa-4.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility for determining + system security requirements + + + organizational personnel with the responsibility for ensuring + that only FIPS 201- approved products are implemented + + + organizational personnel with information security responsibilities + - id: sa-4.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for selecting and employing + FIPS 201-approved products + - id: sa-5 + class: SP800-53 + title: System Documentation + params: + - id: sa-05_odp.01 + label: actions + guidelines: + - prose: actions to take when system, system component, or system + service documentation is either unavailable or nonexistent are + defined; + - id: sa-05_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles to distribute system documentation to + is/are defined; + props: + - name: label + value: SA-5 + - name: label + value: SA-05 + class: sp800-53a + - name: sort-id + value: sa-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: sa-5_smt + name: statement + parts: + - id: sa-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Obtain or develop administrator documentation for the system,\ + \ system component, or system service that describes:" + parts: + - id: sa-5_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Secure configuration, installation, and operation of + the system, component, or service; + - id: sa-5_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Effective use and maintenance of security and privacy + functions and mechanisms; and + - id: sa-5_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Known vulnerabilities regarding configuration and use + of administrative or privileged functions; + - id: sa-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Obtain or develop user documentation for the system, system\ + \ component, or system service that describes:" + parts: + - id: sa-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: User-accessible security and privacy functions and mechanisms + and how to effectively use those functions and mechanisms; + - id: sa-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Methods for user interaction, which enables individuals + to use the system, component, or service in a more secure + manner and protect individual privacy; and + - id: sa-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: User responsibilities in maintaining the security of + the system, component, or service and privacy of individuals; + - id: sa-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Document attempts to obtain system, system component, or\ + \ system service documentation when such documentation is either\ + \ unavailable or nonexistent and take {{ insert: param, sa-05_odp.01\ + \ }} in response; and" + - id: sa-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Distribute documentation to {{ insert: param, sa-05_odp.02\ + \ }}." + - id: sa-5_gdn + name: guidance + prose: System documentation helps personnel understand the implementation + and operation of controls. Organizations consider establishing specific + measures to determine the quality and completeness of the content + provided. System documentation may be used to support the management + of supply chain risk, incident response, and other functions. Personnel + or roles that require documentation include system owners, system + security officers, and system administrators. Attempts to obtain documentation + include contacting manufacturers or suppliers and conducting web-based + searches. The inability to obtain documentation may occur due to the + age of the system or component or the lack of support from developers + and contractors. When documentation cannot be obtained, organizations + may need to recreate the documentation if it is essential to the implementation + or operation of the controls. The protection provided for the documentation + is commensurate with the security category or classification of the + system. Documentation that addresses system vulnerabilities may require + an increased level of protection. Secure operation of the system includes + initially starting the system and resuming secure system operation + after a lapse in system operation. + - id: sa-5_obj + name: assessment-objective + props: + - name: label + value: SA-05 + class: sp800-53a + parts: + - id: sa-5_obj.a + name: assessment-objective + props: + - name: label + value: SA-05a. + class: sp800-53a + parts: + - id: sa-5_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-05a.01 + class: sp800-53a + parts: + - id: sa-5_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: SA-05a.01[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + configuration of the system, component, or service is + obtained or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: SA-05a.01[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + installation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: SA-05a.01[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + operation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.2 + name: assessment-objective + props: + - name: label + value: SA-05a.02 + class: sp800-53a + parts: + - id: sa-5_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SA-05a.02[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of security functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SA-05a.02[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of security functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SA-05a.02[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of privacy functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-4 + name: assessment-objective + props: + - name: label + value: SA-05a.02[04] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of privacy functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.3 + name: assessment-objective + props: + - name: label + value: SA-05a.03 + class: sp800-53a + parts: + - id: sa-5_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: SA-05a.03[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the configuration of administrative or privileged + functions is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + - id: sa-5_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: SA-05a.03[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the use of administrative or privileged functions + is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a" + rel: assessment-for + - id: sa-5_obj.b + name: assessment-objective + props: + - name: label + value: SA-05b. + class: sp800-53a + parts: + - id: sa-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: SA-05b.01 + class: sp800-53a + parts: + - id: sa-5_obj.b.1-1 + name: assessment-objective + props: + - name: label + value: SA-05b.01[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible security + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-2 + name: assessment-objective + props: + - name: label + value: SA-05b.01[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible security) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-3 + name: assessment-objective + props: + - name: label + value: SA-05b.01[03] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible privacy + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-4 + name: assessment-objective + props: + - name: label + value: SA-05b.01[04] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible privacy) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: SA-05b.02 + class: sp800-53a + parts: + - id: sa-5_obj.b.2-1 + name: assessment-objective + props: + - name: label + value: SA-05b.02[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service in a more secure manner is obtained or developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.2-2 + name: assessment-objective + props: + - name: label + value: SA-05b.02[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service to protect individual privacy is obtained or + developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: SA-05b.03 + class: sp800-53a + parts: + - id: sa-5_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: SA-05b.03[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the security of the system, component, + or service is obtained or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + - id: sa-5_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: SA-05b.03[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the privacy of individuals is obtained + or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b" + rel: assessment-for + - id: sa-5_obj.c + name: assessment-objective + props: + - name: label + value: SA-05c. + class: sp800-53a + parts: + - id: sa-5_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-05c.[01] + class: sp800-53a + prose: attempts to obtain system, system component, or system + service documentation when such documentation is either unavailable + or nonexistent is documented; + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-05c.[02] + class: sp800-53a + prose: "after attempts to obtain system, system component, or\ + \ system service documentation when such documentation is\ + \ either unavailable or nonexistent, {{ insert: param, sa-05_odp.01\ + \ }} are taken in response;" + links: + - href: "#sa-5_smt.c" + rel: assessment-for + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.d + name: assessment-objective + props: + - name: label + value: SA-05d. + class: sp800-53a + prose: "documentation is distributed to {{ insert: param, sa-05_odp.02\ + \ }}." + links: + - href: "#sa-5_smt.d" + rel: assessment-for + links: + - href: "#sa-5_smt" + rel: assessment-for + - id: sa-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system documentation + + + system documentation, including administrator and user guides + + + system design documentation + + + records documenting attempts to obtain unavailable or nonexistent + system documentation + + + list of actions to be taken in response to documented attempts + to obtain system, system component, or system service documentation + + + risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system administrators + + + organizational personnel responsible for operating, using, and/or + maintaining the system + + + system developers + - id: sa-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for obtaining, protecting, and distributing + system administrator and user documentation + - id: sa-8 + class: SP800-53 + title: Security and Privacy Engineering Principles + params: + - id: sa-8_prm_1 + label: organization-defined systems security and privacy engineering + principles + - id: sa-08_odp.01 + label: systems security engineering principles + guidelines: + - prose: systems security engineering principles are defined; + - id: sa-08_odp.02 + label: privacy engineering principles + guidelines: + - prose: privacy engineering principles are defined; + props: + - name: label + value: SA-8 + - name: label + value: SA-08 + class: sp800-53a + - name: sort-id + value: sa-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-8_smt + name: statement + prose: "Apply the following systems security and privacy engineering\ + \ principles in the specification, design, development, implementation,\ + \ and modification of the system and system components: {{ insert:\ + \ param, sa-8_prm_1 }}." + - id: sa-8_gdn + name: guidance + prose: >- + Systems security and privacy engineering principles are closely + related to and implemented throughout the system development + life cycle (see [SA-3](#sa-3) ). Organizations can apply systems + security and privacy engineering principles to new systems under + development or to systems undergoing upgrades. For existing + systems, organizations apply systems security and privacy + engineering principles to system upgrades and modifications to + the extent feasible, given the current state of hardware, + software, and firmware components within those systems. + + + The application of systems security and privacy engineering principles + helps organizations develop trustworthy, secure, and resilient systems + and reduces the susceptibility to disruptions, hazards, threats, and + the creation of privacy problems for individuals. Examples of system + security engineering principles include: developing layered protections; + establishing security and privacy policies, architecture, and controls + as the foundation for design and development; incorporating security + and privacy requirements into the system development life cycle; delineating + physical and logical security boundaries; ensuring that developers + are trained on how to build secure software; tailoring controls to + meet organizational needs; and performing threat modeling to identify + use cases, threat agents, attack vectors and patterns, design patterns, + and compensating controls needed to mitigate risk. + + + Organizations that apply systems security and privacy engineering + concepts and principles can facilitate the development of trustworthy, + secure systems, system components, and system services; reduce risk + to acceptable levels; and make informed risk management decisions. + System security engineering principles can also be used to protect + against certain supply chain risks, including incorporating tamper-resistant + hardware into a design. + - id: sa-8_obj + name: assessment-objective + props: + - name: label + value: SA-08 + class: sp800-53a + parts: + - id: sa-8_obj-1 + name: assessment-objective + props: + - name: label + value: SA-08[01] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-2 + name: assessment-objective + props: + - name: label + value: SA-08[02] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-3 + name: assessment-objective + props: + - name: label + value: SA-08[03] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-4 + name: assessment-objective + props: + - name: label + value: SA-08[04] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-5 + name: assessment-objective + props: + - name: label + value: SA-08[05] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the modification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-6 + name: assessment-objective + props: + - name: label + value: SA-08[06] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-7 + name: assessment-objective + props: + - name: label + value: SA-08[07] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-8 + name: assessment-objective + props: + - name: label + value: SA-08[08] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-9 + name: assessment-objective + props: + - name: label + value: SA-08[09] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-10 + name: assessment-objective + props: + - name: label + value: SA-08[10] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the modification\ + \ of the system and system components." + links: + - href: "#sa-8_smt" + rel: assessment-for + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + assessment and authorization procedures + + + procedures addressing security and privacy engineering principles + used in the specification, design, development, implementation, + and modification of the system + + + system design documentation + + + security and privacy requirements and specifications for the system + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with system specification, design, development, + implementation, and modification responsibilities + + + system developers + - id: sa-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for applying security and privacy + engineering principles in system specification, design, + development, implementation, and modification + + + mechanisms supporting the application of security and privacy + engineering principles in system specification, design, development, + implementation, and modification + - id: sa-9 + class: SP800-53 + title: External System Services + params: + - id: sa-09_odp.01 + label: controls + constraints: + - description: Appropriate FedRAMP Security Controls Baseline (s) + if Federal information is processed or stored within the external + system + guidelines: + - prose: controls to be employed by external system service providers + are defined; + - id: sa-09_odp.02 + label: processes, methods, and techniques + constraints: + - description: Federal/FedRAMP Continuous Monitoring requirements + must be met for external systems where Federal information is + processed or stored + guidelines: + - prose: processes, methods, and techniques employed to monitor control + compliance by external service providers are defined; + props: + - name: label + value: SA-9 + - name: label + value: SA-09 + class: sp800-53a + - name: sort-id + value: sa-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-9_smt + name: statement + parts: + - id: sa-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Require that providers of external system services comply\ + \ with organizational security and privacy requirements and employ\ + \ the following controls: {{ insert: param, sa-09_odp.01 }};" + - id: sa-9_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document organizational oversight and user roles + and responsibilities with regard to external system services; + and + - id: sa-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Employ the following processes, methods, and techniques\ + \ to monitor control compliance by external service providers\ + \ on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + - id: sa-9_gdn + name: guidance + prose: External system services are provided by an external provider, + and the organization has no direct control over the implementation + of the required controls or the assessment of control effectiveness. + Organizations establish relationships with external service providers + in a variety of ways, including through business partnerships, contracts, + interagency agreements, lines of business arrangements, licensing + agreements, joint ventures, and supply chain exchanges. The responsibility + for managing risks from the use of external system services remains + with authorizing officials. For services external to organizations, + a chain of trust requires that organizations establish and retain + a certain level of confidence that each provider in the consumer-provider + relationship provides adequate protection for the services rendered. + The extent and nature of this chain of trust vary based on relationships + between organizations and the external providers. Organizations document + the basis for the trust relationships so that the relationships can + be monitored. External system services documentation includes government, + service providers, end user security roles and responsibilities, and + service-level agreements. Service-level agreements define the expectations + of performance for implemented controls, describe measurable outcomes, + and identify remedies and response requirements for identified instances + of noncompliance. + - id: sa-9_obj + name: assessment-objective + props: + - name: label + value: SA-09 + class: sp800-53a + parts: + - id: sa-9_obj.a + name: assessment-objective + props: + - name: label + value: SA-09a. + class: sp800-53a + parts: + - id: sa-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-09a.[01] + class: sp800-53a + prose: providers of external system services comply with organizational + security requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-09a.[02] + class: sp800-53a + prose: providers of external system services comply with organizational + privacy requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-09a.[03] + class: sp800-53a + prose: "providers of external system services employ {{ insert:\ + \ param, sa-09_odp.01 }};" + links: + - href: "#sa-9_smt.a" + rel: assessment-for + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.b + name: assessment-objective + props: + - name: label + value: SA-09b. + class: sp800-53a + parts: + - id: sa-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-09b.[01] + class: sp800-53a + prose: organizational oversight with regard to external system + services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-09b.[02] + class: sp800-53a + prose: user roles and responsibilities with regard to external + system services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.c + name: assessment-objective + props: + - name: label + value: SA-09c. + class: sp800-53a + prose: " {{ insert: param, sa-09_odp.02 }} are employed to monitor\ + \ control compliance by external service providers on an ongoing\ + \ basis." + links: + - href: "#sa-9_smt.c" + rel: assessment-for + links: + - href: "#sa-9_smt" + rel: assessment-for + - id: sa-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing methods and techniques for monitoring control + compliance by external service providers of system services + + + acquisition documentation + + + contracts + + + service level agreements + + + interagency agreements + + + licensing agreements + + + list of organizational security and privacy requirements for external + provider services + + + control assessment results or reports from external providers + of system services + + + system security plan + + + privacy plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + external providers of system services + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring security and privacy + control compliance by external service providers on an + ongoing basis + + + mechanisms for monitoring security and privacy control compliance + by external service providers on an ongoing basis + - id: sa-22 + class: SP800-53 + title: Unsupported System Components + params: + - id: sa-22_odp.01 + select: + how-many: one-or-more + choice: + - in-house support + - " {{ insert: param, sa-22_odp.02 }} " + - id: sa-22_odp.02 + label: support from external providers + guidelines: + - prose: support from external providers is defined (if selected); + props: + - name: label + value: SA-22 + - name: label + value: SA-22 + class: sp800-53a + - name: sort-id + value: sa-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-2" + rel: related + - href: "#sa-3" + rel: related + parts: + - id: sa-22_smt + name: statement + parts: + - id: sa-22_smt.a + name: item + props: + - name: label + value: a. + prose: Replace system components when support for the components + is no longer available from the developer, vendor, or manufacturer; + or + - id: sa-22_smt.b + name: item + props: + - name: label + value: b. + prose: "Provide the following options for alternative sources for\ + \ continued support for unsupported components {{ insert: param,\ + \ sa-22_odp.01 }}." + - id: sa-22_gdn + name: guidance + prose: >- + Support for system components includes software patches, + firmware updates, replacement parts, and maintenance contracts. + An example of unsupported components includes when vendors no + longer provide critical software patches or product updates, + which can result in an opportunity for adversaries to exploit + weaknesses in the installed components. Exceptions to replacing + unsupported system components include systems that provide + critical mission or business capabilities where newer + technologies are not available or where the systems are so + isolated that installing replacement components is not an + option. + + + Alternative sources for support address the need to provide continued + support for system components that are no longer supported by the + original manufacturers, developers, or vendors when such components + remain essential to organizational mission and business functions. + If necessary, organizations can establish in-house support by developing + customized patches for critical software components or, alternatively, + obtain the services of external providers who provide ongoing support + for the designated unsupported components through contractual relationships. + Such contractual relationships can include open-source software value-added + vendors. The increased risk of using unsupported system components + can be mitigated, for example, by prohibiting the connection of such + components to public or uncontrolled networks, or implementing other + forms of isolation. + - id: sa-22_obj + name: assessment-objective + props: + - name: label + value: SA-22 + class: sp800-53a + parts: + - id: sa-22_obj.a + name: assessment-objective + props: + - name: label + value: SA-22a. + class: sp800-53a + prose: system components are replaced when support for the components + is no longer available from the developer, vendor, or manufacturer; + links: + - href: "#sa-22_smt.a" + rel: assessment-for + - id: sa-22_obj.b + name: assessment-objective + props: + - name: label + value: SA-22b. + class: sp800-53a + prose: " {{ insert: param, sa-22_odp.01 }} provide options for alternative\ + \ sources for continued support for unsupported components." + links: + - href: "#sa-22_smt.b" + rel: assessment-for + links: + - href: "#sa-22_smt" + rel: assessment-for + - id: sa-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the replacement or continued use of unsupported + system components + + + documented evidence of replacing unsupported system components + + + documented approvals (including justification) for the continued + use of unsupported system components + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with the responsibility for the system + development life cycle + + + organizational personnel responsible for component replacement + - id: sa-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for replacing unsupported system + components + + + mechanisms supporting and/or implementing the replacement of unsupported + system components + - id: sc + class: family + title: System and Communications Protection + controls: + - id: sc-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sc-1_prm_1 + label: organization-defined personnel or roles + - id: sc-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection policy is to be disseminated is/are defined; + - id: sc-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection procedures are to be disseminated is/are defined; + - id: sc-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business-process-level + - system-level + - id: sc-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and communications protection + policy and procedures is defined; + - id: sc-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current system and communications + protection policy is reviewed and updated is defined; + - id: sc-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and communications + protection policy to be reviewed and updated are defined; + - id: sc-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and communications + protection procedures are reviewed and updated is defined; + - id: sc-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and communications protection + procedures to be reviewed and updated are defined; + props: + - name: label + value: SC-1 + - name: label + value: SC-01 + class: sp800-53a + - name: sort-id + value: sc-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sc-1_smt + name: statement + parts: + - id: sc-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sc-1_prm_1 }}:" + parts: + - id: sc-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sc-01_odp.03 }} system and communications\ + \ protection policy that:" + parts: + - id: sc-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sc-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sc-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and communications protection policy and the associated system + and communications protection controls; + - id: sc-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sc-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures; and" + - id: sc-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and communications\ + \ protection:" + parts: + - id: sc-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sc-01_odp.05 }} and following\ + \ {{ insert: param, sc-01_odp.06 }} ; and" + - id: sc-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sc-01_odp.07 }} and following\ + \ {{ insert: param, sc-01_odp.08 }}." + - id: sc-1_gdn + name: guidance + prose: System and communications protection policy and procedures address + the controls in the SC family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and communications protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and communications protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: sc-1_obj + name: assessment-objective + props: + - name: label + value: SC-01 + class: sp800-53a + parts: + - id: sc-1_obj.a + name: assessment-objective + props: + - name: label + value: SC-01a. + class: sp800-53a + parts: + - id: sc-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.[01] + class: sp800-53a + prose: a system and communications protection policy is developed + and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.[02] + class: sp800-53a + prose: "the system and communications protection policy is disseminated\ + \ to {{ insert: param, sc-01_odp.01 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.[03] + class: sp800-53a + prose: system and communications protection procedures to facilitate + the implementation of the system and communications protection + policy and associated system and communications protection + controls are developed and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.[04] + class: sp800-53a + prose: "the system and communications protection procedures\ + \ are disseminated to {{ insert: param, sc-01_odp.02 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SC-01a.01 + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SC-01a.01(a) + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses purpose;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses scope;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses roles;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses responsibilities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses management\ + \ commitment;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses compliance;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system and\ + \ communications protection policy is consistent with\ + \ applicable laws, Executive Orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#sc-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1" + rel: assessment-for + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.b + name: assessment-objective + props: + - name: label + value: SC-01b. + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures;" + links: + - href: "#sc-1_smt.b" + rel: assessment-for + - id: sc-1_obj.c + name: assessment-objective + props: + - name: label + value: SC-01c. + class: sp800-53a + parts: + - id: sc-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SC-01c.01 + class: sp800-53a + parts: + - id: sc-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SC-01c.01[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated {{ insert: param, sc-01_odp.05\ + \ }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SC-01c.01[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, sc-01_odp.06 }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SC-01c.02 + class: sp800-53a + parts: + - id: sc-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SC-01c.02[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ sc-01_odp.07 }};" + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + - id: sc-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SC-01c.02[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, sc-01_odp.08 }}." + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c" + rel: assessment-for + links: + - href: "#sc-1_smt" + rel: assessment-for + - id: sc-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + system and communications protection procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: sc-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and communications + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: sc-5 + class: SP800-53 + title: Denial-of-service Protection + params: + - id: sc-05_odp.01 + label: types of denial-of-service events + constraints: + - description: "at a minimum: ICMP (ping) flood, SYN flood, slowloris,\ + \ buffer overflow attack, and volume attack" + guidelines: + - prose: types of denial-of-service events to be protected against + or limited are defined; + - id: sc-05_odp.02 + constraints: + - description: Protect against + select: + choice: + - protect against + - limit + - id: sc-05_odp.03 + label: controls by type of denial-of-service event + guidelines: + - prose: controls to achieve the denial-of-service objective by type + of denial-of-service event are defined; + props: + - name: label + value: SC-5 + - name: label + value: SC-05 + class: sp800-53a + - name: sort-id + value: sc-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#sc-6" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-40" + rel: related + parts: + - id: sc-5_smt + name: statement + parts: + - id: sc-5_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, sc-05_odp.02 }} the effects of the following\ + \ types of denial-of-service events: {{ insert: param, sc-05_odp.01\ + \ }} ; and" + - id: sc-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to achieve the denial-of-service\ + \ objective: {{ insert: param, sc-05_odp.03 }}." + - id: sc-5_gdn + name: guidance + prose: Denial-of-service events may occur due to a variety of internal + and external causes, such as an attack by an adversary or a lack of + planning to support organizational needs with respect to capacity + and bandwidth. Such attacks can occur across a wide range of network + protocols (e.g., IPv4, IPv6). A variety of technologies are available + to limit or eliminate the origination and effects of denial-of-service + events. For example, boundary protection devices can filter certain + types of packets to protect system components on internal networks + from being directly affected by or the source of denial-of-service + attacks. Employing increased network capacity and bandwidth combined + with service redundancy also reduces the susceptibility to denial-of-service + events. + - id: sc-5_obj + name: assessment-objective + props: + - name: label + value: SC-05 + class: sp800-53a + parts: + - id: sc-5_obj.a + name: assessment-objective + props: + - name: label + value: SC-05a. + class: sp800-53a + prose: "the effects of {{ insert: param, sc-05_odp.01 }} are {{\ + \ insert: param, sc-05_odp.02 }};" + links: + - href: "#sc-5_smt.a" + rel: assessment-for + - id: sc-5_obj.b + name: assessment-objective + props: + - name: label + value: SC-05b. + class: sp800-53a + prose: " {{ insert: param, sc-05_odp.03 }} are employed to achieve\ + \ the denial-of-service protection objective." + links: + - href: "#sc-5_smt.b" + rel: assessment-for + links: + - href: "#sc-5_smt" + rel: assessment-for + - id: sc-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing denial-of-service protection + + + system design documentation + + + list of denial-of-service attacks requiring employment of security + safeguards to protect against or limit effects of such attacks + + + list of security safeguards protecting against or limiting the + effects of denial-of-service attacks + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + + + system developer + - id: sc-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms protecting against or limiting the effects of + denial-of-service attacks + - id: sc-7 + class: SP800-53 + title: Boundary Protection + params: + - id: sc-07_odp + select: + choice: + - physically + - logically + props: + - name: label + value: SC-7 + - name: label + value: SC-07 + class: sp800-53a + - name: sort-id + value: sc-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a7f0e897-29a3-45c4-bd88-40dfef0e034a" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-10" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-43" + rel: related + parts: + - id: sc-7_smt + name: statement + parts: + - id: sc-7_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces + within the system; + - id: sc-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement subnetworks for publicly accessible system components\ + \ that are {{ insert: param, sc-07_odp }} separated from internal\ + \ organizational networks; and" + - id: sc-7_smt.c + name: item + props: + - name: label + value: c. + prose: Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + - id: sc-7_fr + name: item + title: SC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: SC-7 (b) should be met by subnet isolation. A subnetwork + (subnet) is a physically or logically segmented section of + a larger network defined at TCP/IP Layer 3, to both minimize + traffic and, important for a FedRAMP Authorization, add a + crucial layer of network isolation. Subnets are distinct from + VLANs (Layer 2), security groups, and VPCs and are specifically + required to satisfy SC-7 part b and other controls. See the + FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) + for additional information. + - id: sc-7_gdn + name: guidance + prose: Managed interfaces include gateways, routers, firewalls, guards, + network-based malicious code analysis, virtualization systems, or + encrypted tunnels implemented within a security architecture. Subnetworks + that are physically or logically separated from internal networks + are referred to as demilitarized zones or DMZs. Restricting or prohibiting + interfaces within organizational systems includes restricting external + web traffic to designated web servers within managed interfaces, prohibiting + external traffic that appears to be spoofing internal addresses, and + prohibiting internal traffic that appears to be spoofing external + addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides + additional information on source address validation techniques to + prevent ingress and egress of traffic with spoofed addresses. Commercial + telecommunications services are provided by network components and + consolidated management systems shared by customers. These services + may also include third party-provided access lines and other service + elements. Such services may represent sources of increased risk despite + contract security provisions. Boundary protection may be implemented + as a common control for all or part of an organizational network such + that the boundary to be protected is greater than a system-specific + boundary (i.e., an authorization boundary). + - id: sc-7_obj + name: assessment-objective + props: + - name: label + value: SC-07 + class: sp800-53a + parts: + - id: sc-7_obj.a + name: assessment-objective + props: + - name: label + value: SC-07a. + class: sp800-53a + parts: + - id: sc-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-07a.[01] + class: sp800-53a + prose: communications at external managed interfaces to the + system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-07a.[02] + class: sp800-53a + prose: communications at external managed interfaces to the + system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-07a.[03] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-07a.[04] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.b + name: assessment-objective + props: + - name: label + value: SC-07b. + class: sp800-53a + prose: "subnetworks for publicly accessible system components are\ + \ {{ insert: param, sc-07_odp }} separated from internal organizational\ + \ networks;" + links: + - href: "#sc-7_smt.b" + rel: assessment-for + - id: sc-7_obj.c + name: assessment-objective + props: + - name: label + value: SC-07c. + class: sp800-53a + prose: external networks or systems are only connected to through + managed interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + links: + - href: "#sc-7_smt.c" + rel: assessment-for + links: + - href: "#sc-7_smt" + rel: assessment-for + - id: sc-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing boundary protection + + list of key internal boundaries of the system + + system design documentation + + boundary protection hardware and software + + system configuration settings and associated documentation + + enterprise security architecture documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing boundary protection capabilities + - id: sc-8 + class: SP800-53 + title: Transmission Confidentiality and Integrity + params: + - id: sc-08_odp + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + props: + - name: label + value: SC-8 + - name: label + value: SC-08 + class: sp800-53a + - name: sort-id + value: sc-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: sc-8_smt + name: statement + prose: "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + parts: + - id: sc-8_fr + name: item + title: SC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For each instance of data in transit, confidentiality + AND integrity should be through cryptography as + specified in SC-8 (1), physical means as specified in + SC-8 (5), or in combination. + + + + For clarity, this control applies to all data in transit. + Examples include the following data flows: + + + * Crossing the system boundary + + * Between compute instances - including containers + + * From a compute instance to storage + + * Replication between availability zones + + * Transmission of backups to storage + + * From a load balancer to a compute instance + + * Flows from management tools required for their work – e.g. + log collection, scanning, etc. + + + + + The following applies only when choosing SC-8 (5) in lieu + of SC-8 (1). + + + FedRAMP-Defined Assignment / Selection Parameters + + + SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution + System (PDS) when outside of Controlled Access Area (CAA)] + + + SC-8 (5)-2 [prevent unauthorized disclosure of information + AND detect changes to information] + - id: sc-8_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + SC-8 (5) applies when physical protection has been + selected as the method to protect confidentiality and + integrity. For physical protection, data in transit must + be in either a Controlled Access Area (CAA), or a + Hardened or alarmed PDS. + + + + Hardened or alarmed PDS: Shall be as defined in SECTION X + - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled + PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 + Section VIII, PDS must originate and terminate in a Controlled + Access Area (CAA). + + + + Controlled Access Area (CAA): Data will be considered physically + protected, and in a CAA if it meets Section 2.3 of the DHS’s + Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies. CSPs can meet + Section 2.3 of the DHS’ recommended practice by satisfactory + implementation of the following controls PE-2 (1), PE-2 (2), + PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3). + + + + Note: When selecting SC-8 (5), the above SC-8(5), and the + above referenced PE controls must be added to the SSP. + + + + CNSSI No.7003 can be accessed here: + + + https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf + + + + DHS Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies can be accessed + here: + + + https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf + + - id: sc-8_gdn + name: guidance + prose: >- + Protecting the confidentiality and integrity of transmitted + information applies to internal and external networks as well as + any system components that can transmit information, including + servers, notebook computers, desktop computers, mobile devices, + printers, copiers, scanners, facsimile machines, and radios. + Unprotected communication paths are exposed to the possibility + of interception and modification. Protecting the confidentiality + and integrity of information can be accomplished by physical or + logical means. Physical protection can be achieved by using + protected distribution systems. A protected distribution system + is a wireline or fiber-optics telecommunications system that + includes terminals and adequate electromagnetic, acoustical, + electrical, and physical controls to permit its use for the + unencrypted transmission of classified information. Logical + protection can be achieved by employing encryption techniques. + + + Organizations that rely on commercial providers who offer transmission + services as commodity services rather than as fully dedicated services + may find it difficult to obtain the necessary assurances regarding + the implementation of needed controls for transmission confidentiality + and integrity. In such situations, organizations determine what types + of confidentiality or integrity services are available in standard, + commercial telecommunications service packages. If it is not feasible + to obtain the necessary controls and assurances of control effectiveness + through appropriate contracting vehicles, organizations can implement + appropriate compensating controls. + - id: sc-8_obj + name: assessment-objective + props: + - name: label + value: SC-08 + class: sp800-53a + prose: "the {{ insert: param, sc-08_odp }} of transmitted information\ + \ is/are protected." + links: + - href: "#sc-8_smt" + rel: assessment-for + - id: sc-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transmission confidentiality + and/or integrity + controls: + - id: sc-8.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-08.01_odp + select: + how-many: one-or-more + choice: + - prevent unauthorized disclosure of information + - detect changes to information + props: + - name: label + value: SC-8(1) + - name: label + value: SC-08(01) + class: sp800-53a + - name: sort-id + value: sc-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-8" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-8.1_smt + name: statement + prose: "Implement cryptographic mechanisms to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + parts: + - id: sc-8.1_fr + name: item + title: SC-8 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Please ensure SSP Section 10.3 Cryptographic Modules + Implemented for Data At Rest (DAR) and Data In Transit + (DIT) is fully populated for reference in this control. + - id: sc-8.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + See M-22-09, including \"Agencies encrypt all DNS + requests and HTTP traffic within their environment\" + + + SC-8 (1) applies when encryption has been selected as + the method to protect confidentiality and integrity. Otherwise + refer to SC-8 (5). SC-8 (1) is strongly encouraged. + - id: sc-8.1_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: sc-8.1_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from the underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by\ + \ default, many require encryption to be configured, and\ + \ enabled by the customer. The CSP has the responsibility\ + \ to verify encryption is properly configured." + - id: sc-8.1_gdn + name: guidance + prose: Encryption protects information from unauthorized disclosure + and modification during transmission. Cryptographic mechanisms + that protect the confidentiality and integrity of information + during transmission include TLS and IPSec. Cryptographic mechanisms + used to protect information integrity include cryptographic hash + functions that have applications in digital signatures, checksums, + and message authentication codes. + - id: sc-8.1_obj + name: assessment-objective + props: + - name: label + value: SC-08(01) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + links: + - href: "#sc-8.1_smt" + rel: assessment-for + - id: sc-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Cryptographic mechanisms supporting and/or implementing + transmission confidentiality and/or integrity + + + mechanisms supporting and/or implementing alternative physical + safeguards + + + organizational processes for defining and implementing alternative + physical safeguards + - id: sc-12 + class: SP800-53 + title: Cryptographic Key Establishment and Management + params: + - id: sc-12_odp + label: requirements + constraints: + - description: In accordance with Federal requirements + guidelines: + - prose: requirements for key generation, distribution, storage, access, + and destruction are defined; + props: + - name: label + value: SC-12 + - name: label + value: SC-12 + class: sp800-53a + - name: sort-id + value: sc-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#849b2358-683f-4d97-b111-1cc3d522ded5" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-17" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-3" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-11" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-17" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-12_smt + name: statement + prose: "Establish and manage cryptographic keys when cryptography is\ + \ employed within the system in accordance with the following key\ + \ management requirements: {{ insert: param, sc-12_odp }}." + parts: + - id: sc-12_fr + name: item + title: SC-12 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See references in NIST 800-53 documentation. + - id: sc-12_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Must meet applicable Federal Cryptographic Requirements. + See References Section of control. + - id: sc-12_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Wildcard certificates may be used internally within the + system, but are not permitted for external customer access + to the system. + - id: sc-12_gdn + name: guidance + prose: Cryptographic key management and establishment can be performed + using manual procedures or automated mechanisms with supporting manual + procedures. Organizations define key management requirements in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines and specify appropriate options, parameters, + and levels. Organizations manage trust stores to ensure that only + approved trust anchors are part of such trust stores. This includes + certificates with visibility external to organizational systems and + certificates related to the internal operations of systems. [NIST + CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) + provide additional information on validated cryptographic modules + and algorithms that can be used in cryptographic key management and + establishment. + - id: sc-12_obj + name: assessment-objective + props: + - name: label + value: SC-12 + class: sp800-53a + parts: + - id: sc-12_obj-1 + name: assessment-objective + props: + - name: label + value: SC-12[01] + class: sp800-53a + prose: "cryptographic keys are established when cryptography is\ + \ employed within the system in accordance with {{ insert: param,\ + \ sc-12_odp }};" + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_obj-2 + name: assessment-objective + props: + - name: label + value: SC-12[02] + class: sp800-53a + prose: "cryptographic keys are managed when cryptography is employed\ + \ within the system in accordance with {{ insert: param, sc-12_odp\ + \ }}." + links: + - href: "#sc-12_smt" + rel: assessment-for + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing cryptographic key establishment and management + + + system design documentation + + + cryptographic mechanisms + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for cryptographic + key establishment and/or management + - id: sc-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic key + establishment and management + - id: sc-13 + class: SP800-53 + title: Cryptographic Protection + params: + - id: sc-13_odp.01 + label: cryptographic uses + guidelines: + - prose: cryptographic uses are defined; + - id: sc-13_odp.02 + label: types of cryptography + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: types of cryptography for each specified cryptographic use + are defined; + props: + - name: label + value: SC-13 + - name: label + value: SC-13 + class: sp800-53a + - name: sort-id + value: sc-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-13_smt + name: statement + parts: + - id: sc-13_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + - id: sc-13_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement the following types of cryptography required for\ + \ each specified cryptographic use: {{ insert: param, sc-13_odp.02\ + \ }}." + - id: sc-13_fr + name: item + title: SC-13 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-13_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + This control applies to all use of cryptography. In + addition to encryption, this includes functions such as + hashing, random number generation, and key generation. + Examples include the following: + + + * Encryption of data + + * Decryption of data + + * Generation of one time passwords (OTPs) for MFA + + * Protocols such as TLS, SSH, and HTTPS + + + + + The requirement for FIPS 140 validation, as well as timelines + for acceptance of FIPS 140-2, and 140-3 can be found at the + NIST Cryptographic Module Validation Program (CMVP). + + + https://csrc.nist.gov/projects/cryptographic-module-validation-program + - id: sc-13_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For NSA-approved cryptography, the National Information + Assurance Partnership (NIAP) oversees a national program + to evaluate Commercial IT Products for Use in National + Security Systems. The NIAP Product Compliant List can be + found at the following location: + + + https://www.niap-ccevs.org/Product/index.cfm + - id: sc-13_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS provide encryption by default, many\ + \ require encryption to be configured, and enabled by the\ + \ customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-13_fr_gdn.4 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + Moving to non-FIPS CM or product is acceptable when: + + + * FIPS validated version has a known vulnerability + + * Feature with vulnerability is in use + + * Non-FIPS version fixes the vulnerability + + * Non-FIPS version is submitted to NIST for FIPS validation + + * POA&M is added to track approval, and deployment when ready + - id: sc-13_fr_gdn.5 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "At a minimum, this control applies to cryptography in\ + \ use for the following controls: AU-9(3), CP-9(8), IA-2(6),\ + \ IA-5(1), MP-5, SC-8(1), and SC-28(1)." + - id: sc-13_gdn + name: guidance + prose: Cryptography can be employed to support a variety of security + solutions, including the protection of classified information and + controlled unclassified information, the provision and implementation + of digital signatures, and the enforcement of information separation + when authorized individuals have the necessary clearances but lack + the necessary formal access approvals. Cryptography can also be used + to support random number and hash generation. Generally applicable + cryptographic standards include FIPS-validated cryptography and NSA-approved + cryptography. For example, organizations that need to protect classified + information may specify the use of NSA-approved cryptography. Organizations + that need to provision and implement digital signatures may specify + the use of FIPS-validated cryptography. Cryptography is implemented + in accordance with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: sc-13_obj + name: assessment-objective + props: + - name: label + value: SC-13 + class: sp800-53a + parts: + - id: sc-13_obj.a + name: assessment-objective + props: + - name: label + value: SC-13a. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.01 }} are identified;" + links: + - href: "#sc-13_smt.a" + rel: assessment-for + - id: sc-13_obj.b + name: assessment-objective + props: + - name: label + value: SC-13b. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic\ + \ use (defined in SC-13_ODP[01]) are implemented." + links: + - href: "#sc-13_smt.b" + rel: assessment-for + links: + - href: "#sc-13_smt" + rel: assessment-for + - id: sc-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing cryptographic protection + + system design documentation + + system configuration settings and associated documentation + + cryptographic module validation certificates + + list of FIPS-validated cryptographic modules + + system audit records + + system security plan + + other relevant documents or records + - id: sc-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for cryptographic + protection + - id: sc-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic protection + - id: sc-15 + class: SP800-53 + title: Collaborative Computing Devices and Applications + params: + - id: sc-15_odp + label: exceptions where remote activation is to be allowed + constraints: + - description: no exceptions for computing devices + guidelines: + - prose: exceptions where remote activation is to be allowed are defined; + props: + - name: label + value: SC-15 + - name: label + value: SC-15 + class: sp800-53a + - name: sort-id + value: sc-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-21" + rel: related + - href: "#sc-42" + rel: related + parts: + - id: sc-15_smt + name: statement + parts: + - id: sc-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Prohibit remote activation of collaborative computing devices\ + \ and applications with the following exceptions: {{ insert: param,\ + \ sc-15_odp }} ; and" + - id: sc-15_smt.b + name: item + props: + - name: label + value: b. + prose: Provide an explicit indication of use to users physically + present at the devices. + - id: sc-15_fr + name: item + title: SC-15 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-15_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The information system provides disablement (instead + of physical disconnect) of collaborative computing devices + in a manner that supports ease of use. + - id: sc-15_gdn + name: guidance + prose: Collaborative computing devices and applications include remote + meeting devices and applications, networked white boards, cameras, + and microphones. The explicit indication of use includes signals to + users when collaborative computing devices and applications are activated. + - id: sc-15_obj + name: assessment-objective + props: + - name: label + value: SC-15 + class: sp800-53a + parts: + - id: sc-15_obj.a + name: assessment-objective + props: + - name: label + value: SC-15a. + class: sp800-53a + prose: "remote activation of collaborative computing devices and\ + \ applications is prohibited except {{ insert: param, sc-15_odp\ + \ }};" + links: + - href: "#sc-15_smt.a" + rel: assessment-for + - id: sc-15_obj.b + name: assessment-objective + props: + - name: label + value: SC-15b. + class: sp800-53a + prose: an explicit indication of use is provided to users physically + present at the devices. + links: + - href: "#sc-15_smt.b" + rel: assessment-for + links: + - href: "#sc-15_smt" + rel: assessment-for + - id: sc-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing collaborative computing + + access control policy and procedures + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for managing collaborative + computing devices + - id: sc-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing the management of + remote activation of collaborative computing devices + + + mechanisms providing an indication of use of collaborative computing + devices + - id: sc-20 + class: SP800-53 + title: Secure Name/Address Resolution Service (Authoritative Source) + props: + - name: label + value: SC-20 + - name: label + value: SC-20 + class: sp800-53a + - name: sort-id + value: sc-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-20_smt + name: statement + parts: + - id: sc-20_smt.a + name: item + props: + - name: label + value: a. + prose: Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution + data the system returns in response to external name/address resolution + queries; and + - id: sc-20_smt.b + name: item + props: + - name: label + value: b. + prose: Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to + enable verification of a chain of trust among parent and child + domains, when operating as part of a distributed, hierarchical + namespace. + - id: sc-20_fr + name: item + title: SC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-20_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Control Description should include how DNSSEC is implemented + on authoritative DNS servers to supply valid responses to + external DNSSEC requests. + - id: sc-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SC-20 applies to use of external authoritative DNS to + access a CSO from outside the boundary. + - id: sc-20_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: External authoritative DNS servers may be located outside + an authorized environment. Positioning these servers inside + an authorized boundary is encouraged. + - id: sc-20_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: CSPs are recommended to self-check DNSSEC configuration + through one of many available analyzers such as Sandia National + Labs (https://dnsviz.net) + - id: sc-20_gdn + name: guidance + prose: Providing authoritative source information enables external clients, + including remote Internet clients, to obtain origin authentication + and integrity verification assurances for the host/service name to + network address resolution information obtained through the service. + Systems that provide name and address resolution services include + domain name system (DNS) servers. Additional artifacts include DNS + Security Extensions (DNSSEC) digital signatures and cryptographic + keys. Authoritative data includes DNS resource records. The means + for indicating the security status of child zones include the use + of delegation signer resource records in the DNS. Systems that use + technologies other than the DNS to map between host and service names + and network addresses provide other means to assure the authenticity + and integrity of response data. + - id: sc-20_obj + name: assessment-objective + props: + - name: label + value: SC-20 + class: sp800-53a + parts: + - id: sc-20_obj.a + name: assessment-objective + props: + - name: label + value: SC-20a. + class: sp800-53a + parts: + - id: sc-20_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-20a.[01] + class: sp800-53a + prose: additional data origin authentication is provided along + with the authoritative name resolution data that the system + returns in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-20a.[02] + class: sp800-53a + prose: integrity verification artifacts are provided along with + the authoritative name resolution data that the system returns + in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.b + name: assessment-objective + props: + - name: label + value: SC-20b. + class: sp800-53a + parts: + - id: sc-20_obj.b-1 + name: assessment-objective + props: + - name: label + value: SC-20b.[01] + class: sp800-53a + prose: the means to indicate the security status of child zones + (and if the child supports secure resolution services) is + provided when operating as part of a distributed, hierarchical + namespace; + links: + - href: "#sc-20_smt.b" + rel: assessment-for + - id: sc-20_obj.b-2 + name: assessment-objective + props: + - name: label + value: SC-20b.[02] + class: sp800-53a + prose: the means to enable verification of a chain of trust + among parent and child domains when operating as part of a + distributed, hierarchical namespace is provided. + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt" + rel: assessment-for + - id: sc-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (authoritative source) + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: sc-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing secure name/address + resolution services + - id: sc-21 + class: SP800-53 + title: Secure Name/Address Resolution Service (Recursive or Caching Resolver) + props: + - name: label + value: SC-21 + - name: label + value: SC-21 + class: sp800-53a + - name: sort-id + value: sc-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-20" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-21_smt + name: statement + prose: Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. + parts: + - id: sc-21_fr + name: item + title: SC-21 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-21_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: > + Control description should include how DNSSEC is + implemented on recursive DNS servers to make DNSSEC + requests when resolving DNS requests from internal + components to domains external to the CSO boundary. + + + * If the reply is signed, and fails DNSSEC, do not use the + reply + + * If the reply is unsigned: * CSP chooses the policy to + apply + - id: sc-21_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Internal recursive DNS servers must be located inside + an authorized environment. It is typically within the boundary, + or leveraged from an underlying IaaS/PaaS. + - id: sc-21_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Accepting an unsigned reply is acceptable + - id: sc-21_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + SC-21 applies to use of internal recursive DNS to access + a domain outside the boundary by a component inside the + boundary. + + + * DNSSEC resolution to access a component inside the boundary + is excluded. + - id: sc-21_gdn + name: guidance + prose: Each client of name resolution services either performs this + validation on its own or has authenticated channels to trusted validation + providers. Systems that provide name and address resolution services + for local clients include recursive resolving or caching domain name + system (DNS) servers. DNS client resolvers either perform validation + of DNSSEC signatures, or clients use authenticated channels to recursive + resolvers that perform such validations. Systems that use technologies + other than the DNS to map between host and service names and network + addresses provide some other means to enable clients to verify the + authenticity and integrity of response data. + - id: sc-21_obj + name: assessment-objective + props: + - name: label + value: SC-21 + class: sp800-53a + parts: + - id: sc-21_obj-1 + name: assessment-objective + props: + - name: label + value: SC-21[01] + class: sp800-53a + prose: data origin authentication is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-2 + name: assessment-objective + props: + - name: label + value: SC-21[02] + class: sp800-53a + prose: data origin authentication is performed on the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-3 + name: assessment-objective + props: + - name: label + value: SC-21[03] + class: sp800-53a + prose: data integrity verification is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-4 + name: assessment-objective + props: + - name: label + value: SC-21[04] + class: sp800-53a + prose: data integrity verification is performed on the name/address + resolution responses that the system receives from authoritative + sources. + links: + - href: "#sc-21_smt" + rel: assessment-for + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (recursive or caching resolver) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing data origin authentication + and data integrity verification for name/address resolution services + - id: sc-22 + class: SP800-53 + title: Architecture and Provisioning for Name/Address Resolution Service + props: + - name: label + value: SC-22 + - name: label + value: SC-22 + class: sp800-53a + - name: sort-id + value: sc-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-2" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-22_smt + name: statement + prose: Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal + and external role separation. + - id: sc-22_gdn + name: guidance + prose: Systems that provide name and address resolution services include + domain name system (DNS) servers. To eliminate single points of failure + in systems and enhance redundancy, organizations employ at least two + authoritative domain name system servers—one configured as the primary + server and the other configured as the secondary server. Additionally, + organizations typically deploy the servers in two geographically separated + network subnetworks (i.e., not located in the same physical facility). + For role separation, DNS servers with internal roles only process + name and address resolution requests from within organizations (i.e., + from internal clients). DNS servers with external roles only process + name and address resolution information requests from clients external + to organizations (i.e., on external networks, including the Internet). + Organizations specify clients that can access authoritative DNS servers + in certain roles (e.g., by address ranges and explicit lists). + - id: sc-22_obj + name: assessment-objective + props: + - name: label + value: SC-22 + class: sp800-53a + parts: + - id: sc-22_obj-1 + name: assessment-objective + props: + - name: label + value: SC-22[01] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization are fault-tolerant; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-2 + name: assessment-objective + props: + - name: label + value: SC-22[02] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement internal role separation; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-3 + name: assessment-objective + props: + - name: label + value: SC-22[03] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement external role separation. + links: + - href: "#sc-22_smt" + rel: assessment-for + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing architecture and provisioning for name/address + resolution services + + + access control policy and procedures + + + system design documentation + + + assessment results from independent testing organizations + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing name/address resolution + services for fault tolerance and role separation + - id: sc-28 + class: SP800-53 + title: Protection of Information at Rest + params: + - id: sc-28_odp.01 + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + - id: sc-28_odp.02 + label: information at rest + guidelines: + - prose: information at rest requiring protection is defined; + props: + - name: label + value: SC-28 + - name: label + value: SC-28 + class: sp800-53a + - name: sort-id + value: sc-28 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-28_smt + name: statement + prose: "Protect the {{ insert: param, sc-28_odp.01 }} of the following\ + \ information at rest: {{ insert: param, sc-28_odp.02 }}." + parts: + - id: sc-28_fr + name: item + title: SC-28 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The organization supports the capability to use cryptographic + mechanisms to protect information at rest. + - id: sc-28_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by default,\ + \ many require encryption to be configured, and enabled by\ + \ the customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-28_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + in accordance with SC-13. + - id: sc-28_gdn + name: guidance + prose: Information at rest refers to the state of information when it + is not in process or in transit and is located on system components. + Such components include internal or external hard disk drives, storage + area network devices, or databases. However, the focus of protecting + information at rest is not on the type of storage device or frequency + of access but rather on the state of the information. Information + at rest addresses the confidentiality and integrity of information + and covers user information and system information. System-related + information that requires protection includes configurations or rule + sets for firewalls, intrusion detection and prevention systems, filtering + routers, and authentication information. Organizations may employ + different mechanisms to achieve confidentiality and integrity protections, + including the use of cryptographic mechanisms and file share scanning. + Integrity protection can be achieved, for example, by implementing + write-once-read-many (WORM) technologies. When adequate protection + of information at rest cannot otherwise be achieved, organizations + may employ other controls, including frequent scanning to identify + malicious code at rest and secure offline storage in lieu of online + storage. + - id: sc-28_obj + name: assessment-objective + props: + - name: label + value: SC-28 + class: sp800-53a + prose: "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02\ + \ }} is/are protected." + links: + - href: "#sc-28_smt" + rel: assessment-for + - id: sc-28_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + list of information at rest requiring confidentiality and integrity + protections + + + system security plan + + + other relevant documents or records + - id: sc-28_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing confidentiality + and integrity protections for information at rest + controls: + - id: sc-28.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-28.01_odp.01 + label: information + guidelines: + - prose: information requiring cryptographic protection is defined; + - id: sc-28.01_odp.02 + label: system components or media + constraints: + - description: all information system components storing Federal + data or system data that must be protected at the High or + Moderate impact levels + guidelines: + - prose: system components or media requiring cryptographic protection + is/are defined; + props: + - name: label + value: SC-28(1) + - name: label + value: SC-28(01) + class: sp800-53a + - name: sort-id + value: sc-28.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-28" + rel: required + - href: "#ac-19" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-28.1_smt + name: statement + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of the following information at\ + \ rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param,\ + \ sc-28.01_odp.01 }}." + parts: + - id: sc-28.1_fr + name: item + title: SC-28 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Organizations should select a mode of protection + that is targeted towards the relevant threat + scenarios. + + + Examples: + + + A. Organizations may apply full disk encryption (FDE) + to a mobile device where the primary threat is loss of + the device while storage is locked. + + + B. For a database application housing data for a single + customer, encryption at the file system level would often + provide more protection than FDE against the more likely + threat of an intruder on the operating system accessing + the storage. + + + C. For a database application housing data for multiple + customers, encryption with unique keys for each customer + at the database record level may be more appropriate. + - id: sc-28.1_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of organizational + information. The strength of mechanism is commensurate with the + security category or classification of the information. Organizations + have the flexibility to encrypt information on system components + or media or encrypt data structures, including files, records, + or fields. + - id: sc-28.1_obj + name: assessment-objective + props: + - name: label + value: SC-28(01) + class: sp800-53a + parts: + - id: sc-28.1_obj-1 + name: assessment-objective + props: + - name: label + value: SC-28(01)[01] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized disclosure of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }};" + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_obj-2 + name: assessment-objective + props: + - name: label + value: SC-28(01)[02] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized modification of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }}." + links: + - href: "#sc-28.1_smt" + rel: assessment-for + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-28.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms implementing confidentiality + and integrity protections for information at rest + - id: sc-39 + class: SP800-53 + title: Process Isolation + props: + - name: label + value: SC-39 + - name: label + value: SC-39 + class: sp800-53a + - name: sort-id + value: sc-39 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-25" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-39_smt + name: statement + prose: Maintain a separate execution domain for each executing system + process. + - id: sc-39_gdn + name: guidance + prose: Systems can maintain separate execution domains for each executing + process by assigning each process a separate address space. Each system + process has a distinct address space so that communication between + processes is performed in a manner controlled through the security + functions, and one process cannot modify the executing code of another + process. Maintaining separate execution domains for executing processes + can be achieved, for example, by implementing separate address spaces. + Process isolation technologies, including sandboxing or virtualization, + logically separate software and firmware from other software, firmware, + and data. Process isolation helps limit the access of potentially + untrusted software to other system resources. The capability to maintain + separate execution domains is available in commercial operating systems + that employ multi-state processor technologies. + - id: sc-39_obj + name: assessment-objective + props: + - name: label + value: SC-39 + class: sp800-53a + prose: a separate execution domain is maintained for each executing + system process. + links: + - href: "#sc-39_smt" + rel: assessment-for + - id: sc-39_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-39-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System design documentation + + system architecture + + independent verification and validation documentation + + testing and evaluation documentation + + other relevant documents or records + - id: sc-39_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-39-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System developers/integrators + + system security architect + - id: sc-39_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-39-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing separate execution + domains for each executing process + - id: si + class: family + title: System and Information Integrity + controls: + - id: si-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: si-1_prm_1 + label: organization-defined personnel or roles + - id: si-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + policy is to be disseminated is/are defined; + - id: si-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + procedures are to be disseminated is/are defined; + - id: si-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: si-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and information integrity + policy and procedures is defined; + - id: si-01_odp.05 + label: frequency + constraints: + - description: "at least every 3 years " + guidelines: + - prose: the frequency at which the current system and information + integrity policy is reviewed and updated is defined; + - id: si-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and information + integrity policy to be reviewed and updated are defined; + - id: si-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and information + integrity procedures are reviewed and updated is defined; + - id: si-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and information integrity + procedures to be reviewed and updated are defined; + props: + - name: label + value: SI-1 + - name: label + value: SI-01 + class: sp800-53a + - name: sort-id + value: si-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: si-1_smt + name: statement + parts: + - id: si-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ si-1_prm_1 }}:" + parts: + - id: si-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, si-01_odp.03 }} system and information\ + \ integrity policy that:" + parts: + - id: si-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: si-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: si-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and information integrity policy and the associated system + and information integrity controls; + - id: si-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, si-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures; and" + - id: si-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and information integrity:" + parts: + - id: si-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, si-01_odp.05 }} and following\ + \ {{ insert: param, si-01_odp.06 }} ; and" + - id: si-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, si-01_odp.07 }} and following\ + \ {{ insert: param, si-01_odp.08 }}." + - id: si-1_gdn + name: guidance + prose: System and information integrity policy and procedures address + the controls in the SI family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and information integrity policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and information integrity policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: si-1_obj + name: assessment-objective + props: + - name: label + value: SI-01 + class: sp800-53a + parts: + - id: si-1_obj.a + name: assessment-objective + props: + - name: label + value: SI-01a. + class: sp800-53a + parts: + - id: si-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.[01] + class: sp800-53a + prose: a system and information integrity policy is developed + and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.[02] + class: sp800-53a + prose: "the system and information integrity policy is disseminated\ + \ to {{ insert: param, si-01_odp.01 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.[03] + class: sp800-53a + prose: system and information integrity procedures to facilitate + the implementation of the system and information integrity + policy and associated system and information integrity controls + are developed and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.[04] + class: sp800-53a + prose: "the system and information integrity procedures are\ + \ disseminated to {{ insert: param, si-01_odp.02 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-01a.01 + class: sp800-53a + parts: + - id: si-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SI-01a.01(a) + class: sp800-53a + parts: + - id: si-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses purpose;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses scope;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses roles;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses responsibilities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses management\ + \ commitment;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses compliance;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SI-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system and\ + \ information integrity policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#si-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#si-1_smt.a.1" + rel: assessment-for + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.b + name: assessment-objective + props: + - name: label + value: SI-01b. + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures;" + links: + - href: "#si-1_smt.b" + rel: assessment-for + - id: si-1_obj.c + name: assessment-objective + props: + - name: label + value: SI-01c. + class: sp800-53a + parts: + - id: si-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-01c.01 + class: sp800-53a + parts: + - id: si-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-01c.01[01] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated {{ insert: param, si-01_odp.05\ + \ }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-01c.01[02] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated following {{ insert: param,\ + \ si-01_odp.06 }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-01c.02 + class: sp800-53a + parts: + - id: si-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-01c.02[01] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated {{ insert: param, si-01_odp.07\ + \ }};" + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + - id: si-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-01c.02[02] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ si-01_odp.08 }}." + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c" + rel: assessment-for + links: + - href: "#si-1_smt" + rel: assessment-for + - id: si-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and information integrity policy + + system and information integrity procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: si-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and information + integrity responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: si-2 + class: SP800-53 + title: Flaw Remediation + params: + - id: si-02_odp + label: time period + constraints: + - description: within thirty (30) days of release of updates + guidelines: + - prose: time period within which to install security-relevant software + updates after the release of the updates is defined; + props: + - name: label + value: SI-2 + - name: label + value: SI-02 + class: sp800-53a + - name: sort-id + value: si-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#ca-5" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#si-3" + rel: related + - href: "#si-5" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: si-2_smt + name: statement + parts: + - id: si-2_smt.a + name: item + props: + - name: label + value: a. + prose: Identify, report, and correct system flaws; + - id: si-2_smt.b + name: item + props: + - name: label + value: b. + prose: Test software and firmware updates related to flaw remediation + for effectiveness and potential side effects before installation; + - id: si-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Install security-relevant software and firmware updates\ + \ within {{ insert: param, si-02_odp }} of the release of the\ + \ updates; and" + - id: si-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate flaw remediation into the organizational configuration + management process. + - id: si-2_gdn + name: guidance + prose: >- + The need to remediate system flaws applies to all types of + software and firmware. Organizations identify systems affected + by software flaws, including potential vulnerabilities resulting + from those flaws, and report this information to designated + organizational personnel with information security and privacy + responsibilities. Security-relevant updates include patches, + service packs, and malicious code signatures. Organizations also + address flaws discovered during assessments, continuous + monitoring, incident response activities, and system error + handling. By incorporating flaw remediation into configuration + management processes, required remediation actions can be + tracked and verified. + + + Organization-defined time periods for updating security-relevant software + and firmware may vary based on a variety of risk factors, including + the security category of the system, the criticality of the update + (i.e., severity of the vulnerability related to the discovered flaw), + the organizational risk tolerance, the mission supported by the system, + or the threat environment. Some types of flaw remediation may require + more testing than other types. Organizations determine the type of + testing needed for the specific type of flaw remediation activity + under consideration and the types of changes that are to be configuration-managed. + In some situations, organizations may determine that the testing of + software or firmware updates is not necessary or practical, such as + when implementing simple malicious code signature updates. In testing + decisions, organizations consider whether security-relevant software + or firmware updates are obtained from authorized sources with appropriate + digital signatures. + - id: si-2_obj + name: assessment-objective + props: + - name: label + value: SI-02 + class: sp800-53a + parts: + - id: si-2_obj.a + name: assessment-objective + props: + - name: label + value: SI-02a. + class: sp800-53a + parts: + - id: si-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-02a.[01] + class: sp800-53a + prose: system flaws are identified; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-02a.[02] + class: sp800-53a + prose: system flaws are reported; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-02a.[03] + class: sp800-53a + prose: system flaws are corrected; + links: + - href: "#si-2_smt.a" + rel: assessment-for + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.b + name: assessment-objective + props: + - name: label + value: SI-02b. + class: sp800-53a + parts: + - id: si-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-02b.[01] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-02b.[02] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-02b.[03] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SI-02b.[04] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.c + name: assessment-objective + props: + - name: label + value: SI-02c. + class: sp800-53a + parts: + - id: si-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-02c.[01] + class: sp800-53a + prose: "security-relevant software updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-02c.[02] + class: sp800-53a + prose: "security-relevant firmware updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.d + name: assessment-objective + props: + - name: label + value: SI-02d. + class: sp800-53a + prose: flaw remediation is incorporated into the organizational + configuration management process. + links: + - href: "#si-2_smt.d" + rel: assessment-for + links: + - href: "#si-2_smt" + rel: assessment-for + - id: si-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + procedures addressing configuration management + + + list of flaws and vulnerabilities potentially affecting the system + + + list of recent security flaw remediation actions performed on + the system (e.g., list of installed patches, service packs, hot + fixes, and other software updates to correct system flaws) + + + test results from the installation of software and firmware updates + to correct system flaws + + + installation/change control records for security-relevant software + and firmware updates + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel responsible for installing, configuring, + and/or maintaining the system + + + organizational personnel responsible for flaw remediation + + + organizational personnel with configuration management responsibilities + - id: si-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + organizational process for installing software and firmware updates + + + mechanisms supporting and/or implementing the reporting and correcting + of system flaws + + + mechanisms supporting and/or implementing testing software and + firmware updates + - id: si-3 + class: SP800-53 + title: Malicious Code Protection + params: + - id: si-03_odp.01 + constraints: + - description: signature based and non-signature based + select: + how-many: one-or-more + choice: + - signature-based + - non-signature-based + - id: si-03_odp.02 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: the frequency at which malicious code protection mechanisms + perform scans is defined; + - id: si-03_odp.03 + constraints: + - description: to include endpoints and network entry and exit points + select: + how-many: one-or-more + choice: + - endpoint + - network entry and exit points + - id: si-03_odp.04 + constraints: + - description: to include blocking and quarantining malicious code + select: + how-many: one-or-more + choice: + - block malicious code + - quarantine malicious code + - "take {{ insert: param, si-03_odp.05 }} " + - id: si-03_odp.05 + label: action + constraints: + - description: administrator or defined security personnel near-realtime + guidelines: + - prose: action to be taken in response to malicious code detection + are defined (if selected); + - id: si-03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when malicious code is detected + is/are defined; + props: + - name: label + value: SI-3 + - name: label + value: SI-03 + class: sp800-53a + - name: sort-id + value: si-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#88660532-2dcf-442e-845c-03340ce48999" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-8" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-3_smt + name: statement + parts: + - id: si-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Implement {{ insert: param, si-03_odp.01 }} malicious code\ + \ protection mechanisms at system entry and exit points to detect\ + \ and eradicate malicious code;" + - id: si-3_smt.b + name: item + props: + - name: label + value: b. + prose: Automatically update malicious code protection mechanisms + as new releases are available in accordance with organizational + configuration management policy and procedures; + - id: si-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Configure malicious code protection mechanisms to:" + parts: + - id: si-3_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }} and real-time scans of files from external\ + \ sources at {{ insert: param, si-03_odp.03 }} as the files\ + \ are downloaded, opened, or executed in accordance with organizational\ + \ policy; and" + - id: si-3_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, si-03_odp.04 }} ; and send alert\ + \ to {{ insert: param, si-03_odp.06 }} in response to malicious\ + \ code detection; and" + - id: si-3_smt.d + name: item + props: + - name: label + value: d. + prose: Address the receipt of false positives during malicious code + detection and eradication and the resulting potential impact on + the availability of the system. + - id: si-3_gdn + name: guidance + prose: >- + System entry and exit points include firewalls, remote access + servers, workstations, electronic mail servers, web servers, + proxy servers, notebook computers, and mobile devices. Malicious + code includes viruses, worms, Trojan horses, and spyware. + Malicious code can also be encoded in various formats contained + within compressed or hidden files or hidden in files using + techniques such as steganography. Malicious code can be inserted + into systems in a variety of ways, including by electronic mail, + the world-wide web, and portable storage devices. Malicious code + insertions occur through the exploitation of system + vulnerabilities. A variety of technologies and methods exist to + limit or eliminate the effects of malicious code. + + + Malicious code protection mechanisms include both signature- and nonsignature-based + technologies. Nonsignature-based detection mechanisms include artificial + intelligence techniques that use heuristics to detect, analyze, and + describe the characteristics or behavior of malicious code and to + provide controls against such code for which signatures do not yet + exist or for which existing signatures may not be effective. Malicious + code for which active signatures do not yet exist or may be ineffective + includes polymorphic malicious code (i.e., code that changes signatures + when it replicates). Nonsignature-based mechanisms also include reputation-based + technologies. In addition to the above technologies, pervasive configuration + management, comprehensive software integrity controls, and anti-exploitation + software may be effective in preventing the execution of unauthorized + code. Malicious code may be present in commercial off-the-shelf software + as well as custom-built software and could include logic bombs, backdoors, + and other types of attacks that could affect organizational mission + and business functions. + + + In situations where malicious code cannot be detected by detection + methods or technologies, organizations rely on other types of controls, + including secure coding practices, configuration management and control, + trusted procurement processes, and monitoring practices to ensure + that software does not perform functions other than the functions + intended. Organizations may determine that, in response to the detection + of malicious code, different actions may be warranted. For example, + organizations can define actions in response to malicious code detection + during periodic scans, the detection of malicious downloads, or the + detection of maliciousness when attempting to open or execute files. + - id: si-3_obj + name: assessment-objective + props: + - name: label + value: SI-03 + class: sp800-53a + parts: + - id: si-3_obj.a + name: assessment-objective + props: + - name: label + value: SI-03a. + class: sp800-53a + parts: + - id: si-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-03a.[01] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to detect malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-03a.[02] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to eradicate malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.b + name: assessment-objective + props: + - name: label + value: SI-03b. + class: sp800-53a + prose: malicious code protection mechanisms are updated automatically + as new releases are available in accordance with organizational + configuration management policy and procedures; + links: + - href: "#si-3_smt.b" + rel: assessment-for + - id: si-3_obj.c + name: assessment-objective + props: + - name: label + value: SI-03c. + class: sp800-53a + parts: + - id: si-3_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-03c.01 + class: sp800-53a + parts: + - id: si-3_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-03c.01[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }};" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-03c.01[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform real-time scans of files from external sources\ + \ at {{ insert: param, si-03_odp.03 }} as the files are\ + \ downloaded, opened, or executed in accordance with organizational\ + \ policy;" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-03c.02 + class: sp800-53a + parts: + - id: si-3_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-03c.02[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to {{ insert: param, si-03_odp.04 }} in response to\ + \ malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + - id: si-3_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-03c.02[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to send alerts to {{ insert: param, si-03_odp.06 }}\ + \ in response to malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c" + rel: assessment-for + - id: si-3_obj.d + name: assessment-objective + props: + - name: label + value: SI-03d. + class: sp800-53a + prose: the receipt of false positives during malicious code detection + and eradication and the resulting potential impact on the availability + of the system are addressed. + links: + - href: "#si-3_smt.d" + rel: assessment-for + links: + - href: "#si-3_smt" + rel: assessment-for + - id: si-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + configuration management policy and procedures + + + procedures addressing malicious code protection + + + malicious code protection mechanisms + + + records of malicious code protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + scan results from malicious code protection mechanisms + + + record of actions initiated by malicious code protection mechanisms + in response to malicious code detection + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for malicious code protection + + + organizational personnel with configuration management responsibilities + - id: si-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for employing, updating, and + configuring malicious code protection mechanisms + + + organizational processes for addressing false positives and resulting + potential impacts + + + mechanisms supporting and/or implementing, employing, updating, + and configuring malicious code protection mechanisms + + + mechanisms supporting and/or implementing malicious code scanning + and subsequent actions + - id: si-4 + class: SP800-53 + title: System Monitoring + params: + - id: si-04_odp.01 + label: monitoring objectives + guidelines: + - prose: monitoring objectives to detect attacks and indicators of + potential attacks on the system are defined; + - id: si-04_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods used to identify unauthorized use + of the system are defined; + - id: si-04_odp.03 + label: system monitoring information + guidelines: + - prose: system monitoring information to be provided to personnel + or roles is defined; + - id: si-04_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom system monitoring information + is to be provided is/are defined; + - id: si-04_odp.05 + select: + how-many: one-or-more + choice: + - as needed + - " {{ insert: param, si-04_odp.06 }} " + - id: si-04_odp.06 + label: frequency + guidelines: + - prose: a frequency for providing system monitoring to personnel + or roles is defined (if selected); + props: + - name: label + value: SI-4 + - name: label + value: SI-04 + class: sp800-53a + - name: sort-id + value: si-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#au-13" + rel: related + - href: "#au-14" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-12" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-36" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-6" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: si-4_smt + name: statement + parts: + - id: si-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor the system to detect:" + parts: + - id: si-4_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: {{ insert: param,\ + \ si-04_odp.01 }} ; and" + - id: si-4_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Unauthorized local, network, and remote connections; + - id: si-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Identify unauthorized use of the system through the following\ + \ techniques and methods: {{ insert: param, si-04_odp.02 }};" + - id: si-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Invoke internal monitoring capabilities or deploy monitoring\ + \ devices:" + parts: + - id: si-4_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Strategically within the system to collect organization-determined + essential information; and + - id: si-4_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: At ad hoc locations within the system to track specific + types of transactions of interest to the organization; + - id: si-4_smt.d + name: item + props: + - name: label + value: d. + prose: Analyze detected events and anomalies; + - id: si-4_smt.e + name: item + props: + - name: label + value: e. + prose: Adjust the level of system monitoring activity when there + is a change in risk to organizational operations and assets, individuals, + other organizations, or the Nation; + - id: si-4_smt.f + name: item + props: + - name: label + value: f. + prose: Obtain legal opinion regarding system monitoring activities; + and + - id: si-4_smt.g + name: item + props: + - name: label + value: g. + prose: "Provide {{ insert: param, si-04_odp.03 }} to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + - id: si-4_fr + name: item + title: SI-4 Additional FedRAMP Requirements and Guidance + parts: + - id: si-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See US-CERT Incident Response Reporting Guidelines. + - id: si-4_gdn + name: guidance + prose: >- + System monitoring includes external and internal monitoring. + External monitoring includes the observation of events occurring + at external interfaces to the system. Internal monitoring + includes the observation of events occurring within the system. + Organizations monitor systems by observing audit activities in + real time or by observing other system aspects such as access + patterns, characteristics of access, and other actions. The + monitoring objectives guide and inform the determination of the + events. System monitoring capabilities are achieved through a + variety of tools and techniques, including intrusion detection + and prevention systems, malicious code protection software, + scanning tools, audit record monitoring software, and network + monitoring software. + + + Depending on the security architecture, the distribution and configuration + of monitoring devices may impact throughput at key internal and external + boundaries as well as at other locations across a network due to the + introduction of network throughput latency. If throughput management + is needed, such devices are strategically located and deployed as + part of an established organization-wide security architecture. Strategic + locations for monitoring devices include selected perimeter locations + and near key servers and server farms that support critical applications. + Monitoring devices are typically employed at the managed interfaces + associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information + collected is a function of the organizational monitoring objectives + and the capability of systems to support such objectives. Specific + types of transactions of interest include Hypertext Transfer Protocol + (HTTP) traffic that bypasses HTTP proxies. System monitoring is an + integral part of organizational continuous monitoring and incident + response programs, and output from system monitoring serves as input + to those programs. System monitoring requirements, including the need + for specific types of system monitoring, may be referenced in other + controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), + [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), + [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) + ). Adjustments to levels of system monitoring are based on law enforcement + information, intelligence information, or other sources of information. + The legality of system monitoring activities is based on applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: si-4_obj + name: assessment-objective + props: + - name: label + value: SI-04 + class: sp800-53a + parts: + - id: si-4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04a. + class: sp800-53a + parts: + - id: si-4_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-04a.01 + class: sp800-53a + prose: "the system is monitored to detect attacks and indicators\ + \ of potential attacks in accordance with {{ insert: param,\ + \ si-04_odp.01 }};" + links: + - href: "#si-4_smt.a.1" + rel: assessment-for + - id: si-4_obj.a.2 + name: assessment-objective + props: + - name: label + value: SI-04a.02 + class: sp800-53a + parts: + - id: si-4_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SI-04a.02[01] + class: sp800-53a + prose: the system is monitored to detect unauthorized local + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SI-04a.02[02] + class: sp800-53a + prose: the system is monitored to detect unauthorized network + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SI-04a.02[03] + class: sp800-53a + prose: the system is monitored to detect unauthorized remote + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a" + rel: assessment-for + - id: si-4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04b. + class: sp800-53a + prose: "unauthorized use of the system is identified through {{\ + \ insert: param, si-04_odp.02 }};" + links: + - href: "#si-4_smt.b" + rel: assessment-for + - id: si-4_obj.c + name: assessment-objective + props: + - name: label + value: SI-04c. + class: sp800-53a + parts: + - id: si-4_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-04c.01 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed strategically within the system to collect + organization-determined essential information; + links: + - href: "#si-4_smt.c.1" + rel: assessment-for + - id: si-4_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-04c.02 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed at ad hoc locations within the system + to track specific types of transactions of interest to the + organization; + links: + - href: "#si-4_smt.c.2" + rel: assessment-for + links: + - href: "#si-4_smt.c" + rel: assessment-for + - id: si-4_obj.d + name: assessment-objective + props: + - name: label + value: SI-04d. + class: sp800-53a + parts: + - id: si-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SI-04d.[01] + class: sp800-53a + prose: detected events are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SI-04d.[02] + class: sp800-53a + prose: detected anomalies are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.e + name: assessment-objective + props: + - name: label + value: SI-04e. + class: sp800-53a + prose: the level of system monitoring activity is adjusted when + there is a change in risk to organizational operations and assets, + individuals, other organizations, or the Nation; + links: + - href: "#si-4_smt.e" + rel: assessment-for + - id: si-4_obj.f + name: assessment-objective + props: + - name: label + value: SI-04f. + class: sp800-53a + prose: a legal opinion regarding system monitoring activities is + obtained; + links: + - href: "#si-4_smt.f" + rel: assessment-for + - id: si-4_obj.g + name: assessment-objective + props: + - name: label + value: SI-04g. + class: sp800-53a + prose: " {{ insert: param, si-04_odp.03 }} is provided to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + links: + - href: "#si-4_smt.g" + rel: assessment-for + links: + - href: "#si-4_smt" + rel: assessment-for + - id: si-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + continuous monitoring strategy + + + facility diagram/layout + + + system design documentation + + + system monitoring tools and techniques documentation + + + locations within the system where monitoring devices are deployed + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: si-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring capabilities + - id: si-5 + class: SP800-53 + title: Security Alerts, Advisories, and Directives + params: + - id: si-05_odp.01 + label: external organizations + constraints: + - description: to include US-CERT and Cybersecurity and Infrastructure + Security Agency (CISA) Directives + guidelines: + - prose: external organizations from whom system security alerts, + advisories, and directives are to be received on an ongoing basis + are defined; + - id: si-05_odp.02 + constraints: + - description: to include system security personnel and administrators + with configuration/patch-management responsibilities + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-05_odp.03 }} " + - " {{ insert: param, si-05_odp.04 }} " + - " {{ insert: param, si-05_odp.05 }} " + - id: si-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom security alerts, advisories, and + directives are to be disseminated is/are defined (if selected); + - id: si-05_odp.04 + label: elements + guidelines: + - prose: elements within the organization to whom security alerts, + advisories, and directives are to be disseminated are defined + (if selected); + - id: si-05_odp.05 + label: external organizations + guidelines: + - prose: external organizations to whom security alerts, advisories, + and directives are to be disseminated are defined (if selected); + props: + - name: label + value: SI-5 + - name: label + value: SI-05 + class: sp800-53a + - name: sort-id + value: si-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#pm-15" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-2" + rel: related + parts: + - id: si-5_smt + name: statement + parts: + - id: si-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Receive system security alerts, advisories, and directives\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + - id: si-5_smt.b + name: item + props: + - name: label + value: b. + prose: Generate internal security alerts, advisories, and directives + as deemed necessary; + - id: si-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Disseminate security alerts, advisories, and directives\ + \ to: {{ insert: param, si-05_odp.02 }} ; and" + - id: si-5_smt.d + name: item + props: + - name: label + value: d. + prose: Implement security directives in accordance with established + time frames, or notify the issuing organization of the degree + of noncompliance. + - id: si-5_fr_smt.1 + name: item + title: SI-5 Additional FedRAMP Requirements and Guidance + props: + - name: label + value: "Requirement:" + prose: Service Providers must address the CISA Emergency and Binding + Operational Directives applicable to their cloud service offering + per FedRAMP guidance. This includes listing the applicable directives + and stating compliance status. + - id: si-5_gdn + name: guidance + prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates + security alerts and advisories to maintain situational awareness throughout + the Federal Government. Security directives are issued by OMB or other + designated organizations with the responsibility and authority to + issue such directives. Compliance with security directives is essential + due to the critical nature of many of these directives and the potential + (immediate) adverse effects on organizational operations and assets, + individuals, other organizations, and the Nation should the directives + not be implemented in a timely manner. External organizations include + supply chain partners, external mission or business partners, external + service providers, and other peer or supporting organizations. + - id: si-5_obj + name: assessment-objective + props: + - name: label + value: SI-05 + class: sp800-53a + parts: + - id: si-5_obj.a + name: assessment-objective + props: + - name: label + value: SI-05a. + class: sp800-53a + prose: "system security alerts, advisories, and directives are received\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + links: + - href: "#si-5_smt.a" + rel: assessment-for + - id: si-5_obj.b + name: assessment-objective + props: + - name: label + value: SI-05b. + class: sp800-53a + prose: internal security alerts, advisories, and directives are + generated as deemed necessary; + links: + - href: "#si-5_smt.b" + rel: assessment-for + - id: si-5_obj.c + name: assessment-objective + props: + - name: label + value: SI-05c. + class: sp800-53a + prose: "security alerts, advisories, and directives are disseminated\ + \ to {{ insert: param, si-05_odp.02 }};" + links: + - href: "#si-5_smt.c" + rel: assessment-for + - id: si-5_obj.d + name: assessment-objective + props: + - name: label + value: SI-05d. + class: sp800-53a + prose: security directives are implemented in accordance with established + time frames or if the issuing organization is notified of the + degree of noncompliance. + links: + - href: "#si-5_smt.d" + rel: assessment-for + links: + - href: "#si-5_smt" + rel: assessment-for + - id: si-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security alerts, advisories, and directives + + + records of security alerts and advisories + + + system security plan + + + other relevant documents or records + - id: si-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security alert and advisory + responsibilities + + + organizational personnel implementing, operating, maintaining, + and using the system + + + organizational personnel, organizational elements, and/or external + organizations to whom alerts, advisories, and directives are to + be disseminated + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: si-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining, receiving, + generating, disseminating, and complying with security + alerts, advisories, and directives + + + mechanisms supporting and/or implementing the definition, receipt, + generation, and dissemination of security alerts, advisories, + and directives + + + mechanisms supporting and/or implementing security directives + - id: si-12 + class: SP800-53 + title: Information Management and Retention + props: + - name: label + value: SI-12 + - name: label + value: SI-12 + class: sp800-53a + - name: sort-id + value: si-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#e922fc50-b1f9-469f-92ef-ed7d9803611c" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ac-16" + rel: related + - href: "#au-5" + rel: related + - href: "#au-11" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-8" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: si-12_smt + name: statement + prose: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive + orders, directives, regulations, policies, standards, guidelines and + operational requirements. + - id: si-12_gdn + name: guidance + prose: "Information management and retention requirements cover the\ + \ full life cycle of information, in some cases extending beyond system\ + \ disposal. Information to be retained may also include policies,\ + \ procedures, plans, reports, data output from control implementation,\ + \ and other types of administrative information. The National Archives\ + \ and Records Administration (NARA) provides federal policy and guidance\ + \ on records retention and schedules. If organizations have a records\ + \ management office, consider coordinating with records management\ + \ personnel. Records produced from the output of implemented controls\ + \ that may require management and retention include, but are not limited\ + \ to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12),\ + \ [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7),\ + \ [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4),\ + \ [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13),\ + \ [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4),\ + \ [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17),\ + \ [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5),\ + \ [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21),\ + \ [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31),\ + \ [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3),\ + \ [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8),\ + \ [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4),\ + \ [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + - id: si-12_obj + name: assessment-objective + props: + - name: label + value: SI-12 + class: sp800-53a + parts: + - id: si-12_obj-1 + name: assessment-objective + props: + - name: label + value: SI-12[01] + class: sp800-53a + prose: information within the system is managed in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-2 + name: assessment-objective + props: + - name: label + value: SI-12[02] + class: sp800-53a + prose: information within the system is retained in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-3 + name: assessment-objective + props: + - name: label + value: SI-12[03] + class: sp800-53a + prose: information output from the system is managed in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-4 + name: assessment-objective + props: + - name: label + value: SI-12[04] + class: sp800-53a + prose: information output from the system is retained in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements. + links: + - href: "#si-12_smt" + rel: assessment-for + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + personally identifiable information processing policy + + + records retention and disposition policy + + + records retention and disposition procedures + + + federal laws, Executive Orders, directives, policies, regulations, + standards, and operational requirements applicable to information + management and retention + + + media protection policy + + + media protection procedures + + + audit findings + + + system security plan + + + privacy plan + + + privacy program plan + + + personally identifiable information inventory + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: si-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information and records + management, retention, and disposition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + network administrators + - id: si-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for information management, + retention, and disposition + + + automated mechanisms supporting and/or implementing information + management, retention, and disposition + - id: sr + class: family + title: Supply Chain Risk Management + controls: + - id: sr-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sr-1_prm_1 + label: organization-defined personnel or roles + - id: sr-01_odp.01 + label: personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + guidelines: + - prose: personnel or roles to whom supply chain risk management policy + is to be disseminated to is/are defined; + - id: sr-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management procedures + are disseminated to is/are defined; + - id: sr-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sr-01_odp.04 + label: official + guidelines: + - prose: an official to manage the development, documentation, and + dissemination of the supply chain risk management policy and procedures + is defined; + - id: sr-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current supply chain risk management + policy is reviewed and updated is defined; + - id: sr-01_odp.06 + label: events + guidelines: + - prose: events that require the current supply chain risk management + policy to be reviewed and updated are defined; + - id: sr-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current supply chain risk management + procedure is reviewed and updated is defined; + - id: sr-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that require the supply chain risk management procedures + to be reviewed and updated are defined; + props: + - name: label + value: SR-1 + - name: label + value: SR-01 + class: sp800-53a + - name: sort-id + value: sr-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sr-1_smt + name: statement + parts: + - id: sr-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sr-1_prm_1 }}:" + parts: + - id: sr-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sr-01_odp.03 }} supply chain risk\ + \ management policy that:" + parts: + - id: sr-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sr-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sr-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the supply + chain risk management policy and the associated supply chain + risk management controls; + - id: sr-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sr-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures; and" + - id: sr-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current supply chain risk management:" + parts: + - id: sr-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sr-01_odp.05 }} and following\ + \ {{ insert: param, sr-01_odp.06 }} ; and" + - id: sr-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sr-01_odp.07 }} and following\ + \ {{ insert: param, sr-01_odp.08 }}." + - id: sr-1_gdn + name: guidance + prose: Supply chain risk management policy and procedures address the + controls in the SR family as well as supply chain-related controls + in other families that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of supply chain + risk management policy and procedures. Security and privacy program + policies and procedures at the organization level are preferable, + in general, and may obviate the need for mission- or system-specific + policies and procedures. The policy can be included as part of the + general security and privacy policy or be represented by multiple + policies that reflect the complex nature of organizations. Procedures + can be established for security and privacy programs, for mission + or business processes, and for systems, if needed. Procedures describe + how the policies or controls are implemented and can be directed at + the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + supply chain risk management policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sr-1_obj + name: assessment-objective + props: + - name: label + value: SR-01 + class: sp800-53a + parts: + - id: sr-1_obj.a + name: assessment-objective + props: + - name: label + value: SR-01a. + class: sp800-53a + parts: + - id: sr-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.[01] + class: sp800-53a + prose: a supply chain risk management policy is developed and + documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.[02] + class: sp800-53a + prose: "the supply chain risk management policy is disseminated\ + \ to {{ insert: param, sr-01_odp.01 }};" + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.[03] + class: sp800-53a + prose: supply chain risk management procedures to facilitate + the implementation of the supply chain risk management policy + and the associated supply chain risk management controls are + developed and documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.[04] + class: sp800-53a + prose: "the supply chain risk management procedures are disseminated\ + \ to {{ insert: param, sr-01_odp.02 }}." + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SR-01a.01 + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SR-01a.01(a) + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses purpose;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses scope; " + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[03] + class: sp800-53a + prose: " {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy addresses roles;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses responsibilities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses management\ + \ commitment;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses compliance." + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sr-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1" + rel: assessment-for + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.b + name: assessment-objective + props: + - name: label + value: SR-01b. + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures;" + links: + - href: "#sr-1_smt.b" + rel: assessment-for + - id: sr-1_obj.c + name: assessment-objective + props: + - name: label + value: SR-01c. + class: sp800-53a + parts: + - id: sr-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SR-01c.01 + class: sp800-53a + parts: + - id: sr-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SR-01c.01[01] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated {{ insert: param, sr-01_odp.05\ + \ }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SR-01c.01[02] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sr-01_odp.06 }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SR-01c.02 + class: sp800-53a + parts: + - id: sr-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SR-01c.02[01] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated {{ insert: param, sr-01_odp.07\ + \ }};" + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + - id: sr-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SR-01c.02[02] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sr-01_odp.08 }}." + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c" + rel: assessment-for + links: + - href: "#sr-1_smt" + rel: assessment-for + - id: sr-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with acquisition responsibilities + + + organizational personnel with enterprise risk management responsibilities + - id: sr-2 + class: SP800-53 + title: Supply Chain Risk Management Plan + params: + - id: sr-02_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services for which + a supply chain risk management plan is developed are defined; + - id: sr-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update the supply chain + risk management plan is defined; + props: + - name: label + value: SR-2 + - name: label + value: SR-02 + class: sp800-53a + - name: sort-id + value: sr-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: sr-2_smt + name: statement + parts: + - id: sr-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a plan for managing supply chain risks associated\ + \ with the research and development, design, manufacturing, acquisition,\ + \ delivery, integration, operations and maintenance, and disposal\ + \ of the following systems, system components or system services:\ + \ {{ insert: param, sr-02_odp.01 }};" + - id: sr-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the supply chain risk management plan\ + \ {{ insert: param, sr-02_odp.02 }} or as required, to address\ + \ threat, organizational or environmental changes; and" + - id: sr-2_smt.c + name: item + props: + - name: label + value: c. + prose: Protect the supply chain risk management plan from unauthorized + disclosure and modification. + - id: sr-2_gdn + name: guidance + prose: >- + The dependence on products, systems, and services from external + providers, as well as the nature of the relationships with those + providers, present an increasing level of risk to an + organization. Threat actions that may increase security or + privacy risks include unauthorized production, the insertion or + use of counterfeits, tampering, theft, insertion of malicious + software and hardware, and poor manufacturing and development + practices in the supply chain. Supply chain risks can be endemic + or systemic within a system element or component, a system, an + organization, a sector, or the Nation. Managing supply chain + risk is a complex, multifaceted undertaking that requires a + coordinated effort across an organization to build trust + relationships and communicate with internal and external + stakeholders. Supply chain risk management (SCRM) activities + include identifying and assessing risks, determining appropriate + risk response actions, developing SCRM plans to document + response actions, and monitoring performance against plans. The + SCRM plan (at the system-level) is implementation specific, + providing policy implementation, requirements, constraints and + implications. It can either be stand-alone, or incorporated into + system security and privacy plans. The SCRM plan addresses + managing, implementation, and monitoring of SCRM controls and + the development/sustainment of systems across the SDLC to + support mission and business functions. + + + Because supply chains can differ significantly across and within organizations, + SCRM plans are tailored to the individual program, organizational, + and operational contexts. Tailored SCRM plans provide the basis for + determining whether a technology, service, system component, or system + is fit for purpose, and as such, the controls need to be tailored + accordingly. Tailored SCRM plans help organizations focus their resources + on the most critical mission and business functions based on mission + and business requirements and their risk environment. Supply chain + risk management plans include an expression of the supply chain risk + tolerance for the organization, acceptable supply chain risk mitigation + strategies or controls, a process for consistently evaluating and + monitoring supply chain risk, approaches for implementing and communicating + the plan, a description of and justification for supply chain risk + mitigation measures taken, and associated roles and responsibilities. + Finally, supply chain risk management plans address requirements for + developing trustworthy, secure, privacy-protective, and resilient + system components and systems, including the application of the security + design principles implemented as part of life cycle-based systems + security engineering processes (see [SA-8](#sa-8)). + - id: sr-2_obj + name: assessment-objective + props: + - name: label + value: SR-02 + class: sp800-53a + parts: + - id: sr-2_obj.a + name: assessment-objective + props: + - name: label + value: SR-02a. + class: sp800-53a + parts: + - id: sr-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-02a.[01] + class: sp800-53a + prose: a plan for managing supply chain risks is developed; + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-02a.[02] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the research and development of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-02a.[03] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the design of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-02a.[04] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the manufacturing of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-5 + name: assessment-objective + props: + - name: label + value: SR-02a.[05] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the acquisition of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-6 + name: assessment-objective + props: + - name: label + value: SR-02a.[06] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the delivery of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-7 + name: assessment-objective + props: + - name: label + value: SR-02a.[07] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the integration of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-8 + name: assessment-objective + props: + - name: label + value: SR-02a.[08] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the operation and maintenance of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-9 + name: assessment-objective + props: + - name: label + value: SR-02a.[09] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the disposal of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.b + name: assessment-objective + props: + - name: label + value: SR-02b. + class: sp800-53a + prose: "the supply chain risk management plan is reviewed and updated\ + \ {{ insert: param, sr-02_odp.02 }} or as required to address\ + \ threat, organizational, or environmental changes;" + links: + - href: "#sr-2_smt.b" + rel: assessment-for + - id: sr-2_obj.c + name: assessment-objective + props: + - name: label + value: SR-02c. + class: sp800-53a + parts: + - id: sr-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SR-02c.[01] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized disclosure; + links: + - href: "#sr-2_smt.c" + rel: assessment-for + - id: sr-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SR-02c.[02] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized modification. + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt" + rel: assessment-for + - id: sr-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures for protecting the supply chain risk management plan + from unauthorized disclosure and modification + + + system development life cycle procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + list of supply chain threats + + + list of safeguards to be taken against supply chain threats + + + system life cycle documentation + + + inter-organizational agreements and procedures + + + system security plan + + + privacy plan + + + privacy program plan + + + other relevant documents or records + - id: sr-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle (SDLC) + + + organizational processes for identifying SDLC roles and responsibilities + + + organizational processes for integrating supply chain risk management + into the SDLC + + + mechanisms supporting and/or implementing the SDLC + controls: + - id: sr-2.1 + class: SP800-53-enhancement + title: Establish SCRM Team + params: + - id: sr-02.01_odp.01 + label: personnel, roles and responsibilities + guidelines: + - prose: the personnel, roles, and responsibilities of the supply + chain risk management team are defined; + - id: sr-02.01_odp.02 + label: supply chain risk management activities + guidelines: + - prose: supply chain risk management activities are defined; + props: + - name: label + value: SR-2(1) + - name: label + value: SR-02(01) + class: sp800-53a + - name: sort-id + value: sr-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-2" + rel: required + parts: + - id: sr-2.1_smt + name: statement + prose: "Establish a supply chain risk management team consisting\ + \ of {{ insert: param, sr-02.01_odp.01 }} to lead and support\ + \ the following SCRM activities: {{ insert: param, sr-02.01_odp.02\ + \ }}." + - id: sr-2.1_gdn + name: guidance + prose: To implement supply chain risk management plans, organizations + establish a coordinated, team-based approach to identify and assess + supply chain risks and manage these risks by using programmatic + and technical mitigation techniques. The team approach enables + organizations to conduct an analysis of their supply chain, communicate + with internal and external partners or stakeholders, and gain + broad consensus regarding the appropriate resources for SCRM. + The SCRM team consists of organizational personnel with diverse + roles and responsibilities for leading and supporting SCRM activities, + including risk executive, information technology, contracting, + information security, privacy, mission or business, legal, supply + chain and logistics, acquisition, business continuity, and other + relevant functions. Members of the SCRM team are involved in various + aspects of the SDLC and, collectively, have an awareness of and + provide expertise in acquisition processes, legal practices, vulnerabilities, + threats, and attack vectors, as well as an understanding of the + technical aspects and dependencies of systems. The SCRM team can + be an extension of the security and privacy risk management processes + or be included as part of an organizational risk management team. + - id: sr-2.1_obj + name: assessment-objective + props: + - name: label + value: SR-02(01) + class: sp800-53a + prose: "a supply chain risk management team consisting of {{ insert:\ + \ param, sr-02.01_odp.01 }} is established to lead and support\ + \ {{ insert: param, sr-02.01_odp.02 }}." + links: + - href: "#sr-2.1_smt" + rel: assessment-for + - id: sr-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management team charter documentation + + supply chain risk management strategy + + supply chain risk management implementation plan + + procedures addressing supply chain protection + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with enterprise risk management responsibilities + + + legal counsel + + + organizational personnel with business continuity responsibilities + - id: sr-3 + class: SP800-53 + title: Supply Chain Controls and Processes + params: + - id: sr-03_odp.01 + label: system or system component + guidelines: + - prose: the system or system component requiring a process or processes + to identify and address weaknesses or deficiencies is defined; + - id: sr-03_odp.02 + label: supply chain personnel + guidelines: + - prose: supply chain personnel with whom to coordinate the process + or processes to identify and address weaknesses or deficiencies + in the supply chain elements and processes is/are defined; + - id: sr-03_odp.03 + label: supply chain controls + guidelines: + - prose: supply chain controls employed to protect against supply + chain risks to the system, system component, or system service + and to limit the harm or consequences from supply chain-related + events are defined; + - id: sr-03_odp.04 + select: + how-many: one-or-more + choice: + - security and privacy plans + - supply chain risk management plan + - " {{ insert: param, sr-03_odp.05 }} " + - id: sr-03_odp.05 + label: document + guidelines: + - prose: the document identifying the selected and implemented supply + chain processes and controls is defined (if selected); + props: + - name: label + value: SR-3 + - name: label + value: SR-03 + class: sp800-53a + - name: sort-id + value: sr-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-29" + rel: related + - href: "#sc-30" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-3_smt + name: statement + parts: + - id: sr-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish a process or processes to identify and address\ + \ weaknesses or deficiencies in the supply chain elements and\ + \ processes of {{ insert: param, sr-03_odp.01 }} in coordination\ + \ with {{ insert: param, sr-03_odp.02 }};" + - id: sr-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to protect against supply\ + \ chain risks to the system, system component, or system service\ + \ and to limit the harm or consequences from supply chain-related\ + \ events: {{ insert: param, sr-03_odp.03 }} ; and" + - id: sr-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document the selected and implemented supply chain processes\ + \ and controls in {{ insert: param, sr-03_odp.04 }}." + - id: sr-3_fr + name: item + title: SR-3 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSO must document and maintain the supply chain custody, + including replacement devices, to ensure the integrity of + the devices before being introduced to the boundary. + - id: sr-3_gdn + name: guidance + prose: Supply chain elements include organizations, entities, or tools + employed for the research and development, design, manufacturing, + acquisition, delivery, integration, operations and maintenance, and + disposal of systems and system components. Supply chain processes + include hardware, software, and firmware development processes; shipping + and handling procedures; personnel security and physical security + programs; configuration management tools, techniques, and measures + to maintain provenance; or other programs, processes, or procedures + associated with the development, acquisition, maintenance and disposal + of systems and system components. Supply chain elements and processes + may be provided by organizations, system integrators, or external + providers. Weaknesses or deficiencies in supply chain elements or + processes represent potential vulnerabilities that can be exploited + by adversaries to cause harm to the organization and affect its ability + to carry out its core missions or business functions. Supply chain + personnel are individuals with roles and responsibilities in the supply + chain. + - id: sr-3_obj + name: assessment-objective + props: + - name: label + value: SR-03 + class: sp800-53a + parts: + - id: sr-3_obj.a + name: assessment-objective + props: + - name: label + value: SR-03a. + class: sp800-53a + parts: + - id: sr-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-03a.[01] + class: sp800-53a + prose: "a process or processes is/are established to identify\ + \ and address weaknesses or deficiencies in the supply chain\ + \ elements and processes of {{ insert: param, sr-03_odp.01\ + \ }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-03a.[02] + class: sp800-53a + prose: "the process or processes to identify and address weaknesses\ + \ or deficiencies in the supply chain elements and processes\ + \ of {{ insert: param, sr-03_odp.01 }} is/are coordinated\ + \ with {{ insert: param, sr-03_odp.02 }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.b + name: assessment-objective + props: + - name: label + value: SR-03b. + class: sp800-53a + prose: " {{ insert: param, sr-03_odp.03 }} are employed to protect\ + \ against supply chain risks to the system, system component,\ + \ or system service and to limit the harm or consequences from\ + \ supply chain-related events;" + links: + - href: "#sr-3_smt.b" + rel: assessment-for + - id: sr-3_obj.c + name: assessment-objective + props: + - name: label + value: SR-03c. + class: sp800-53a + prose: "the selected and implemented supply chain processes and\ + \ controls are documented in {{ insert: param, sr-03_odp.04 }}." + links: + - href: "#sr-3_smt.c" + rel: assessment-for + links: + - href: "#sr-3_smt" + rel: assessment-for + - id: sr-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management strategy + + + supply chain risk management plan + + + systems and critical system components inventory documentation + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems or services + + + risk register documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for identifying and addressing supply + chain element and process deficiencies + - id: sr-5 + class: SP800-53 + title: Acquisition Strategies, Tools, and Methods + params: + - id: sr-05_odp + label: strategies, tools, and methods + guidelines: + - prose: acquisition strategies, contract tools, and procurement methods + to protect against, identify, and mitigate supply chain risks + are defined; + props: + - name: label + value: SR-5 + - name: label + value: SR-05 + class: sp800-53a + - name: sort-id + value: sr-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#at-3" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-5_smt + name: statement + prose: "Employ the following acquisition strategies, contract tools,\ + \ and procurement methods to protect against, identify, and mitigate\ + \ supply chain risks: {{ insert: param, sr-05_odp }}." + - id: sr-5_gdn + name: guidance + prose: The use of the acquisition process provides an important vehicle + to protect the supply chain. There are many useful tools and techniques + available, including obscuring the end use of a system or system component, + using blind or filtered buys, requiring tamper-evident packaging, + or using trusted or controlled distribution. The results from a supply + chain risk assessment can guide and inform the strategies, tools, + and methods that are most applicable to the situation. Tools and techniques + may provide protections against unauthorized production, theft, tampering, + insertion of counterfeits, insertion of malicious software or backdoors, + and poor development practices throughout the system development life + cycle. Organizations also consider providing incentives for suppliers + who implement controls, promote transparency into their processes + and security and privacy practices, provide contract language that + addresses the prohibition of tainted or counterfeit components, and + restrict purchases from untrustworthy suppliers. Organizations consider + providing training, education, and awareness programs for personnel + regarding supply chain risk, available mitigation strategies, and + when the programs should be employed. Methods for reviewing and protecting + development plans, documentation, and evidence are commensurate with + the security and privacy requirements of the organization. Contracts + may specify documentation protection requirements. + - id: sr-5_obj + name: assessment-objective + props: + - name: label + value: SR-05 + class: sp800-53a + parts: + - id: sr-5_obj-1 + name: assessment-objective + props: + - name: label + value: SR-05[01] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to protect\ + \ against supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-2 + name: assessment-objective + props: + - name: label + value: SR-05[02] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to identify\ + \ supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-3 + name: assessment-objective + props: + - name: label + value: SR-05[03] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to mitigate\ + \ supply chain risks." + links: + - href: "#sr-5_smt" + rel: assessment-for + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems, system components, or services + + + documentation of training, education, and awareness programs for + personnel regarding supply chain risk + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and employing tailored + acquisition strategies, contract tools, and procurement + methods + + + mechanisms supporting and/or implementing the definition and employment + of tailored acquisition strategies, contract tools, and procurement + methods + - id: sr-8 + class: SP800-53 + title: Notification Agreements + params: + - id: sr-08_odp.01 + constraints: + - description: notification of supply chain compromises and results + of assessment or audits + select: + how-many: one-or-more + choice: + - notification of supply chain compromises + - " {{ insert: param, sr-08_odp.02 }} " + - id: sr-08_odp.02 + label: results of assessments or audits + guidelines: + - prose: information for which agreements and procedures are to be + established are defined (if selected); + props: + - name: label + value: SR-8 + - name: label + value: SR-08 + class: sp800-53a + - name: sort-id + value: sr-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: sr-8_smt + name: statement + prose: "Establish agreements and procedures with entities involved in\ + \ the supply chain for the system, system component, or system service\ + \ for the {{ insert: param, sr-08_odp.01 }}." + parts: + - id: sr-8_fr + name: item + title: SR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure and document how they receive notifications + from their supply chain vendor of newly discovered vulnerabilities + including zero-day vulnerabilities. + - id: sr-8_gdn + name: guidance + prose: The establishment of agreements and procedures facilitates communications + among supply chain entities. Early notification of compromises and + potential compromises in the supply chain that can potentially adversely + affect or have adversely affected organizational systems or system + components is essential for organizations to effectively respond to + such incidents. The results of assessments or audits may include open-source + information that contributed to a decision or result and could be + used to help the supply chain entity resolve a concern or improve + its processes. + - id: sr-8_obj + name: assessment-objective + props: + - name: label + value: SR-08 + class: sp800-53a + prose: "agreements and procedures are established with entities involved\ + \ in the supply chain for the system, system components, or system\ + \ service for {{ insert: param, sr-08_odp.01 }}." + links: + - href: "#sr-8_smt" + rel: assessment-for + - id: sr-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for establishing inter-organizational + agreements and procedures with supply chain entities + - id: sr-10 + class: SP800-53 + title: Inspection of Systems or Components + params: + - id: sr-10_odp.01 + label: systems or system components + guidelines: + - prose: systems or system components that require inspection are + defined; + - id: sr-10_odp.02 + select: + how-many: one-or-more + choice: + - at random + - "at {{ insert: param, sr-10_odp.03 }} " + - "upon {{ insert: param, sr-10_odp.04 }} " + - id: sr-10_odp.03 + label: frequency + guidelines: + - prose: frequency at which to inspect systems or system components + is defined (if selected); + - id: sr-10_odp.04 + label: indications of need for inspection + guidelines: + - prose: indications of the need for an inspection of systems or system + components are defined (if selected); + props: + - name: label + value: SR-10 + - name: label + value: SR-10 + class: sp800-53a + - name: sort-id + value: sr-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-30" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-10_smt + name: statement + prose: "Inspect the following systems or system components {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01\ + \ }}." + - id: sr-10_gdn + name: guidance + prose: The inspection of systems or systems components for tamper resistance + and detection addresses physical and logical tampering and is applied + to systems and system components removed from organization-controlled + areas. Indications of a need for inspection include changes in packaging, + specifications, factory location, or entity in which the part is purchased, + and when individuals return from travel to high-risk locations. + - id: sr-10_obj + name: assessment-objective + props: + - name: label + value: SR-10 + class: sp800-53a + prose: " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering." + links: + - href: "#sr-10_smt" + rel: assessment-for + - id: sr-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + records of random inspections + + + inspection reports/results + + + assessment reports/results + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with supply + chain entities + + + organizational processes to inspect for tampering + - id: sr-11 + class: SP800-53 + title: Component Authenticity + params: + - id: sr-11_odp.01 + select: + how-many: one-or-more + choice: + - source of counterfeit component + - " {{ insert: param, sr-11_odp.02 }} " + - " {{ insert: param, sr-11_odp.03 }} " + - id: sr-11_odp.02 + label: external reporting organizations + guidelines: + - prose: external reporting organizations to whom counterfeit system + components are to be reported is/are defined (if selected); + - id: sr-11_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom counterfeit system components + are to be reported is/are defined (if selected); + props: + - name: label + value: SR-11 + - name: label + value: SR-11 + class: sp800-53a + - name: sort-id + value: sr-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#pe-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: sr-11_smt + name: statement + parts: + - id: sr-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement anti-counterfeit policy and procedures + that include the means to detect and prevent counterfeit components + from entering the system; and + - id: sr-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Report counterfeit system components to {{ insert: param,\ + \ sr-11_odp.01 }}." + - id: sr-11_fr + name: item + title: SR-11 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure that their supply chain vendors provide + authenticity of software and patches and the vendor must have + a plan to protect the development pipeline. + - id: sr-11_gdn + name: guidance + prose: Sources of counterfeit components include manufacturers, developers, + vendors, and contractors. Anti-counterfeiting policies and procedures + support tamper resistance and provide a level of protection against + the introduction of malicious code. External reporting organizations + include CISA. + - id: sr-11_obj + name: assessment-objective + props: + - name: label + value: SR-11 + class: sp800-53a + parts: + - id: sr-11_obj.a + name: assessment-objective + props: + - name: label + value: SR-11a. + class: sp800-53a + parts: + - id: sr-11_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-11a.[01] + class: sp800-53a + prose: an anti-counterfeit policy is developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-11a.[02] + class: sp800-53a + prose: anti-counterfeit procedures are developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-11a.[03] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + detect counterfeit components entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-11a.[04] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + prevent counterfeit components from entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.b + name: assessment-objective + props: + - name: label + value: SR-11b. + class: sp800-53a + prose: "counterfeit system components are reported to {{ insert:\ + \ param, sr-11_odp.01 }}." + links: + - href: "#sr-11_smt.b" + rel: assessment-for + links: + - href: "#sr-11_smt" + rel: assessment-for + - id: sr-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + reports notifying developers, manufacturers, vendors, contractors, + and/or external reporting organizations of counterfeit system + components + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + records of reported counterfeit system components + + + system security plan + + + other relevant documents or records + - id: sr-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and reporting + - id: sr-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for counterfeit prevention, + detection, and reporting + + + mechanisms supporting and/or implementing anti-counterfeit detection, + prevention, and reporting + controls: + - id: sr-11.1 + class: SP800-53-enhancement + title: Anti-counterfeit Training + params: + - id: sr-11.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles requiring training to detect counterfeit + system components (including hardware, software, and firmware) + is/are defined; + props: + - name: label + value: SR-11(1) + - name: label + value: SR-11(01) + class: sp800-53a + - name: sort-id + value: sr-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#at-3" + rel: related + parts: + - id: sr-11.1_smt + name: statement + prose: "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit\ + \ system components (including hardware, software, and firmware)." + - id: sr-11.1_gdn + name: guidance + prose: None. + - id: sr-11.1_obj + name: assessment-objective + props: + - name: label + value: SR-11(01) + class: sp800-53a + prose: " {{ insert: param, sr-11.01_odp }} are trained to detect\ + \ counterfeit system components (including hardware, software,\ + \ and firmware)." + links: + - href: "#sr-11.1_smt" + rel: assessment-for + - id: sr-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + training materials addressing counterfeit system components + + + training records on the detection and prevention of counterfeit + components entering the system + + + system security plan + + + other relevant documents or records + - id: sr-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and training + - id: sr-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for anti-counterfeit training + - id: sr-11.2 + class: SP800-53-enhancement + title: Configuration Control for Component Service and Repair + params: + - id: sr-11.02_odp + label: system components + constraints: + - description: all + guidelines: + - prose: system components requiring configuration control are + defined; + props: + - name: label + value: SR-11(2) + - name: label + value: SR-11(02) + class: sp800-53a + - name: sort-id + value: sr-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#cm-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-4" + rel: related + - href: "#sa-10" + rel: related + parts: + - id: sr-11.2_smt + name: statement + prose: "Maintain configuration control over the following system\ + \ components awaiting service or repair and serviced or repaired\ + \ components awaiting return to service: {{ insert: param, sr-11.02_odp\ + \ }}." + - id: sr-11.2_gdn + name: guidance + prose: None. + - id: sr-11.2_obj + name: assessment-objective + props: + - name: label + value: SR-11(02) + class: sp800-53a + parts: + - id: sr-11.2_obj-1 + name: assessment-objective + props: + - name: label + value: SR-11(02)[01] + class: sp800-53a + prose: "configuration control over {{ insert: param, sr-11.02_odp\ + \ }} awaiting service or repair is maintained;" + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_obj-2 + name: assessment-objective + props: + - name: label + value: SR-11(02)[02] + class: sp800-53a + prose: "configuration control over serviced or repaired {{ insert:\ + \ param, sr-11.02_odp }} awaiting return to service is maintained." + links: + - href: "#sr-11.2_smt" + rel: assessment-for + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy and procedures + + supply chain risk management plan + + configuration control procedures + + acquisition documentation + + service level agreements + + acquisition contracts for the system component + + inter-organizational agreements and procedures + + system security plan + + other relevant documents or records + - id: sr-11.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: sr-11.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with + supply chain entities + + + organizational configuration control processes + - id: sr-12 + class: SP800-53 + title: Component Disposal + params: + - id: sr-12_odp.01 + label: data, documentation, tools, or system components + guidelines: + - prose: data, documentation, tools, or system components to be disposed + of are defined; + - id: sr-12_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods for disposing of data, documentation, + tools, or system components are defined; + props: + - name: label + value: SR-12 + - name: label + value: SR-12 + class: sp800-53a + - name: sort-id + value: sr-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#mp-6" + rel: related + parts: + - id: sr-12_smt + name: statement + prose: "Dispose of {{ insert: param, sr-12_odp.01 }} using the following\ + \ techniques and methods: {{ insert: param, sr-12_odp.02 }}." + - id: sr-12_gdn + name: guidance + prose: Data, documentation, tools, or system components can be disposed + of at any time during the system development life cycle (not only + in the disposal or retirement phase of the life cycle). For example, + disposal can occur during research and development, design, prototyping, + or operations/maintenance and include methods such as disk cleaning, + removal of cryptographic keys, partial reuse of components. Opportunities + for compromise during disposal affect physical and logical data, including + system documentation in paper-based or digital files; shipping and + delivery documentation; memory sticks with software code; or complete + routers or servers that include permanent media, which contain sensitive + or proprietary information. Additionally, proper disposal of system + components helps to prevent such components from entering the gray + market. + - id: sr-12_obj + name: assessment-objective + props: + - name: label + value: SR-12 + class: sp800-53a + prose: " {{ insert: param, sr-12_odp.01 }} are disposed of using {{\ + \ insert: param, sr-12_odp.02 }}." + links: + - href: "#sr-12_smt" + rel: assessment-for + - id: sr-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + disposal procedures addressing supply chain protection + + + media disposal policy + + + media protection policy + + + disposal records for system components + + + documentation of the system components identified for disposal + + + documentation of the disposal techniques and methods employed + for system components + + + system security plan + + + other relevant documents or records + - id: sr-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system component disposal + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain protection responsibilities + - id: sr-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational techniques and methods for system component + disposal + + + mechanisms supporting and/or implementing system component disposal back-matter: resources: + - uuid: 91f992fb-f668-4c91-a50f-0f05b95ccee3 + title: 32 CFR 2002 + citation: + text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information* + (32 C.F.R. 2002). + rlinks: + - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information + - uuid: 0f963c17-ab5a-432a-a867-91eac550309b + title: 41 CFR 201 + citation: + text: ' "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal + Register 54263 (September 1, 2020), pp 54263-54271.' + rlinks: + - href: https://www.federalregister.gov/d/2020-18939 + - uuid: a5ef5e56-5c1a-4911-b419-37dddc1b3581 + title: 5 CFR 731 + citation: + text: Code of Federal Regulations, Title 5, *Administrative Personnel* , + Section 731.106, *Designation of Public Trust Positions and Investigative + Requirements* (5 C.F.R. 731.106). + rlinks: + - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf + - uuid: 031cc4b7-9adf-4835-98f1-f1ca493519cf + title: CNSSD 505 + citation: + text: Committee on National Security Systems Directive No. 505, *Supply + Chain Risk Management (SCRM)* , August 2017. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Directives.cfm + - uuid: 4e4fbc93-333d-45e6-a875-de36b878b6b9 + title: CNSSI 1253 + citation: + text: Committee on National Security Systems Instruction No. 1253, *Security + Categorization and Control Selection for National Security Systems* , + March 2014. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm + - uuid: aa66e14f-e7cb-4a37-99d2-07578dfd4608 + title: DOD STIG + citation: + text: Defense Information Systems Agency, *Security Technical Implementation + Guides (STIG)*. + rlinks: + - href: https://public.cyber.mil/stigs + - uuid: 55b0c93a-5e48-457a-baa6-5ce81c239c49 + title: EO 13526 + citation: + text: Executive Order 13526, *Classified National Security Information* + , December 2009. + rlinks: + - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html + - uuid: 0af071a6-cf8e-48ee-8c82-fe91efa20f94 + title: EO 13587 + citation: + text: Executive Order 13587, *Structural Reforms to Improve the Security + of Classified Networks and the Responsible Sharing and Safeguarding of + Classified Information* , October 2011. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net + - uuid: 21caa535-1154-4369-ba7b-32c309fee0f7 + title: EO 13873 + citation: + text: Executive Order 13873, *Executive Order on Securing the Information + and Communications Technology and Services Supply Chain* , May 2019. + rlinks: + - href: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain + - uuid: 4ff10ed3-d8fe-4246-99e3-443045e27482 + title: FASC18 + citation: + text: Secure Technology Act [includes Federal Acquisition Supply Chain Security + Act] (P.L. 115-390), December 2018. + rlinks: + - href: https://www.congress.gov/bill/115th-congress/senate-bill/3085 + - uuid: a1555677-2b9d-4868-a97b-a1363aff32f5 + title: FED PKI + citation: + text: General Services Administration, *Federal Public Key Infrastructure*. + rlinks: + - href: https://www.idmanagement.gov/topics/fpki + - uuid: 678e3d6c-150b-4393-aec5-6e3481eb1e00 + title: FIPS 140-3 + citation: + text: "National Institute of Standards and Technology (2019) Security Requirements\ + \ for Cryptographic Modules. (U.S. Department of Commerce, Washington,\ + \ D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.140-3 + - uuid: eea3c092-42ed-4382-a6f4-1adadef01b9d + title: FIPS 180-4 + citation: + text: National Institute of Standards and Technology (2015) Secure Hash + Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 180-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.180-4 + - uuid: 7c37a38d-21d7-40d8-bc3d-b5e27eac17e1 + title: FIPS 186-4 + citation: + text: National Institute of Standards and Technology (2013) Digital Signature + Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 186-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.186-4 + - uuid: 736d6310-e403-4b57-a79d-9967970c66d7 + title: FIPS 197 + citation: + text: National Institute of Standards and Technology (2001) Advanced Encryption + Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 197. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.197 + - uuid: 628d22a1-6a11-4784-bc59-5cd9497b5445 + title: FIPS 199 + citation: + text: National Institute of Standards and Technology (2004) Standards for + Security Categorization of Federal Information and Information Systems. + (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing + Standards Publication (FIPS) 199. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.199 + - uuid: 599fb53d-5041-444e-a7fe-640d6d30ad05 + title: FIPS 200 + citation: + text: National Institute of Standards and Technology (2006) Minimum Security + Requirements for Federal Information and Information Systems. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 200. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.200 + - uuid: 7ba1d91c-3934-4d5a-8532-b32f864ad34c + title: FIPS 201-2 + citation: + text: National Institute of Standards and Technology (2013) Personal Identity + Verification (PIV) of Federal Employees and Contractors. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 201-2. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.201-2 + - uuid: a295ca19-8c75-4b4c-8800-98024732e181 + title: FIPS 202 + citation: + text: "National Institute of Standards and Technology (2015) SHA-3 Standard:\ + \ Permutation-Based Hash and Extendable-Output Functions. (U.S. Department\ + \ of Commerce, Washington, D.C.), Federal Information Processing Standards\ + \ Publication (FIPS) 202." + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.202 + - uuid: 0c67b2a9-bede-43d2-b86d-5f35b8be36e9 + title: FISMA + citation: + text: Federal Information Security Modernization Act (P.L. 113-283), December + 2014. + rlinks: + - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf + - uuid: f16e438e-7114-4144-bfe2-2dfcad8cb2d0 + title: HSPD 12 + citation: + text: Homeland Security Presidential Directive 12, Policy for a Common Identification + Standard for Federal Employees and Contractors, August 2004. + rlinks: + - href: https://www.dhs.gov/homeland-security-presidential-directive-12 + - uuid: 15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c + title: IR 7539 + citation: + text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart + Cards. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7539. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7539 + - uuid: 2be7b163-e50a-435c-8906-f1162f2a457a + title: IR 7559 + citation: + text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services + (FWS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7559. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7559 + - uuid: e24b06cc-9129-4998-a76a-65c3d7a576ba + title: IR 7622 + citation: + text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional + Supply Chain Risk Management Practices for Federal Information Systems. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7622. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7622 + - uuid: 4b38e961-1125-4a5b-aa35-1d6c02846dad + title: IR 7676 + citation: + text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity + Verification (PIV) Cards. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7676 + - uuid: aa5d04e0-6090-4e17-84d4-b9963d55fc2c + title: IR 7788 + citation: + text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks + Using Probabilistic Attack Graphs. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) + 7788. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7788 + - uuid: 91701292-8bcd-4d2e-a5bd-59ab61e34b3c + title: IR 7817 + citation: + text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for + Federated Identities. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7817 + - uuid: 4f5f51ac-2b8d-4b90-a3c7-46f56e967617 + title: IR 7849 + citation: + text: Chandramouli R (2014) A Methodology for Developing Authentication + Assurance Level Taxonomy for Smart Card-based Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 7849. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7849 + - uuid: 604774da-9e1d-48eb-9c62-4e959dc80737 + title: IR 7870 + citation: + text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7870. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7870 + - uuid: 7f473f21-fdbf-4a6c-81a1-0ab95919609d + title: IR 7874 + citation: + text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation + Metrics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7874. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7874 + - uuid: 849b2358-683f-4d97-b111-1cc3d522ded5 + title: IR 7956 + citation: + text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management + Issues & Challenges in Cloud Services. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Interagency or Internal Report + (IR) 7956. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7956 + - uuid: 3915a084-b87b-4f02-83d4-c369e746292f + title: IR 7966 + citation: + text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive + and Automated Access Management Using Secure Shell (SSH). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 7966. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7966 + - uuid: bbac9fc2-df5b-4f2d-bf99-90d0ade45349 + title: IR 8011-1 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 1: Overview. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Interagency or Internal Report\ + \ (IR) 8011, Volume 1." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-1 + - uuid: 70402863-5078-43af-9a6c-e11b0f3ec370 + title: IR 8011-2 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 2: Hardware Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 2." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-2 + - uuid: 996241f8-f692-42d5-91f1-ce8b752e39e6 + title: IR 8011-3 + citation: + text: "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for\ + \ Security Control Assessments: Volume 3: Software Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 3." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-3 + - uuid: d2ebec9b-f868-4ee1-a2bd-0b2282aed248 + title: IR 8011-4 + citation: + text: "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support\ + \ for Security Control Assessments: Volume 4: Software Vulnerability Management.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Interagency or Internal Report (IR) 8011, Volume 4." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-4 + - uuid: 4c501da5-9d79-4cb6-ba80-97260e1ce327 + title: IR 8023 + citation: + text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 8023. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8023 + - uuid: 81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5 + title: IR 8040 + citation: + text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and + Security of Permuted Passwords on Mobile Platforms. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8040. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8040 + - uuid: 98d415ca-7281-4064-9931-0c366637e324 + title: IR 8062 + citation: + text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction + to Privacy Engineering and Risk Management in Federal Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 8062. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8062 + - uuid: d4296805-2dca-4c63-a95f-eeccaa826aec + title: IR 8179 + citation: + text: "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis\ + \ Process Model: Prioritizing Systems and Components. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Interagency or\ + \ Internal Report (IR) 8179." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8179 + - uuid: 38ff38f0-1366-4f50-a4c9-26a39aacee16 + title: IR 8272 + citation: + text: Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis + Tool for Interdependent Cyber Supply Chain Risks. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8272. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8272 + - uuid: 6afc1b04-c9d6-4023-adbc-f8fbe33a3c73 + title: ISO 15408-1 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-1:2009, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 1: Introduction and general\ + \ model* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf + - uuid: 87087451-2af5-43d4-88c1-d66ad850f614 + title: ISO 15408-2 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-2:2008, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 2: Security functional\ + \ requirements* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf + - uuid: 4452efc0-e79e-47b8-aa30-b54f3ef61c2f + title: ISO 15408-3 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-3:2008, *Information technology—Security techniques\ + \ — Evaluation criteria for IT security — Part 3: Security assurance requirements*\ + \ , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf + - uuid: 15a95e24-65b6-4686-bc18-90855a10457d + title: ISO 20243 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 20243-1:2018, *Information technology — Open Trusted Technology\ + \ Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit\ + \ products — Part 1: Requirements and recommendations* , February 2018." + rlinks: + - href: https://www.iso.org/standard/74399.html + - uuid: 863caf2a-978a-4260-9e8d-4a8929bce40c + title: ISO 27036 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 27036-1:2014, *Information technology—Security techniques—Information\ + \ security for supplier relationships, Part 1: Overview and concepts*\ + \ , April 2014." + rlinks: + - href: https://www.iso.org/standard/59648.html + - uuid: 8df72805-2e5c-4731-a73e-81db0f0318d0 + title: ISO 29147 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission 29147:2018, *Information technology—Security techniques—Vulnerability + disclosure* , October 2018. + rlinks: + - href: https://www.iso.org/standard/72311.html + - uuid: 06ce9216-bd54-4054-a422-94f358b50a5d + title: ISO 29148 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) + 29148:2018, *Systems and software engineering—Life cycle processes—Requirements + engineering* , November 2018. + rlinks: + - href: https://www.iso.org/standard/72089.html + - uuid: c28ae9a8-1121-42a9-a85e-00cfcc9b9a94 + title: NARA CUI + citation: + text: National Archives and Records Administration, Controlled Unclassified + Information (CUI) Registry. + rlinks: + - href: https://www.archives.gov/cui + - uuid: d744d9a3-73eb-4085-b9ff-79e82e9e2d6e + title: NCPR + citation: + text: National Institute of Standards and Technology (2020) *National Checklist + Program Repository* . Available at + rlinks: + - href: https://nvd.nist.gov/ncp/repository + - uuid: 795aff72-3e6c-4b6b-a80a-b14d84b7f544 + title: NIAP CCEVS + citation: + text: National Information Assurance Partnership, *Common Criteria Evaluation + and Validation Scheme*. + rlinks: + - href: https://www.niap-ccevs.org + - uuid: 84dc1b0c-acb7-4269-84c4-00dbabacd78c + title: NIST CAVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Algorithm Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program + - uuid: 1acdc775-aafb-4d11-9341-dc6a822e9d38 + title: NIST CMVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Module Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-module-validation-program + - uuid: 3d575737-98cb-459d-b41c-d7e82b73ad78 + title: NSA CSFC + citation: + text: National Security Agency, *Commercial Solutions for Classified Program + (CSfC)*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/csfc + - uuid: df9f87e9-71e7-4c74-9ac3-3cabd4e92f21 + title: NSA MEDIA + citation: + text: National Security Agency, *Media Destruction Guidance*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/media-destruction + - uuid: 89f2a08d-fc49-46d0-856e-bf974c9b1573 + title: ODNI CTF + citation: + text: Office of the Director of National Intelligence (ODNI) Cyber Threat + Framework. + rlinks: + - href: https://www.dni.gov/index.php/cyber-threat-framework + - uuid: 27847491-5ce1-4f6a-a1e4-9e483782f0ef + title: OMB A-130 + citation: + text: Office of Management and Budget Memorandum Circular A-130, *Managing + Information as a Strategic Resource* , July 2016. + rlinks: + - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf + - uuid: 5f4705ac-8d17-438c-b23a-ac7f12362ae4 + title: OMB M-17-12 + citation: + text: Office of Management and Budget Memorandum M-17-12, *Preparing for + and Responding to a Breach of Personally Identifiable Information* , January + 2017. + rlinks: + - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf + - uuid: c5e11048-1d38-4af3-b00b-0d88dc26860c + title: OMB M-19-03 + citation: + text: Office of Management and Budget Memorandum M-19-03, *Strengthening + the Cybersecurity of Federal Agencies by Enhancing the High Value Asset + Program* , December 2018. + rlinks: + - href: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf + - uuid: 18e71fec-c6fd-475a-925a-5d8495cf8455 + title: PRIVACT + citation: + text: Privacy Act (P.L. 93-579), December 1974. + rlinks: + - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf + - uuid: 4c0ec2ee-a0d6-428a-9043-4504bc3ade6f + title: SP 800-100 + citation: + text: "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A\ + \ Guide for Managers. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates\ + \ as of March 7, 2007." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-100 + - uuid: 10cf2fad-a216-41f9-bb1a-531b7e3119e3 + title: SP 800-101 + citation: + text: Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device + Forensics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-101, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-101r1 + - uuid: 22f2d4f0-4365-4e88-a30d-275c1f5473ea + title: SP 800-111 + citation: + text: Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption + Technologies for End User Devices. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-111 + - uuid: 6bc4d137-aece-42a8-8081-9ecb1ebe9fb4 + title: SP 800-113 + citation: + text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-113. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-113 + - uuid: 42e37e51-7cc0-4ffa-81c9-0ac942da7e99 + title: SP 800-114 + citation: + text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring + Your Own Device (BYOD) Security. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-114r1 + - uuid: 122177fa-c4ed-485d-8345-3082c0fb9a06 + title: SP 800-115 + citation: + text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide + to Information Security Testing and Assessment. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-115. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-115 + - uuid: 2100332a-16a5-4598-bacf-7261baea9711 + title: SP 800-116 + citation: + text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) + A Recommendation for the Use of PIV Credentials in Physical Access Control + Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-116, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-116r1 + - uuid: d17ebd7a-ffab-499d-bfff-e705bbb01fa6 + title: SP 800-121 + citation: + text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone + KA (2017) Guide to Bluetooth Security. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-121r2 + - uuid: 0f66be67-85e7-4ca6-bd19-39453e9f4394 + title: SP 800-124 + citation: + text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security + of Mobile Devices in the Enterprise. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-124r1 + - uuid: 88660532-2dcf-442e-845c-03340ce48999 + title: SP 800-125B + citation: + text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual + Machine (VM) Protection. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-125B + - uuid: 8016d2ed-d30f-4416-9c45-0f42c7aa3232 + title: SP 800-126 + citation: + text: "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018)\ + \ The Technical Specification for the Security Content Automation Protocol\ + \ (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-126r3 + - uuid: 20db4e66-e257-450c-b2e4-2bb9a62a2c88 + title: SP 800-128 + citation: + text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for + Security-Focused Configuration Management of Information Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-128, Includes updates as of October 10, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-128 + - uuid: c7ac44e8-10db-4b64-b2b9-9e32ec1efed0 + title: SP 800-12 + citation: + text: Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information + Security. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-12, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-12r1 + - uuid: 3653e316-8923-430e-8943-b3b2b2562fc6 + title: SP 800-130 + citation: + text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for + Designing Cryptographic Key Management Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-130. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-130 + - uuid: 62ea77ca-e450-4323-b210-e0d75390e785 + title: SP 800-137A + citation: + text: "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S\ + \ (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs:\ + \ Developing an ISCM Program Assessment. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137A + - uuid: 067223d8-1ec7-45c5-b21b-c848da6de8fb + title: SP 800-137 + citation: + text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh + AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring + (ISCM) for Federal Information Systems and Organizations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-137. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137 + - uuid: 9ef4b43c-42a4-4316-87dc-ffaf528bc05c + title: SP 800-150 + citation: + text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) + Guide to Cyber Threat Information Sharing. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-150 + - uuid: 2494df28-9049-4196-b233-540e7440993f + title: SP 800-152 + citation: + text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal + Cryptographic Key Management Systems (CKMS). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-152 + - uuid: d9e036ba-6eec-46a6-9340-b0bf1fea23b4 + title: SP 800-156 + citation: + text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady + S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-156. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-156 + - uuid: e3cc0520-a366-4fc9-abc2-5272db7e3564 + title: SP 800-160-1 + citation: + text: "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering:\ + \ Considerations for a Multidisciplinary Approach in the Engineering of\ + \ Trustworthy Secure Systems. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes\ + \ updates as of March 21, 2018." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v1 + - uuid: 61ccf0f4-d3e7-42db-9796-ce6cb1c85989 + title: SP 800-160-2 + citation: + text: "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing\ + \ Cyber Resilient Systems: A Systems Security Engineering Approach. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-160, Vol. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v2 + - uuid: e8e84963-14fc-4c3a-be05-b412a5d37cd2 + title: SP 800-161 + citation: + text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk + Management Practices for Federal Information Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-161. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-161 + - uuid: 2956e175-f674-43f4-b1b9-e074ad9fc39c + title: SP 800-162 + citation: + text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone + KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and + Considerations. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-162, Includes updates as of August + 2, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-162 + - uuid: e8552d48-cf41-40aa-8b06-f45f7fb4706c + title: SP 800-166 + citation: + text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady + S (2016) Derived PIV Application and Data Model Test Guidelines. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-166. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-166 + - uuid: 38f39739-1ebd-43b1-8b8c-00f591d89ebd + title: SP 800-167 + citation: + text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application + Whitelisting. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-167. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-167 + - uuid: 7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849 + title: SP 800-171 + citation: + text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting + Controlled Unclassified Information in Nonfederal Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-171, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-171r2 + - uuid: f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e + title: SP 800-172 + citation: + text: "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau\ + \ D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified\ + \ Information: A Supplement to NIST Special Publication 800-171 (Final\ + \ Public Draft). (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-172." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-172-draft + - uuid: 1c71b420-2bd9-4e52-9fc8-390f58b85b59 + title: SP 800-177 + citation: + text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy + Email. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-177, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-177r1 + - uuid: 388a3aa2-5d85-4bad-b8a3-77db80d63c4f + title: SP 800-178 + citation: + text: "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of\ + \ Attribute Based Access Control (ABAC) Standards for Data Service Applications:\ + \ Extensible Access Control Markup Language (XACML) and Next Generation\ + \ Access Control (NGAC). (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-178." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-178 + - uuid: 276bd50a-7e58-48e5-a405-8c8cb91d7a5f + title: SP 800-181 + citation: + text: Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce + Framework for Cybersecurity (NICE Framework). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-181r1 + - uuid: 31ae65ab-3f26-46b7-9d64-f25a4dac5778 + title: SP 800-184 + citation: + text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya + MP (2016) Guide for Cybersecurity Event Recovery. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-184. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-184 + - uuid: f5edfe51-d1f2-422e-9b27-5d0e90b49c72 + title: SP 800-189 + citation: + text: "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange:\ + \ BGP Security and DDoS Mitigation. (National Institute of Standards and\ + \ Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-189 + - uuid: 30eb758a-2707-4bca-90ad-949a74d4eb16 + title: SP 800-18 + citation: + text: Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans + for Federal Information Systems. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. + 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-18r1 + - uuid: 53df282b-8b3f-483a-bad1-6a8b8ac00114 + title: SP 800-192 + citation: + text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access + Control Policies/Models. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-192. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-192 + - uuid: 08b07465-dbdc-48d6-8a0b-37279602ac16 + title: SP 800-30 + citation: + text: Joint Task Force Transformation Initiative (2012) Guide for Conducting + Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-30, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-30r1 + - uuid: bc39f179-c735-4da2-b7a7-b2b622119755 + title: SP 800-34 + citation: + text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency + Planning Guide for Federal Information Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-34r1 + - uuid: 77faf0bc-c394-44ad-9154-bbac3b79c8ad + title: SP 800-35 + citation: + text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information + Technology Security Services. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-35. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-35 + - uuid: 482e4c99-9dc4-41ad-bba8-0f3f0032c1f8 + title: SP 800-37 + citation: + text: "Joint Task Force (2018) Risk Management Framework for Information\ + \ Systems and Organizations: A System Life Cycle Approach for Security\ + \ and Privacy. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-37, Rev. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-37r2 + - uuid: cec037f3-8aba-4c97-84b4-4082f9e515d2 + title: SP 800-39 + citation: + text: "Joint Task Force Transformation Initiative (2011) Managing Information\ + \ Security Risk: Organization, Mission, and Information System View. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-39." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-39 + - uuid: 155f941a-cba9-4afd-9ca6-5d040d697ba9 + title: SP 800-40 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management + Technologies. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-40, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-40r3 + - uuid: a7f0e897-29a3-45c4-bd88-40dfef0e034a + title: SP 800-41 + citation: + text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall + Policy. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-41, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-41r1 + - uuid: 83b9d63b-66b1-467c-9f3b-3a0b108771e9 + title: SP 800-46 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote + Access, and Bring Your Own Device (BYOD) Security. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-46, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-46r2 + - uuid: c3a76872-e160-4267-99e8-6952de967d04 + title: SP 800-47 + citation: + text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide + for Interconnecting Information Technology Systems. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-47. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-47 + - uuid: 511f6832-23ca-49a3-8c0f-ce493373cab8 + title: SP 800-50 + citation: + text: Wilson M, Hash J (2003) Building an Information Technology Security + Awareness and Training Program. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-50. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-50 + - uuid: 7537638e-2837-407d-844b-40fb3fafdd99 + title: SP 800-52 + citation: + text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, + and Use of Transport Layer Security (TLS) Implementations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-52, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-52r2 + - uuid: a21aef46-7330-48a0-b2e1-c5bb8b2dd11d + title: SP 800-53A + citation: + text: "Joint Task Force Transformation Initiative (2014) Assessing Security\ + \ and Privacy Controls in Federal Information Systems and Organizations:\ + \ Building Effective Assessment Plans. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A,\ + \ Rev. 4, Includes updates as of December 18, 2014." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 + - uuid: 46d9e201-840e-440e-987c-2c773333c752 + title: SP 800-53B + citation: + text: Joint Task Force (2020) Control Baselines and Tailoring Guidance for + Federal Information Systems and Organizations. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-53B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53B + - uuid: 20957dbb-6a1e-40a2-b38a-66f67d33ac2e + title: SP 800-56A + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation + for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-56A, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 + - uuid: 0d083d8a-5cc6-46f1-8d79-3081d42bcb75 + title: SP 800-56B + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) + Recommendation for Pair-Wise Key-Establishment Using Integer Factorization + Cryptography. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-56B, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Br2 + - uuid: eef62b16-c796-4554-955c-505824135b8a + title: SP 800-56C + citation: + text: Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation + Methods in Key-Establishment Schemes. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Cr2 + - uuid: 110e26af-4765-49e1-8740-6750f83fcda1 + title: SP 800-57-1 + citation: + text: "Barker EB (2020) Recommendation for Key Management: Part 1 – General.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt1r5 + - uuid: e7942589-e267-4a5a-a3d9-f39a7aae81f0 + title: SP 800-57-2 + citation: + text: "Barker EB, Barker WC (2019) Recommendation for Key Management: Part\ + \ 2 – Best Practices for Key Management Organizations. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 + - uuid: 8306620b-1920-4d73-8b21-12008528595f + title: SP 800-57-3 + citation: + text: "Barker EB, Dang QH (2015) Recommendation for Key Management, Part\ + \ 3: Application-Specific Key Management Guidance. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 3, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 + - uuid: e72fde0b-6fc2-497e-a9db-d8fce5a11b8a + title: SP 800-60-1 + citation: + text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide + for Mapping Types of Information and Information Systems to Security Categories. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-60, Vol. 1, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 + - uuid: 9be5d661-421f-41ad-854e-86f98b811891 + title: SP 800-60-2 + citation: + text: "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for\ + \ Mapping Types of Information and Information Systems to Security Categories:\ + \ Appendices. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 + - uuid: 49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb + title: SP 800-61 + citation: + text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security + Incident Handling Guide. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-61r2 + - uuid: 737513fa-6758-403f-831d-5ddab5e23cb3 + title: SP 800-63-3 + citation: + text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63-3 + - uuid: e59c5a7c-8b1f-49ca-8de0-6ee0882180ce + title: SP 800-63B + citation: + text: "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr\ + \ WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos\ + \ MF (2017) Digital Identity Guidelines: Authentication and Lifecycle\ + \ Management. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-63B, Includes updates as of March\ + \ 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63b + - uuid: 4895b4cd-34c5-4667-bf8a-27d443c12047 + title: SP 800-70 + citation: + text: "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist\ + \ Program for IT Products: Guidelines for Checklist Users and Developers.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-70, Rev. 4." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-70r4 + - uuid: 858705be-3c1f-48aa-a328-0ce398d95ef0 + title: SP 800-73-4 + citation: + text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, + Mohler J (2015) Interfaces for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-73-4 + - uuid: 7af2e6ec-9f7e-4232-ad3f-09888eb0793a + title: SP 800-76-2 + citation: + text: Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications + for Personal Identity Verification. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-76-2 + - uuid: d4d7c760-2907-403b-8b2a-767ca5370ecd + title: SP 800-77 + citation: + text: Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide + to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-77, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-77r1 + - uuid: 828856bd-d7c4-427b-8b51-815517ec382d + title: SP 800-78-4 + citation: + text: Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic + Algorithms and Key Sizes for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-78-4. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-78-4 + - uuid: 10963761-58fc-4b20-b3d6-b44a54daba03 + title: SP 800-79-2 + citation: + text: Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) + Guidelines for the Authorization of Personal Identity Verification Card + Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-79-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-79-2 + - uuid: fe209006-bfd4-4033-a79a-9fee1adaf372 + title: SP 800-81-2 + citation: + text: Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment + Guide. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-81-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-81-2 + - uuid: 3dd249b0-f57d-44ba-a03e-c3eab1b835ff + title: SP 800-83 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention + and Handling for Desktops and Laptops. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-83r1 + - uuid: 53be2fcf-cfd1-4bcb-896b-9a3b65c22098 + title: SP 800-84 + citation: + text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide + to Test, Training, and Exercise Programs for IT Plans and Capabilities. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-84. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-84 + - uuid: cfdb1858-c473-46b3-89f9-a700308d0be2 + title: SP 800-86 + citation: + text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating + Forensic Techniques into Incident Response. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-86 + - uuid: a5b1d18d-e670-4586-9e6d-4a88b7ba3df6 + title: SP 800-88 + citation: + text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for + Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-88, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-88r1 + - uuid: 5eee45d8-3313-4fdc-8d54-1742092bbdd6 + title: SP 800-92 + citation: + text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-92. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-92 + - uuid: 25e3e57b-dc2f-4934-af9b-050b020c6f0e + title: SP 800-94 + citation: + text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention + Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-94. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-94 + - uuid: 03fb73bc-1b12-4182-bd96-e5719254ea61 + title: SP 800-97 + citation: + text: "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless\ + \ Robust Security Networks: A Guide to IEEE 802.11i. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-97." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-97 + - uuid: 13f0c39d-eaf7-417a-baef-69a041878bb5 + title: USA PATRIOT + citation: + text: USA Patriot Act (P.L. 107-56), October 2001. + rlinks: + - href: https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf + - uuid: e922fc50-b1f9-469f-92ef-ed7d9803611c + title: USC 2901 + citation: + text: United States Code, 2008 Edition, Title 44 - *Public Printing and + Documents* , Chapters 29, 31, and 33, January 2012. + rlinks: + - href: https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf + - uuid: 40b78258-c892-480e-9af8-77ac36648301 + title: USCERT IR + citation: + text: Department of Homeland Security, *US-CERT Federal Incident Notification + Guidelines* , April 2017. + rlinks: + - href: https://us-cert.cisa.gov/incident-notification-guidelines + - uuid: 98498928-3ca3-44b3-8b1e-f48685373087 + title: USGCB + citation: + text: National Institute of Standards and Technology (2020) *United States + Government Configuration Baseline* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline + - uuid: c3397cc9-83c6-4459-adb2-836739dc1b94 + title: "NIST Special Publication 800-53, Revision 5: * Security and Privacy\ + \ Controls for Information Systems and Organizations* (PDF)" + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf + media-type: application/pdf - uuid: 985475ee-d4d6-4581-8fdf-d84d3d8caa48 title: FedRAMP Applicable Laws and Regulations rlinks: diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline_profile.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline_profile.yaml index 43fe4bd0b..4ee081052 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline_profile.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_LOW-baseline_profile.yaml @@ -2248,5 +2248,5 @@ profile: - name: version value: 5.1.1 rlinks: - - href: https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + - href: https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml media-type: application/oscal+yaml diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.yaml index e1480c701..d60464929 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.yaml @@ -1,10 +1,10 @@ --- catalog: - uuid: 36094314-56ce-43fd-9ab8-0e1f6fa6bfaa + uuid: 05787e43-fa8f-4f67-9a3b-2240fb4d9a78 metadata: title: FedRAMP Rev 5 Moderate Baseline published: 2023-08-31T00:00:00Z - last-modified: 2023-12-18T20:27:56.71703-05:00 + last-modified: 2024-01-11T18:08:21.203723-05:00 version: 5.1.1+fedramp-20231218-0 oscal-version: 1.1.1 links: @@ -60,8 +60,74596 @@ catalog: - role-id: fedramp-jab party-uuids: - ca9ba80e-1342-4bfd-b32a-abac468c24b4 + groups: + - id: ac + class: family + title: Access Control + controls: + - id: ac-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ac-1_prm_1 + label: organization-defined personnel or roles + - id: ac-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control policy is to + be disseminated is/are defined; + - id: ac-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the access control procedures + are to be disseminated is/are defined; + - id: ac-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ac-01_odp.04 + label: official + guidelines: + - prose: an official to manage the access control policy and procedures + is defined; + - id: ac-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current access control policy + is reviewed and updated is defined; + - id: ac-01_odp.06 + label: events + guidelines: + - prose: events that would require the current access control policy + to be reviewed and updated are defined; + - id: ac-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current access control procedures + are reviewed and updated is defined; + - id: ac-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AC-1 + - name: label + value: AC-01 + class: sp800-53a + - name: sort-id + value: ac-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ia-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ac-1_smt + name: statement + parts: + - id: ac-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ac-1_prm_1 }}:" + parts: + - id: ac-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-01_odp.03 }} access control policy\ + \ that:" + parts: + - id: ac-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ac-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ac-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the access + control policy and the associated access controls; + - id: ac-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ac-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - id: ac-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current access control:" + parts: + - id: ac-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ac-01_odp.05 }} and following\ + \ {{ insert: param, ac-01_odp.06 }} ; and" + - id: ac-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ac-01_odp.07 }} and following\ + \ {{ insert: param, ac-01_odp.08 }}." + - id: ac-1_gdn + name: guidance + prose: Access control policy and procedures address the controls in + the AC family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of access control + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to access control policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ac-1_obj + name: assessment-objective + props: + - name: label + value: AC-01 + class: sp800-53a + parts: + - id: ac-1_obj.a + name: assessment-objective + props: + - name: label + value: AC-01a. + class: sp800-53a + parts: + - id: ac-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.[01] + class: sp800-53a + prose: an access control policy is developed and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.[02] + class: sp800-53a + prose: "the access control policy is disseminated to {{ insert:\ + \ param, ac-01_odp.01 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.[03] + class: sp800-53a + prose: access control procedures to facilitate the implementation + of the access control policy and associated controls are developed + and documented; + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.[04] + class: sp800-53a + prose: "the access control procedures are disseminated to {{\ + \ insert: param, ac-01_odp.02 }};" + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-01a.01 + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AC-01a.01(a) + class: sp800-53a + parts: + - id: ac-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses purpose;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses scope;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses roles;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses responsibilities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses management commitment;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access\ + \ control policy addresses compliance;" + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1.a" + rel: assessment-for + - id: ac-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.03 }} access control\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ac-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ac-1_smt.a.1" + rel: assessment-for + links: + - href: "#ac-1_smt.a" + rel: assessment-for + - id: ac-1_obj.b + name: assessment-objective + props: + - name: label + value: AC-01b. + class: sp800-53a + prose: "the {{ insert: param, ac-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the access\ + \ control policy and procedures;" + links: + - href: "#ac-1_smt.b" + rel: assessment-for + - id: ac-1_obj.c + name: assessment-objective + props: + - name: label + value: AC-01c. + class: sp800-53a + parts: + - id: ac-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-01c.01 + class: sp800-53a + parts: + - id: ac-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AC-01c.01[01] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated {{ insert: param, ac-01_odp.05 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AC-01c.01[02] + class: sp800-53a + prose: "the current access control policy is reviewed and\ + \ updated following {{ insert: param, ac-01_odp.06 }};" + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + links: + - href: "#ac-1_smt.c.1" + rel: assessment-for + - id: ac-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-01c.02 + class: sp800-53a + parts: + - id: ac-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AC-01c.02[01] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated {{ insert: param, ac-01_odp.07 }};" + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + - id: ac-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AC-01c.02[02] + class: sp800-53a + prose: "the current access control procedures are reviewed\ + \ and updated following {{ insert: param, ac-01_odp.08\ + \ }}." + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c.2" + rel: assessment-for + links: + - href: "#ac-1_smt.c" + rel: assessment-for + links: + - href: "#ac-1_smt" + rel: assessment-for + - id: ac-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access control + responsibilities + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2 + class: SP800-53 + title: Account Management + params: + - id: ac-02_odp.01 + label: prerequisites and criteria + guidelines: + - prose: prerequisites and criteria for group and role membership + are defined; + - id: ac-02_odp.02 + label: attributes (as required) + guidelines: + - prose: attributes (as required) for each account are defined; + - id: ac-02_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles required to approve requests to create + accounts is/are defined; + - id: ac-02_odp.04 + label: policy, procedures, prerequisites, and criteria + guidelines: + - prose: policy, procedures, prerequisites, and criteria for account + creation, enabling, modification, disabling, and removal are defined; + - id: ac-02_odp.05 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified is/are defined; + - id: ac-02_odp.06 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify account managers when + accounts are no longer required is defined; + - id: ac-02_odp.07 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: "time period within which to notify account managers when\ + \ users are terminated or transferred is defined; " + - id: ac-02_odp.08 + label: time period + constraints: + - description: eight (8) hours + guidelines: + - prose: time period within which to notify account managers when + system usage or the need to know changes for an individual is + defined; + - id: ac-02_odp.09 + label: attributes (as required) + guidelines: + - prose: attributes needed to authorize system access (as required) + are defined; + - id: ac-02_odp.10 + label: frequency + constraints: + - description: quarterly for privileged access, annually for non-privileged + access + guidelines: + - prose: the frequency of account review is defined; + props: + - name: label + value: AC-2 + - name: label + value: AC-02 + class: sp800-53a + - name: sort-id + value: ac-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#53df282b-8b3f-483a-bad1-6a8b8ac00114" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-24" + rel: related + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ac-2_smt + name: statement + parts: + - id: ac-2_smt.a + name: item + props: + - name: label + value: a. + prose: Define and document the types of accounts allowed and specifically + prohibited for use within the system; + - id: ac-2_smt.b + name: item + props: + - name: label + value: b. + prose: Assign account managers; + - id: ac-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require {{ insert: param, ac-02_odp.01 }} for group and\ + \ role membership;" + - id: ac-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Specify:" + parts: + - id: ac-2_smt.d.1 + name: item + props: + - name: label + value: "1." + prose: Authorized users of the system; + - id: ac-2_smt.d.2 + name: item + props: + - name: label + value: "2." + prose: Group and role membership; and + - id: ac-2_smt.d.3 + name: item + props: + - name: label + value: "3." + prose: "Access authorizations (i.e., privileges) and {{ insert:\ + \ param, ac-02_odp.02 }} for each account;" + - id: ac-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Require approvals by {{ insert: param, ac-02_odp.03 }} for\ + \ requests to create accounts;" + - id: ac-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Create, enable, modify, disable, and remove accounts in\ + \ accordance with {{ insert: param, ac-02_odp.04 }};" + - id: ac-2_smt.g + name: item + props: + - name: label + value: g. + prose: Monitor the use of accounts; + - id: ac-2_smt.h + name: item + props: + - name: label + value: h. + prose: "Notify account managers and {{ insert: param, ac-02_odp.05\ + \ }} within:" + parts: + - id: ac-2_smt.h.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ac-02_odp.06 }} when accounts are\ + \ no longer required;" + - id: ac-2_smt.h.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, ac-02_odp.07 }} when users are terminated\ + \ or transferred; and" + - id: ac-2_smt.h.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.08 }} when system usage\ + \ or need-to-know changes for an individual;" + - id: ac-2_smt.i + name: item + props: + - name: label + value: i. + prose: "Authorize access to the system based on:" + parts: + - id: ac-2_smt.i.1 + name: item + props: + - name: label + value: "1." + prose: A valid access authorization; + - id: ac-2_smt.i.2 + name: item + props: + - name: label + value: "2." + prose: Intended system usage; and + - id: ac-2_smt.i.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ac-02_odp.09 }};" + - id: ac-2_smt.j + name: item + props: + - name: label + value: j. + prose: "Review accounts for compliance with account management requirements\ + \ {{ insert: param, ac-02_odp.10 }};" + - id: ac-2_smt.k + name: item + props: + - name: label + value: k. + prose: Establish and implement a process for changing shared or + group account authenticators (if deployed) when individuals are + removed from the group; and + - id: ac-2_smt.l + name: item + props: + - name: label + value: l. + prose: Align account management processes with personnel termination + and transfer processes. + - id: ac-2_gdn + name: guidance + prose: >- + Examples of system account types include individual, shared, + group, system, guest, anonymous, emergency, developer, + temporary, and service. Identification of authorized system + users and the specification of access privileges reflect the + requirements in other controls in the security plan. Users + requiring administrative privileges on system accounts receive + additional scrutiny by organizational personnel responsible for + approving such accounts and privileged access, including system + owner, mission or business owner, senior agency information + security officer, or senior agency official for privacy. Types + of accounts that organizations may wish to prohibit due to + increased risk include shared, group, emergency, anonymous, + temporary, and guest accounts. + + + Where access involves personally identifiable information, security + programs collaborate with the senior agency official for privacy to + establish the specific conditions for group and role membership; specify + authorized users, group and role membership, and access authorizations + for each account; and create, adjust, or remove system accounts in + accordance with organizational policies. Policies can include such + information as account expiration dates or other factors that trigger + the disabling of accounts. Organizations may choose to define access + privileges or other attributes by account, type of account, or a combination + of the two. Examples of other attributes required for authorizing + access include restrictions on time of day, day of week, and point + of origin. In defining other system account attributes, organizations + consider system-related requirements and mission/business requirements. + Failure to consider these factors could affect system availability. + + + Temporary and emergency accounts are intended for short-term use. + Organizations establish temporary accounts as part of normal account + activation procedures when there is a need for short-term accounts + without the demand for immediacy in account activation. Organizations + establish emergency accounts in response to crisis situations and + with the need for rapid account activation. Therefore, emergency account + activation may bypass normal account authorization processes. Emergency + and temporary accounts are not to be confused with infrequently used + accounts, including local logon accounts used for special tasks or + when network resources are unavailable (may also be known as accounts + of last resort). Such accounts remain available and are not subject + to automatic disabling or removal dates. Conditions for disabling + or deactivating accounts include when shared/group, emergency, or + temporary accounts are no longer required and when individuals are + transferred or terminated. Changing shared/group authenticators when + members leave the group is intended to ensure that former group members + do not retain access to the shared or group account. Some types of + system accounts may require specialized training. + - id: ac-2_obj + name: assessment-objective + props: + - name: label + value: AC-02 + class: sp800-53a + parts: + - id: ac-2_obj.a + name: assessment-objective + props: + - name: label + value: AC-02a. + class: sp800-53a + parts: + - id: ac-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-02a.[01] + class: sp800-53a + prose: account types allowed for use within the system are defined + and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-02a.[02] + class: sp800-53a + prose: account types specifically prohibited for use within + the system are defined and documented; + links: + - href: "#ac-2_smt.a" + rel: assessment-for + links: + - href: "#ac-2_smt.a" + rel: assessment-for + - id: ac-2_obj.b + name: assessment-objective + props: + - name: label + value: AC-02b. + class: sp800-53a + prose: account managers are assigned; + links: + - href: "#ac-2_smt.b" + rel: assessment-for + - id: ac-2_obj.c + name: assessment-objective + props: + - name: label + value: AC-02c. + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.01 }} for group and role membership\ + \ are required;" + links: + - href: "#ac-2_smt.c" + rel: assessment-for + - id: ac-2_obj.d + name: assessment-objective + props: + - name: label + value: AC-02d. + class: sp800-53a + parts: + - id: ac-2_obj.d.1 + name: assessment-objective + props: + - name: label + value: AC-02d.01 + class: sp800-53a + prose: authorized users of the system are specified; + links: + - href: "#ac-2_smt.d.1" + rel: assessment-for + - id: ac-2_obj.d.2 + name: assessment-objective + props: + - name: label + value: AC-02d.02 + class: sp800-53a + prose: group and role membership are specified; + links: + - href: "#ac-2_smt.d.2" + rel: assessment-for + - id: ac-2_obj.d.3 + name: assessment-objective + props: + - name: label + value: AC-02d.03 + class: sp800-53a + parts: + - id: ac-2_obj.d.3-1 + name: assessment-objective + props: + - name: label + value: AC-02d.03[01] + class: sp800-53a + prose: access authorizations (i.e., privileges) are specified + for each account; + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + - id: ac-2_obj.d.3-2 + name: assessment-objective + props: + - name: label + value: AC-02d.03[02] + class: sp800-53a + prose: " {{ insert: param, ac-02_odp.02 }} are specified\ + \ for each account;" + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d.3" + rel: assessment-for + links: + - href: "#ac-2_smt.d" + rel: assessment-for + - id: ac-2_obj.e + name: assessment-objective + props: + - name: label + value: AC-02e. + class: sp800-53a + prose: "approvals are required by {{ insert: param, ac-02_odp.03\ + \ }} for requests to create accounts;" + links: + - href: "#ac-2_smt.e" + rel: assessment-for + - id: ac-2_obj.f + name: assessment-objective + props: + - name: label + value: AC-02f. + class: sp800-53a + parts: + - id: ac-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: AC-02f.[01] + class: sp800-53a + prose: "accounts are created in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: AC-02f.[02] + class: sp800-53a + prose: "accounts are enabled in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-3 + name: assessment-objective + props: + - name: label + value: AC-02f.[03] + class: sp800-53a + prose: "accounts are modified in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-4 + name: assessment-objective + props: + - name: label + value: AC-02f.[04] + class: sp800-53a + prose: "accounts are disabled in accordance with {{ insert:\ + \ param, ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.f-5 + name: assessment-objective + props: + - name: label + value: AC-02f.[05] + class: sp800-53a + prose: "accounts are removed in accordance with {{ insert: param,\ + \ ac-02_odp.04 }};" + links: + - href: "#ac-2_smt.f" + rel: assessment-for + links: + - href: "#ac-2_smt.f" + rel: assessment-for + - id: ac-2_obj.g + name: assessment-objective + props: + - name: label + value: AC-02g. + class: sp800-53a + prose: "the use of accounts is monitored; " + links: + - href: "#ac-2_smt.g" + rel: assessment-for + - id: ac-2_obj.h + name: assessment-objective + props: + - name: label + value: AC-02h. + class: sp800-53a + parts: + - id: ac-2_obj.h.1 + name: assessment-objective + props: + - name: label + value: AC-02h.01 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.06 }}\ + \ when accounts are no longer required;" + links: + - href: "#ac-2_smt.h.1" + rel: assessment-for + - id: ac-2_obj.h.2 + name: assessment-objective + props: + - name: label + value: AC-02h.02 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.07 }}\ + \ when users are terminated or transferred;" + links: + - href: "#ac-2_smt.h.2" + rel: assessment-for + - id: ac-2_obj.h.3 + name: assessment-objective + props: + - name: label + value: AC-02h.03 + class: sp800-53a + prose: "account managers and {{ insert: param, ac-02_odp.05\ + \ }} are notified within {{ insert: param, ac-02_odp.08 }}\ + \ when system usage or the need to know changes for an individual;" + links: + - href: "#ac-2_smt.h.3" + rel: assessment-for + links: + - href: "#ac-2_smt.h" + rel: assessment-for + - id: ac-2_obj.i + name: assessment-objective + props: + - name: label + value: AC-02i. + class: sp800-53a + parts: + - id: ac-2_obj.i.1 + name: assessment-objective + props: + - name: label + value: AC-02i.01 + class: sp800-53a + prose: access to the system is authorized based on a valid access + authorization; + links: + - href: "#ac-2_smt.i.1" + rel: assessment-for + - id: ac-2_obj.i.2 + name: assessment-objective + props: + - name: label + value: AC-02i.02 + class: sp800-53a + prose: access to the system is authorized based on intended + system usage; + links: + - href: "#ac-2_smt.i.2" + rel: assessment-for + - id: ac-2_obj.i.3 + name: assessment-objective + props: + - name: label + value: AC-02i.03 + class: sp800-53a + prose: "access to the system is authorized based on {{ insert:\ + \ param, ac-02_odp.09 }};" + links: + - href: "#ac-2_smt.i.3" + rel: assessment-for + links: + - href: "#ac-2_smt.i" + rel: assessment-for + - id: ac-2_obj.j + name: assessment-objective + props: + - name: label + value: AC-02j. + class: sp800-53a + prose: "accounts are reviewed for compliance with account management\ + \ requirements {{ insert: param, ac-02_odp.10 }};" + links: + - href: "#ac-2_smt.j" + rel: assessment-for + - id: ac-2_obj.k + name: assessment-objective + props: + - name: label + value: AC-02k. + class: sp800-53a + parts: + - id: ac-2_obj.k-1 + name: assessment-objective + props: + - name: label + value: AC-02k.[01] + class: sp800-53a + prose: a process is established for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.k-2 + name: assessment-objective + props: + - name: label + value: AC-02k.[02] + class: sp800-53a + prose: a process is implemented for changing shared or group + account authenticators (if deployed) when individuals are + removed from the group; + links: + - href: "#ac-2_smt.k" + rel: assessment-for + links: + - href: "#ac-2_smt.k" + rel: assessment-for + - id: ac-2_obj.l + name: assessment-objective + props: + - name: label + value: AC-02l. + class: sp800-53a + parts: + - id: ac-2_obj.l-1 + name: assessment-objective + props: + - name: label + value: AC-02l.[01] + class: sp800-53a + prose: account management processes are aligned with personnel + termination processes; + links: + - href: "#ac-2_smt.l" + rel: assessment-for + - id: ac-2_obj.l-2 + name: assessment-objective + props: + - name: label + value: AC-02l.[02] + class: sp800-53a + prose: account management processes are aligned with personnel + transfer processes. + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt.l" + rel: assessment-for + links: + - href: "#ac-2_smt" + rel: assessment-for + - id: ac-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + personnel termination policy and procedure + + + personnel transfer policy and procedure + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + list of active system accounts along with the name of the individual + associated with each account + + + list of recently disabled system accounts and the name of the + individual associated with each account + + + list of conditions for group and role membership + + + notifications of recent transfers, separations, or terminations + of employees + + + access authorization records + + + account management compliance reviews + + + system monitoring records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ac-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security and privacy responsibilities + - id: ac-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for account management on the + system + + + mechanisms for implementing account management + controls: + - id: ac-2.1 + class: SP800-53-enhancement + title: Automated System Account Management + params: + - id: ac-02.01_odp + label: automated mechanisms + guidelines: + - prose: "automated mechanisms used to support the management\ + \ of system accounts are defined; " + props: + - name: label + value: AC-2(1) + - name: label + value: AC-02(01) + class: sp800-53a + - name: sort-id + value: ac-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.1_smt + name: statement + prose: "Support the management of system accounts using {{ insert:\ + \ param, ac-02.01_odp }}." + - id: ac-2.1_gdn + name: guidance + prose: Automated system account management includes using automated + mechanisms to create, enable, modify, disable, and remove accounts; + notify account managers when an account is created, enabled, modified, + disabled, or removed, or when users are terminated or transferred; + monitor system account usage; and report atypical system account + usage. Automated mechanisms can include internal system functions + and email, telephonic, and text messaging notifications. + - id: ac-2.1_obj + name: assessment-objective + props: + - name: label + value: AC-02(01) + class: sp800-53a + prose: "the management of system accounts is supported using {{\ + \ insert: param, ac-02.01_odp }}." + links: + - href: "#ac-2.1_smt" + rel: assessment-for + - id: ac-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security responsibilities + + + system developers + - id: ac-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms for implementing account management + functions + - id: ac-2.2 + class: SP800-53-enhancement + title: Automated Temporary and Emergency Account Management + params: + - id: ac-02.02_odp.01 + constraints: + - description: "Selection: disables" + select: + choice: + - remove + - disable + - id: ac-02.02_odp.02 + label: time period + constraints: + - description: no more than 96 hours from last use + guidelines: + - prose: the time period after which to automatically remove or + disable temporary or emergency accounts is defined; + props: + - name: label + value: AC-2(2) + - name: label + value: AC-02(02) + class: sp800-53a + - name: sort-id + value: ac-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.2_smt + name: statement + prose: "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary\ + \ and emergency accounts after {{ insert: param, ac-02.02_odp.02\ + \ }}." + - id: ac-2.2_gdn + name: guidance + prose: Management of temporary and emergency accounts includes the + removal or disabling of such accounts automatically after a predefined + time period rather than at the convenience of the system administrator. + Automatic removal or disabling of accounts provides a more consistent + implementation. + - id: ac-2.2_obj + name: assessment-objective + props: + - name: label + value: AC-02(02) + class: sp800-53a + prose: "temporary and emergency accounts are automatically {{ insert:\ + \ param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02\ + \ }}." + links: + - href: "#ac-2.2_smt" + rel: assessment-for + - id: ac-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of temporary accounts removed and/or + disabled + + + system-generated list of emergency accounts removed and/or + disabled + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security with information + security responsibilities + + + system developers + - id: ac-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms for implementing account management + functions + - id: ac-2.3 + class: SP800-53-enhancement + title: Disable Accounts + params: + - id: ac-02.03_odp.01 + label: time period + constraints: + - description: 24 hours for user accounts + guidelines: + - prose: time period within which to disable accounts is defined; + - id: ac-02.03_odp.02 + label: time period + constraints: + - description: ninety (90) days (See additional requirements and + guidance.) + guidelines: + - prose: time period for account inactivity before disabling is + defined; + props: + - name: label + value: AC-2(3) + - name: label + value: AC-02(03) + class: sp800-53a + - name: sort-id + value: ac-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.3_smt + name: statement + prose: "Disable accounts within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts:" + parts: + - id: ac-2.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Have expired; + - id: ac-2.3_smt.b + name: item + props: + - name: label + value: (b) + prose: Are no longer associated with a user or individual; + - id: ac-2.3_smt.c + name: item + props: + - name: label + value: (c) + prose: Are in violation of organizational policy; or + - id: ac-2.3_smt.d + name: item + props: + - name: label + value: (d) + prose: "Have been inactive for {{ insert: param, ac-02.03_odp.02\ + \ }}." + - id: ac-2.3_fr + name: item + title: AC-2 (3) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines the time period for + non-user accounts (e.g., accounts associated with devices). + The time periods are approved and accepted by the JAB/AO. + Where user management is a function of the service, reports + of activity of consumer users shall be made available. + - id: ac-2.3_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: The service provider defines the time period of inactivity + for device identifiers. + - id: ac-2.3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For DoD clouds, see DoD cloud website for specific + DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/. + - id: ac-2.3_gdn + name: guidance + prose: Disabling expired, inactive, or otherwise anomalous accounts + supports the concepts of least privilege and least functionality + which reduce the attack surface of the system. + - id: ac-2.3_obj + name: assessment-objective + props: + - name: label + value: AC-02(03) + class: sp800-53a + parts: + - id: ac-2.3_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(03)(a) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts have expired;" + links: + - href: "#ac-2.3_smt.a" + rel: assessment-for + - id: ac-2.3_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(03)(b) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts are no longer associated with a user\ + \ or individual;" + links: + - href: "#ac-2.3_smt.b" + rel: assessment-for + - id: ac-2.3_obj.c + name: assessment-objective + props: + - name: label + value: AC-02(03)(c) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts are in violation of organizational\ + \ policy;" + links: + - href: "#ac-2.3_smt.c" + rel: assessment-for + - id: ac-2.3_obj.d + name: assessment-objective + props: + - name: label + value: AC-02(03)(d) + class: sp800-53a + prose: "accounts are disabled within {{ insert: param, ac-02.03_odp.01\ + \ }} when the accounts have been inactive for {{ insert: param,\ + \ ac-02.03_odp.02 }}." + links: + - href: "#ac-2.3_smt.d" + rel: assessment-for + links: + - href: "#ac-2.3_smt" + rel: assessment-for + - id: ac-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures for addressing account management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of accounts removed + + + system-generated list of emergency accounts disabled + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms for implementing account management functions + - id: ac-2.4 + class: SP800-53-enhancement + title: Automated Audit Actions + props: + - name: label + value: AC-2(4) + - name: label + value: AC-02(04) + class: sp800-53a + - name: sort-id + value: ac-02.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + parts: + - id: ac-2.4_smt + name: statement + prose: Automatically audit account creation, modification, enabling, + disabling, and removal actions. + - id: ac-2.4_gdn + name: guidance + prose: Account management audit records are defined in accordance + with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance + with [AU-6](#au-6). + - id: ac-2.4_obj + name: assessment-objective + props: + - name: label + value: AC-02(04) + class: sp800-53a + parts: + - id: ac-2.4_obj-1 + name: assessment-objective + props: + - name: label + value: AC-02(04)[01] + class: sp800-53a + prose: account creation is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-2 + name: assessment-objective + props: + - name: label + value: AC-02(04)[02] + class: sp800-53a + prose: account modification is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-3 + name: assessment-objective + props: + - name: label + value: AC-02(04)[03] + class: sp800-53a + prose: account enabling is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-4 + name: assessment-objective + props: + - name: label + value: AC-02(04)[04] + class: sp800-53a + prose: account disabling is automatically audited; + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_obj-5 + name: assessment-objective + props: + - name: label + value: AC-02(04)[05] + class: sp800-53a + prose: account removal actions are automatically audited. + links: + - href: "#ac-2.4_smt" + rel: assessment-for + links: + - href: "#ac-2.4_smt" + rel: assessment-for + - id: ac-2.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + notifications/alerts of account creation, modification, enabling, + disabling, and removal actions + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms implementing account management + functions + - id: ac-2.5 + class: SP800-53-enhancement + title: Inactivity Logout + params: + - id: ac-02.05_odp + label: time period of expected inactivity or description of when + to log out + constraints: + - description: for privileged users, it is the end of a user's + standard work period + guidelines: + - prose: the time period of expected inactivity or description + of when to log out is defined; + props: + - name: label + value: AC-2(5) + - name: label + value: AC-02(05) + class: sp800-53a + - name: sort-id + value: ac-02.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#ac-11" + rel: related + parts: + - id: ac-2.5_smt + name: statement + prose: "Require that users log out when {{ insert: param, ac-02.05_odp\ + \ }}." + parts: + - id: ac-2.5_fr + name: item + title: AC-2 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Should use a shorter timeframe than AC-12. + - id: ac-2.5_gdn + name: guidance + prose: Inactivity logout is behavior- or policy-based and requires + users to take physical action to log out when they are expecting + inactivity longer than the defined period. Automatic enforcement + of inactivity logout is addressed by [AC-11](#ac-11). + - id: ac-2.5_obj + name: assessment-objective + props: + - name: label + value: AC-02(05) + class: sp800-53a + prose: "users are required to log out when {{ insert: param, ac-02.05_odp\ + \ }}." + links: + - href: "#ac-2.5_smt" + rel: assessment-for + - id: ac-2.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + security violation reports + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + users that must comply with inactivity logout policy + - id: ac-2.7 + class: SP800-53-enhancement + title: Privileged User Accounts + params: + - id: ac-02.07_odp + select: + choice: + - a role-based access scheme + - an attribute-based access scheme + props: + - name: label + value: AC-2(7) + - name: label + value: AC-02(07) + class: sp800-53a + - name: sort-id + value: ac-02.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.7_smt + name: statement + parts: + - id: ac-2.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Establish and administer privileged user accounts in\ + \ accordance with {{ insert: param, ac-02.07_odp }};" + - id: ac-2.7_smt.b + name: item + props: + - name: label + value: (b) + prose: Monitor privileged role or attribute assignments; + - id: ac-2.7_smt.c + name: item + props: + - name: label + value: (c) + prose: Monitor changes to roles or attributes; and + - id: ac-2.7_smt.d + name: item + props: + - name: label + value: (d) + prose: Revoke access when privileged role or attribute assignments + are no longer appropriate. + - id: ac-2.7_gdn + name: guidance + prose: Privileged roles are organization-defined roles assigned + to individuals that allow those individuals to perform certain + security-relevant functions that ordinary users are not authorized + to perform. Privileged roles include key management, account management, + database administration, system and network administration, and + web administration. A role-based access scheme organizes permitted + system access and privileges into roles. In contrast, an attribute-based + access scheme specifies allowed system access and privileges based + on attributes. + - id: ac-2.7_obj + name: assessment-objective + props: + - name: label + value: AC-02(07) + class: sp800-53a + parts: + - id: ac-2.7_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(07)(a) + class: sp800-53a + prose: "privileged user accounts are established and administered\ + \ in accordance with {{ insert: param, ac-02.07_odp }};" + links: + - href: "#ac-2.7_smt.a" + rel: assessment-for + - id: ac-2.7_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(07)(b) + class: sp800-53a + prose: privileged role or attribute assignments are monitored; + links: + - href: "#ac-2.7_smt.b" + rel: assessment-for + - id: ac-2.7_obj.c + name: assessment-objective + props: + - name: label + value: AC-02(07)(c) + class: sp800-53a + prose: changes to roles or attributes are monitored; + links: + - href: "#ac-2.7_smt.c" + rel: assessment-for + - id: ac-2.7_obj.d + name: assessment-objective + props: + - name: label + value: AC-02(07)(d) + class: sp800-53a + prose: access is revoked when privileged role or attribute assignments + are no longer appropriate. + links: + - href: "#ac-2.7_smt.d" + rel: assessment-for + links: + - href: "#ac-2.7_smt" + rel: assessment-for + - id: ac-2.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of privileged user accounts and associated + roles + + + records of actions taken when privileged role assignments + are no longer appropriate + + + system audit records + + + audit tracking and monitoring reports + + + system monitoring records + + + system security plan + + + other relevant documents or records + - id: ac-2.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Mechanisms implementing account management functions + + mechanisms monitoring privileged role assignments + - id: ac-2.9 + class: SP800-53-enhancement + title: Restrictions on Use of Shared and Group Accounts + params: + - id: ac-02.09_odp + label: conditions + constraints: + - description: organization-defined need with justification statement + that explains why such accounts are necessary + guidelines: + - prose: conditions for establishing shared and group accounts + are defined; + props: + - name: label + value: AC-2(9) + - name: label + value: AC-02(09) + class: sp800-53a + - name: sort-id + value: ac-02.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + parts: + - id: ac-2.9_smt + name: statement + prose: "Only permit the use of shared and group accounts that meet\ + \ {{ insert: param, ac-02.09_odp }}." + parts: + - id: ac-2.9_fr + name: item + title: AC-2 (9) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Required if shared/group accounts are deployed. + - id: ac-2.9_gdn + name: guidance + prose: Before permitting the use of shared or group accounts, organizations + consider the increased risk due to the lack of accountability + with such accounts. + - id: ac-2.9_obj + name: assessment-objective + props: + - name: label + value: AC-02(09) + class: sp800-53a + prose: "the use of shared and group accounts is only permitted if\ + \ {{ insert: param, ac-02.09_odp }} are met." + links: + - href: "#ac-2.9_smt" + rel: assessment-for + - id: ac-2.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of shared/group accounts and associated + roles + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(09)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of shared/group accounts + - id: ac-2.12 + class: SP800-53-enhancement + title: Account Monitoring for Atypical Usage + params: + - id: ac-02.12_odp.01 + label: atypical usage + guidelines: + - prose: atypical usage for which to monitor system accounts is + defined; + - id: ac-02.12_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO and/or similar role within + the organization + guidelines: + - prose: personnel or roles to report atypical usage is/are defined; + props: + - name: label + value: AC-2(12) + - name: label + value: AC-02(12) + class: sp800-53a + - name: sort-id + value: ac-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: required + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ca-7" + rel: related + - href: "#ir-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-2.12_smt + name: statement + parts: + - id: ac-2.12_smt.a + name: item + props: + - name: label + value: (a) + prose: "Monitor system accounts for {{ insert: param, ac-02.12_odp.01\ + \ }} ; and" + - id: ac-2.12_smt.b + name: item + props: + - name: label + value: (b) + prose: "Report atypical usage of system accounts to {{ insert:\ + \ param, ac-02.12_odp.02 }}." + - id: ac-2.12_fr + name: item + title: AC-2 (12) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-2.12_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: Required for privileged accounts. + - id: ac-2.12_fr_smt.2 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: Required for privileged accounts. + - id: ac-2.12_gdn + name: guidance + prose: Atypical usage includes accessing systems at certain times + of the day or from locations that are not consistent with the + normal usage patterns of individuals. Monitoring for atypical + usage may reveal rogue behavior by individuals or an attack in + progress. Account monitoring may inadvertently create privacy + risks since data collected to identify atypical usage may reveal + previously unknown information about the behavior of individuals. + Organizations assess and document privacy risks from monitoring + accounts for atypical usage in their privacy impact assessment + and make determinations that are in alignment with their privacy + program plan. + - id: ac-2.12_obj + name: assessment-objective + props: + - name: label + value: AC-02(12) + class: sp800-53a + parts: + - id: ac-2.12_obj.a + name: assessment-objective + props: + - name: label + value: AC-02(12)(a) + class: sp800-53a + prose: "system accounts are monitored for {{ insert: param,\ + \ ac-02.12_odp.01 }}; " + links: + - href: "#ac-2.12_smt.a" + rel: assessment-for + - id: ac-2.12_obj.b + name: assessment-objective + props: + - name: label + value: AC-02(12)(b) + class: sp800-53a + prose: "atypical usage of system accounts is reported to {{\ + \ insert: param, ac-02.12_odp.02 }}." + links: + - href: "#ac-2.12_smt.b" + rel: assessment-for + links: + - href: "#ac-2.12_smt" + rel: assessment-for + - id: ac-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system monitoring records + + + system audit records + + + audit tracking and monitoring reports + + + privacy impact assessment + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ac-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing account management functions + - id: ac-2.13 + class: SP800-53-enhancement + title: Disable Accounts for High-risk Individuals + params: + - id: ac-02.13_odp.01 + label: time period + constraints: + - description: one (1) hour + guidelines: + - prose: time period within which to disable accounts of individuals + who are discovered to pose significant risk is defined; + - id: ac-02.13_odp.02 + label: significant risks + guidelines: + - prose: significant risks leading to disabling accounts are defined; + props: + - name: label + value: AC-2(13) + - name: label + value: AC-02(13) + class: sp800-53a + - name: sort-id + value: ac-02.13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: required + - href: "#au-6" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-2.13_smt + name: statement + prose: "Disable accounts of individuals within {{ insert: param,\ + \ ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02\ + \ }}." + - id: ac-2.13_gdn + name: guidance + prose: Users who pose a significant security and/or privacy risk + include individuals for whom reliable evidence indicates either + the intention to use authorized access to systems to cause harm + or through whom adversaries will cause harm. Such harm includes + adverse impacts to organizational operations, organizational assets, + individuals, other organizations, or the Nation. Close coordination + among system administrators, legal staff, human resource managers, + and authorizing officials is essential when disabling system accounts + for high-risk individuals. + - id: ac-2.13_obj + name: assessment-objective + props: + - name: label + value: AC-02(13) + class: sp800-53a + prose: "accounts of individuals are disabled within {{ insert: param,\ + \ ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02\ + \ }}." + links: + - href: "#ac-2.13_smt" + rel: assessment-for + - id: ac-2.13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-02(13)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing account management + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of disabled accounts + + + list of user activities posing significant organizational + risk + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-2.13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-02(13)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with account management + responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-2.13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-02(13)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing account management functions + - id: ac-3 + class: SP800-53 + title: Access Enforcement + props: + - name: label + value: AC-3 + - name: label + value: AC-03 + class: sp800-53a + - name: sort-id + value: ac-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ac-21" + rel: related + - href: "#ac-22" + rel: related + - href: "#ac-24" + rel: related + - href: "#ac-25" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-4" + rel: related + - href: "#si-8" + rel: related + parts: + - id: ac-3_smt + name: statement + prose: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control + policies. + - id: ac-3_gdn + name: guidance + prose: Access control policies control access between active entities + or subjects (i.e., users or processes acting on behalf of users) and + passive entities or objects (i.e., devices, files, records, domains) + in organizational systems. In addition to enforcing authorized access + at the system level and recognizing that systems can host many applications + and services in support of mission and business functions, access + enforcement mechanisms can also be employed at the application and + service level to provide increased information security and privacy. + In contrast to logical access controls that are implemented within + the system, physical access controls are addressed by the controls + in the Physical and Environmental Protection ( [PE](#pe) ) family. + - id: ac-3_obj + name: assessment-objective + props: + - name: label + value: AC-03 + class: sp800-53a + prose: approved authorizations for logical access to information and + system resources are enforced in accordance with applicable access + control policies. + links: + - href: "#ac-3_smt" + rel: assessment-for + - id: ac-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing access enforcement + + system design documentation + + system configuration settings and associated documentation + + list of approved authorizations (user privileges) + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access enforcement + responsibilities + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy + - id: ac-4 + class: SP800-53 + title: Information Flow Enforcement + params: + - id: ac-04_odp + label: information flow control policies + guidelines: + - prose: information flow control policies within the system and between + connected systems are defined; + props: + - name: label + value: AC-4 + - name: label + value: AC-04 + class: sp800-53a + - name: sort-id + value: ac-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#2956e175-f674-43f4-b1b9-e074ad9fc39c" + rel: reference + - href: "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f" + rel: reference + - href: "#a2590922-82f3-4277-83c0-ca5bee06dba4" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-21" + rel: related + - href: "#au-10" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-24" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-31" + rel: related + parts: + - id: ac-4_smt + name: statement + prose: "Enforce approved authorizations for controlling the flow of\ + \ information within the system and between connected systems based\ + \ on {{ insert: param, ac-04_odp }}." + - id: ac-4_gdn + name: guidance + prose: >- + Information flow control regulates where information can travel + within a system and between systems (in contrast to who is + allowed to access the information) and without regard to + subsequent accesses to that information. Flow control + restrictions include blocking external traffic that claims to be + from within the organization, keeping export-controlled + information from being transmitted in the clear to the Internet, + restricting web requests that are not from the internal web + proxy server, and limiting information transfers between + organizations based on data structures and content. Transferring + information between organizations may require an agreement + specifying how the information flow is enforced (see + [CA-3](#ca-3) ). Transferring information between systems in + different security or privacy domains with different security or + privacy policies introduces the risk that such transfers violate + one or more domain security or privacy policies. In such + situations, information owners/stewards provide guidance at + designated policy enforcement points between connected systems. + Organizations consider mandating specific architectural + solutions to enforce specific security and privacy policies. + Enforcement includes prohibiting information transfers between + connected systems (i.e., allowing access only), verifying write + permissions before accepting information from another security + or privacy domain or connected system, employing hardware + mechanisms to enforce one-way information flows, and + implementing trustworthy regrading mechanisms to reassign + security or privacy attributes and labels. + + + Organizations commonly employ information flow control policies and + enforcement mechanisms to control the flow of information between + designated sources and destinations within systems and between connected + systems. Flow control is based on the characteristics of the information + and/or the information path. Enforcement occurs, for example, in boundary + protection devices that employ rule sets or establish configuration + settings that restrict system services, provide a packet-filtering + capability based on header information, or provide a message-filtering + capability based on message content. Organizations also consider the + trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, + firmware, and software components) that are critical to information + flow enforcement. Control enhancements 3 through 32 primarily address + cross-domain solution needs that focus on more advanced filtering + techniques, in-depth analysis, and stronger flow enforcement mechanisms + implemented in cross-domain products, such as high-assurance guards. + Such capabilities are generally not available in commercial off-the-shelf + products. Information flow enforcement also applies to control plane + traffic (e.g., routing and DNS). + - id: ac-4_obj + name: assessment-objective + props: + - name: label + value: AC-04 + class: sp800-53a + prose: "approved authorizations are enforced for controlling the flow\ + \ of information within the system and between connected systems based\ + \ on {{ insert: param, ac-04_odp }}." + links: + - href: "#ac-4_smt" + rel: assessment-for + - id: ac-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + information flow control policies + + procedures addressing information flow enforcement + + security architecture documentation + + privacy architecture documentation + + system design documentation + + system configuration settings and associated documentation + + system baseline configuration + + list of information flow authorizations + + system audit records + + system security plan + + privacy plan + + other relevant documents or records + - id: ac-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: ac-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing information flow enforcement policy + controls: + - id: ac-4.21 + class: SP800-53-enhancement + title: Physical or Logical Separation of Information Flows + params: + - id: ac-4.21_prm_1 + label: organization-defined mechanisms and/or techniques + - id: ac-04.21_odp.01 + label: mechanisms and/or techniques + guidelines: + - prose: mechanisms and/or techniques used to logically separate + information flows are defined (if selected); + - id: ac-04.21_odp.02 + label: mechanisms and/or techniques + guidelines: + - prose: mechanisms and/or techniques used to physically separate + information flows are defined (if selected); + - id: ac-04.21_odp.03 + label: required separations + guidelines: + - prose: required separations by types of information are defined; + props: + - name: label + value: AC-4(21) + - name: label + value: AC-04(21) + class: sp800-53a + - name: sort-id + value: ac-04.21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-4" + rel: required + - href: "#sc-32" + rel: related + parts: + - id: ac-4.21_smt + name: statement + prose: "Separate information flows logically or physically using\ + \ {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert:\ + \ param, ac-04.21_odp.03 }}." + - id: ac-4.21_gdn + name: guidance + prose: Enforcing the separation of information flows associated + with defined types of data can enhance protection by ensuring + that information is not commingled while in transit and by enabling + flow control by transmission paths that are not otherwise achievable. + Types of separable information include inbound and outbound communications + traffic, service requests and responses, and information of differing + security impact or classification levels. + - id: ac-4.21_obj + name: assessment-objective + props: + - name: label + value: AC-04(21) + class: sp800-53a + parts: + - id: ac-4.21_obj-1 + name: assessment-objective + props: + - name: label + value: AC-04(21)[01] + class: sp800-53a + prose: "information flows are separated logically using {{ insert:\ + \ param, ac-04.21_odp.01 }} to accomplish {{ insert: param,\ + \ ac-04.21_odp.03 }};" + links: + - href: "#ac-4.21_smt" + rel: assessment-for + - id: ac-4.21_obj-2 + name: assessment-objective + props: + - name: label + value: AC-04(21)[02] + class: sp800-53a + prose: "information flows are separated physically using {{\ + \ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert:\ + \ param, ac-04.21_odp.03 }}." + links: + - href: "#ac-4.21_smt" + rel: assessment-for + links: + - href: "#ac-4.21_smt" + rel: assessment-for + - id: ac-4.21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-04(21)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Information flow enforcement policy + + + information flow control policies + + + procedures addressing information flow enforcement + + + system design documentation + + + system configuration settings and associated documentation + + + list of required separation of information flows by information + types + + + list of mechanisms and/or techniques used to logically or + physically separate information flows + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-4.21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-04(21)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information flow + enforcement responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-4.21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-04(21)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing information flow enforcement + functions + - id: ac-5 + class: SP800-53 + title: Separation of Duties + params: + - id: ac-05_odp + label: duties of individuals + guidelines: + - prose: duties of individuals requiring separation are defined; + props: + - name: label + value: AC-5 + - name: label + value: AC-05 + class: sp800-53a + - name: sort-id + value: ac-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + parts: + - id: ac-5_smt + name: statement + parts: + - id: ac-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify and document {{ insert: param, ac-05_odp }} ; and" + - id: ac-5_smt.b + name: item + props: + - name: label + value: b. + prose: Define system access authorizations to support separation + of duties. + - id: ac-5_fr + name: item + title: AC-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: CSPs have the option to provide a separation of duties + matrix as an attachment to the SSP. + - id: ac-5_gdn + name: guidance + prose: Separation of duties addresses the potential for abuse of authorized + privileges and helps to reduce the risk of malevolent activity without + collusion. Separation of duties includes dividing mission or business + functions and support functions among different individuals or roles, + conducting system support functions with different individuals, and + ensuring that security personnel who administer access control functions + do not also administer audit functions. Because separation of duty + violations can span systems and application domains, organizations + consider the entirety of systems and system components when developing + policy on separation of duties. Separation of duties is enforced through + the account management activities in [AC-2](#ac-2) , access control + mechanisms in [AC-3](#ac-3) , and identity management activities in + [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12). + - id: ac-5_obj + name: assessment-objective + props: + - name: label + value: AC-05 + class: sp800-53a + parts: + - id: ac-5_obj.a + name: assessment-objective + props: + - name: label + value: AC-05a. + class: sp800-53a + prose: " {{ insert: param, ac-05_odp }} are identified and documented;" + links: + - href: "#ac-5_smt.a" + rel: assessment-for + - id: ac-5_obj.b + name: assessment-objective + props: + - name: label + value: AC-05b. + class: sp800-53a + prose: system access authorizations to support separation of duties + are defined. + links: + - href: "#ac-5_smt.b" + rel: assessment-for + links: + - href: "#ac-5_smt" + rel: assessment-for + - id: ac-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing divisions of responsibility and separation + of duties + + + system configuration settings and associated documentation + + + list of divisions of responsibility and separation of duties + + + system access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + appropriate divisions of responsibility and separation of + duties + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing separation of duties policy + - id: ac-6 + class: SP800-53 + title: Least Privilege + props: + - name: label + value: AC-6 + - name: label + value: AC-06 + class: sp800-53a + - name: sort-id + value: ac-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-16" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-11" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-38" + rel: related + parts: + - id: ac-6_smt + name: statement + prose: Employ the principle of least privilege, allowing only authorized + accesses for users (or processes acting on behalf of users) that are + necessary to accomplish assigned organizational tasks. + - id: ac-6_gdn + name: guidance + prose: Organizations employ least privilege for specific duties and + systems. The principle of least privilege is also applied to system + processes, ensuring that the processes have access to systems and + operate at privilege levels no higher than necessary to accomplish + organizational missions or business functions. Organizations consider + the creation of additional processes, roles, and accounts as necessary + to achieve least privilege. Organizations apply least privilege to + the development, implementation, and operation of organizational systems. + - id: ac-6_obj + name: assessment-objective + props: + - name: label + value: AC-06 + class: sp800-53a + prose: the principle of least privilege is employed, allowing only authorized + accesses for users (or processes acting on behalf of users) that are + necessary to accomplish assigned organizational tasks. + links: + - href: "#ac-6_smt" + rel: assessment-for + - id: ac-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing least privilege + + list of assigned access authorizations (user privileges) + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + least privileges necessary to accomplish specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + controls: + - id: ac-6.1 + class: SP800-53-enhancement + title: Authorize Access to Security Functions + params: + - id: ac-6.1_prm_2 + label: organization-defined security functions (deployed in hardware, + software, and firmware) + - id: ac-06.01_odp.01 + label: individuals and roles + guidelines: + - prose: individuals and roles with authorized access to security + functions and security-relevant information are defined; + - id: ac-06.01_odp.02 + label: security functions (deployed in hardware) + guidelines: + - prose: security functions (deployed in hardware) for authorized + access are defined; + - id: ac-06.01_odp.03 + label: security functions (deployed in software) + guidelines: + - prose: security functions (deployed in software) for authorized + access are defined; + - id: ac-06.01_odp.04 + label: security functions (deployed in firmware) + guidelines: + - prose: security functions (deployed in firmware) for authorized + access are defined; + - id: ac-06.01_odp.05 + label: security-relevant information + guidelines: + - prose: security-relevant information for authorized access is + defined; + props: + - name: label + value: AC-6(1) + - name: label + value: AC-06(01) + class: sp800-53a + - name: sort-id + value: ac-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#pe-2" + rel: related + parts: + - id: ac-6.1_smt + name: statement + prose: "Authorize access for {{ insert: param, ac-06.01_odp.01 }}\ + \ to:" + parts: + - id: ac-6.1_smt.a + name: item + props: + - name: label + value: (a) + prose: " {{ insert: param, ac-6.1_prm_2 }} ; and" + - id: ac-6.1_smt.b + name: item + props: + - name: label + value: (b) + prose: " {{ insert: param, ac-06.01_odp.05 }}." + - id: ac-6.1_gdn + name: guidance + prose: Security functions include establishing system accounts, + configuring access authorizations (i.e., permissions, privileges), + configuring settings for events to be audited, and establishing + intrusion detection parameters. Security-relevant information + includes filtering rules for routers or firewalls, configuration + parameters for security services, cryptographic key management + information, and access control lists. Authorized personnel include + security administrators, system administrators, system security + officers, system programmers, and other privileged users. + - id: ac-6.1_obj + name: assessment-objective + props: + - name: label + value: AC-06(01) + class: sp800-53a + parts: + - id: ac-6.1_obj.a + name: assessment-objective + props: + - name: label + value: AC-06(01)(a) + class: sp800-53a + parts: + - id: ac-6.1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[01] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.02 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[02] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.03 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-06(01)(a)[03] + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.04 }};" + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + links: + - href: "#ac-6.1_smt.a" + rel: assessment-for + - id: ac-6.1_obj.b + name: assessment-objective + props: + - name: label + value: AC-06(01)(b) + class: sp800-53a + prose: "access is authorized for {{ insert: param, ac-06.01_odp.01\ + \ }} to {{ insert: param, ac-06.01_odp.05 }}." + links: + - href: "#ac-6.1_smt.b" + rel: assessment-for + links: + - href: "#ac-6.1_smt" + rel: assessment-for + - id: ac-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of security functions (deployed in hardware, software, + and firmware) and security-relevant information for which + access must be explicitly authorized + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.2 + class: SP800-53-enhancement + title: Non-privileged Access for Nonsecurity Functions + params: + - id: ac-06.02_odp + label: security functions or security-relevant information + constraints: + - description: all security functions + guidelines: + - prose: security functions or security-relevant information, + the access to which requires users to use non-privileged accounts + to access non-security functions, are defined; + props: + - name: label + value: AC-6(2) + - name: label + value: AC-06(02) + class: sp800-53a + - name: sort-id + value: ac-06.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#pl-4" + rel: related + parts: + - id: ac-6.2_smt + name: statement + prose: "Require that users of system accounts (or roles) with access\ + \ to {{ insert: param, ac-06.02_odp }} use non-privileged accounts\ + \ or roles, when accessing nonsecurity functions." + parts: + - id: ac-6.2_fr + name: item + title: AC-6 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ac-6.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "Examples of security functions include but are not\ + \ limited to: establishing system accounts, configuring\ + \ access authorizations (i.e., permissions, privileges),\ + \ setting events to be audited, and setting intrusion\ + \ detection parameters, system programming, system and\ + \ security administration, other privileged functions." + - id: ac-6.2_gdn + name: guidance + prose: Requiring the use of non-privileged accounts when accessing + nonsecurity functions limits exposure when operating from within + privileged accounts or roles. The inclusion of roles addresses + situations where organizations implement access control policies, + such as role-based access control, and where a change of role + provides the same degree of assurance in the change of access + authorizations for the user and the processes acting on behalf + of the user as would be provided by a change between a privileged + and non-privileged account. + - id: ac-6.2_obj + name: assessment-objective + props: + - name: label + value: AC-06(02) + class: sp800-53a + prose: "users of system accounts (or roles) with access to {{ insert:\ + \ param, ac-06.02_odp }} are required to use non-privileged accounts\ + \ or roles when accessing non-security functions." + links: + - href: "#ac-6.2_smt" + rel: assessment-for + - id: ac-6.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated security functions or security-relevant + information assigned to system accounts or roles + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.5 + class: SP800-53-enhancement + title: Privileged Accounts + params: + - id: ac-06.05_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to which privileged accounts on the + system are to be restricted is/are defined; + props: + - name: label + value: AC-6(5) + - name: label + value: AC-06(05) + class: sp800-53a + - name: sort-id + value: ac-06.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ia-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + parts: + - id: ac-6.5_smt + name: statement + prose: "Restrict privileged accounts on the system to {{ insert:\ + \ param, ac-06.05_odp }}." + - id: ac-6.5_gdn + name: guidance + prose: Privileged accounts, including super user accounts, are typically + described as system administrator for various types of commercial + off-the-shelf operating systems. Restricting privileged accounts + to specific personnel or roles prevents day-to-day users from + accessing privileged information or privileged functions. Organizations + may differentiate in the application of restricting privileged + accounts between allowed privileges for local accounts and for + domain accounts provided that they retain the ability to control + system configurations for key parameters and as otherwise necessary + to sufficiently mitigate risk. + - id: ac-6.5_obj + name: assessment-objective + props: + - name: label + value: AC-06(05) + class: sp800-53a + prose: "privileged accounts on the system are restricted to {{ insert:\ + \ param, ac-06.05_odp }}." + links: + - href: "#ac-6.5_smt" + rel: assessment-for + - id: ac-6.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated privileged accounts + + + list of system administration personnel + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions + - id: ac-6.7 + class: SP800-53-enhancement + title: Review of User Privileges + params: + - id: ac-06.07_odp.01 + label: frequency + constraints: + - description: at a minimum, annually + guidelines: + - prose: the frequency at which to review the privileges assigned + to roles or classes of users is defined; + - id: ac-06.07_odp.02 + label: roles and classes + constraints: + - description: all users with privileges + guidelines: + - prose: roles or classes of users to which privileges are assigned + are defined; + props: + - name: label + value: AC-6(7) + - name: label + value: AC-06(07) + class: sp800-53a + - name: sort-id + value: ac-06.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-6" + rel: required + - href: "#ca-7" + rel: related + parts: + - id: ac-6.7_smt + name: statement + parts: + - id: ac-6.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Review {{ insert: param, ac-06.07_odp.01 }} the privileges\ + \ assigned to {{ insert: param, ac-06.07_odp.02 }} to validate\ + \ the need for such privileges; and" + - id: ac-6.7_smt.b + name: item + props: + - name: label + value: (b) + prose: Reassign or remove privileges, if necessary, to correctly + reflect organizational mission and business needs. + - id: ac-6.7_gdn + name: guidance + prose: The need for certain assigned user privileges may change + over time to reflect changes in organizational mission and business + functions, environments of operation, technologies, or threats. + A periodic review of assigned user privileges is necessary to + determine if the rationale for assigning such privileges remains + valid. If the need cannot be revalidated, organizations take appropriate + corrective actions. + - id: ac-6.7_obj + name: assessment-objective + props: + - name: label + value: AC-06(07) + class: sp800-53a + parts: + - id: ac-6.7_obj.a + name: assessment-objective + props: + - name: label + value: AC-06(07)(a) + class: sp800-53a + prose: "privileges assigned to {{ insert: param, ac-06.07_odp.02\ + \ }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to\ + \ validate the need for such privileges;" + links: + - href: "#ac-6.7_smt.a" + rel: assessment-for + - id: ac-6.7_obj.b + name: assessment-objective + props: + - name: label + value: AC-06(07)(b) + class: sp800-53a + prose: privileges are reassigned or removed, if necessary, to + correctly reflect organizational mission and business needs. + links: + - href: "#ac-6.7_smt.b" + rel: assessment-for + links: + - href: "#ac-6.7_smt" + rel: assessment-for + - id: ac-6.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + list of system-generated roles or classes of users and assigned + privileges + + + system design documentation + + + system configuration settings and associated documentation + + + validation reviews of privileges assigned to roles or classes + or users + + + records of privilege removals or reassignments for roles or + classes of users + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ac-6.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing review of user privileges + - id: ac-6.9 + class: SP800-53-enhancement + title: Log Use of Privileged Functions + props: + - name: label + value: AC-6(9) + - name: label + value: AC-06(09) + class: sp800-53a + - name: sort-id + value: ac-06.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: required + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + parts: + - id: ac-6.9_smt + name: statement + prose: Log the execution of privileged functions. + - id: ac-6.9_gdn + name: guidance + prose: The misuse of privileged functions, either intentionally + or unintentionally by authorized users or by unauthorized external + entities that have compromised system accounts, is a serious and + ongoing concern and can have significant adverse impacts on organizations. + Logging and analyzing the use of privileged functions is one way + to detect such misuse and, in doing so, help mitigate the risk + from insider threats and the advanced persistent threat. + - id: ac-6.9_obj + name: assessment-objective + props: + - name: label + value: AC-06(09) + class: sp800-53a + prose: the execution of privileged functions is logged. + links: + - href: "#ac-6.9_smt" + rel: assessment-for + - id: ac-6.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + system design documentation + + + system configuration settings and associated documentation + + + list of privileged functions to be audited + + + list of audited events + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ac-6.9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(09)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms auditing the execution of least privilege + functions + - id: ac-6.10 + class: SP800-53-enhancement + title: Prohibit Non-privileged Users from Executing Privileged Functions + props: + - name: label + value: AC-6(10) + - name: label + value: AC-06(10) + class: sp800-53a + - name: sort-id + value: ac-06.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: required + parts: + - id: ac-6.10_smt + name: statement + prose: Prevent non-privileged users from executing privileged functions. + - id: ac-6.10_gdn + name: guidance + prose: Privileged functions include disabling, circumventing, or + altering implemented security or privacy controls, establishing + system accounts, performing system integrity checks, and administering + cryptographic key management activities. Non-privileged users + are individuals who do not possess appropriate authorizations. + Privileged functions that require protection from non-privileged + users include circumventing intrusion detection and prevention + mechanisms or malicious code protection mechanisms. Preventing + non-privileged users from executing privileged functions is enforced + by [AC-3](#ac-3). + - id: ac-6.10_obj + name: assessment-objective + props: + - name: label + value: AC-06(10) + class: sp800-53a + prose: non-privileged users are prevented from executing privileged + functions. + links: + - href: "#ac-6.10_smt" + rel: assessment-for + - id: ac-6.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-06(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing least privilege + + + system design documentation + + + system configuration settings and associated documentation + + + list of privileged functions and associated user account assignments + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-6.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-06(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + defining least privileges necessary to accomplish + specified tasks + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-6.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-06(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing least privilege functions for + non-privileged users + - id: ac-7 + class: SP800-53 + title: Unsuccessful Logon Attempts + params: + - id: ac-07_odp.01 + label: number + guidelines: + - prose: the number of consecutive invalid logon attempts by a user + allowed during a time period is defined; + - id: ac-07_odp.02 + label: time period + guidelines: + - prose: the time period to which the number of consecutive invalid + logon attempts by a user is limited is defined; + - id: ac-07_odp.03 + select: + how-many: one-or-more + choice: + - "lock the account or node for {{ insert: param, ac-07_odp.04 }} " + - lock the account or node until released by an administrator + - "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} " + - notify system administrator + - "take other {{ insert: param, ac-07_odp.06 }} " + - id: ac-07_odp.04 + label: time period + guidelines: + - prose: time period for an account or node to be locked is defined + (if selected); + - id: ac-07_odp.05 + label: delay algorithm + guidelines: + - prose: delay algorithm for the next logon prompt is defined (if + selected); + - id: ac-07_odp.06 + label: action + guidelines: + - prose: other action to be taken when the maximum number of unsuccessful + attempts is exceeded is defined (if selected); + props: + - name: label + value: AC-7 + - name: label + value: AC-07 + class: sp800-53a + - name: sort-id + value: ac-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-9" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-5" + rel: related + parts: + - id: ac-7_smt + name: statement + parts: + - id: ac-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during a {{ insert: param,\ + \ ac-07_odp.02 }} ; and" + - id: ac-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + - id: ac-7_fr + name: item + title: AC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: In alignment with NIST SP 800-63B + - id: ac-7_gdn + name: guidance + prose: The need to limit unsuccessful logon attempts and take subsequent + action when the maximum number of attempts is exceeded applies regardless + of whether the logon occurs via a local or network connection. Due + to the potential for denial of service, automatic lockouts initiated + by systems are usually temporary and automatically release after a + predetermined, organization-defined time period. If a delay algorithm + is selected, organizations may employ different algorithms for different + components of the system based on the capabilities of those components. + Responses to unsuccessful logon attempts may be implemented at the + operating system and the application levels. Organization-defined + actions that may be taken when the number of allowed consecutive invalid + logon attempts is exceeded include prompting the user to answer a + secret question in addition to the username and password, invoking + a lockdown mode with limited user capabilities (instead of full lockout), + allowing users to only logon from specified Internet Protocol (IP) + addresses, requiring a CAPTCHA to prevent automated attacks, or applying + user profiles such as location, time of day, IP address, device, or + Media Access Control (MAC) address. If automatic system lockout or + execution of a delay algorithm is not implemented in support of the + availability objective, organizations consider a combination of other + actions to help prevent brute force attacks. In addition to the above, + organizations can prompt users to respond to a secret question before + the number of allowed unsuccessful logon attempts is exceeded. Automatically + unlocking an account after a specified period of time is generally + not permitted. However, exceptions may be required based on operational + mission or need. + - id: ac-7_obj + name: assessment-objective + props: + - name: label + value: AC-07 + class: sp800-53a + parts: + - id: ac-7_obj.a + name: assessment-objective + props: + - name: label + value: AC-07a. + class: sp800-53a + prose: "a limit of {{ insert: param, ac-07_odp.01 }} consecutive\ + \ invalid logon attempts by a user during {{ insert: param, ac-07_odp.02\ + \ }} is enforced;" + links: + - href: "#ac-7_smt.a" + rel: assessment-for + - id: ac-7_obj.b + name: assessment-objective + props: + - name: label + value: AC-07b. + class: sp800-53a + prose: "automatically {{ insert: param, ac-07_odp.03 }} when the\ + \ maximum number of unsuccessful attempts is exceeded." + links: + - href: "#ac-7_smt.b" + rel: assessment-for + links: + - href: "#ac-7_smt" + rel: assessment-for + - id: ac-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing unsuccessful logon attempts + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: ac-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system developers + + + system/network administrators + - id: ac-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for unsuccessful + logon attempts + - id: ac-8 + class: SP800-53 + title: System Use Notification + params: + - id: ac-08_odp.01 + label: system use notification + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: system use notification message or banner to be displayed + by the system to users before granting access to the system is + defined; + - id: ac-08_odp.02 + label: conditions + constraints: + - description: see additional Requirements and Guidance + guidelines: + - prose: conditions for system use to be displayed by the system before + granting further access are defined; + props: + - name: label + value: AC-8 + - name: label + value: AC-08 + class: sp800-53a + - name: sort-id + value: ac-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-14" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-8_smt + name: statement + parts: + - id: ac-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Display {{ insert: param, ac-08_odp.01 }} to users before\ + \ granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines and state that:" + parts: + - id: ac-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Users are accessing a U.S. Government system; + - id: ac-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: System usage may be monitored, recorded, and subject + to audit; + - id: ac-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Unauthorized use of the system is prohibited and subject + to criminal and civil penalties; and + - id: ac-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Use of the system indicates consent to monitoring and + recording; + - id: ac-8_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the notification message or banner on the screen until + users acknowledge the usage conditions and take explicit actions + to log on to or further access the system; and + - id: ac-8_smt.c + name: item + props: + - name: label + value: c. + prose: "For publicly accessible systems:" + parts: + - id: ac-8_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Display system use information {{ insert: param, ac-08_odp.02\ + \ }} , before granting further access to the publicly accessible\ + \ system;" + - id: ac-8_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Display references, if any, to monitoring, recording, + or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities; + and + - id: ac-8_smt.c.3 + name: item + props: + - name: label + value: "3." + prose: Include a description of the authorized uses of the system. + - id: ac-8_fr + name: item + title: AC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine elements of the + cloud environment that require the System Use Notification + control. The elements of the cloud environment that require + System Use Notification are approved and accepted by the JAB/AO. + - id: ac-8_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine how System Use Notification + is going to be verified and provide appropriate periodicity + of the check. The System Use Notification verification and + periodicity are approved and accepted by the JAB/AO. + - id: ac-8_fr_smt.3 + name: item + props: + - name: label + value: "Requirement:" + prose: If not performed as part of a Configuration Baseline + check, then there must be documented agreement on how to provide + results of verification and the necessary periodicity of the + verification by the service provider. The documented agreement + on how to provide verification of the results are approved + and accepted by the JAB/AO. + - id: ac-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: If performed as part of a Configuration Baseline check, + then the % of items requiring setting that are checked and + that pass (or fail) check can be provided. + - id: ac-8_gdn + name: guidance + prose: System use notifications can be implemented using messages or + warning banners displayed before individuals log in to systems. System + use notifications are used only for access via logon interfaces with + human users. Notifications are not required when human interfaces + do not exist. Based on an assessment of risk, organizations consider + whether or not a secondary system use notification is needed to access + applications or other system resources after the initial network logon. + Organizations consider system use notification messages or banners + displayed in multiple languages based on organizational needs and + the demographics of system users. Organizations consult with the privacy + office for input regarding privacy messaging and the Office of the + General Counsel or organizational equivalent for legal review and + approval of warning banner content. + - id: ac-8_obj + name: assessment-objective + props: + - name: label + value: AC-08 + class: sp800-53a + parts: + - id: ac-8_obj.a + name: assessment-objective + props: + - name: label + value: AC-08a. + class: sp800-53a + prose: " {{ insert: param, ac-08_odp.01 }} is displayed to users\ + \ before granting access to the system that provides privacy and\ + \ security notices consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards, and guidelines;" + parts: + - id: ac-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-08a.01 + class: sp800-53a + prose: the system use notification states that users are accessing + a U.S. Government system; + links: + - href: "#ac-8_smt.a.1" + rel: assessment-for + - id: ac-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-08a.02 + class: sp800-53a + prose: the system use notification states that system usage + may be monitored, recorded, and subject to audit; + links: + - href: "#ac-8_smt.a.2" + rel: assessment-for + - id: ac-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: AC-08a.03 + class: sp800-53a + prose: the system use notification states that unauthorized + use of the system is prohibited and subject to criminal and + civil penalties; and + links: + - href: "#ac-8_smt.a.3" + rel: assessment-for + - id: ac-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: AC-08a.04 + class: sp800-53a + prose: the system use notification states that use of the system + indicates consent to monitoring and recording; + links: + - href: "#ac-8_smt.a.4" + rel: assessment-for + links: + - href: "#ac-8_smt.a" + rel: assessment-for + - id: ac-8_obj.b + name: assessment-objective + props: + - name: label + value: AC-08b. + class: sp800-53a + prose: the notification message or banner is retained on the screen + until users acknowledge the usage conditions and take explicit + actions to log on to or further access the system; + links: + - href: "#ac-8_smt.b" + rel: assessment-for + - id: ac-8_obj.c + name: assessment-objective + props: + - name: label + value: AC-08c. + class: sp800-53a + parts: + - id: ac-8_obj.c.1 + name: assessment-objective + props: + - name: label + value: AC-08c.01 + class: sp800-53a + prose: "for publicly accessible systems, system use information\ + \ {{ insert: param, ac-08_odp.02 }} is displayed before granting\ + \ further access to the publicly accessible system;" + links: + - href: "#ac-8_smt.c.1" + rel: assessment-for + - id: ac-8_obj.c.2 + name: assessment-objective + props: + - name: label + value: AC-08c.02 + class: sp800-53a + prose: for publicly accessible systems, any references to monitoring, + recording, or auditing that are consistent with privacy accommodations + for such systems that generally prohibit those activities + are displayed; + links: + - href: "#ac-8_smt.c.2" + rel: assessment-for + - id: ac-8_obj.c.3 + name: assessment-objective + props: + - name: label + value: AC-08c.03 + class: sp800-53a + prose: for publicly accessible systems, a description of the + authorized uses of the system is included. + links: + - href: "#ac-8_smt.c.3" + rel: assessment-for + links: + - href: "#ac-8_smt.c" + rel: assessment-for + links: + - href: "#ac-8_smt" + rel: assessment-for + - id: ac-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + privacy and security policies, procedures addressing system use + notification + + + documented approval of system use notification messages or banners + + + system audit records + + + user acknowledgements of notification message or banner + + + system design documentation + + + system configuration settings and associated documentation + + + system use notification messages + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy assessment report + + + other relevant documents or records + - id: ac-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + legal counsel + + + system developers + - id: ac-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system use notification + - id: ac-11 + class: SP800-53 + title: Device Lock + params: + - id: ac-11_odp.01 + select: + how-many: one-or-more + choice: + - "initiating a device lock after {{ insert: param, ac-11_odp.02\ + \ }} of inactivity" + - requiring the user to initiate a device lock before leaving the + system unattended + - id: ac-11_odp.02 + label: time period + constraints: + - description: fifteen (15) minutes + guidelines: + - prose: time period of inactivity after which a device lock is initiated + is defined (if selected); + props: + - name: label + value: AC-11 + - name: label + value: AC-11 + class: sp800-53a + - name: sort-id + value: ac-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-2" + rel: related + - href: "#ac-7" + rel: related + - href: "#ia-11" + rel: related + - href: "#pl-4" + rel: related + parts: + - id: ac-11_smt + name: statement + parts: + - id: ac-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Prevent further access to the system by {{ insert: param,\ + \ ac-11_odp.01 }} ; and" + - id: ac-11_smt.b + name: item + props: + - name: label + value: b. + prose: Retain the device lock until the user reestablishes access + using established identification and authentication procedures. + - id: ac-11_gdn + name: guidance + prose: Device locks are temporary actions taken to prevent logical access + to organizational systems when users stop work and move away from + the immediate vicinity of those systems but do not want to log out + because of the temporary nature of their absences. Device locks can + be implemented at the operating system level or at the application + level. A proximity lock may be used to initiate the device lock (e.g., + via a Bluetooth-enabled device or dongle). User-initiated device locking + is behavior or policy-based and, as such, requires users to take physical + action to initiate the device lock. Device locks are not an acceptable + substitute for logging out of systems, such as when organizations + require users to log out at the end of workdays. + - id: ac-11_obj + name: assessment-objective + props: + - name: label + value: AC-11 + class: sp800-53a + parts: + - id: ac-11_obj.a + name: assessment-objective + props: + - name: label + value: AC-11a. + class: sp800-53a + prose: "further access to the system is prevented by {{ insert:\ + \ param, ac-11_odp.01 }};" + links: + - href: "#ac-11_smt.a" + rel: assessment-for + - id: ac-11_obj.b + name: assessment-objective + props: + - name: label + value: AC-11b. + class: sp800-53a + prose: device lock is retained until the user re-establishes access + using established identification and authentication procedures. + links: + - href: "#ac-11_smt.b" + rel: assessment-for + links: + - href: "#ac-11_smt" + rel: assessment-for + - id: ac-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing session lock + + procedures addressing identification and authentication + + system design documentation + + system configuration settings and associated documentation + + security plan + + system security plan + + other relevant documents or records + - id: ac-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing access control policy for session + lock + controls: + - id: ac-11.1 + class: SP800-53-enhancement + title: Pattern-hiding Displays + props: + - name: label + value: AC-11(1) + - name: label + value: AC-11(01) + class: sp800-53a + - name: sort-id + value: ac-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-11" + rel: required + parts: + - id: ac-11.1_smt + name: statement + prose: Conceal, via the device lock, information previously visible + on the display with a publicly viewable image. + - id: ac-11.1_gdn + name: guidance + prose: The pattern-hiding display can include static or dynamic + images, such as patterns used with screen savers, photographic + images, solid colors, clock, battery life indicator, or a blank + screen with the caveat that controlled unclassified information + is not displayed. + - id: ac-11.1_obj + name: assessment-objective + props: + - name: label + value: AC-11(01) + class: sp800-53a + prose: information previously visible on the display is concealed, + via device lock, with a publicly viewable image. + links: + - href: "#ac-11.1_smt" + rel: assessment-for + - id: ac-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing session lock + + + display screen with session lock activated + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: ac-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: System session lock mechanisms + - id: ac-12 + class: SP800-53 + title: Session Termination + params: + - id: ac-12_odp + label: conditions or trigger events + guidelines: + - prose: conditions or trigger events requiring session disconnect + are defined; + props: + - name: label + value: AC-12 + - name: label + value: AC-12 + class: sp800-53a + - name: sort-id + value: ac-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ma-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-23" + rel: related + parts: + - id: ac-12_smt + name: statement + prose: "Automatically terminate a user session after {{ insert: param,\ + \ ac-12_odp }}." + - id: ac-12_gdn + name: guidance + prose: Session termination addresses the termination of user-initiated + logical sessions (in contrast to [SC-10](#sc-10) , which addresses + the termination of network connections associated with communications + sessions (i.e., network disconnect)). A logical session (for local, + network, and remote access) is initiated whenever a user (or process + acting on behalf of a user) accesses an organizational system. Such + user sessions can be terminated without terminating network sessions. + Session termination ends all processes associated with a user’s logical + session except for those processes that are specifically created by + the user (i.e., session owner) to continue after the session is terminated. + Conditions or trigger events that require automatic termination of + the session include organization-defined periods of user inactivity, + targeted responses to certain types of incidents, or time-of-day restrictions + on system use. + - id: ac-12_obj + name: assessment-objective + props: + - name: label + value: AC-12 + class: sp800-53a + prose: "a user session is automatically terminated after {{ insert:\ + \ param, ac-12_odp }}." + links: + - href: "#ac-12_smt" + rel: assessment-for + - id: ac-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing session termination + + + system design documentation + + + system configuration settings and associated documentation + + + list of conditions or trigger events requiring session disconnect + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms implementing user session termination + - id: ac-14 + class: SP800-53 + title: Permitted Actions Without Identification or Authentication + params: + - id: ac-14_odp + label: user actions + guidelines: + - prose: user actions that can be performed on the system without + identification or authentication are defined; + props: + - name: label + value: AC-14 + - name: label + value: AC-14 + class: sp800-53a + - name: sort-id + value: ac-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ac-14_smt + name: statement + parts: + - id: ac-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify {{ insert: param, ac-14_odp }} that can be performed\ + \ on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - id: ac-14_smt.b + name: item + props: + - name: label + value: b. + prose: Document and provide supporting rationale in the security + plan for the system, user actions not requiring identification + or authentication. + - id: ac-14_gdn + name: guidance + prose: 'Specific user actions may be permitted without identification + or authentication if organizations determine that identification and + authentication are not required for the specified user actions. Organizations + may allow a limited number of user actions without identification + or authentication, including when individuals access public websites + or other publicly accessible federal systems, when individuals use + mobile phones to receive calls, or when facsimiles are received. Organizations + identify actions that normally require identification or authentication + but may, under certain circumstances, allow identification or authentication + mechanisms to be bypassed. Such bypasses may occur, for example, via + a software-readable physical switch that commands bypass of the logon + functionality and is protected from accidental or unmonitored use. + Permitting actions without identification or authentication does not + apply to situations where identification and authentication have already + occurred and are not repeated but rather to situations where identification + and authentication have not yet occurred. Organizations may decide + that there are no user actions that can be performed on organizational + systems without identification and authentication, and therefore, + the value for the assignment operation can be "none." ' + - id: ac-14_obj + name: assessment-objective + props: + - name: label + value: AC-14 + class: sp800-53a + parts: + - id: ac-14_obj.a + name: assessment-objective + props: + - name: label + value: AC-14a. + class: sp800-53a + prose: " {{ insert: param, ac-14_odp }} that can be performed on\ + \ the system without identification or authentication consistent\ + \ with organizational mission and business functions are identified;" + links: + - href: "#ac-14_smt.a" + rel: assessment-for + - id: ac-14_obj.b + name: assessment-objective + props: + - name: label + value: AC-14b. + class: sp800-53a + parts: + - id: ac-14_obj.b-1 + name: assessment-objective + props: + - name: label + value: AC-14b.[01] + class: sp800-53a + prose: user actions not requiring identification or authentication + are documented in the security plan for the system; + links: + - href: "#ac-14_smt.b" + rel: assessment-for + - id: ac-14_obj.b-2 + name: assessment-objective + props: + - name: label + value: AC-14b.[02] + class: sp800-53a + prose: a rationale for user actions not requiring identification + or authentication is provided in the security plan for the + system. + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt.b" + rel: assessment-for + links: + - href: "#ac-14_smt" + rel: assessment-for + - id: ac-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing permitted actions without identification + or authentication + + + system configuration settings and associated documentation + + + security plan + + + list of user actions that can be performed without identification + or authentication + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17 + class: SP800-53 + title: Remote Access + props: + - name: label + value: AC-17 + - name: label + value: AC-17 + class: sp800-53a + - name: sort-id + value: ac-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-10" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-17" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-17_smt + name: statement + parts: + - id: ac-17_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and document usage restrictions, configuration/connection + requirements, and implementation guidance for each type of remote + access allowed; and + - id: ac-17_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of remote access to the system prior + to allowing such connections. + - id: ac-17_gdn + name: guidance + prose: Remote access is access to organizational systems (or processes + acting on behalf of users) that communicate through external networks + such as the Internet. Types of remote access include dial-up, broadband, + and wireless. Organizations use encrypted virtual private networks + (VPNs) to enhance confidentiality and integrity for remote connections. + The use of encrypted VPNs provides sufficient assurance to the organization + that it can effectively treat such connections as internal networks + if the cryptographic mechanisms used are implemented in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Still, VPN connections traverse external + networks, and the encrypted VPN does not enhance the availability + of remote connections. VPNs with encrypted tunnels can also affect + the ability to adequately monitor network communications traffic for + malicious code. Remote access controls apply to systems other than + public web servers or systems designed for public access. Authorization + of each remote access type addresses authorization prior to allowing + remote access without specifying the specific formats for such authorization. + While organizations may use information exchange and system connection + security agreements to manage remote access connections to other systems, + such agreements are addressed as part of [CA-3](#ca-3) . Enforcing + access restrictions for remote access is addressed via [AC-3](#ac-3). + - id: ac-17_obj + name: assessment-objective + props: + - name: label + value: AC-17 + class: sp800-53a + parts: + - id: ac-17_obj.a + name: assessment-objective + props: + - name: label + value: AC-17a. + class: sp800-53a + parts: + - id: ac-17_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17a.[01] + class: sp800-53a + prose: usage restrictions are established and documented for + each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17a.[02] + class: sp800-53a + prose: configuration/connection requirements are established + and documented for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17a.[03] + class: sp800-53a + prose: implementation guidance is established and documented + for each type of remote access allowed; + links: + - href: "#ac-17_smt.a" + rel: assessment-for + links: + - href: "#ac-17_smt.a" + rel: assessment-for + - id: ac-17_obj.b + name: assessment-objective + props: + - name: label + value: AC-17b. + class: sp800-53a + prose: each type of remote access to the system is authorized prior + to allowing such connections. + links: + - href: "#ac-17_smt.b" + rel: assessment-for + links: + - href: "#ac-17_smt" + rel: assessment-for + - id: ac-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access implementation and usage (including + restrictions) + + + configuration management plan + + + system configuration settings and associated documentation + + + remote access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + remote access connections + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Remote access management capability for the system + controls: + - id: ac-17.1 + class: SP800-53-enhancement + title: Monitoring and Control + props: + - name: label + value: AC-17(1) + - name: label + value: AC-17(01) + class: sp800-53a + - name: sort-id + value: ac-17.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + parts: + - id: ac-17.1_smt + name: statement + prose: Employ automated mechanisms to monitor and control remote + access methods. + - id: ac-17.1_gdn + name: guidance + prose: Monitoring and control of remote access methods allows organizations + to detect attacks and help ensure compliance with remote access + policies by auditing the connection activities of remote users + on a variety of system components, including servers, notebook + computers, workstations, smart phones, and tablets. Audit logging + for remote access is enforced by [AU-2](#au-2) . Audit events + are defined in [AU-2a](#au-2_smt.a). + - id: ac-17.1_obj + name: assessment-objective + props: + - name: label + value: AC-17(01) + class: sp800-53a + parts: + - id: ac-17.1_obj-1 + name: assessment-objective + props: + - name: label + value: AC-17(01)[01] + class: sp800-53a + prose: automated mechanisms are employed to monitor remote access + methods; + links: + - href: "#ac-17.1_smt" + rel: assessment-for + - id: ac-17.1_obj-2 + name: assessment-objective + props: + - name: label + value: AC-17(01)[02] + class: sp800-53a + prose: automated mechanisms are employed to control remote access + methods. + links: + - href: "#ac-17.1_smt" + rel: assessment-for + links: + - href: "#ac-17.1_smt" + rel: assessment-for + - id: ac-17.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system monitoring records + + + system security plan + + + other relevant documents or records + - id: ac-17.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-17.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms monitoring and controlling remote + access methods + - id: ac-17.2 + class: SP800-53-enhancement + title: Protection of Confidentiality and Integrity Using Encryption + props: + - name: label + value: AC-17(2) + - name: label + value: AC-17(02) + class: sp800-53a + - name: sort-id + value: ac-17.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-17.2_smt + name: statement + prose: Implement cryptographic mechanisms to protect the confidentiality + and integrity of remote access sessions. + - id: ac-17.2_gdn + name: guidance + prose: Virtual private networks can be used to protect the confidentiality + and integrity of remote access sessions. Transport Layer Security + (TLS) is an example of a cryptographic protocol that provides + end-to-end communications security over networks and is used for + Internet communications and online transactions. + - id: ac-17.2_obj + name: assessment-objective + props: + - name: label + value: AC-17(02) + class: sp800-53a + prose: cryptographic mechanisms are implemented to protect the confidentiality + and integrity of remote access sessions. + links: + - href: "#ac-17.2_smt" + rel: assessment-for + - id: ac-17.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-17.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms protecting confidentiality and + integrity of remote access sessions + - id: ac-17.3 + class: SP800-53-enhancement + title: Managed Access Control Points + props: + - name: label + value: AC-17(3) + - name: label + value: AC-17(03) + class: sp800-53a + - name: sort-id + value: ac-17.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: required + - href: "#sc-7" + rel: related + parts: + - id: ac-17.3_smt + name: statement + prose: Route remote accesses through authorized and managed network + access control points. + - id: ac-17.3_gdn + name: guidance + prose: Organizations consider the Trusted Internet Connections (TIC) + initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements + for external network connections since limiting the number of + access control points for remote access reduces attack surfaces. + - id: ac-17.3_obj + name: assessment-objective + props: + - name: label + value: AC-17(03) + class: sp800-53a + prose: remote accesses are routed through authorized and managed + network access control points. + links: + - href: "#ac-17.3_smt" + rel: assessment-for + - id: ac-17.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system design documentation + + + list of all managed network access control points + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms routing all remote accesses through managed + network access control points + - id: ac-17.4 + class: SP800-53-enhancement + title: Privileged Commands and Access + params: + - id: ac-17.4_prm_1 + label: organization-defined needs + - id: ac-17.04_odp.01 + label: needs requiring remote access + guidelines: + - prose: needs requiring execution of privileged commands via + remote access are defined; + - id: ac-17.04_odp.02 + label: needs requiring remote access + guidelines: + - prose: needs requiring access to security-relevant information + via remote access are defined; + props: + - name: label + value: AC-17(4) + - name: label + value: AC-17(04) + class: sp800-53a + - name: sort-id + value: ac-17.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-17" + rel: required + - href: "#ac-6" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-17.4_smt + name: statement + parts: + - id: ac-17.4_smt.a + name: item + props: + - name: label + value: (a) + prose: "Authorize the execution of privileged commands and access\ + \ to security-relevant information via remote access only\ + \ in a format that provides assessable evidence and for the\ + \ following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" + - id: ac-17.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Document the rationale for remote access in the security + plan for the system. + - id: ac-17.4_gdn + name: guidance + prose: Remote access to systems represents a significant potential + vulnerability that can be exploited by adversaries. As such, restricting + the execution of privileged commands and access to security-relevant + information via remote access reduces the exposure of the organization + and the susceptibility to threats by adversaries to the remote + access capability. + - id: ac-17.4_obj + name: assessment-objective + props: + - name: label + value: AC-17(04) + class: sp800-53a + parts: + - id: ac-17.4_obj.a + name: assessment-objective + props: + - name: label + value: AC-17(04)(a) + class: sp800-53a + parts: + - id: ac-17.4_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[01] + class: sp800-53a + prose: the execution of privileged commands via remote access + is authorized only in a format that provides assessable + evidence; + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[02] + class: sp800-53a + prose: access to security-relevant information via remote + access is authorized only in a format that provides assessable + evidence; + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[03] + class: sp800-53a + prose: "the execution of privileged commands via remote\ + \ access is authorized only for the following needs: {{\ + \ insert: param, ac-17.04_odp.01 }};" + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.a-4 + name: assessment-objective + props: + - name: label + value: AC-17(04)(a)[04] + class: sp800-53a + prose: "access to security-relevant information via remote\ + \ access is authorized only for the following needs: {{\ + \ insert: param, ac-17.04_odp.02 }};" + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + links: + - href: "#ac-17.4_smt.a" + rel: assessment-for + - id: ac-17.4_obj.b + name: assessment-objective + props: + - name: label + value: AC-17(04)(b) + class: sp800-53a + prose: the rationale for remote access is documented in the + security plan for the system. + links: + - href: "#ac-17.4_smt.b" + rel: assessment-for + links: + - href: "#ac-17.4_smt" + rel: assessment-for + - id: ac-17.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-17(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing remote access to the system + + + system configuration settings and associated documentation + + + security plan + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-17.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-17(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-17.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-17(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing remote access management + - id: ac-18 + class: SP800-53 + title: Wireless Access + props: + - name: label + value: AC-18 + - name: label + value: AC-18 + class: sp800-53a + - name: sort-id + value: ac-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#03fb73bc-1b12-4182-bd96-e5719254ea61" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-7" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-40" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-18_smt + name: statement + parts: + - id: ac-18_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for each type of wireless access; + and + - id: ac-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize each type of wireless access to the system prior + to allowing such connections. + - id: ac-18_gdn + name: guidance + prose: Wireless technologies include microwave, packet radio (ultra-high + frequency or very high frequency), 802.11x, and Bluetooth. Wireless + networks use authentication protocols that provide authenticator protection + and mutual authentication. + - id: ac-18_obj + name: assessment-objective + props: + - name: label + value: AC-18 + class: sp800-53a + parts: + - id: ac-18_obj.a + name: assessment-objective + props: + - name: label + value: AC-18a. + class: sp800-53a + parts: + - id: ac-18_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-18a.[01] + class: sp800-53a + prose: configuration requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-18a.[02] + class: sp800-53a + prose: connection requirements are established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-18a.[03] + class: sp800-53a + prose: implementation guidance is established for each type + of wireless access; + links: + - href: "#ac-18_smt.a" + rel: assessment-for + links: + - href: "#ac-18_smt.a" + rel: assessment-for + - id: ac-18_obj.b + name: assessment-objective + props: + - name: label + value: AC-18b. + class: sp800-53a + prose: each type of wireless access to the system is authorized + prior to allowing such connections. + links: + - href: "#ac-18_smt.b" + rel: assessment-for + links: + - href: "#ac-18_smt" + rel: assessment-for + - id: ac-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless access implementation and usage + (including restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + wireless access authorizations + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + wireless access connections + + + organizational personnel with information security responsibilities + - id: ac-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Wireless access management capability for the system + controls: + - id: ac-18.1 + class: SP800-53-enhancement + title: Authentication and Encryption + params: + - id: ac-18.01_odp + select: + how-many: one-or-more + choice: + - users + - devices + props: + - name: label + value: AC-18(1) + - name: label + value: AC-18(01) + class: sp800-53a + - name: sort-id + value: ac-18.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-18" + rel: required + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ac-18.1_smt + name: statement + prose: "Protect wireless access to the system using authentication\ + \ of {{ insert: param, ac-18.01_odp }} and encryption." + - id: ac-18.1_gdn + name: guidance + prose: Wireless networking capabilities represent a significant + potential vulnerability that can be exploited by adversaries. + To protect systems with wireless access points, strong authentication + of users and devices along with strong encryption can reduce susceptibility + to threats by adversaries involving wireless technologies. + - id: ac-18.1_obj + name: assessment-objective + props: + - name: label + value: AC-18(01) + class: sp800-53a + parts: + - id: ac-18.1_obj-1 + name: assessment-objective + props: + - name: label + value: AC-18(01)[01] + class: sp800-53a + prose: "wireless access to the system is protected using authentication\ + \ of {{ insert: param, ac-18.01_odp }};" + links: + - href: "#ac-18.1_smt" + rel: assessment-for + - id: ac-18.1_obj-2 + name: assessment-objective + props: + - name: label + value: AC-18(01)[02] + class: sp800-53a + prose: wireless access to the system is protected using encryption. + links: + - href: "#ac-18.1_smt" + rel: assessment-for + links: + - href: "#ac-18.1_smt" + rel: assessment-for + - id: ac-18.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developers + - id: ac-18.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing wireless access protections to + the system + - id: ac-18.3 + class: SP800-53-enhancement + title: Disable Wireless Networking + props: + - name: label + value: AC-18(3) + - name: label + value: AC-18(03) + class: sp800-53a + - name: sort-id + value: ac-18.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-18" + rel: required + parts: + - id: ac-18.3_smt + name: statement + prose: Disable, when not intended for use, wireless networking capabilities + embedded within system components prior to issuance and deployment. + - id: ac-18.3_gdn + name: guidance + prose: Wireless networking capabilities that are embedded within + system components represent a significant potential vulnerability + that can be exploited by adversaries. Disabling wireless capabilities + when not needed for essential organizational missions or functions + can reduce susceptibility to threats by adversaries involving + wireless technologies. + - id: ac-18.3_obj + name: assessment-objective + props: + - name: label + value: AC-18(03) + class: sp800-53a + prose: when not intended for use, wireless networking capabilities + embedded within system components are disabled prior to issuance + and deployment. + links: + - href: "#ac-18.3_smt" + rel: assessment-for + - id: ac-18.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-18(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing wireless implementation and usage (including + restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-18.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-18(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-18.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-18(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing the disabling of wireless networking + capabilities internally embedded within system components + - id: ac-19 + class: SP800-53 + title: Access Control for Mobile Devices + props: + - name: label + value: AC-19 + - name: label + value: AC-19 + class: sp800-53a + - name: sort-id + value: ac-19 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-11" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ac-19_smt + name: statement + parts: + - id: ac-19_smt.a + name: item + props: + - name: label + value: a. + prose: Establish configuration requirements, connection requirements, + and implementation guidance for organization-controlled mobile + devices, to include when such devices are outside of controlled + areas; and + - id: ac-19_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize the connection of mobile devices to organizational + systems. + - id: ac-19_gdn + name: guidance + prose: >- + A mobile device is a computing device that has a small form + factor such that it can easily be carried by a single + individual; is designed to operate without a physical + connection; possesses local, non-removable or removable data + storage; and includes a self-contained power source. Mobile + device functionality may also include voice communication + capabilities, on-board sensors that allow the device to capture + information, and/or built-in features for synchronizing local + data with remote locations. Examples include smart phones and + tablets. Mobile devices are typically associated with a single + individual. The processing, storage, and transmission capability + of the mobile device may be comparable to or merely a subset of + notebook/desktop systems, depending on the nature and intended + purpose of the device. Protection and control of mobile devices + is behavior or policy-based and requires users to take physical + action to protect and control such devices when outside of + controlled areas. Controlled areas are spaces for which + organizations provide physical or procedural controls to meet + the requirements established for protecting information and + systems. + + + Due to the large variety of mobile devices with different characteristics + and capabilities, organizational restrictions may vary for the different + classes or types of such devices. Usage restrictions and specific + implementation guidance for mobile devices include configuration management, + device identification and authentication, implementation of mandatory + protective software, scanning devices for malicious code, updating + virus protection software, scanning for critical software updates + and patches, conducting primary operating system (and possibly other + resident software) integrity checks, and disabling unnecessary hardware. + + + Usage restrictions and authorization to connect may vary among organizational + systems. For example, the organization may authorize the connection + of mobile devices to its network and impose a set of usage restrictions, + while a system owner may withhold authorization for mobile device + connection to specific applications or impose additional usage restrictions + before allowing mobile device connections to a system. Adequate security + for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) + . Many safeguards for mobile devices are reflected in other controls. + [AC-20](#ac-20) addresses mobile devices that are not organization-controlled. + - id: ac-19_obj + name: assessment-objective + props: + - name: label + value: AC-19 + class: sp800-53a + parts: + - id: ac-19_obj.a + name: assessment-objective + props: + - name: label + value: AC-19a. + class: sp800-53a + parts: + - id: ac-19_obj.a-1 + name: assessment-objective + props: + - name: label + value: AC-19a.[01] + class: sp800-53a + prose: configuration requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-2 + name: assessment-objective + props: + - name: label + value: AC-19a.[02] + class: sp800-53a + prose: connection requirements are established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.a-3 + name: assessment-objective + props: + - name: label + value: AC-19a.[03] + class: sp800-53a + prose: implementation guidance is established for organization-controlled + mobile devices, including when such devices are outside of + the controlled area; + links: + - href: "#ac-19_smt.a" + rel: assessment-for + links: + - href: "#ac-19_smt.a" + rel: assessment-for + - id: ac-19_obj.b + name: assessment-objective + props: + - name: label + value: AC-19b. + class: sp800-53a + prose: the connection of mobile devices to organizational systems + is authorized. + links: + - href: "#ac-19_smt.b" + rel: assessment-for + links: + - href: "#ac-19_smt" + rel: assessment-for + - id: ac-19_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-19-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing access control for mobile device usage (including + restrictions) + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + authorizations for mobile device connections to organizational + systems + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-19_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-19-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel using mobile devices to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-19_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-19-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control capability for mobile device connections to + organizational systems + + + configurations of mobile devices + controls: + - id: ac-19.5 + class: SP800-53-enhancement + title: Full Device or Container-based Encryption + params: + - id: ac-19.05_odp.01 + select: + choice: + - full-device encryption + - container-based encryption + - id: ac-19.05_odp.02 + label: mobile devices + guidelines: + - prose: mobile devices on which to employ encryption are defined; + props: + - name: label + value: AC-19(5) + - name: label + value: AC-19(05) + class: sp800-53a + - name: sort-id + value: ac-19.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-19" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: ac-19.5_smt + name: statement + prose: "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the\ + \ confidentiality and integrity of information on {{ insert: param,\ + \ ac-19.05_odp.02 }}." + - id: ac-19.5_gdn + name: guidance + prose: Container-based encryption provides a more fine-grained approach + to data and information encryption on mobile devices, including + encrypting selected data structures such as files, records, or + fields. + - id: ac-19.5_obj + name: assessment-objective + props: + - name: label + value: AC-19(05) + class: sp800-53a + prose: " {{ insert: param, ac-19.05_odp.01 }} is employed to protect\ + \ the confidentiality and integrity of information on {{ insert:\ + \ param, ac-19.05_odp.02 }}." + links: + - href: "#ac-19.5_smt" + rel: assessment-for + - id: ac-19.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-19(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing access control for mobile devices + + + system design documentation + + + system configuration settings and associated documentation + + + encryption mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: ac-19.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-19(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with access control + responsibilities for mobile devices + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-19.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-19(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Encryption mechanisms protecting confidentiality and + integrity of information on mobile devices + - id: ac-20 + class: SP800-53 + title: Use of External Systems + params: + - id: ac-20_odp.01 + select: + how-many: one-or-more + choice: + - "establish {{ insert: param, ac-20_odp.02 }} " + - "identify {{ insert: param, ac-20_odp.03 }} " + - id: ac-20_odp.02 + label: terms and conditions + guidelines: + - prose: terms and conditions consistent with the trust relationships + established with other organizations owning, operating, and/or + maintaining external systems are defined (if selected); + - id: ac-20_odp.03 + label: controls asserted + guidelines: + - prose: controls asserted to be implemented on external systems consistent + with the trust relationships established with other organizations + owning, operating, and/or maintaining external systems are defined + (if selected); + - id: ac-20_odp.04 + label: prohibited types of external systems + guidelines: + - prose: types of external systems prohibited from use are defined; + props: + - name: label + value: AC-20 + - name: label + value: AC-20 + class: sp800-53a + - name: sort-id + value: ac-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: ac-20_smt + name: statement + parts: + - id: ac-20_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, ac-20_odp.01 }} , consistent with the\ + \ trust relationships established with other organizations owning,\ + \ operating, and/or maintaining external systems, allowing authorized\ + \ individuals to:" + parts: + - id: ac-20_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Access the system from external systems; and + - id: ac-20_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Process, store, or transmit organization-controlled information + using external systems; or + - id: ac-20_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." + - id: ac-20_fr + name: item + title: AC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: ac-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The interrelated controls of AC-20, CA-3, and SA-9 + should be differentiated as follows: + + + AC-20 describes system access to and from external systems. + + + CA-3 describes documentation of an agreement between the respective + system owners when data is exchanged between the CSO and an + external system. + + + SA-9 describes the responsibilities of external system owners. + These responsibilities would typically be captured in the + agreement required by CA-3. + - id: ac-20_gdn + name: guidance + prose: >- + External systems are systems that are used by but not part of + organizational systems, and for which the organization has no + direct control over the implementation of required controls or + the assessment of control effectiveness. External systems + include personally owned systems, components, or devices; + privately owned computing and communications devices in + commercial or public facilities; systems owned or controlled by + nonfederal organizations; systems managed by contractors; and + federal information systems that are not owned by, operated by, + or under the direct supervision or authority of the + organization. External systems also include systems owned or + operated by other components within the same organization and + systems within the organization with different authorization + boundaries. Organizations have the option to prohibit the use of + any type of external system or prohibit the use of specified + types of external systems, (e.g., prohibit the use of any + external system that is not organizationally owned or prohibit + the use of personally-owned systems). + + + For some external systems (i.e., systems operated by other organizations), + the trust relationships that have been established between those organizations + and the originating organization may be such that no explicit terms + and conditions are required. Systems within these organizations may + not be considered external. These situations occur when, for example, + there are pre-existing information exchange agreements (either implicit + or explicit) established between organizations or components or when + such agreements are specified by applicable laws, executive orders, + directives, regulations, policies, or standards. Authorized individuals + include organizational personnel, contractors, or other individuals + with authorized access to organizational systems and over which organizations + have the authority to impose specific rules of behavior regarding + system access. Restrictions that organizations impose on authorized + individuals need not be uniform, as the restrictions may vary depending + on trust relationships between organizations. Therefore, organizations + may choose to impose different security restrictions on contractors + than on state, local, or tribal governments. + + + External systems used to access public interfaces to organizational + systems are outside the scope of [AC-20](#ac-20) . Organizations establish + specific terms and conditions for the use of external systems in accordance + with organizational security policies and procedures. At a minimum, + terms and conditions address the specific types of applications that + can be accessed on organizational systems from external systems and + the highest security category of information that can be processed, + stored, or transmitted on external systems. If the terms and conditions + with the owners of the external systems cannot be established, organizations + may impose restrictions on organizational personnel using those external + systems. + - id: ac-20_obj + name: assessment-objective + props: + - name: label + value: AC-20 + class: sp800-53a + parts: + - id: ac-20_obj.a + name: assessment-objective + props: + - name: label + value: AC-20a. + class: sp800-53a + parts: + - id: ac-20_obj.a.1 + name: assessment-objective + props: + - name: label + value: AC-20a.01 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to access the system from\ + \ external systems (if applicable);" + links: + - href: "#ac-20_smt.a.1" + rel: assessment-for + - id: ac-20_obj.a.2 + name: assessment-objective + props: + - name: label + value: AC-20a.02 + class: sp800-53a + prose: " {{ insert: param, ac-20_odp.01 }} is/are consistent\ + \ with the trust relationships established with other organizations\ + \ owning, operating, and/or maintaining external systems,\ + \ allowing authorized individuals to process, store, or transmit\ + \ organization-controlled information using external systems\ + \ (if applicable);" + links: + - href: "#ac-20_smt.a.2" + rel: assessment-for + links: + - href: "#ac-20_smt.a" + rel: assessment-for + - id: ac-20_obj.b + name: assessment-objective + props: + - name: label + value: AC-20b. + class: sp800-53a + prose: "the use of {{ insert: param, ac-20_odp.04 }} is prohibited\ + \ (if applicable)." + links: + - href: "#ac-20_smt.b" + rel: assessment-for + links: + - href: "#ac-20_smt" + rel: assessment-for + - id: ac-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing the use of external systems + + + external systems terms and conditions + + + list of types of applications accessible from external systems + + + maximum security categorization for information processed, stored, + or transmitted on external systems + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: ac-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for defining + terms and conditions for use of external systems to access + organizational systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing terms and conditions on the use of + external systems + controls: + - id: ac-20.1 + class: SP800-53-enhancement + title: Limits on Authorized Use + props: + - name: label + value: AC-20(1) + - name: label + value: AC-20(01) + class: sp800-53a + - name: sort-id + value: ac-20.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-20" + rel: required + - href: "#ca-2" + rel: related + parts: + - id: ac-20.1_smt + name: statement + prose: "Permit authorized individuals to use an external system\ + \ to access the system or to process, store, or transmit organization-controlled\ + \ information only after:" + parts: + - id: ac-20.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Verification of the implementation of controls on the + external system as specified in the organization’s security + and privacy policies and security and privacy plans; or + - id: ac-20.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Retention of approved system connection or processing + agreements with the organizational entity hosting the external + system. + - id: ac-20.1_gdn + name: guidance + prose: Limiting authorized use recognizes circumstances where individuals + using external systems may need to access organizational systems. + Organizations need assurance that the external systems contain + the necessary controls so as not to compromise, damage, or otherwise + harm organizational systems. Verification that the required controls + have been implemented can be achieved by external, independent + assessments, attestations, or other means, depending on the confidence + level required by organizations. + - id: ac-20.1_obj + name: assessment-objective + props: + - name: label + value: AC-20(01) + class: sp800-53a + parts: + - id: ac-20.1_obj.a + name: assessment-objective + props: + - name: label + value: AC-20(01)(a) + class: sp800-53a + prose: authorized individuals are permitted to use an external + system to access the system or to process, store, or transmit + organization-controlled information only after verification + of the implementation of controls on the external system as + specified in the organization’s security and privacy policies + and security and privacy plans (if applicable); + links: + - href: "#ac-20.1_smt.a" + rel: assessment-for + - id: ac-20.1_obj.b + name: assessment-objective + props: + - name: label + value: AC-20(01)(b) + class: sp800-53a + prose: authorized individuals are permitted to use an external + system to access the system or to process, store, or transmit + organization-controlled information only after retention of + approved system connection or processing agreements with the + organizational entity hosting the external system (if applicable). + links: + - href: "#ac-20.1_smt.b" + rel: assessment-for + links: + - href: "#ac-20.1_smt" + rel: assessment-for + - id: ac-20.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing the use of external systems + + system connection or processing agreements + + account management documents + + system security plan + + other relevant documents or records + - id: ac-20.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing limits on use of external systems + - id: ac-20.2 + class: SP800-53-enhancement + title: Portable Storage Devices — Restricted Use + params: + - id: ac-20.02_odp + label: restrictions + guidelines: + - prose: restrictions on the use of organization-controlled portable + storage devices by authorized individuals on external systems + are defined; + props: + - name: label + value: AC-20(2) + - name: label + value: AC-20(02) + class: sp800-53a + - name: sort-id + value: ac-20.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-20" + rel: required + - href: "#mp-7" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: ac-20.2_smt + name: statement + prose: "Restrict the use of organization-controlled portable storage\ + \ devices by authorized individuals on external systems using\ + \ {{ insert: param, ac-20.02_odp }}." + - id: ac-20.2_gdn + name: guidance + prose: Limits on the use of organization-controlled portable storage + devices in external systems include restrictions on how the devices + may be used and under what conditions the devices may be used. + - id: ac-20.2_obj + name: assessment-objective + props: + - name: label + value: AC-20(02) + class: sp800-53a + prose: "the use of organization-controlled portable storage devices\ + \ by authorized individuals is restricted on external systems\ + \ using {{ insert: param, ac-20.02_odp }}." + links: + - href: "#ac-20.2_smt" + rel: assessment-for + - id: ac-20.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-20(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing the use of external systems + + + system configuration settings and associated documentation + + + system connection or processing agreements + + + account management documents + + + system security plan + + + other relevant documents or records + - id: ac-20.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-20(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + restricting or prohibiting the use of + organization-controlled storage devices on external + systems + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ac-20.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-20(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing restrictions on the use of portable + storage devices + - id: ac-21 + class: SP800-53 + title: Information Sharing + params: + - id: ac-21_odp.01 + label: information-sharing circumstances + guidelines: + - prose: information-sharing circumstances where user discretion is + required to determine whether access authorizations assigned to + a sharing partner match the information’s access and use restrictions + are defined; + - id: ac-21_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms or manual processes that assist users + in making information-sharing and collaboration decisions are + defined; + props: + - name: label + value: AC-21 + - name: label + value: AC-21 + class: sp800-53a + - name: sort-id + value: ac-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-16" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-15" + rel: related + parts: + - id: ac-21_smt + name: statement + parts: + - id: ac-21_smt.a + name: item + props: + - name: label + value: a. + prose: "Enable authorized users to determine whether access authorizations\ + \ assigned to a sharing partner match the information’s access\ + \ and use restrictions for {{ insert: param, ac-21_odp.01 }} ;\ + \ and" + - id: ac-21_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ {{ insert: param, ac-21_odp.02 }} to assist users\ + \ in making information sharing and collaboration decisions." + - id: ac-21_gdn + name: guidance + prose: Information sharing applies to information that may be restricted + in some manner based on some formal or administrative determination. + Examples of such information include, contract-sensitive information, + classified information related to special access programs or compartments, + privileged information, proprietary information, and personally identifiable + information. Security and privacy risk assessments as well as applicable + laws, regulations, and policies can provide useful inputs to these + determinations. Depending on the circumstances, sharing partners may + be defined at the individual, group, or organizational level. Information + may be defined by content, type, security category, or special access + program or compartment. Access restrictions may include non-disclosure + agreements (NDA). Information flow techniques and security attributes + may be used to provide automated assistance to users making sharing + and collaboration decisions. + - id: ac-21_obj + name: assessment-objective + props: + - name: label + value: AC-21 + class: sp800-53a + parts: + - id: ac-21_obj.a + name: assessment-objective + props: + - name: label + value: AC-21a. + class: sp800-53a + prose: "authorized users are enabled to determine whether access\ + \ authorizations assigned to a sharing partner match the information’s\ + \ access and use restrictions for {{ insert: param, ac-21_odp.01\ + \ }};" + links: + - href: "#ac-21_smt.a" + rel: assessment-for + - id: ac-21_obj.b + name: assessment-objective + props: + - name: label + value: AC-21b. + class: sp800-53a + prose: " {{ insert: param, ac-21_odp.02 }} are employed to assist\ + \ users in making information-sharing and collaboration decisions." + links: + - href: "#ac-21_smt.b" + rel: assessment-for + links: + - href: "#ac-21_smt" + rel: assessment-for + - id: ac-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing user-based collaboration and information + sharing (including restrictions) + + + system design documentation + + + system configuration settings and associated documentation + + + list of users authorized to make information-sharing/collaboration + decisions + + + list of information-sharing circumstances requiring user discretion + + + non-disclosure agreements + + + acquisitions/contractual agreements + + + system security plan + + + privacy plan + + + privacy impact assessment + + + security and privacy risk assessments + + + other relevant documents or records + - id: ac-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for + information-sharing/collaboration decisions + + + organizational personnel with responsibility for acquisitions/contractual + agreements + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + - id: ac-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms or manual process implementing access + authorizations supporting information-sharing/user collaboration + decisions + - id: ac-22 + class: SP800-53 + title: Publicly Accessible Content + params: + - id: ac-22_odp + label: frequency + constraints: + - description: at least quarterly + guidelines: + - prose: the frequency at which to review the content on the publicly + accessible system for non-public information is defined; + props: + - name: label + value: AC-22 + - name: label + value: AC-22 + class: sp800-53a + - name: sort-id + value: ac-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#ac-3" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#au-13" + rel: related + parts: + - id: ac-22_smt + name: statement + parts: + - id: ac-22_smt.a + name: item + props: + - name: label + value: a. + prose: Designate individuals authorized to make information publicly + accessible; + - id: ac-22_smt.b + name: item + props: + - name: label + value: b. + prose: Train authorized individuals to ensure that publicly accessible + information does not contain nonpublic information; + - id: ac-22_smt.c + name: item + props: + - name: label + value: c. + prose: Review the proposed content of information prior to posting + onto the publicly accessible system to ensure that nonpublic information + is not included; and + - id: ac-22_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the content on the publicly accessible system for\ + \ nonpublic information {{ insert: param, ac-22_odp }} and remove\ + \ such information, if discovered." + - id: ac-22_gdn + name: guidance + prose: In accordance with applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines, the public is not + authorized to have access to nonpublic information, including information + protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) + and proprietary information. Publicly accessible content addresses + systems that are controlled by the organization and accessible to + the public, typically without identification or authentication. Posting + information on non-organizational systems (e.g., non-organizational + public websites, forums, and social media) is covered by organizational + policy. While organizations may have individuals who are responsible + for developing and implementing policies about the information that + can be made publicly accessible, publicly accessible content addresses + the management of the individuals who make such information publicly + accessible. + - id: ac-22_obj + name: assessment-objective + props: + - name: label + value: AC-22 + class: sp800-53a + parts: + - id: ac-22_obj.a + name: assessment-objective + props: + - name: label + value: AC-22a. + class: sp800-53a + prose: designated individuals are authorized to make information + publicly accessible; + links: + - href: "#ac-22_smt.a" + rel: assessment-for + - id: ac-22_obj.b + name: assessment-objective + props: + - name: label + value: AC-22b. + class: sp800-53a + prose: authorized individuals are trained to ensure that publicly + accessible information does not contain non-public information; + links: + - href: "#ac-22_smt.b" + rel: assessment-for + - id: ac-22_obj.c + name: assessment-objective + props: + - name: label + value: AC-22c. + class: sp800-53a + prose: the proposed content of information is reviewed prior to + posting onto the publicly accessible system to ensure that non-public + information is not included; + links: + - href: "#ac-22_smt.c" + rel: assessment-for + - id: ac-22_obj.d + name: assessment-objective + props: + - name: label + value: AC-22d. + class: sp800-53a + parts: + - id: ac-22_obj.d-1 + name: assessment-objective + props: + - name: label + value: AC-22d.[01] + class: sp800-53a + prose: "the content on the publicly accessible system is reviewed\ + \ for non-public information {{ insert: param, ac-22_odp }};" + links: + - href: "#ac-22_smt.d" + rel: assessment-for + - id: ac-22_obj.d-2 + name: assessment-objective + props: + - name: label + value: AC-22d.[02] + class: sp800-53a + prose: non-public information is removed from the publicly accessible + system, if discovered. + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt.d" + rel: assessment-for + links: + - href: "#ac-22_smt" + rel: assessment-for + - id: ac-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Access control policy + + + procedures addressing publicly accessible content + + + list of users authorized to post publicly accessible content on + organizational systems + + + training materials and/or records + + + records of publicly accessible information reviews + + + records of response to non-public information on public websites + + + system audit logs + + + security awareness training records + + + system security plan + + + other relevant documents or records + - id: ac-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + publicly accessible information posted on organizational + systems + + + organizational personnel with information security responsibilities + - id: ac-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing management of publicly accessible + content + - id: at + class: family + title: Awareness and Training + controls: + - id: at-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: at-1_prm_1 + label: organization-defined personnel or roles + - id: at-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training policy + is to be disseminated is/are defined; + - id: at-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the awareness and training procedures + are to be disseminated is/are defined; + - id: at-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: at-01_odp.04 + label: official + guidelines: + - prose: an official to manage the awareness and training policy and + procedures is defined; + - id: at-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current awareness and training + policy is reviewed and updated is defined; + - id: at-01_odp.06 + label: events + guidelines: + - prose: events that would require the current awareness and training + policy to be reviewed and updated are defined; + - id: at-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current awareness and training + procedures are reviewed and updated is defined; + - id: at-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: AT-1 + - name: label + value: AT-01 + class: sp800-53a + - name: sort-id + value: at-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-1_smt + name: statement + parts: + - id: at-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ at-1_prm_1 }}:" + parts: + - id: at-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, at-01_odp.03 }} awareness and training\ + \ policy that:" + parts: + - id: at-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: at-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: at-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the awareness + and training policy and the associated awareness and training + controls; + - id: at-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, at-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures; and" + - id: at-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current awareness and training:" + parts: + - id: at-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, at-01_odp.05 }} and following\ + \ {{ insert: param, at-01_odp.06 }} ; and" + - id: at-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, at-01_odp.07 }} and following\ + \ {{ insert: param, at-01_odp.08 }}." + - id: at-1_gdn + name: guidance + prose: Awareness and training policy and procedures address the controls + in the AT family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of awareness and + training policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to awareness and training policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: at-1_obj + name: assessment-objective + props: + - name: label + value: AT-01 + class: sp800-53a + parts: + - id: at-1_obj.a + name: assessment-objective + props: + - name: label + value: AT-01a. + class: sp800-53a + parts: + - id: at-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.[01] + class: sp800-53a + prose: "an awareness and training policy is developed and documented; " + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.[02] + class: sp800-53a + prose: "the awareness and training policy is disseminated to\ + \ {{ insert: param, at-01_odp.01 }};" + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.[03] + class: sp800-53a + prose: awareness and training procedures to facilitate the implementation + of the awareness and training policy and associated access + controls are developed and documented; + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.[04] + class: sp800-53a + prose: "the awareness and training procedures are disseminated\ + \ to {{ insert: param, at-01_odp.02 }}." + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-01a.01 + class: sp800-53a + parts: + - id: at-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AT-01a.01(a) + class: sp800-53a + parts: + - id: at-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses purpose;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses scope;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses roles;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses responsibilities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses management commitment;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses coordination among\ + \ organizational entities;" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AT-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy addresses compliance; and" + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#at-1_smt.a.1.a" + rel: assessment-for + - id: at-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AT-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.03 }} awareness\ + \ and training policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines; and" + links: + - href: "#at-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#at-1_smt.a.1" + rel: assessment-for + links: + - href: "#at-1_smt.a" + rel: assessment-for + - id: at-1_obj.b + name: assessment-objective + props: + - name: label + value: AT-01b. + class: sp800-53a + prose: "the {{ insert: param, at-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the awareness\ + \ and training policy and procedures;" + links: + - href: "#at-1_smt.b" + rel: assessment-for + - id: at-1_obj.c + name: assessment-objective + props: + - name: label + value: AT-01c. + class: sp800-53a + parts: + - id: at-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AT-01c.01 + class: sp800-53a + parts: + - id: at-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AT-01c.01[01] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated {{ insert: param, at-01_odp.05 }}; " + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AT-01c.01[02] + class: sp800-53a + prose: "the current awareness and training policy is reviewed\ + \ and updated following {{ insert: param, at-01_odp.06\ + \ }};" + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + links: + - href: "#at-1_smt.c.1" + rel: assessment-for + - id: at-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AT-01c.02 + class: sp800-53a + parts: + - id: at-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AT-01c.02[01] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated {{ insert: param, at-01_odp.07\ + \ }};" + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + - id: at-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AT-01c.02[02] + class: sp800-53a + prose: "the current awareness and training procedures are\ + \ reviewed and updated following {{ insert: param, at-01_odp.08\ + \ }}." + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c.2" + rel: assessment-for + links: + - href: "#at-1_smt.c" + rel: assessment-for + links: + - href: "#at-1_smt" + rel: assessment-for + - id: at-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System security plan + + privacy plan + + awareness and training policy and procedures + + other relevant documents or records + - id: at-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with awareness and training + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: at-2 + class: SP800-53 + title: Literacy Training and Awareness + params: + - id: at-2_prm_1 + label: organization-defined frequency + constraints: + - description: at least annually + - id: at-2_prm_2 + label: organization-defined events + - id: at-02_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to provide security literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to provide privacy literacy training + to system users (including managers, senior executives, and contractors) + after initial training is defined; + - id: at-02_odp.03 + label: events + guidelines: + - prose: events that require security literacy training for system + users are defined; + - id: at-02_odp.04 + label: events + guidelines: + - prose: events that require privacy literacy training for system + users are defined; + - id: at-02_odp.05 + label: awareness techniques + guidelines: + - prose: techniques to be employed to increase the security and privacy + awareness of system users are defined; + - id: at-02_odp.06 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update literacy training and awareness + content is defined; + - id: at-02_odp.07 + label: events + guidelines: + - prose: events that would require literacy training and awareness + content to be updated are defined; + props: + - name: label + value: AT-2 + - name: label + value: AT-02 + class: sp800-53a + - name: sort-id + value: at-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#89f2a08d-fc49-46d0-856e-bf974c9b1573" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-21" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-16" + rel: related + parts: + - id: at-2_smt + name: statement + parts: + - id: at-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide security and privacy literacy training to system\ + \ users (including managers, senior executives, and contractors):" + parts: + - id: at-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "As part of initial training for new users and {{ insert:\ + \ param, at-2_prm_1 }} thereafter; and" + - id: at-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "When required by system changes or following {{ insert:\ + \ param, at-2_prm_2 }};" + - id: at-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following techniques to increase the security\ + \ and privacy awareness of system users {{ insert: param, at-02_odp.05\ + \ }};" + - id: at-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Update literacy training and awareness content {{ insert:\ + \ param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07\ + \ }} ; and" + - id: at-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into literacy training and awareness techniques. + - id: at-2_gdn + name: guidance + prose: >- + Organizations provide basic and advanced levels of literacy + training to system users, including measures to test the + knowledge level of users. Organizations determine the content of + literacy training and awareness based on specific organizational + requirements, the systems to which personnel have authorized + access, and work environments (e.g., telework). The content + includes an understanding of the need for security and privacy + as well as actions by users to maintain security and personal + privacy and to respond to suspected incidents. The content + addresses the need for operations security and the handling of + personally identifiable information. + + + Awareness techniques include displaying posters, offering supplies + inscribed with security and privacy reminders, displaying logon screen + messages, generating email advisories or notices from organizational + officials, and conducting awareness events. Literacy training after + the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted + at a minimum frequency consistent with applicable laws, directives, + regulations, and policies. Subsequent literacy training may be satisfied + by one or more short ad hoc sessions and include topical information + on recent attack schemes, changes to organizational security and privacy + policies, revised security and privacy expectations, or a subset of + topics from the initial training. Updating literacy training and awareness + content on a regular basis helps to ensure that the content remains + relevant. Events that may precipitate an update to literacy training + and awareness content include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-2_obj + name: assessment-objective + props: + - name: label + value: AT-02 + class: sp800-53a + parts: + - id: at-2_obj.a + name: assessment-objective + props: + - name: label + value: AT-02a. + class: sp800-53a + parts: + - id: at-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-02a.01 + class: sp800-53a + parts: + - id: at-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-02a.01[01] + class: sp800-53a + prose: security literacy training is provided to system + users (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-02a.01[02] + class: sp800-53a + prose: privacy literacy training is provided to system users + (including managers, senior executives, and contractors) + as part of initial training for new users; + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-02a.01[03] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.01 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-02a.01[04] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ {{ insert: param, at-02_odp.02 }} thereafter;" + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + links: + - href: "#at-2_smt.a.1" + rel: assessment-for + - id: at-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-02a.02 + class: sp800-53a + parts: + - id: at-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-02a.02[01] + class: sp800-53a + prose: "security literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.03 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + - id: at-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-02a.02[02] + class: sp800-53a + prose: "privacy literacy training is provided to system\ + \ users (including managers, senior executives, and contractors)\ + \ when required by system changes or following {{ insert:\ + \ param, at-02_odp.04 }};" + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a.2" + rel: assessment-for + links: + - href: "#at-2_smt.a" + rel: assessment-for + - id: at-2_obj.b + name: assessment-objective + props: + - name: label + value: AT-02b. + class: sp800-53a + prose: " {{ insert: param, at-02_odp.05 }} are employed to increase\ + \ the security and privacy awareness of system users;" + links: + - href: "#at-2_smt.b" + rel: assessment-for + - id: at-2_obj.c + name: assessment-objective + props: + - name: label + value: AT-02c. + class: sp800-53a + parts: + - id: at-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AT-02c.[01] + class: sp800-53a + prose: "literacy training and awareness content is updated {{\ + \ insert: param, at-02_odp.06 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AT-02c.[02] + class: sp800-53a + prose: "literacy training and awareness content is updated following\ + \ {{ insert: param, at-02_odp.07 }};" + links: + - href: "#at-2_smt.c" + rel: assessment-for + links: + - href: "#at-2_smt.c" + rel: assessment-for + - id: at-2_obj.d + name: assessment-objective + props: + - name: label + value: AT-02d. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into literacy training and awareness + techniques. + links: + - href: "#at-2_smt.d" + rel: assessment-for + links: + - href: "#at-2_smt" + rel: assessment-for + - id: at-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + appropriate codes of federal regulations + + + security and privacy literacy training curriculum + + + security and privacy literacy training materials + + + training records + + + other relevant documents or records + - id: at-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel comprising the general system user community + - id: at-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing information security and privacy literacy + training + controls: + - id: at-2.2 + class: SP800-53-enhancement + title: Insider Threat + props: + - name: label + value: AT-2(2) + - name: label + value: AT-02(02) + class: sp800-53a + - name: sort-id + value: at-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: required + - href: "#pm-12" + rel: related + parts: + - id: at-2.2_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + indicators of insider threat. + - id: at-2.2_gdn + name: guidance + prose: Potential indicators and possible precursors of insider threat + can include behaviors such as inordinate, long-term job dissatisfaction; + attempts to gain access to information not required for job performance; + unexplained access to financial resources; bullying or harassment + of fellow employees; workplace violence; and other serious violations + of policies, procedures, directives, regulations, rules, or practices. + Literacy training includes how to communicate the concerns of + employees and management regarding potential indicators of insider + threat through channels established by the organization and in + accordance with established policies and procedures. Organizations + may consider tailoring insider threat awareness topics to the + role. For example, training for managers may be focused on changes + in the behavior of team members, while training for employees + may be focused on more general observations. + - id: at-2.2_obj + name: assessment-objective + props: + - name: label + value: AT-02(02) + class: sp800-53a + parts: + - id: at-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: AT-02(02)[01] + class: sp800-53a + prose: literacy training on recognizing potential indicators + of insider threat is provided; + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: AT-02(02)[02] + class: sp800-53a + prose: literacy training on reporting potential indicators of + insider threat is provided. + links: + - href: "#at-2.2_smt" + rel: assessment-for + links: + - href: "#at-2.2_smt" + rel: assessment-for + - id: at-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + literacy training and awareness curriculum + + + literacy training and awareness materials + + + other relevant documents or records + - id: at-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel who receive literacy training + and awareness + + + organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + - id: at-2.3 + class: SP800-53-enhancement + title: Social Engineering and Mining + props: + - name: label + value: AT-2(3) + - name: label + value: AT-02(03) + class: sp800-53a + - name: sort-id + value: at-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#at-2" + rel: required + parts: + - id: at-2.3_smt + name: statement + prose: Provide literacy training on recognizing and reporting potential + and actual instances of social engineering and social mining. + - id: at-2.3_gdn + name: guidance + prose: Social engineering is an attempt to trick an individual into + revealing information or taking an action that can be used to + breach, compromise, or otherwise adversely impact a system. Social + engineering includes phishing, pretexting, impersonation, baiting, + quid pro quo, thread-jacking, social media exploitation, and tailgating. + Social mining is an attempt to gather information about the organization + that may be used to support future attacks. Literacy training + includes information on how to communicate the concerns of employees + and management regarding potential and actual instances of social + engineering and data mining through organizational channels based + on established policies and procedures. + - id: at-2.3_obj + name: assessment-objective + props: + - name: label + value: AT-02(03) + class: sp800-53a + parts: + - id: at-2.3_obj-1 + name: assessment-objective + props: + - name: label + value: AT-02(03)[01] + class: sp800-53a + prose: literacy training on recognizing potential and actual + instances of social engineering is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-2 + name: assessment-objective + props: + - name: label + value: AT-02(03)[02] + class: sp800-53a + prose: literacy training on reporting potential and actual instances + of social engineering is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-3 + name: assessment-objective + props: + - name: label + value: AT-02(03)[03] + class: sp800-53a + prose: literacy training on recognizing potential and actual + instances of social mining is provided; + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_obj-4 + name: assessment-objective + props: + - name: label + value: AT-02(03)[04] + class: sp800-53a + prose: literacy training on reporting potential and actual instances + of social mining is provided. + links: + - href: "#at-2.3_smt" + rel: assessment-for + links: + - href: "#at-2.3_smt" + rel: assessment-for + - id: at-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + literacy training and awareness policy + + + procedures addressing literacy training and awareness implementation + + + literacy training and awareness curriculum + + + literacy training and awareness materials + + + other relevant documents or records + - id: at-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel who receive literacy training + and awareness + + + organizational personnel with responsibilities for literacy + training and awareness + + + organizational personnel with information security and privacy + responsibilities + - id: at-3 + class: SP800-53 + title: Role-based Training + params: + - id: at-3_prm_1 + label: organization-defined roles and responsibilities + - id: at-03_odp.01 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based security training + are defined; + - id: at-03_odp.02 + label: roles and responsibilities + guidelines: + - prose: roles and responsibilities for role-based privacy training + are defined; + - id: at-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to provide role-based security and + privacy training to assigned personnel after initial training + is defined; + - id: at-03_odp.04 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to update role-based training content + is defined; + - id: at-03_odp.05 + label: events + guidelines: + - prose: events that require role-based training content to be updated + are defined; + props: + - name: label + value: AT-3 + - name: label + value: AT-03 + class: sp800-53a + - name: sort-id + value: at-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-22" + rel: related + - href: "#at-2" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-13" + rel: related + - href: "#pm-23" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-16" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: at-3_smt + name: statement + parts: + - id: at-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide role-based security and privacy training to personnel\ + \ with the following roles and responsibilities: {{ insert: param,\ + \ at-3_prm_1 }}:" + parts: + - id: at-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Before authorizing access to the system, information,\ + \ or performing assigned duties, and {{ insert: param, at-03_odp.03\ + \ }} thereafter; and" + - id: at-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; + - id: at-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Update role-based training content {{ insert: param, at-03_odp.04\ + \ }} and following {{ insert: param, at-03_odp.05 }} ; and" + - id: at-3_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from internal or external security + incidents or breaches into role-based training. + - id: at-3_gdn + name: guidance + prose: >- + Organizations determine the content of training based on the + assigned roles and responsibilities of individuals as well as + the security and privacy requirements of organizations and the + systems to which personnel have authorized access, including + technical training specifically tailored for assigned duties. + Roles that may require role-based training include senior + leaders or management officials (e.g., head of agency/chief + executive officer, chief information officer, senior accountable + official for risk management, senior agency information security + officer, senior agency official for privacy), system owners; + authorizing officials; system security officers; privacy + officers; acquisition and procurement officials; enterprise + architects; systems engineers; software developers; systems + security engineers; privacy engineers; system, network, and + database administrators; auditors; personnel conducting + configuration management activities; personnel performing + verification and validation activities; personnel with access to + system-level software; control assessors; personnel with + contingency planning and incident response duties; personnel + with privacy management responsibilities; and personnel with + access to personally identifiable information. + + + Comprehensive role-based training addresses management, operational, + and technical roles and responsibilities covering physical, personnel, + and technical controls. Role-based training also includes policies, + procedures, tools, methods, and artifacts for the security and privacy + roles defined. Organizations provide the training necessary for individuals + to fulfill their responsibilities related to operations and supply + chain risk management within the context of organizational security + and privacy programs. Role-based training also applies to contractors + who provide services to federal agencies. Types of training include + web-based and computer-based training, classroom-style training, and + hands-on training (including micro-training). Updating role-based + training on a regular basis helps to ensure that the content remains + relevant and effective. Events that may precipitate an update to role-based + training content include, but are not limited to, assessment or audit + findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: at-3_obj + name: assessment-objective + props: + - name: label + value: AT-03 + class: sp800-53a + parts: + - id: at-3_obj.a + name: assessment-objective + props: + - name: label + value: AT-03a. + class: sp800-53a + parts: + - id: at-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: AT-03a.01 + class: sp800-53a + parts: + - id: at-3_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: AT-03a.01[01] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: AT-03a.01[02] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} before authorizing access to\ + \ the system, information, or performing assigned duties;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: AT-03a.01[03] + class: sp800-53a + prose: "role-based security training is provided to {{ insert:\ + \ param, at-03_odp.01 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.1-4 + name: assessment-objective + props: + - name: label + value: AT-03a.01[04] + class: sp800-53a + prose: "role-based privacy training is provided to {{ insert:\ + \ param, at-03_odp.02 }} {{ insert: param, at-03_odp.03\ + \ }} thereafter;" + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + links: + - href: "#at-3_smt.a.1" + rel: assessment-for + - id: at-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: AT-03a.02 + class: sp800-53a + parts: + - id: at-3_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: AT-03a.02[01] + class: sp800-53a + prose: role-based security training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + - id: at-3_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: AT-03a.02[02] + class: sp800-53a + prose: role-based privacy training is provided to personnel + with assigned security roles and responsibilities when + required by system changes; + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a.2" + rel: assessment-for + links: + - href: "#at-3_smt.a" + rel: assessment-for + - id: at-3_obj.b + name: assessment-objective + props: + - name: label + value: AT-03b. + class: sp800-53a + parts: + - id: at-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: AT-03b.[01] + class: sp800-53a + prose: "role-based training content is updated {{ insert: param,\ + \ at-03_odp.04 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: AT-03b.[02] + class: sp800-53a + prose: "role-based training content is updated following {{\ + \ insert: param, at-03_odp.05 }};" + links: + - href: "#at-3_smt.b" + rel: assessment-for + links: + - href: "#at-3_smt.b" + rel: assessment-for + - id: at-3_obj.c + name: assessment-objective + props: + - name: label + value: AT-03c. + class: sp800-53a + prose: lessons learned from internal or external security incidents + or breaches are incorporated into role-based training. + links: + - href: "#at-3_smt.c" + rel: assessment-for + links: + - href: "#at-3_smt" + rel: assessment-for + - id: at-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System security plan + + + privacy plan + + + security and privacy awareness and training policy + + + procedures addressing security and privacy training implementation + + + codes of federal regulations + + + security and privacy training curriculum + + + security and privacy training materials + + + training records + + + other relevant documents or records + - id: at-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + role-based security and privacy training + + + organizational personnel with assigned system security and privacy + roles and responsibilities + - id: at-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing role-based security and privacy training + - id: at-4 + class: SP800-53 + title: Training Records + params: + - id: at-04_odp + label: time period + constraints: + - description: at least one (1) year or 1 year after completion of + a specific training program + guidelines: + - prose: time period for retaining individual training records is + defined; + props: + - name: label + value: AT-4 + - name: label + value: AT-04 + class: sp800-53a + - name: sort-id + value: at-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#si-12" + rel: related + parts: + - id: at-4_smt + name: statement + parts: + - id: at-4_smt.a + name: item + props: + - name: label + value: a. + prose: Document and monitor information security and privacy training + activities, including security and privacy awareness training + and specific role-based security and privacy training; and + - id: at-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Retain individual training records for {{ insert: param,\ + \ at-04_odp }}." + - id: at-4_gdn + name: guidance + prose: Documentation for specialized training may be maintained by individual + supervisors at the discretion of the organization. The National Archives + and Records Administration provides guidance on records retention + for federal agencies. + - id: at-4_obj + name: assessment-objective + props: + - name: label + value: AT-04 + class: sp800-53a + parts: + - id: at-4_obj.a + name: assessment-objective + props: + - name: label + value: AT-04a. + class: sp800-53a + parts: + - id: at-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: AT-04a.[01] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are documented; + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: AT-04a.[02] + class: sp800-53a + prose: information security and privacy training activities, + including security and privacy awareness training and specific + role-based security and privacy training, are monitored; + links: + - href: "#at-4_smt.a" + rel: assessment-for + links: + - href: "#at-4_smt.a" + rel: assessment-for + - id: at-4_obj.b + name: assessment-objective + props: + - name: label + value: AT-04b. + class: sp800-53a + prose: "individual training records are retained for {{ insert:\ + \ param, at-04_odp }}." + links: + - href: "#at-4_smt.b" + rel: assessment-for + links: + - href: "#at-4_smt" + rel: assessment-for + - id: at-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AT-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy awareness and training policy + + procedures addressing security and privacy training records + + security and privacy awareness and training records + + system security plan + + privacy plan + + other relevant documents or records + - id: at-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AT-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational personnel with information security and privacy + training record retention responsibilities + - id: at-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AT-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the management of security and privacy + training records + - id: au + class: family + title: Audit and Accountability + controls: + - id: au-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: au-1_prm_1 + label: organization-defined personnel or roles + - id: au-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability policy + is to be disseminated is/are defined; + - id: au-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the audit and accountability procedures + are to be disseminated is/are defined; + - id: au-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: au-01_odp.04 + label: official + guidelines: + - prose: an official to manage the audit and accountability policy + and procedures is defined; + - id: au-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current audit and accountability + policy is reviewed and updated is defined; + - id: au-01_odp.06 + label: events + guidelines: + - prose: events that would require the current audit and accountability + policy to be reviewed and updated are defined; + - id: au-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current audit and accountability + procedures are reviewed and updated is defined; + - id: au-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require audit and accountability procedures + to be reviewed and updated are defined; + props: + - name: label + value: AU-1 + - name: label + value: AU-01 + class: sp800-53a + - name: sort-id + value: au-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-1_smt + name: statement + parts: + - id: au-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ au-1_prm_1 }}:" + parts: + - id: au-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, au-01_odp.03 }} audit and accountability\ + \ policy that:" + parts: + - id: au-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: au-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: au-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the audit + and accountability policy and the associated audit and accountability + controls; + - id: au-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, au-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures; and" + - id: au-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current audit and accountability:" + parts: + - id: au-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, au-01_odp.05 }} and following\ + \ {{ insert: param, au-01_odp.06 }} ; and" + - id: au-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, au-01_odp.07 }} and following\ + \ {{ insert: param, au-01_odp.08 }}." + - id: au-1_gdn + name: guidance + prose: Audit and accountability policy and procedures address the controls + in the AU family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of audit and accountability + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to audit and accountability policy and procedures + include assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: au-1_obj + name: assessment-objective + props: + - name: label + value: AU-01 + class: sp800-53a + parts: + - id: au-1_obj.a + name: assessment-objective + props: + - name: label + value: AU-01a. + class: sp800-53a + parts: + - id: au-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.[01] + class: sp800-53a + prose: an audit and accountability policy is developed and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.[02] + class: sp800-53a + prose: "the audit and accountability policy is disseminated\ + \ to {{ insert: param, au-01_odp.01 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.[03] + class: sp800-53a + prose: audit and accountability procedures to facilitate the + implementation of the audit and accountability policy and + associated audit and accountability controls are developed + and documented; + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.[04] + class: sp800-53a + prose: "the audit and accountability procedures are disseminated\ + \ to {{ insert: param, au-01_odp.02 }};" + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: AU-01a.01 + class: sp800-53a + parts: + - id: au-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: AU-01a.01(a) + class: sp800-53a + parts: + - id: au-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses purpose;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses scope;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses roles;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses responsibilities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses management\ + \ commitment;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: AU-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the\ + \ audit and accountability policy addresses compliance;" + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#au-1_smt.a.1.a" + rel: assessment-for + - id: au-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: AU-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.03 }} of the audit\ + \ and accountability policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#au-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#au-1_smt.a.1" + rel: assessment-for + links: + - href: "#au-1_smt.a" + rel: assessment-for + - id: au-1_obj.b + name: assessment-objective + props: + - name: label + value: AU-01b. + class: sp800-53a + prose: "the {{ insert: param, au-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the audit\ + \ and accountability policy and procedures;" + links: + - href: "#au-1_smt.b" + rel: assessment-for + - id: au-1_obj.c + name: assessment-objective + props: + - name: label + value: AU-01c. + class: sp800-53a + parts: + - id: au-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: AU-01c.01 + class: sp800-53a + parts: + - id: au-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: AU-01c.01[01] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated {{ insert: param, au-01_odp.05 }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: AU-01c.01[02] + class: sp800-53a + prose: "the current audit and accountability policy is reviewed\ + \ and updated following {{ insert: param, au-01_odp.06\ + \ }};" + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + links: + - href: "#au-1_smt.c.1" + rel: assessment-for + - id: au-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: AU-01c.02 + class: sp800-53a + parts: + - id: au-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: AU-01c.02[01] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated {{ insert: param, au-01_odp.07\ + \ }};" + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + - id: au-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: AU-01c.02[02] + class: sp800-53a + prose: "the current audit and accountability procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ au-01_odp.08 }}." + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c.2" + rel: assessment-for + links: + - href: "#au-1_smt.c" + rel: assessment-for + links: + - href: "#au-1_smt" + rel: assessment-for + - id: au-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: au-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-2 + class: SP800-53 + title: Event Logging + params: + - id: au-2_prm_2 + label: organization-defined event types (subset of the event types defined + in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation + requiring) logging for each identified event type + constraints: + - description: organization-defined subset of the auditable events + defined in AU-2a to be audited continually for each identified + event. + - id: au-02_odp.01 + label: event types + constraints: + - description: "successful and unsuccessful account logon events,\ + \ account management events, object access, policy change, privilege\ + \ functions, process tracking, and system events. For Web applications:\ + \ all administrator activity, authentication checks, authorization\ + \ checks, data deletions, data access, data changes, and permission\ + \ changes" + guidelines: + - prose: the event types that the system is capable of logging in + support of the audit function are defined; + - id: au-02_odp.02 + label: event types (subset of AU-02_ODP[01]) + guidelines: + - prose: the event types (subset of AU-02_ODP[01]) for logging within + the system are defined; + - id: au-02_odp.03 + label: frequency or situation + guidelines: + - prose: the frequency or situation requiring logging for each specified + event type is defined; + - id: au-02_odp.04 + label: frequency + constraints: + - description: annually and whenever there is a change in the threat + environment + guidelines: + - prose: the frequency of event types selected for logging are reviewed + and updated; + props: + - name: label + value: AU-2 + - name: label + value: AU-02 + class: sp800-53a + - name: sort-id + value: au-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-16" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-13" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pm-21" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-2_smt + name: statement + parts: + - id: au-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify the types of events that the system is capable\ + \ of logging in support of the audit function: {{ insert: param,\ + \ au-02_odp.01 }};" + - id: au-2_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate the event logging function with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + - id: au-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Specify the following event types for logging within the\ + \ system: {{ insert: param, au-2_prm_2 }};" + - id: au-2_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a rationale for why the event types selected for + logging are deemed to be adequate to support after-the-fact investigations + of incidents; and + - id: au-2_smt.e + name: item + props: + - name: label + value: e. + prose: "Review and update the event types selected for logging {{\ + \ insert: param, au-02_odp.04 }}." + - id: au-2_fr + name: item + title: AU-2 Additional FedRAMP Requirements and Guidance + parts: + - id: au-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. + - id: au-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Annually or whenever changes in the threat environment + are communicated to the service provider by the JAB/AO. + - id: au-2_gdn + name: guidance + prose: >- + An event is an observable occurrence in a system. The types of + events that require logging are those events that are + significant and relevant to the security of systems and the + privacy of individuals. Event logging also supports specific + monitoring and auditing needs. Event types include password + changes, failed logons or failed accesses related to systems, + security or privacy attribute changes, administrative privilege + usage, PIV credential usage, data action changes, query + parameters, or external credential usage. In determining the set + of event types that require logging, organizations consider the + monitoring and auditing appropriate for each of the controls to + be implemented. For completeness, event logging includes all + protocols that are operational and supported by the system. + + + To balance monitoring and auditing requirements with other system + needs, event logging requires identifying the subset of event types + that are logged at a given point in time. For example, organizations + may determine that systems need the capability to log every file access + successful and unsuccessful, but not activate that capability except + for specific circumstances due to the potential burden on system performance. + The types of events that organizations desire to be logged may change. + Reviewing and updating the set of logged events is necessary to help + ensure that the events remain relevant and continue to support the + needs of the organization. Organizations consider how the types of + logging events can reveal information about individuals that may give + rise to privacy risk and how best to mitigate such risks. For example, + there is the potential to reveal personally identifiable information + in the audit trail, especially if the logging event is based on patterns + or time of usage. + + + Event logging requirements, including the need to log specific event + types, may be referenced in other controls and control enhancements. + These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), + [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), + [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), + [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), + [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and + [SI-10(1)](#si-10.1) . Organizations include event types that are + required by applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Audit records can be generated + at various levels, including at the packet level as information traverses + the network. Selecting the appropriate level of event logging is an + important part of a monitoring and auditing capability and can identify + the root causes of problems. When defining event types, organizations + consider the logging necessary to cover related event types, such + as the steps in distributed, transaction-based processes and the actions + that occur in service-oriented architectures. + - id: au-2_obj + name: assessment-objective + props: + - name: label + value: AU-02 + class: sp800-53a + parts: + - id: au-2_obj.a + name: assessment-objective + props: + - name: label + value: AU-02a. + class: sp800-53a + prose: " {{ insert: param, au-02_odp.01 }} that the system is capable\ + \ of logging are identified in support of the audit logging function;" + links: + - href: "#au-2_smt.a" + rel: assessment-for + - id: au-2_obj.b + name: assessment-objective + props: + - name: label + value: AU-02b. + class: sp800-53a + prose: the event logging function is coordinated with other organizational + entities requiring audit-related information to guide and inform + the selection criteria for events to be logged; + links: + - href: "#au-2_smt.b" + rel: assessment-for + - id: au-2_obj.c + name: assessment-objective + props: + - name: label + value: AU-02c. + class: sp800-53a + parts: + - id: au-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: AU-02c.[01] + class: sp800-53a + prose: " {{ insert: param, au-02_odp.02 }} are specified for\ + \ logging within the system;" + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: AU-02c.[02] + class: sp800-53a + prose: "the specified event types are logged within the system\ + \ {{ insert: param, au-02_odp.03 }};" + links: + - href: "#au-2_smt.c" + rel: assessment-for + links: + - href: "#au-2_smt.c" + rel: assessment-for + - id: au-2_obj.d + name: assessment-objective + props: + - name: label + value: AU-02d. + class: sp800-53a + prose: a rationale is provided for why the event types selected + for logging are deemed to be adequate to support after-the-fact + investigations of incidents; + links: + - href: "#au-2_smt.d" + rel: assessment-for + - id: au-2_obj.e + name: assessment-objective + props: + - name: label + value: AU-02e. + class: sp800-53a + prose: "the event types selected for logging are reviewed and updated\ + \ {{ insert: param, au-02_odp.04 }}." + links: + - href: "#au-2_smt.e" + rel: assessment-for + links: + - href: "#au-2_smt" + rel: assessment-for + - id: au-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing auditable events + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system auditable events + + other relevant documents or records + - id: au-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing + - id: au-3 + class: SP800-53 + title: Content of Audit Records + props: + - name: label + value: AU-3 + - name: label + value: AU-03 + class: sp800-53a + - name: sort-id + value: au-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-8" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: au-3_smt + name: statement + prose: "Ensure that audit records contain information that establishes\ + \ the following:" + parts: + - id: au-3_smt.a + name: item + props: + - name: label + value: a. + prose: What type of event occurred; + - id: au-3_smt.b + name: item + props: + - name: label + value: b. + prose: When the event occurred; + - id: au-3_smt.c + name: item + props: + - name: label + value: c. + prose: Where the event occurred; + - id: au-3_smt.d + name: item + props: + - name: label + value: d. + prose: Source of the event; + - id: au-3_smt.e + name: item + props: + - name: label + value: e. + prose: Outcome of the event; and + - id: au-3_smt.f + name: item + props: + - name: label + value: f. + prose: Identity of any individuals, subjects, or objects/entities + associated with the event. + - id: au-3_gdn + name: guidance + prose: Audit record content that may be necessary to support the auditing + function includes event descriptions (item a), time stamps (item b), + source and destination addresses (item c), user or process identifiers + (items d and f), success or fail indications (item e), and filenames + involved (items a, c, e, and f) . Event outcomes include indicators + of event success or failure and event-specific results, such as the + system security and privacy posture after the event occurred. Organizations + consider how audit records can reveal information about individuals + that may give rise to privacy risks and how best to mitigate such + risks. For example, there is the potential to reveal personally identifiable + information in the audit trail, especially if the trail records inputs + or is based on patterns or time of usage. + - id: au-3_obj + name: assessment-objective + props: + - name: label + value: AU-03 + class: sp800-53a + parts: + - id: au-3_obj.a + name: assessment-objective + props: + - name: label + value: AU-03a. + class: sp800-53a + prose: audit records contain information that establishes what type + of event occurred; + links: + - href: "#au-3_smt.a" + rel: assessment-for + - id: au-3_obj.b + name: assessment-objective + props: + - name: label + value: AU-03b. + class: sp800-53a + prose: audit records contain information that establishes when the + event occurred; + links: + - href: "#au-3_smt.b" + rel: assessment-for + - id: au-3_obj.c + name: assessment-objective + props: + - name: label + value: AU-03c. + class: sp800-53a + prose: audit records contain information that establishes where + the event occurred; + links: + - href: "#au-3_smt.c" + rel: assessment-for + - id: au-3_obj.d + name: assessment-objective + props: + - name: label + value: AU-03d. + class: sp800-53a + prose: audit records contain information that establishes the source + of the event; + links: + - href: "#au-3_smt.d" + rel: assessment-for + - id: au-3_obj.e + name: assessment-objective + props: + - name: label + value: AU-03e. + class: sp800-53a + prose: audit records contain information that establishes the outcome + of the event; + links: + - href: "#au-3_smt.e" + rel: assessment-for + - id: au-3_obj.f + name: assessment-objective + props: + - name: label + value: AU-03f. + class: sp800-53a + prose: audit records contain information that establishes the identity + of any individuals, subjects, or objects/entities associated with + the event. + links: + - href: "#au-3_smt.f" + rel: assessment-for + links: + - href: "#au-3_smt" + rel: assessment-for + - id: au-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing content of audit records + + system design documentation + + system configuration settings and associated documentation + + list of organization-defined auditable events + + system audit records + + system incident reports + + other relevant documents or records + - id: au-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system auditing of auditable events + controls: + - id: au-3.1 + class: SP800-53-enhancement + title: Additional Audit Information + params: + - id: au-03.01_odp + label: additional information + constraints: + - description: session, connection, transaction, or activity duration; + for client-server transactions, the number of bytes received + and bytes sent; additional informational messages to diagnose + or identify the event; characteristics that describe or identify + the object or resource being acted upon; individual identities + of group account users; full-text of privileged commands + guidelines: + - prose: additional information to be included in audit records + is defined; + props: + - name: label + value: AU-3(1) + - name: label + value: AU-03(01) + class: sp800-53a + - name: sort-id + value: au-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-3" + rel: required + parts: + - id: au-3.1_smt + name: statement + prose: "Generate audit records containing the following additional\ + \ information: {{ insert: param, au-03.01_odp }}." + parts: + - id: au-3.1_fr + name: item + title: AU-3 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: au-3.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For client-server transactions, the number of bytes + sent and received gives bidirectional transfer information + that can be helpful during an investigation or inquiry. + - id: au-3.1_gdn + name: guidance + prose: The ability to add information generated in audit records + is dependent on system functionality to configure the audit record + content. Organizations may consider additional information in + audit records including, but not limited to, access control or + flow control rules invoked and individual identities of group + account users. Organizations may also consider limiting additional + audit record information to only information that is explicitly + needed for audit requirements. This facilitates the use of audit + trails and audit logs by not including information in audit records + that could potentially be misleading, make it more difficult to + locate information of interest, or increase the risk to individuals' + privacy. + - id: au-3.1_obj + name: assessment-objective + props: + - name: label + value: AU-03(01) + class: sp800-53a + prose: "generated audit records contain the following {{ insert:\ + \ param, au-03.01_odp }}." + links: + - href: "#au-3.1_smt" + rel: assessment-for + - id: au-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing content of audit records + + + system security plan + + + privacy plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of organization-defined auditable events + + + system audit records + + + other relevant documents or records + - id: au-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: system audit capability + - id: au-4 + class: SP800-53 + title: Audit Log Storage Capacity + params: + - id: au-04_odp + label: audit log retention requirements + guidelines: + - prose: audit log retention requirements are defined; + props: + - name: label + value: AU-4 + - name: label + value: AU-04 + class: sp800-53a + - name: sort-id + value: au-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-4_smt + name: statement + prose: "Allocate audit log storage capacity to accommodate {{ insert:\ + \ param, au-04_odp }}." + - id: au-4_gdn + name: guidance + prose: Organizations consider the types of audit logging to be performed + and the audit log processing requirements when allocating audit log + storage capacity. Allocating sufficient audit log storage capacity + reduces the likelihood of such capacity being exceeded and resulting + in the potential loss or reduction of audit logging capability. + - id: au-4_obj + name: assessment-objective + props: + - name: label + value: AU-04 + class: sp800-53a + prose: "audit log storage capacity is allocated to accommodate {{ insert:\ + \ param, au-04_odp }}." + links: + - href: "#au-4_smt" + rel: assessment-for + - id: au-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit storage capacity + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + audit record storage requirements + + audit record storage capability for system components + + system audit records + + other relevant documents or records + - id: au-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit record storage capacity and related configuration settings + - id: au-5 + class: SP800-53 + title: Response to Audit Logging Process Failures + params: + - id: au-05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles receiving audit logging process failure + alerts are defined; + - id: au-05_odp.02 + label: time period + guidelines: + - prose: time period for personnel or roles receiving audit logging + process failure alerts is defined; + - id: au-05_odp.03 + label: additional actions + constraints: + - description: overwrite oldest record + guidelines: + - prose: additional actions to be taken in the event of an audit logging + process failure are defined; + props: + - name: label + value: AU-5 + - name: label + value: AU-05 + class: sp800-53a + - name: sort-id + value: au-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-11" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-5_smt + name: statement + parts: + - id: au-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Alert {{ insert: param, au-05_odp.01 }} within {{ insert:\ + \ param, au-05_odp.02 }} in the event of an audit logging process\ + \ failure; and" + - id: au-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following additional actions: {{ insert: param,\ + \ au-05_odp.03 }}." + - id: au-5_gdn + name: guidance + prose: Audit logging process failures include software and hardware + errors, failures in audit log capturing mechanisms, and reaching or + exceeding audit log storage capacity. Organization-defined actions + include overwriting oldest audit records, shutting down the system, + and stopping the generation of audit records. Organizations may choose + to define additional actions for audit logging process failures based + on the type of failure, the location of the failure, the severity + of the failure, or a combination of such factors. When the audit logging + process failure is related to storage, the response is carried out + for the audit log storage repository (i.e., the distinct system component + where the audit logs are stored), the system on which the audit logs + reside, the total audit log storage capacity of the organization (i.e., + all audit log storage repositories combined), or all three. Organizations + may decide to take no additional actions after alerting designated + roles or personnel. + - id: au-5_obj + name: assessment-objective + props: + - name: label + value: AU-05 + class: sp800-53a + parts: + - id: au-5_obj.a + name: assessment-objective + props: + - name: label + value: AU-05a. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.01 }} are alerted in the event\ + \ of an audit logging process failure within {{ insert: param,\ + \ au-05_odp.02 }};" + links: + - href: "#au-5_smt.a" + rel: assessment-for + - id: au-5_obj.b + name: assessment-objective + props: + - name: label + value: AU-05b. + class: sp800-53a + prose: " {{ insert: param, au-05_odp.03 }} are taken in the event\ + \ of an audit logging process failure." + links: + - href: "#au-5_smt.b" + rel: assessment-for + links: + - href: "#au-5_smt" + rel: assessment-for + - id: au-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + procedures addressing response to audit processing failures + + + system design documentation + + + system security plan + + + privacy plan + + + system configuration settings and associated documentation + + + list of personnel to be notified in case of an audit processing + failure + + + system audit records + + + other relevant documents or records + - id: au-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing system response to audit processing + failures + - id: au-6 + class: SP800-53 + title: Audit Record Review, Analysis, and Reporting + params: + - id: au-06_odp.01 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: frequency at which system audit records are reviewed and + analyzed is defined; + - id: au-06_odp.02 + label: inappropriate or unusual activity + guidelines: + - prose: inappropriate or unusual activity is defined; + - id: au-06_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to receive findings from reviews and analyses + of system records is/are defined; + props: + - name: label + value: AU-6 + - name: label + value: AU-06 + class: sp800-53a + - name: sort-id + value: au-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-7" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: au-6_smt + name: statement + parts: + - id: au-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Review and analyze system audit records {{ insert: param,\ + \ au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02\ + \ }} and the potential impact of the inappropriate or unusual\ + \ activity;" + - id: au-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report findings to {{ insert: param, au-06_odp.03 }} ; and" + - id: au-6_smt.c + name: item + props: + - name: label + value: c. + prose: Adjust the level of audit record review, analysis, and reporting + within the system when there is a change in risk based on law + enforcement information, intelligence information, or other credible + sources of information. + - id: au-6_fr + name: item + title: AU-6 Additional FedRAMP Requirements and Guidance + parts: + - id: au-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Coordination between service provider and consumer shall + be documented and accepted by the JAB/AO. In multi-tenant + environments, capability and means for providing review, analysis, + and reporting to consumer for data pertaining to consumer + shall be documented. + - id: au-6_gdn + name: guidance + prose: Audit record review, analysis, and reporting covers information + security- and privacy-related logging performed by organizations, + including logging that results from the monitoring of account usage, + remote access, wireless connectivity, mobile device connection, configuration + settings, system component inventory, use of maintenance tools and + non-local maintenance, physical access, temperature and humidity, + equipment delivery and removal, communications at system interfaces, + and use of mobile code or Voice over Internet Protocol (VoIP). Findings + can be reported to organizational entities that include the incident + response team, help desk, and security or privacy offices. If organizations + are prohibited from reviewing and analyzing audit records or unable + to conduct such activities, the review or analysis may be carried + out by other organizations granted such authority. The frequency, + scope, and/or depth of the audit record review, analysis, and reporting + may be adjusted to meet organizational needs based on new information + received. + - id: au-6_obj + name: assessment-objective + props: + - name: label + value: AU-06 + class: sp800-53a + parts: + - id: au-6_obj.a + name: assessment-objective + props: + - name: label + value: AU-06a. + class: sp800-53a + prose: "system audit records are reviewed and analyzed {{ insert:\ + \ param, au-06_odp.01 }} for indications of {{ insert: param,\ + \ au-06_odp.02 }} and the potential impact of the inappropriate\ + \ or unusual activity;" + links: + - href: "#au-6_smt.a" + rel: assessment-for + - id: au-6_obj.b + name: assessment-objective + props: + - name: label + value: AU-06b. + class: sp800-53a + prose: "findings are reported to {{ insert: param, au-06_odp.03\ + \ }};" + links: + - href: "#au-6_smt.b" + rel: assessment-for + - id: au-6_obj.c + name: assessment-objective + props: + - name: label + value: AU-06c. + class: sp800-53a + prose: the level of audit record review, analysis, and reporting + within the system is adjusted when there is a change in risk based + on law enforcement information, intelligence information, or other + credible sources of information. + links: + - href: "#au-6_smt.c" + rel: assessment-for + links: + - href: "#au-6_smt" + rel: assessment-for + - id: au-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + reports of audit findings + + + records of actions taken in response to reviews/analyses of audit + records + + + other relevant documents or records + - id: au-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, and + reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + controls: + - id: au-6.1 + class: SP800-53-enhancement + title: Automated Process Integration + params: + - id: au-06.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used for integrating audit record + review, analysis, and reporting processes are defined; + props: + - name: label + value: AU-6(1) + - name: label + value: AU-06(01) + class: sp800-53a + - name: sort-id + value: au-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#pm-7" + rel: related + parts: + - id: au-6.1_smt + name: statement + prose: "Integrate audit record review, analysis, and reporting processes\ + \ using {{ insert: param, au-06.01_odp }}." + - id: au-6.1_gdn + name: guidance + prose: Organizational processes that benefit from integrated audit + record review, analysis, and reporting include incident response, + continuous monitoring, contingency planning, investigation and + response to suspicious activities, and Inspector General audits. + - id: au-6.1_obj + name: assessment-objective + props: + - name: label + value: AU-06(01) + class: sp800-53a + prose: "audit record review, analysis, and reporting processes are\ + \ integrated using {{ insert: param, au-06.01_odp }}." + links: + - href: "#au-6.1_smt" + rel: assessment-for + - id: au-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + procedures addressing investigation and response to suspicious + activities + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: au-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms integrating audit review, analysis, + and reporting processes + - id: au-6.3 + class: SP800-53-enhancement + title: Correlate Audit Record Repositories + props: + - name: label + value: AU-6(3) + - name: label + value: AU-06(03) + class: sp800-53a + - name: sort-id + value: au-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-6" + rel: required + - href: "#au-12" + rel: related + - href: "#ir-4" + rel: related + parts: + - id: au-6.3_smt + name: statement + prose: Analyze and correlate audit records across different repositories + to gain organization-wide situational awareness. + - id: au-6.3_gdn + name: guidance + prose: Organization-wide situational awareness includes awareness + across all three levels of risk management (i.e., organizational + level, mission/business process level, and information system + level) and supports cross-organization awareness. + - id: au-6.3_obj + name: assessment-objective + props: + - name: label + value: AU-06(03) + class: sp800-53a + prose: audit records across different repositories are analyzed + and correlated to gain organization-wide situational awareness. + links: + - href: "#au-6.3_smt" + rel: assessment-for + - id: au-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit review, analysis, and reporting + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records across different repositories + + + other relevant documents or records + - id: au-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit review, analysis, + and reporting responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the analysis and correlation of + audit records + - id: au-7 + class: SP800-53 + title: Audit Record Reduction and Report Generation + props: + - name: label + value: AU-7 + - name: label + value: AU-07 + class: sp800-53a + - name: sort-id + value: au-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-2" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-12" + rel: related + - href: "#au-16" + rel: related + - href: "#cm-5" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-7_smt + name: statement + prose: "Provide and implement an audit record reduction and report generation\ + \ capability that:" + parts: + - id: au-7_smt.a + name: item + props: + - name: label + value: a. + prose: Supports on-demand audit record review, analysis, and reporting + requirements and after-the-fact investigations of incidents; and + - id: au-7_smt.b + name: item + props: + - name: label + value: b. + prose: Does not alter the original content or time ordering of audit + records. + - id: au-7_gdn + name: guidance + prose: Audit record reduction is a process that manipulates collected + audit log information and organizes it into a summary format that + is more meaningful to analysts. Audit record reduction and report + generation capabilities do not always emanate from the same system + or from the same organizational entities that conduct audit logging + activities. The audit record reduction capability includes modern + data mining techniques with advanced data filters to identify anomalous + behavior in audit records. The report generation capability provided + by the system can generate customizable reports. Time ordering of + audit records can be an issue if the granularity of the timestamp + in the record is insufficient. + - id: au-7_obj + name: assessment-objective + props: + - name: label + value: AU-07 + class: sp800-53a + parts: + - id: au-7_obj.a + name: assessment-objective + props: + - name: label + value: AU-07a. + class: sp800-53a + parts: + - id: au-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: AU-07a.[01] + class: sp800-53a + prose: an audit record reduction and report generation capability + is provided that supports on-demand audit record review, analysis, + and reporting requirements and after-the-fact investigations + of incidents; + links: + - href: "#au-7_smt.a" + rel: assessment-for + - id: au-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: AU-07a.[02] + class: sp800-53a + prose: an audit record reduction and report generation capability + is implemented that supports on-demand audit record review, + analysis, and reporting requirements and after-the-fact investigations + of incidents; + links: + - href: "#au-7_smt.a" + rel: assessment-for + links: + - href: "#au-7_smt.a" + rel: assessment-for + - id: au-7_obj.b + name: assessment-objective + props: + - name: label + value: AU-07b. + class: sp800-53a + parts: + - id: au-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: AU-07b.[01] + class: sp800-53a + prose: an audit record reduction and report generation capability + is provided that does not alter the original content or time + ordering of audit records; + links: + - href: "#au-7_smt.b" + rel: assessment-for + - id: au-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: AU-07b.[02] + class: sp800-53a + prose: an audit record reduction and report generation capability + is implemented that does not alter the original content or + time ordering of audit records. + links: + - href: "#au-7_smt.b" + rel: assessment-for + links: + - href: "#au-7_smt.b" + rel: assessment-for + links: + - href: "#au-7_smt" + rel: assessment-for + - id: au-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing audit reduction and report generation + + system design documentation + + system configuration settings and associated documentation + + audit reduction, review, analysis, and reporting tools + + system audit records + + other relevant documents or records + - id: au-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit reduction and report + generation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: au-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit reduction and report generation capability + controls: + - id: au-7.1 + class: SP800-53-enhancement + title: Automatic Processing + params: + - id: au-07.01_odp + label: fields within audit records + guidelines: + - prose: fields within audit records that can be processed, sorted, + or searched are defined; + props: + - name: label + value: AU-7(1) + - name: label + value: AU-07(01) + class: sp800-53a + - name: sort-id + value: au-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-7" + rel: required + parts: + - id: au-7.1_smt + name: statement + prose: "Provide and implement the capability to process, sort, and\ + \ search audit records for events of interest based on the following\ + \ content: {{ insert: param, au-07.01_odp }}." + - id: au-7.1_gdn + name: guidance + prose: Events of interest can be identified by the content of audit + records, including system resources involved, information objects + accessed, identities of individuals, event types, event locations, + event dates and times, Internet Protocol addresses involved, or + event success or failure. Organizations may define event criteria + to any degree of granularity required, such as locations selectable + by a general networking location or by specific system component. + - id: au-7.1_obj + name: assessment-objective + props: + - name: label + value: AU-07(01) + class: sp800-53a + parts: + - id: au-7.1_obj-1 + name: assessment-objective + props: + - name: label + value: AU-07(01)[01] + class: sp800-53a + prose: "the capability to process, sort, and search audit records\ + \ for events of interest based on {{ insert: param, au-07.01_odp\ + \ }} are provided;" + links: + - href: "#au-7.1_smt" + rel: assessment-for + - id: au-7.1_obj-2 + name: assessment-objective + props: + - name: label + value: AU-07(01)[02] + class: sp800-53a + prose: "the capability to process, sort, and search audit records\ + \ for events of interest based on {{ insert: param, au-07.01_odp\ + \ }} are implemented." + links: + - href: "#au-7.1_smt" + rel: assessment-for + links: + - href: "#au-7.1_smt" + rel: assessment-for + - id: au-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + procedures addressing audit reduction and report generation + + + system design documentation + + + system configuration settings and associated documentation + + + audit reduction, review, analysis, and reporting tools + + + audit record criteria (fields) establishing events of interest + + + system audit records + + + other relevant documents or records + - id: au-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit reduction and report + generation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: au-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Audit reduction and report generation capability + - id: au-8 + class: SP800-53 + title: Time Stamps + params: + - id: au-08_odp + label: granularity of time measurement + constraints: + - description: one second granularity of time measurement + guidelines: + - prose: granularity of time measurement for audit record timestamps + is defined; + props: + - name: label + value: AU-8 + - name: label + value: AU-08 + class: sp800-53a + - name: sort-id + value: au-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-3" + rel: related + - href: "#au-12" + rel: related + - href: "#au-14" + rel: related + - href: "#sc-45" + rel: related + parts: + - id: au-8_smt + name: statement + parts: + - id: au-8_smt.a + name: item + props: + - name: label + value: a. + prose: Use internal system clocks to generate time stamps for audit + records; and + - id: au-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Record time stamps for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or that include the local time offset as part of the time stamp." + - id: au-8_gdn + name: guidance + prose: Time stamps generated by the system include date and time. Time + is commonly expressed in Coordinated Universal Time (UTC), a modern + continuation of Greenwich Mean Time (GMT), or local time with an offset + from UTC. Granularity of time measurements refers to the degree of + synchronization between system clocks and reference clocks (e.g., + clocks synchronizing within hundreds of milliseconds or tens of milliseconds). + Organizations may define different time granularities for different + system components. Time service can be critical to other security + capabilities such as access control and identification and authentication, + depending on the nature of the mechanisms used to support those capabilities. + - id: au-8_obj + name: assessment-objective + props: + - name: label + value: AU-08 + class: sp800-53a + parts: + - id: au-8_obj.a + name: assessment-objective + props: + - name: label + value: AU-08a. + class: sp800-53a + prose: internal system clocks are used to generate timestamps for + audit records; + links: + - href: "#au-8_smt.a" + rel: assessment-for + - id: au-8_obj.b + name: assessment-objective + props: + - name: label + value: AU-08b. + class: sp800-53a + prose: "timestamps are recorded for audit records that meet {{ insert:\ + \ param, au-08_odp }} and that use Coordinated Universal Time,\ + \ have a fixed local time offset from Coordinated Universal Time,\ + \ or include the local time offset as part of the timestamp." + links: + - href: "#au-8_smt.b" + rel: assessment-for + links: + - href: "#au-8_smt" + rel: assessment-for + - id: au-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + procedures addressing timestamp generation + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: au-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + system/network administrators + + + system developers + - id: au-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing timestamp generation + - id: au-9 + class: SP800-53 + title: Protection of Audit Information + params: + - id: au-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted upon detection of unauthorized + access, modification, or deletion of audit information is/are + defined; + props: + - name: label + value: AU-9 + - name: label + value: AU-09 + class: sp800-53a + - name: sort-id + value: au-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#au-6" + rel: related + - href: "#au-11" + rel: related + - href: "#au-14" + rel: related + - href: "#au-15" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: au-9_smt + name: statement + parts: + - id: au-9_smt.a + name: item + props: + - name: label + value: a. + prose: Protect audit information and audit logging tools from unauthorized + access, modification, and deletion; and + - id: au-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized\ + \ access, modification, or deletion of audit information." + - id: au-9_gdn + name: guidance + prose: Audit information includes all information needed to successfully + audit system activity, such as audit records, audit log settings, + audit reports, and personally identifiable information. Audit logging + tools are those programs and devices used to conduct system audit + and logging activities. Protection of audit information focuses on + technical protection and limits the ability to access and execute + audit logging tools to authorized individuals. Physical protection + of audit information is addressed by both media protection controls + and physical and environmental protection controls. + - id: au-9_obj + name: assessment-objective + props: + - name: label + value: AU-09 + class: sp800-53a + parts: + - id: au-9_obj.a + name: assessment-objective + props: + - name: label + value: AU-09a. + class: sp800-53a + prose: audit information and audit logging tools are protected from + unauthorized access, modification, and deletion; + links: + - href: "#au-9_smt.a" + rel: assessment-for + - id: au-9_obj.b + name: assessment-objective + props: + - name: label + value: AU-09b. + class: sp800-53a + prose: " {{ insert: param, au-09_odp }} are alerted upon detection\ + \ of unauthorized access, modification, or deletion of audit information." + links: + - href: "#au-9_smt.b" + rel: assessment-for + links: + - href: "#au-9_smt" + rel: assessment-for + - id: au-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + access control policy and procedures + + procedures addressing protection of audit information + + system design documentation + + system configuration settings and associated documentation + + system audit records + + audit tools + + other relevant documents or records + - id: au-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit information protection + controls: + - id: au-9.4 + class: SP800-53-enhancement + title: Access by Subset of Privileged Users + params: + - id: au-09.04_odp + label: subset of privileged users or roles + guidelines: + - prose: a subset of privileged users or roles authorized to access + management of audit logging functionality is defined; + props: + - name: label + value: AU-9(4) + - name: label + value: AU-09(04) + class: sp800-53a + - name: sort-id + value: au-09.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#au-9" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: au-9.4_smt + name: statement + prose: "Authorize access to management of audit logging functionality\ + \ to only {{ insert: param, au-09.04_odp }}." + - id: au-9.4_gdn + name: guidance + prose: Individuals or roles with privileged access to a system and + who are also the subject of an audit by that system may affect + the reliability of the audit information by inhibiting audit activities + or modifying audit records. Requiring privileged access to be + further defined between audit-related privileges and other privileges + limits the number of users or roles with audit-related privileges. + - id: au-9.4_obj + name: assessment-objective + props: + - name: label + value: AU-09(04) + class: sp800-53a + prose: "access to management of audit logging functionality is authorized\ + \ only to {{ insert: param, au-09.04_odp }}." + links: + - href: "#au-9.4_smt" + rel: assessment-for + - id: au-9.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-09(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Audit and accountability policy + + + system security plan + + + privacy plan + + + access control policy and procedures + + + procedures addressing protection of audit information + + + system design documentation + + + system configuration settings and associated documentation + + + system-generated list of privileged users with access to management + of audit functionality + + + access authorizations + + + access control list + + + system audit records + + + other relevant documents or records + - id: au-9.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-09(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit and accountability + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-9.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-09(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms managing access to audit functionality + - id: au-11 + class: SP800-53 + title: Audit Record Retention + params: + - id: au-11_odp + label: time period + constraints: + - description: a time period in compliance with M-21-31 + guidelines: + - prose: a time period to retain audit records that is consistent + with the records retention policy is defined; + props: + - name: label + value: AU-11 + - name: label + value: AU-11 + class: sp800-53a + - name: sort-id + value: au-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-14" + rel: related + - href: "#mp-6" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: au-11_smt + name: statement + prose: "Retain audit records for {{ insert: param, au-11_odp }} to provide\ + \ support for after-the-fact investigations of incidents and to meet\ + \ regulatory and organizational information retention requirements." + parts: + - id: au-11_fr + name: item + title: AU-11 Additional FedRAMP Requirements and Guidance + parts: + - id: au-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider retains audit records on-line for + at least ninety days and further preserves audit records off-line + for a period that is in accordance with NARA requirements. + - id: au-11_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must support Agency requirements + to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) + - id: au-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The service provider is encouraged to align with M-21-31 + where possible + - id: au-11_gdn + name: guidance + prose: Organizations retain audit records until it is determined that + the records are no longer needed for administrative, legal, audit, + or other operational purposes. This includes the retention and availability + of audit records relative to Freedom of Information Act (FOIA) requests, + subpoenas, and law enforcement actions. Organizations develop standard + categories of audit records relative to such types of actions and + standard response processes for each type of action. The National + Archives and Records Administration (NARA) General Records Schedules + provide federal policy on records retention. + - id: au-11_obj + name: assessment-objective + props: + - name: label + value: AU-11 + class: sp800-53a + prose: "audit records are retained for {{ insert: param, au-11_odp }}\ + \ to provide support for after-the-fact investigations of incidents\ + \ and to meet regulatory and organizational information retention\ + \ requirements." + links: + - href: "#au-11_smt" + rel: assessment-for + - id: au-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + system security plan + + privacy plan + + audit record retention policy and procedures + + security plan + + organization-defined retention period for audit records + + audit record archives + + audit logs + + audit records + + other relevant documents or records + - id: au-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record retention + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: au-12 + class: SP800-53 + title: Audit Record Generation + params: + - id: au-12_odp.01 + label: system components + constraints: + - description: all information system and network components where + audit capability is deployed/available + guidelines: + - prose: system components that provide an audit record generation + capability for the events types (defined in AU-02_ODP[02]) are + defined; + - id: au-12_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles allowed to select the event types that + are to be logged by specific components of the system is/are defined; + props: + - name: label + value: AU-12 + - name: label + value: AU-12 + class: sp800-53a + - name: sort-id + value: au-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-14" + rel: related + - href: "#cm-5" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-18" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + parts: + - id: au-12_smt + name: statement + parts: + - id: au-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide audit record generation capability for the event\ + \ types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a)\ + \ on {{ insert: param, au-12_odp.01 }};" + - id: au-12_smt.b + name: item + props: + - name: label + value: b. + prose: "Allow {{ insert: param, au-12_odp.02 }} to select the event\ + \ types that are to be logged by specific components of the system;\ + \ and" + - id: au-12_smt.c + name: item + props: + - name: label + value: c. + prose: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) + that include the audit record content defined in [AU-3](#au-3). + - id: au-12_gdn + name: guidance + prose: Audit records can be generated from many different system components. + The event types specified in [AU-2d](#au-2_smt.d) are the event types + for which audit logs are to be generated and are a subset of all event + types for which the system can generate audit records. + - id: au-12_obj + name: assessment-objective + props: + - name: label + value: AU-12 + class: sp800-53a + parts: + - id: au-12_obj.a + name: assessment-objective + props: + - name: label + value: AU-12a. + class: sp800-53a + prose: "audit record generation capability for the event types the\ + \ system is capable of auditing (defined in AU-02_ODP[01]) is\ + \ provided by {{ insert: param, au-12_odp.01 }};" + links: + - href: "#au-12_smt.a" + rel: assessment-for + - id: au-12_obj.b + name: assessment-objective + props: + - name: label + value: AU-12b. + class: sp800-53a + prose: " {{ insert: param, au-12_odp.02 }} is/are allowed to select\ + \ the event types that are to be logged by specific components\ + \ of the system;" + links: + - href: "#au-12_smt.b" + rel: assessment-for + - id: au-12_obj.c + name: assessment-objective + props: + - name: label + value: AU-12c. + class: sp800-53a + prose: audit records for the event types defined in AU-02_ODP[02] + that include the audit record content defined in AU-03 are generated. + links: + - href: "#au-12_smt.c" + rel: assessment-for + links: + - href: "#au-12_smt" + rel: assessment-for + - id: au-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: AU-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Audit and accountability policy + + procedures addressing audit record generation + + system security plan + + privacy plan + + system design documentation + + system configuration settings and associated documentation + + list of auditable events + + system audit records + + other relevant documents or records + - id: au-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: AU-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with audit record generation + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: au-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: AU-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing audit record generation capability + - id: ca + class: family + title: Assessment, Authorization, and Monitoring + controls: + - id: ca-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ca-1_prm_1 + label: organization-defined personnel or roles + - id: ca-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring policy is to be disseminated is/are defined; + - id: ca-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the assessment, authorization, + and monitoring procedures are to be disseminated is/are defined; + - id: ca-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ca-01_odp.04 + label: official + guidelines: + - prose: an official to manage the assessment, authorization, and + monitoring policy and procedures is defined; + - id: ca-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring policy is reviewed and updated is defined; + - id: ca-01_odp.06 + label: events + guidelines: + - prose: events that would require the current assessment, authorization, + and monitoring policy to be reviewed and updated are defined; + - id: ca-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current assessment, authorization, + and monitoring procedures are reviewed and updated is defined; + - id: ca-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require assessment, authorization, and + monitoring procedures to be reviewed and updated are defined; + props: + - name: label + value: CA-1 + - name: label + value: CA-01 + class: sp800-53a + - name: sort-id + value: ca-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#62ea77ca-e450-4323-b210-e0d75390e785" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-1_smt + name: statement + parts: + - id: ca-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ca-1_prm_1 }}:" + parts: + - id: ca-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ca-01_odp.03 }} assessment, authorization,\ + \ and monitoring policy that:" + parts: + - id: ca-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ca-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ca-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the assessment, + authorization, and monitoring policy and the associated assessment, + authorization, and monitoring controls; + - id: ca-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ca-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures; and" + - id: ca-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current assessment, authorization,\ + \ and monitoring:" + parts: + - id: ca-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ca-01_odp.05 }} and following\ + \ {{ insert: param, ca-01_odp.06 }} ; and" + - id: ca-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ca-01_odp.07 }} and following\ + \ {{ insert: param, ca-01_odp.08 }}." + - id: ca-1_gdn + name: guidance + prose: Assessment, authorization, and monitoring policy and procedures + address the controls in the CA family that are implemented within + systems and organizations. The risk management strategy is an important + factor in establishing such policies and procedures. Policies and + procedures contribute to security and privacy assurance. Therefore, + it is important that security and privacy programs collaborate on + the development of assessment, authorization, and monitoring policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to assessment, authorization, and monitoring + policy and procedures include assessment or audit findings, security + incidents or breaches, or changes in applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Simply + restating controls does not constitute an organizational policy or + procedure. + - id: ca-1_obj + name: assessment-objective + props: + - name: label + value: CA-01 + class: sp800-53a + parts: + - id: ca-1_obj.a + name: assessment-objective + props: + - name: label + value: CA-01a. + class: sp800-53a + parts: + - id: ca-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.[01] + class: sp800-53a + prose: an assessment, authorization, and monitoring policy is + developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.[02] + class: sp800-53a + prose: "the assessment, authorization, and monitoring policy\ + \ is disseminated to {{ insert: param, ca-01_odp.01 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.[03] + class: sp800-53a + prose: assessment, authorization, and monitoring procedures + to facilitate the implementation of the assessment, authorization, + and monitoring policy and associated assessment, authorization, + and monitoring controls are developed and documented; + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.[04] + class: sp800-53a + prose: "the assessment, authorization, and monitoring procedures\ + \ are disseminated to {{ insert: param, ca-01_odp.02 }};" + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CA-01a.01 + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CA-01a.01(a) + class: sp800-53a + parts: + - id: ca-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses purpose;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses scope;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses roles;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses responsibilities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses management\ + \ commitment;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy addresses compliance;" + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1.a" + rel: assessment-for + - id: ca-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.03 }} assessment,\ + \ authorization, and monitoring policy is consistent with\ + \ applicable laws, executive orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#ca-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ca-1_smt.a.1" + rel: assessment-for + links: + - href: "#ca-1_smt.a" + rel: assessment-for + - id: ca-1_obj.b + name: assessment-objective + props: + - name: label + value: CA-01b. + class: sp800-53a + prose: "the {{ insert: param, ca-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the assessment,\ + \ authorization, and monitoring policy and procedures;" + links: + - href: "#ca-1_smt.b" + rel: assessment-for + - id: ca-1_obj.c + name: assessment-objective + props: + - name: label + value: CA-01c. + class: sp800-53a + parts: + - id: ca-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-01c.01 + class: sp800-53a + parts: + - id: ca-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CA-01c.01[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated {{ insert: param, ca-01_odp.05\ + \ }}; " + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CA-01c.01[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ policy is reviewed and updated following {{ insert:\ + \ param, ca-01_odp.06 }};" + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + links: + - href: "#ca-1_smt.c.1" + rel: assessment-for + - id: ca-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-01c.02 + class: sp800-53a + parts: + - id: ca-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CA-01c.02[01] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated {{ insert: param,\ + \ ca-01_odp.07 }}; " + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + - id: ca-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CA-01c.02[02] + class: sp800-53a + prose: "the current assessment, authorization, and monitoring\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, ca-01_odp.08 }}." + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c.2" + rel: assessment-for + links: + - href: "#ca-1_smt.c" + rel: assessment-for + links: + - href: "#ca-1_smt" + rel: assessment-for + - id: ca-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy and + procedures + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment, authorization, and + monitoring policy responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2 + class: SP800-53 + title: Control Assessments + params: + - id: ca-02_odp.01 + label: assessment frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess controls in the system and + its environment of operation is defined; + - id: ca-02_odp.02 + label: individuals or roles + constraints: + - description: individuals or roles to include FedRAMP PMO + guidelines: + - prose: individuals or roles to whom control assessment results are + to be provided are defined; + props: + - name: label + value: CA-2 + - name: label + value: CA-02 + class: sp800-53a + - name: sort-id + value: ca-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: ca-2_smt + name: statement + parts: + - id: ca-2_smt.a + name: item + props: + - name: label + value: a. + prose: Select the appropriate assessor or assessment team for the + type of assessment to be conducted; + - id: ca-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Develop a control assessment plan that describes the scope\ + \ of the assessment including:" + parts: + - id: ca-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Controls and control enhancements under assessment; + - id: ca-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Assessment procedures to be used to determine control + effectiveness; and + - id: ca-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Assessment environment, assessment team, and assessment + roles and responsibilities; + - id: ca-2_smt.c + name: item + props: + - name: label + value: c. + prose: Ensure the control assessment plan is reviewed and approved + by the authorizing official or designated representative prior + to conducting the assessment; + - id: ca-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Assess the controls in the system and its environment of\ + \ operation {{ insert: param, ca-02_odp.01 }} to determine the\ + \ extent to which the controls are implemented correctly, operating\ + \ as intended, and producing the desired outcome with respect\ + \ to meeting established security and privacy requirements;" + - id: ca-2_smt.e + name: item + props: + - name: label + value: e. + prose: Produce a control assessment report that document the results + of the assessment; and + - id: ca-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Provide the results of the control assessment to {{ insert:\ + \ param, ca-02_odp.02 }}." + - id: ca-2_fr + name: item + title: CA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP Annual Assessment Guidance. + - id: ca-2_gdn + name: guidance + prose: >- + Organizations ensure that control assessors possess the required + skills and technical expertise to develop effective assessment + plans and to conduct assessments of system-specific, hybrid, + common, and program management controls, as appropriate. The + required skills include general knowledge of risk management + concepts and approaches as well as comprehensive knowledge of + and experience with the hardware, software, and firmware system + components implemented. + + + Organizations assess controls in systems and the environments in which + those systems operate as part of initial and ongoing authorizations, + continuous monitoring, FISMA annual assessments, system design and + development, systems security engineering, privacy engineering, and + the system development life cycle. Assessments help to ensure that + organizations meet information security and privacy requirements, + identify weaknesses and deficiencies in the system design and development + process, provide essential information needed to make risk-based decisions + as part of authorization processes, and comply with vulnerability + mitigation procedures. Organizations conduct assessments on the implemented + controls as documented in security and privacy plans. Assessments + can also be conducted throughout the system development life cycle + as part of systems engineering and systems security engineering processes. + The design for controls can be assessed as RFPs are developed, responses + assessed, and design reviews conducted. If a design to implement controls + and subsequent implementation in accordance with the design are assessed + during development, the final control testing can be a simple confirmation + utilizing previously completed control assessment and aggregating + the outcomes. + + + Organizations may develop a single, consolidated security and privacy + assessment plan for the system or maintain separate plans. A consolidated + assessment plan clearly delineates the roles and responsibilities + for control assessment. If multiple organizations participate in assessing + a system, a coordinated approach can reduce redundancies and associated + costs. + + + Organizations can use other types of assessment activities, such as + vulnerability scanning and system monitoring, to maintain the security + and privacy posture of systems during the system life cycle. Assessment + reports document assessment results in sufficient detail, as deemed + necessary by organizations, to determine the accuracy and completeness + of the reports and whether the controls are implemented correctly, + operating as intended, and producing the desired outcome with respect + to meeting requirements. Assessment results are provided to the individuals + or roles appropriate for the types of assessments being conducted. + For example, assessments conducted in support of authorization decisions + are provided to authorizing officials, senior agency officials for + privacy, senior agency information security officers, and authorizing + official designated representatives. + + + To satisfy annual assessment requirements, organizations can use assessment + results from the following sources: initial or ongoing system authorizations, + continuous monitoring, systems engineering processes, or system development + life cycle activities. Organizations ensure that assessment results + are current, relevant to the determination of control effectiveness, + and obtained with the appropriate level of assessor independence. + Existing control assessment results can be reused to the extent that + the results are still valid and can also be supplemented with additional + assessments as needed. After the initial authorizations, organizations + assess controls during continuous monitoring. Organizations also establish + the frequency for ongoing assessments in accordance with organizational + continuous monitoring strategies. External audits, including audits + by external entities such as regulatory agencies, are outside of the + scope of [CA-2](#ca-2). + - id: ca-2_obj + name: assessment-objective + props: + - name: label + value: CA-02 + class: sp800-53a + parts: + - id: ca-2_obj.a + name: assessment-objective + props: + - name: label + value: CA-02a. + class: sp800-53a + prose: an appropriate assessor or assessment team is selected for + the type of assessment to be conducted; + links: + - href: "#ca-2_smt.a" + rel: assessment-for + - id: ca-2_obj.b + name: assessment-objective + props: + - name: label + value: CA-02b. + class: sp800-53a + parts: + - id: ca-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CA-02b.01 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including controls and control + enhancements under assessment; + links: + - href: "#ca-2_smt.b.1" + rel: assessment-for + - id: ca-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CA-02b.02 + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment procedures + to be used to determine control effectiveness; + links: + - href: "#ca-2_smt.b.2" + rel: assessment-for + - id: ca-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CA-02b.03 + class: sp800-53a + parts: + - id: ca-2_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: CA-02b.03[01] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + environment; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: CA-02b.03[02] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including the assessment + team; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + - id: ca-2_obj.b.3-3 + name: assessment-objective + props: + - name: label + value: CA-02b.03[03] + class: sp800-53a + prose: a control assessment plan is developed that describes + the scope of the assessment, including assessment roles + and responsibilities; + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b.3" + rel: assessment-for + links: + - href: "#ca-2_smt.b" + rel: assessment-for + - id: ca-2_obj.c + name: assessment-objective + props: + - name: label + value: CA-02c. + class: sp800-53a + prose: the control assessment plan is reviewed and approved by the + authorizing official or designated representative prior to conducting + the assessment; + links: + - href: "#ca-2_smt.c" + rel: assessment-for + - id: ca-2_obj.d + name: assessment-objective + props: + - name: label + value: CA-02d. + class: sp800-53a + parts: + - id: ca-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: CA-02d.[01] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established security requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: CA-02d.[02] + class: sp800-53a + prose: "controls are assessed in the system and its environment\ + \ of operation {{ insert: param, ca-02_odp.01 }} to determine\ + \ the extent to which the controls are implemented correctly,\ + \ operating as intended, and producing the desired outcome\ + \ with respect to meeting established privacy requirements;" + links: + - href: "#ca-2_smt.d" + rel: assessment-for + links: + - href: "#ca-2_smt.d" + rel: assessment-for + - id: ca-2_obj.e + name: assessment-objective + props: + - name: label + value: CA-02e. + class: sp800-53a + prose: a control assessment report is produced that documents the + results of the assessment; + links: + - href: "#ca-2_smt.e" + rel: assessment-for + - id: ca-2_obj.f + name: assessment-objective + props: + - name: label + value: CA-02f. + class: sp800-53a + prose: "the results of the control assessment are provided to {{\ + \ insert: param, ca-02_odp.02 }}." + links: + - href: "#ca-2_smt.f" + rel: assessment-for + links: + - href: "#ca-2_smt" + rel: assessment-for + - id: ca-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing assessment planning + + procedures addressing control assessments + + control assessment plan + + control assessment report + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting control assessment, control assessment + plan development, and/or control assessment reporting + controls: + - id: ca-2.1 + class: SP800-53-enhancement + title: Independent Assessors + props: + - name: label + value: CA-2(1) + - name: label + value: CA-02(01) + class: sp800-53a + - name: sort-id + value: ca-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + parts: + - id: ca-2.1_smt + name: statement + prose: Employ independent assessors or assessment teams to conduct + control assessments. + parts: + - id: ca-2.1_fr + name: item + title: CA-2 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ca-2.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For JAB Authorization, must use an accredited 3PAO. + - id: ca-2.1_gdn + name: guidance + prose: >- + Independent assessors or assessment teams are individuals or + groups who conduct impartial assessments of systems. + Impartiality means that assessors are free from any + perceived or actual conflicts of interest regarding the + development, operation, sustainment, or management of the + systems under assessment or the determination of control + effectiveness. To achieve impartiality, assessors do not + create a mutual or conflicting interest with the + organizations where the assessments are being conducted, + assess their own work, act as management or employees of the + organizations they are serving, or place themselves in + positions of advocacy for the organizations acquiring their + services. + + + Independent assessments can be obtained from elements within organizations + or be contracted to public or private sector entities outside + of organizations. Authorizing officials determine the required + level of independence based on the security categories of systems + and/or the risk to organizational operations, organizational assets, + or individuals. Authorizing officials also determine if the level + of assessor independence provides sufficient assurance that the + results are sound and can be used to make credible, risk-based + decisions. Assessor independence determination includes whether + contracted assessment services have sufficient independence, such + as when system owners are not directly involved in contracting + processes or cannot influence the impartiality of the assessors + conducting the assessments. During the system design and development + phase, having independent assessors is analogous to having independent + SMEs involved in design reviews. + + + When organizations that own the systems are small or the structures + of the organizations require that assessments be conducted by + individuals that are in the developmental, operational, or management + chain of the system owners, independence in assessment processes + can be achieved by ensuring that assessment results are carefully + reviewed and analyzed by independent teams of experts to validate + the completeness, accuracy, integrity, and reliability of the + results. Assessments performed for purposes other than to support + authorization decisions are more likely to be useable for such + decisions when performed by assessors with sufficient independence, + thereby reducing the need to repeat assessments. + - id: ca-2.1_obj + name: assessment-objective + props: + - name: label + value: CA-02(01) + class: sp800-53a + prose: independent assessors or assessment teams are employed to + conduct control assessments. + links: + - href: "#ca-2.1_smt" + rel: assessment-for + - id: ca-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + previous control assessment plan + + previous control assessment report + + plan of action and milestones + + existing authorization statement + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-2.3 + class: SP800-53-enhancement + title: Leveraging Results from External Organizations + params: + - id: ca-02.03_odp.01 + label: external organization(s) + constraints: + - description: any FedRAMP Accredited 3PAO + guidelines: + - prose: external organization(s) from which the results of control + assessments are leveraged are defined; + - id: ca-02.03_odp.02 + label: system + guidelines: + - prose: system on which a control assessment was performed by + an external organization is defined; + - id: ca-02.03_odp.03 + label: requirements + constraints: + - description: the conditions of the JAB/AO in the FedRAMP Repository + guidelines: + - prose: requirements to be met by the control assessment performed + by an external organization on the system are defined; + props: + - name: label + value: CA-2(3) + - name: label + value: CA-02(03) + class: sp800-53a + - name: sort-id + value: ca-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-2" + rel: required + - href: "#sa-4" + rel: related + parts: + - id: ca-2.3_smt + name: statement + prose: "Leverage the results of control assessments performed by\ + \ {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02\ + \ }} when the assessment meets {{ insert: param, ca-02.03_odp.03\ + \ }}." + - id: ca-2.3_gdn + name: guidance + prose: Organizations may rely on control assessments of organizational + systems by other (external) organizations. Using such assessments + and reusing existing assessment evidence can decrease the time + and resources required for assessments by limiting the independent + assessment activities that organizations need to perform. The + factors that organizations consider in determining whether to + accept assessment results from external organizations can vary. + Such factors include the organization’s past experience with the + organization that conducted the assessment, the reputation of + the assessment organization, the level of detail of supporting + assessment evidence provided, and mandates imposed by applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Accredited testing laboratories that support the + Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) + , the NIST Cryptographic Module Validation Program (CMVP), or + the NIST Cryptographic Algorithm Validation Program (CAVP) can + provide independent assessment results that organizations can + leverage. + - id: ca-2.3_obj + name: assessment-objective + props: + - name: label + value: CA-02(03) + class: sp800-53a + prose: "the results of control assessments performed by {{ insert:\ + \ param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02\ + \ }} are leveraged when the assessment meets {{ insert: param,\ + \ ca-02.03_odp.03 }}." + links: + - href: "#ca-2.3_smt" + rel: assessment-for + - id: ca-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing control assessments + + control assessment requirements + + control assessment plan + + control assessment report + + control assessment evidence + + plan of action and milestones + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel performing control assessments for the specified + external organization + - id: ca-3 + class: SP800-53 + title: Information Exchange + params: + - id: ca-03_odp.01 + select: + how-many: one-or-more + choice: + - interconnection security agreements + - information exchange security agreements + - memoranda of understanding or agreement + - service level agreements + - user agreements + - non-disclosure agreements + - " {{ insert: param, ca-03_odp.02 }} " + - id: ca-03_odp.02 + label: type of agreement + guidelines: + - prose: the type of agreement used to approve and manage the exchange + of information is defined (if selected); + - id: ca-03_odp.03 + label: frequency + constraints: + - description: at least annually and on input from JAB/AO + guidelines: + - prose: the frequency at which to review and update agreements is + defined; + props: + - name: label + value: CA-3 + - name: label + value: CA-03 + class: sp800-53a + - name: sort-id + value: ca-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#c3a76872-e160-4267-99e8-6952de967d04" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-16" + rel: related + - href: "#ca-6" + rel: related + - href: "#ia-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-3_smt + name: statement + parts: + - id: ca-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Approve and manage the exchange of information between the\ + \ system and other systems using {{ insert: param, ca-03_odp.01\ + \ }};" + - id: ca-3_smt.b + name: item + props: + - name: label + value: b. + prose: Document, as part of each exchange agreement, the interface + characteristics, security and privacy requirements, controls, + and responsibilities for each system, and the impact level of + the information communicated; and + - id: ca-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the agreements {{ insert: param, ca-03_odp.03\ + \ }}." + - id: ca-3_gdn + name: guidance + prose: >- + System information exchange requirements apply to information + exchanges between two or more systems. System information + exchanges include connections via leased lines or virtual + private networks, connections to internet service providers, + database sharing or exchanges of database transaction + information, connections and exchanges with cloud services, + exchanges via web-based services, or exchanges of files via file + transfer protocols, network protocols (e.g., IPv4, IPv6), email, + or other organization-to-organization communications. + Organizations consider the risk related to new or increased + threats that may be introduced when systems exchange information + with other systems that may have different security and privacy + requirements and controls. This includes systems within the same + organization and systems that are external to the organization. + A joint authorization of the systems exchanging information, as + described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help + to communicate and reduce risk. + + + Authorizing officials determine the risk associated with system information + exchange and the controls needed for appropriate risk mitigation. + The types of agreements selected are based on factors such as the + impact level of the information being exchanged, the relationship + between the organizations exchanging information (e.g., government + to government, government to business, business to business, government + or business to service provider, government or business to individual), + or the level of access to the organizational system by users of the + other system. If systems that exchange information have the same authorizing + official, organizations need not develop agreements. Instead, the + interface characteristics between the systems (e.g., how the information + is being exchanged. how the information is protected) are described + in the respective security and privacy plans. If the systems that + exchange information have different authorizing officials within the + same organization, the organizations can develop agreements or provide + the same information that would be provided in the appropriate agreement + type from [CA-3a](#ca-3_smt.a) in the respective security and privacy + plans for the systems. Organizations may incorporate agreement information + into formal contracts, especially for information exchanges established + between federal agencies and nonfederal organizations (including service + providers, contractors, system developers, and system integrators). + Risk considerations include systems that share the same networks. + - id: ca-3_obj + name: assessment-objective + props: + - name: label + value: CA-03 + class: sp800-53a + parts: + - id: ca-3_obj.a + name: assessment-objective + props: + - name: label + value: CA-03a. + class: sp800-53a + prose: "the exchange of information between the system and other\ + \ systems is approved and managed using {{ insert: param, ca-03_odp.01\ + \ }};" + links: + - href: "#ca-3_smt.a" + rel: assessment-for + - id: ca-3_obj.b + name: assessment-objective + props: + - name: label + value: CA-03b. + class: sp800-53a + parts: + - id: ca-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-03b.[01] + class: sp800-53a + prose: the interface characteristics are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-03b.[02] + class: sp800-53a + prose: security requirements are documented as part of each + exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-03b.[03] + class: sp800-53a + prose: privacy requirements are documented as part of each exchange + agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-03b.[04] + class: sp800-53a + prose: controls are documented as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-5 + name: assessment-objective + props: + - name: label + value: CA-03b.[05] + class: sp800-53a + prose: responsibilities for each system are documented as part + of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.b-6 + name: assessment-objective + props: + - name: label + value: CA-03b.[06] + class: sp800-53a + prose: the impact level of the information communicated is documented + as part of each exchange agreement; + links: + - href: "#ca-3_smt.b" + rel: assessment-for + links: + - href: "#ca-3_smt.b" + rel: assessment-for + - id: ca-3_obj.c + name: assessment-objective + props: + - name: label + value: CA-03c. + class: sp800-53a + prose: "agreements are reviewed and updated {{ insert: param, ca-03_odp.03\ + \ }}." + links: + - href: "#ca-3_smt.c" + rel: assessment-for + links: + - href: "#ca-3_smt" + rel: assessment-for + - id: ca-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Access control policy + + procedures addressing system connections + + system and communications protection policy + + system interconnection security agreements + + information exchange security agreements + + memoranda of understanding or agreements + + service level agreements + + non-disclosure agreements + + system design documentation + + enterprise architecture + + system architecture + + system configuration settings and associated documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or approving system + interconnection agreements + + + organizational personnel with information security and privacy + responsibilities + + + personnel managing the system(s) to which the interconnection + security agreement applies + - id: ca-5 + class: SP800-53 + title: Plan of Action and Milestones + params: + - id: ca-05_odp + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to update an existing plan of action + and milestones based on the findings from control assessments, + independent audits or reviews, and continuous monitoring activities + is defined; + props: + - name: label + value: CA-5 + - name: label + value: CA-05 + class: sp800-53a + - name: sort-id + value: ca-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-9" + rel: related + - href: "#ra-7" + rel: related + - href: "#si-2" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-5_smt + name: statement + parts: + - id: ca-5_smt.a + name: item + props: + - name: label + value: a. + prose: Develop a plan of action and milestones for the system to + document the planned remediation actions of the organization to + correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; and + - id: ca-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Update existing plan of action and milestones {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + - id: ca-5_fr + name: item + title: CA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-5_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: POA&Ms must be provided at least monthly. + - id: ca-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference FedRAMP-POAM-Template + - id: ca-5_gdn + name: guidance + prose: Plans of action and milestones are useful for any type of organization + to track planned remedial actions. Plans of action and milestones + are required in authorization packages and subject to federal reporting + requirements established by OMB. + - id: ca-5_obj + name: assessment-objective + props: + - name: label + value: CA-05 + class: sp800-53a + parts: + - id: ca-5_obj.a + name: assessment-objective + props: + - name: label + value: CA-05a. + class: sp800-53a + prose: a plan of action and milestones for the system is developed + to document the planned remediation actions of the organization + to correct weaknesses or deficiencies noted during the assessment + of the controls and to reduce or eliminate known vulnerabilities + in the system; + links: + - href: "#ca-5_smt.a" + rel: assessment-for + - id: ca-5_obj.b + name: assessment-objective + props: + - name: label + value: CA-05b. + class: sp800-53a + prose: "existing plan of action and milestones are updated {{ insert:\ + \ param, ca-05_odp }} based on the findings from control assessments,\ + \ independent audits or reviews, and continuous monitoring activities." + links: + - href: "#ca-5_smt.b" + rel: assessment-for + links: + - href: "#ca-5_smt" + rel: assessment-for + - id: ca-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing plan of action and milestones + + control assessment plan + + control assessment report + + control assessment evidence + + plan of action and milestones + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with plan of action and milestones + development and implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms for developing, implementing, and maintaining + plan of action and milestones + - id: ca-6 + class: SP800-53 + title: Authorization + params: + - id: ca-06_odp + label: frequency + constraints: + - description: in accordance with OMB A-130 requirements or when a + significant change occurs + guidelines: + - prose: frequency at which to update the authorizations is defined; + props: + - name: label + value: CA-6 + - name: label + value: CA-06 + class: sp800-53a + - name: sort-id + value: ca-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-6_smt + name: statement + parts: + - id: ca-6_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a senior official as the authorizing official for + the system; + - id: ca-6_smt.b + name: item + props: + - name: label + value: b. + prose: Assign a senior official as the authorizing official for + common controls available for inheritance by organizational systems; + - id: ca-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Ensure that the authorizing official for the system, before\ + \ commencing operations:" + parts: + - id: ca-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Accepts the use of common controls inherited by the system; + and + - id: ca-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: Authorizes the system to operate; + - id: ca-6_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure that the authorizing official for common controls + authorizes the use of those controls for inheritance by organizational + systems; + - id: ca-6_smt.e + name: item + props: + - name: label + value: e. + prose: "Update the authorizations {{ insert: param, ca-06_odp }}." + - id: ca-6_fr + name: item + title: CA-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F and according to FedRAMP Significant + Change Policies and Procedures. The service provider describes + the types of changes to the information system or the environment + of operations that would impact the risk posture. The types + of changes are approved and accepted by the JAB/AO. + - id: ca-6_gdn + name: guidance + prose: >- + Authorizations are official management decisions by senior + officials to authorize operation of systems, authorize the use + of common controls for inheritance by organizational systems, + and explicitly accept the risk to organizational operations and + assets, individuals, other organizations, and the Nation based + on the implementation of agreed-upon controls. Authorizing + officials provide budgetary oversight for organizational systems + and common controls or assume responsibility for the mission and + business functions supported by those systems or common + controls. The authorization process is a federal responsibility, + and therefore, authorizing officials must be federal employees. + Authorizing officials are both responsible and accountable for + security and privacy risks associated with the operation and use + of organizational systems. Nonfederal organizations may have + similar processes to authorize systems and senior officials that + assume the authorization role and associated responsibilities. + + + Authorizing officials issue ongoing authorizations of systems based + on evidence produced from implemented continuous monitoring programs. + Robust continuous monitoring programs reduce the need for separate + reauthorization processes. Through the employment of comprehensive + continuous monitoring processes, the information contained in authorization + packages (i.e., security and privacy plans, assessment reports, and + plans of action and milestones) is updated on an ongoing basis. This + provides authorizing officials, common control providers, and system + owners with an up-to-date status of the security and privacy posture + of their systems, controls, and operating environments. To reduce + the cost of reauthorization, authorizing officials can leverage the + results of continuous monitoring processes to the maximum extent possible + as the basis for rendering reauthorization decisions. + - id: ca-6_obj + name: assessment-objective + props: + - name: label + value: CA-06 + class: sp800-53a + parts: + - id: ca-6_obj.a + name: assessment-objective + props: + - name: label + value: CA-06a. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for the system; + links: + - href: "#ca-6_smt.a" + rel: assessment-for + - id: ca-6_obj.b + name: assessment-objective + props: + - name: label + value: CA-06b. + class: sp800-53a + prose: a senior official is assigned as the authorizing official + for common controls available for inheritance by organizational + systems; + links: + - href: "#ca-6_smt.b" + rel: assessment-for + - id: ca-6_obj.c + name: assessment-objective + props: + - name: label + value: CA-06c. + class: sp800-53a + parts: + - id: ca-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: CA-06c.01 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system accepts the use of common controls inherited + by the system; + links: + - href: "#ca-6_smt.c.1" + rel: assessment-for + - id: ca-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: CA-06c.02 + class: sp800-53a + prose: before commencing operations, the authorizing official + for the system authorizes the system to operate; + links: + - href: "#ca-6_smt.c.2" + rel: assessment-for + links: + - href: "#ca-6_smt.c" + rel: assessment-for + - id: ca-6_obj.d + name: assessment-objective + props: + - name: label + value: CA-06d. + class: sp800-53a + prose: the authorizing official for common controls authorizes the + use of those controls for inheritance by organizational systems; + links: + - href: "#ca-6_smt.d" + rel: assessment-for + - id: ca-6_obj.e + name: assessment-objective + props: + - name: label + value: CA-06e. + class: sp800-53a + prose: "the authorizations are updated {{ insert: param, ca-06_odp\ + \ }}." + links: + - href: "#ca-6_smt.e" + rel: assessment-for + links: + - href: "#ca-6_smt" + rel: assessment-for + - id: ca-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + procedures addressing authorization + + + system security plan, privacy plan, assessment report, plan of + action and milestones + + + authorization statement + + + other relevant documents or records + - id: ca-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authorization responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms that facilitate authorizations and updates + - id: ca-7 + class: SP800-53 + title: Continuous Monitoring + params: + - id: ca-7_prm_4 + label: organization-defined personnel or roles + constraints: + - description: to include JAB/AO + - id: ca-7_prm_5 + label: organization-defined frequency + - id: ca-07_odp.01 + label: system-level metrics + guidelines: + - prose: system-level metrics to be monitored are defined; + - id: ca-07_odp.02 + label: frequencies + guidelines: + - prose: frequencies at which to monitor control effectiveness are + defined; + - id: ca-07_odp.03 + label: frequencies + guidelines: + - prose: frequencies at which to assess control effectiveness are + defined; + - id: ca-07_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the security status of the system + is reported are defined; + - id: ca-07_odp.05 + label: frequency + guidelines: + - prose: frequency at which the security status of the system is reported + is defined; + - id: ca-07_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the privacy status of the system + is reported are defined; + - id: ca-07_odp.07 + label: frequency + guidelines: + - prose: frequency at which the privacy status of the system is reported + is defined; + props: + - name: label + value: CA-7 + - name: label + value: CA-07 + class: sp800-53a + - name: sort-id + value: ca-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#at-4" + rel: related + - href: "#au-6" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-5" + rel: related + - href: "#ir-5" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + - href: "#pe-14" + rel: related + - href: "#pe-16" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-6" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-12" + rel: related + - href: "#pm-14" + rel: related + - href: "#pm-23" + rel: related + - href: "#pm-28" + rel: related + - href: "#pm-31" + rel: related + - href: "#ps-7" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-11" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-38" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-7_smt + name: statement + prose: "Develop a system-level continuous monitoring strategy and implement\ + \ continuous monitoring in accordance with the organization-level\ + \ continuous monitoring strategy that includes:" + parts: + - id: ca-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establishing the following system-level metrics to be monitored:\ + \ {{ insert: param, ca-07_odp.01 }};" + - id: ca-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring\ + \ and {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + - id: ca-7_smt.c + name: item + props: + - name: label + value: c. + prose: Ongoing control assessments in accordance with the continuous + monitoring strategy; + - id: ca-7_smt.d + name: item + props: + - name: label + value: d. + prose: Ongoing monitoring of system and organization-defined metrics + in accordance with the continuous monitoring strategy; + - id: ca-7_smt.e + name: item + props: + - name: label + value: e. + prose: Correlation and analysis of information generated by control + assessments and monitoring; + - id: ca-7_smt.f + name: item + props: + - name: label + value: f. + prose: Response actions to address results of the analysis of control + assessment and monitoring information; and + - id: ca-7_smt.g + name: item + props: + - name: label + value: g. + prose: "Reporting the security and privacy status of the system\ + \ to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5\ + \ }}." + - id: ca-7_fr + name: item + title: CA-7 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-7_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: "Operating System, Database, Web Application, Container,\ + \ and Service Configuration Scans: at least monthly. All scans\ + \ performed by Independent Assessor: at least annually." + - id: ca-7_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs with more than one agency ATO must implement a collaborative + Continuous Monitoring (Con Mon) approach described in the + FedRAMP Guide for Multi-Agency Continuous Monitoring. This + requirement applies to CSPs authorized via the Agency path + as each agency customer is responsible for performing Con + Mon oversight. It does not apply to CSPs authorized via the + JAB path because the JAB performs Con Mon oversight. + - id: ca-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: FedRAMP does not provide a template for the Continuous + Monitoring Plan. CSPs should reference the FedRAMP Continuous + Monitoring Strategy Guide when developing the Continuous Monitoring + Plan. + - id: ca-7_gdn + name: guidance + prose: >- + Continuous monitoring at the system level facilitates ongoing + awareness of the system security and privacy posture to support + organizational risk management decisions. The terms "continuous" + and "ongoing" imply that organizations assess and monitor their + controls and risks at a frequency sufficient to support + risk-based decisions. Different types of controls may require + different monitoring frequencies. The results of continuous + monitoring generate risk response actions by organizations. When + monitoring the effectiveness of multiple controls that have been + grouped into capabilities, a root-cause analysis may be needed + to determine the specific control that has failed. Continuous + monitoring programs allow organizations to maintain the + authorizations of systems and common controls in highly dynamic + environments of operation with changing mission and business + needs, threats, vulnerabilities, and technologies. Having access + to security and privacy information on a continuing basis + through reports and dashboards gives organizational officials + the ability to make effective and timely risk management + decisions, including ongoing authorization decisions. + + + Automation supports more frequent updates to hardware, software, and + firmware inventories, authorization packages, and other system information. + Effectiveness is further enhanced when continuous monitoring outputs + are formatted to provide information that is specific, measurable, + actionable, relevant, and timely. Continuous monitoring activities + are scaled in accordance with the security categories of systems. + Monitoring requirements, including the need for specific monitoring, + may be referenced in other controls and control enhancements, such + as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), + [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), + [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), + [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), + [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), + [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), + [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), + [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4). + - id: ca-7_obj + name: assessment-objective + props: + - name: label + value: CA-07 + class: sp800-53a + parts: + - id: ca-7_obj-1 + name: assessment-objective + props: + - name: label + value: CA-07[01] + class: sp800-53a + prose: a system-level continuous monitoring strategy is developed; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj-2 + name: assessment-objective + props: + - name: label + value: CA-07[02] + class: sp800-53a + prose: system-level continuous monitoring is implemented in accordance + with the organization-level continuous monitoring strategy; + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_obj.a + name: assessment-objective + props: + - name: label + value: CA-07a. + class: sp800-53a + prose: "system-level continuous monitoring includes establishment\ + \ of the following system-level metrics to be monitored: {{ insert:\ + \ param, ca-07_odp.01 }};" + links: + - href: "#ca-7_smt.a" + rel: assessment-for + - id: ca-7_obj.b + name: assessment-objective + props: + - name: label + value: CA-07b. + class: sp800-53a + parts: + - id: ca-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-07b.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.02 }} for monitoring;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-07b.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes established\ + \ {{ insert: param, ca-07_odp.03 }} for assessment of control\ + \ effectiveness;" + links: + - href: "#ca-7_smt.b" + rel: assessment-for + links: + - href: "#ca-7_smt.b" + rel: assessment-for + - id: ca-7_obj.c + name: assessment-objective + props: + - name: label + value: CA-07c. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing control + assessments in accordance with the continuous monitoring strategy; + links: + - href: "#ca-7_smt.c" + rel: assessment-for + - id: ca-7_obj.d + name: assessment-objective + props: + - name: label + value: CA-07d. + class: sp800-53a + prose: system-level continuous monitoring includes ongoing monitoring + of system and organization-defined metrics in accordance with + the continuous monitoring strategy; + links: + - href: "#ca-7_smt.d" + rel: assessment-for + - id: ca-7_obj.e + name: assessment-objective + props: + - name: label + value: CA-07e. + class: sp800-53a + prose: system-level continuous monitoring includes correlation and + analysis of information generated by control assessments and monitoring; + links: + - href: "#ca-7_smt.e" + rel: assessment-for + - id: ca-7_obj.f + name: assessment-objective + props: + - name: label + value: CA-07f. + class: sp800-53a + prose: system-level continuous monitoring includes response actions + to address the results of the analysis of control assessment and + monitoring information; + links: + - href: "#ca-7_smt.f" + rel: assessment-for + - id: ca-7_obj.g + name: assessment-objective + props: + - name: label + value: CA-07g. + class: sp800-53a + parts: + - id: ca-7_obj.g-1 + name: assessment-objective + props: + - name: label + value: CA-07g.[01] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the security status of the system to {{ insert: param, ca-07_odp.04\ + \ }} {{ insert: param, ca-07_odp.05 }};" + links: + - href: "#ca-7_smt.g" + rel: assessment-for + - id: ca-7_obj.g-2 + name: assessment-objective + props: + - name: label + value: CA-07g.[02] + class: sp800-53a + prose: "system-level continuous monitoring includes reporting\ + \ the privacy status of the system to {{ insert: param, ca-07_odp.06\ + \ }} {{ insert: param, ca-07_odp.07 }}." + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt.g" + rel: assessment-for + links: + - href: "#ca-7_smt" + rel: assessment-for + - id: ca-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + procedures addressing configuration management + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + configuration management records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing continuous monitoring + + + mechanisms supporting response actions to address assessment and + monitoring results + + + mechanisms supporting security and privacy status reporting + controls: + - id: ca-7.1 + class: SP800-53-enhancement + title: Independent Assessment + props: + - name: label + value: CA-7(1) + - name: label + value: CA-07(01) + class: sp800-53a + - name: sort-id + value: ca-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.1_smt + name: statement + prose: Employ independent assessors or assessment teams to monitor + the controls in the system on an ongoing basis. + - id: ca-7.1_gdn + name: guidance + prose: Organizations maximize the value of control assessments by + requiring that assessments be conducted by assessors with appropriate + levels of independence. The level of required independence is + based on organizational continuous monitoring strategies. Assessor + independence provides a degree of impartiality to the monitoring + process. To achieve such impartiality, assessors do not create + a mutual or conflicting interest with the organizations where + the assessments are being conducted, assess their own work, act + as management or employees of the organizations they are serving, + or place themselves in advocacy positions for the organizations + acquiring their services. + - id: ca-7.1_obj + name: assessment-objective + props: + - name: label + value: CA-07(01) + class: sp800-53a + prose: independent assessors or assessment teams are employed to + monitor the controls in the system on an ongoing basis. + links: + - href: "#ca-7.1_smt" + rel: assessment-for + - id: ca-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + control assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4 + class: SP800-53-enhancement + title: Risk Monitoring + props: + - name: label + value: CA-7(4) + - name: label + value: CA-07(04) + class: sp800-53a + - name: sort-id + value: ca-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-7" + rel: required + parts: + - id: ca-7.4_smt + name: statement + prose: "Ensure risk monitoring is an integral part of the continuous\ + \ monitoring strategy that includes the following:" + parts: + - id: ca-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Effectiveness monitoring; + - id: ca-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Compliance monitoring; and + - id: ca-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Change monitoring. + - id: ca-7.4_gdn + name: guidance + prose: Risk monitoring is informed by the established organizational + risk tolerance. Effectiveness monitoring determines the ongoing + effectiveness of the implemented risk response measures. Compliance + monitoring verifies that required risk response measures are implemented. + It also verifies that security and privacy requirements are satisfied. + Change monitoring identifies changes to organizational systems + and environments of operation that may affect security and privacy + risk. + - id: ca-7.4_obj + name: assessment-objective + props: + - name: label + value: CA-07(04) + class: sp800-53a + prose: risk monitoring is an integral part of the continuous monitoring + strategy; + parts: + - id: ca-7.4_obj.a + name: assessment-objective + props: + - name: label + value: CA-07(04)(a) + class: sp800-53a + prose: effectiveness monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.a" + rel: assessment-for + - id: ca-7.4_obj.b + name: assessment-objective + props: + - name: label + value: CA-07(04)(b) + class: sp800-53a + prose: compliance monitoring is included in risk monitoring; + links: + - href: "#ca-7.4_smt.b" + rel: assessment-for + - id: ca-7.4_obj.c + name: assessment-objective + props: + - name: label + value: CA-07(04)(c) + class: sp800-53a + prose: change monitoring is included in risk monitoring. + links: + - href: "#ca-7.4_smt.c" + rel: assessment-for + links: + - href: "#ca-7.4_smt" + rel: assessment-for + - id: ca-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + organizational continuous monitoring strategy + + + system-level continuous monitoring strategy + + + procedures addressing continuous monitoring of system controls + + + assessment report + + + plan of action and milestones + + + system monitoring records + + + impact analyses + + + status reports + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with continuous monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting risk monitoring + - id: ca-8 + class: SP800-53 + title: Penetration Testing + params: + - id: ca-08_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to conduct penetration testing on systems + or system components is defined; + - id: ca-08_odp.02 + label: system(s) or system components + guidelines: + - prose: systems or system components on which penetration testing + is to be conducted are defined; + props: + - name: label + value: CA-8 + - name: label + value: CA-08 + class: sp800-53a + - name: sort-id + value: ca-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: ca-8_smt + name: statement + prose: "Conduct penetration testing {{ insert: param, ca-08_odp.01 }}\ + \ on {{ insert: param, ca-08_odp.02 }}." + parts: + - id: ca-8_fr + name: item + title: CA-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Reference the FedRAMP Penetration Test Guidance. + - id: ca-8_gdn + name: guidance + prose: >- + Penetration testing is a specialized type of assessment + conducted on systems or individual system components to identify + vulnerabilities that could be exploited by adversaries. + Penetration testing goes beyond automated vulnerability scanning + and is conducted by agents and teams with demonstrable skills + and experience that include technical expertise in network, + operating system, and/or application level security. Penetration + testing can be used to validate vulnerabilities or determine the + degree of penetration resistance of systems to adversaries + within specified constraints. Such constraints include time, + resources, and skills. Penetration testing attempts to duplicate + the actions of adversaries and provides a more in-depth analysis + of security- and privacy-related weaknesses or deficiencies. + Penetration testing is especially important when organizations + are transitioning from older technologies to newer technologies + (e.g., transitioning from IPv4 to IPv6 network protocols). + + + Organizations can use the results of vulnerability analyses to support + penetration testing activities. Penetration testing can be conducted + internally or externally on the hardware, software, or firmware components + of a system and can exercise both physical and technical controls. + A standard method for penetration testing includes a pretest analysis + based on full knowledge of the system, pretest identification of potential + vulnerabilities based on the pretest analysis, and testing designed + to determine the exploitability of vulnerabilities. All parties agree + to the rules of engagement before commencing penetration testing scenarios. + Organizations correlate the rules of engagement for the penetration + tests with the tools, techniques, and procedures that are anticipated + to be employed by adversaries. Penetration testing may result in the + exposure of information that is protected by laws or regulations, + to individuals conducting the testing. Rules of engagement, contracts, + or other appropriate mechanisms can be used to communicate expectations + for how to protect this information. Risk assessments guide the decisions + on the level of independence required for the personnel conducting + penetration testing. + - id: ca-8_obj + name: assessment-objective + props: + - name: label + value: CA-08 + class: sp800-53a + prose: "penetration testing is conducted {{ insert: param, ca-08_odp.01\ + \ }} on {{ insert: param, ca-08_odp.02 }}." + links: + - href: "#ca-8_smt" + rel: assessment-for + - id: ca-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with control assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting penetration testing + controls: + - id: ca-8.1 + class: SP800-53-enhancement + title: Independent Penetration Testing Agent or Team + props: + - name: label + value: CA-8(1) + - name: label + value: CA-08(01) + class: sp800-53a + - name: sort-id + value: ca-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-8" + rel: required + - href: "#ca-2" + rel: related + parts: + - id: ca-8.1_smt + name: statement + prose: Employ an independent penetration testing agent or team to + perform penetration testing on the system or system components. + - id: ca-8.1_gdn + name: guidance + prose: Independent penetration testing agents or teams are individuals + or groups who conduct impartial penetration testing of organizational + systems. Impartiality implies that penetration testing agents + or teams are free from perceived or actual conflicts of interest + with respect to the development, operation, or management of the + systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) + provides additional information on independent assessments that + can be applied to penetration testing. + - id: ca-8.1_obj + name: assessment-objective + props: + - name: label + value: CA-08(01) + class: sp800-53a + prose: an independent penetration testing agent or team is employed + to perform penetration testing on the system or system components. + links: + - href: "#ca-8.1_smt" + rel: assessment-for + - id: ca-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + assessment plan + + penetration test report + + assessment report + + security assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ca-8.2 + class: SP800-53-enhancement + title: Red Team Exercises + params: + - id: ca-08.02_odp + label: red team exercises + guidelines: + - prose: red team exercises to simulate attempts by adversaries + to compromise organizational systems are defined; + props: + - name: label + value: CA-8(2) + - name: label + value: CA-08(02) + class: sp800-53a + - name: sort-id + value: ca-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ca-8" + rel: required + parts: + - id: ca-8.2_smt + name: statement + prose: "Employ the following red-team exercises to simulate attempts\ + \ by adversaries to compromise organizational systems in accordance\ + \ with applicable rules of engagement: {{ insert: param, ca-08.02_odp\ + \ }}." + parts: + - id: ca-8.2_fr + name: item + title: CM-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ca-8.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + See the FedRAMP Documents page> Penetration Test + Guidance + + + https://www.FedRAMP.gov/documents/ + - id: ca-8.2_gdn + name: guidance + prose: Red team exercises extend the objectives of penetration testing + by examining the security and privacy posture of organizations + and the capability to implement effective cyber defenses. Red + team exercises simulate attempts by adversaries to compromise + mission and business functions and provide a comprehensive assessment + of the security and privacy posture of systems and organizations. + Such attempts may include technology-based attacks and social + engineering-based attacks. Technology-based attacks include interactions + with hardware, software, or firmware components and/or mission + and business processes. Social engineering-based attacks include + interactions via email, telephone, shoulder surfing, or personal + conversations. Red team exercises are most effective when conducted + by penetration testing agents and teams with knowledge of and + experience with current adversarial tactics, techniques, procedures, + and tools. While penetration testing may be primarily laboratory-based + testing, organizations can use red team exercises to provide more + comprehensive assessments that reflect real-world conditions. + The results from red team exercises can be used by organizations + to improve security and privacy awareness and training and to + assess control effectiveness. + - id: ca-8.2_obj + name: assessment-objective + props: + - name: label + value: CA-08(02) + class: sp800-53a + prose: " {{ insert: param, ca-08.02_odp }} are employed to simulate\ + \ attempts by adversaries to compromise organizational systems\ + \ in accordance with applicable rules of engagement." + links: + - href: "#ca-8.2_smt" + rel: assessment-for + - id: ca-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Assessment, authorization, and monitoring policy + + procedures addressing penetration testing + + procedures addressing red team exercises + + assessment plan + + results of red team exercises + + penetration test report + + assessment report + + rules of engagement + + assessment evidence + + system security plan + + privacy plan + + other relevant documents or records + - id: ca-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: ca-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting the employment of red team exercises + - id: ca-9 + class: SP800-53 + title: Internal System Connections + params: + - id: ca-09_odp.01 + label: system components + guidelines: + - prose: system components or classes of components requiring internal + connections to the system are defined; + - id: ca-09_odp.02 + label: conditions + guidelines: + - prose: conditions requiring termination of internal connections + are defined; + - id: ca-09_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review the continued need for each + internal connection is defined; + props: + - name: label + value: CA-9 + - name: label + value: CA-09 + class: sp800-53a + - name: sort-id + value: ca-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ca-9_smt + name: statement + parts: + - id: ca-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize internal connections of {{ insert: param, ca-09_odp.01\ + \ }} to the system;" + - id: ca-9_smt.b + name: item + props: + - name: label + value: b. + prose: Document, for each internal connection, the interface characteristics, + security and privacy requirements, and the nature of the information + communicated; + - id: ca-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Terminate internal system connections after {{ insert: param,\ + \ ca-09_odp.02 }} ; and" + - id: ca-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Review {{ insert: param, ca-09_odp.03 }} the continued need\ + \ for each internal connection." + - id: ca-9_gdn + name: guidance + prose: Internal system connections are connections between organizational + systems and separate constituent system components (i.e., connections + between components that are part of the same system) including components + used for system development. Intra-system connections include connections + with mobile devices, notebook and desktop computers, tablets, printers, + copiers, facsimile machines, scanners, sensors, and servers. Instead + of authorizing each internal system connection individually, organizations + can authorize internal connections for a class of system components + with common characteristics and/or configurations, including printers, + scanners, and copiers with a specified processing, transmission, and + storage capability or smart phones and tablets with a specific baseline + configuration. The continued need for an internal system connection + is reviewed from the perspective of whether it provides support for + organizational missions or business functions. + - id: ca-9_obj + name: assessment-objective + props: + - name: label + value: CA-09 + class: sp800-53a + parts: + - id: ca-9_obj.a + name: assessment-objective + props: + - name: label + value: CA-09a. + class: sp800-53a + prose: "internal connections of {{ insert: param, ca-09_odp.01 }}\ + \ to the system are authorized;" + links: + - href: "#ca-9_smt.a" + rel: assessment-for + - id: ca-9_obj.b + name: assessment-objective + props: + - name: label + value: CA-09b. + class: sp800-53a + parts: + - id: ca-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CA-09b.[01] + class: sp800-53a + prose: for each internal connection, the interface characteristics + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CA-09b.[02] + class: sp800-53a + prose: for each internal connection, the security requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-3 + name: assessment-objective + props: + - name: label + value: CA-09b.[03] + class: sp800-53a + prose: for each internal connection, the privacy requirements + are documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.b-4 + name: assessment-objective + props: + - name: label + value: CA-09b.[04] + class: sp800-53a + prose: for each internal connection, the nature of the information + communicated is documented; + links: + - href: "#ca-9_smt.b" + rel: assessment-for + links: + - href: "#ca-9_smt.b" + rel: assessment-for + - id: ca-9_obj.c + name: assessment-objective + props: + - name: label + value: CA-09c. + class: sp800-53a + prose: "internal system connections are terminated after {{ insert:\ + \ param, ca-09_odp.02 }};" + links: + - href: "#ca-9_smt.c" + rel: assessment-for + - id: ca-9_obj.d + name: assessment-objective + props: + - name: label + value: CA-09d. + class: sp800-53a + prose: "the continued need for each internal connection is reviewed\ + \ {{ insert: param, ca-09_odp.03 }}." + links: + - href: "#ca-9_smt.d" + rel: assessment-for + links: + - href: "#ca-9_smt" + rel: assessment-for + - id: ca-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Assessment, authorization, and monitoring policy + + + access control policy + + + procedures addressing system connections + + + system and communications protection policy + + + system design documentation + + + system configuration settings and associated documentation + + + list of components or classes of components authorized as internal + system connections + + + assessment report + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ca-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing, implementing, or authorizing internal system + connections + + + organizational personnel with information security and privacy + responsibilities + - id: ca-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting internal system connections + - id: cm + class: family + title: Configuration Management + controls: + - id: cm-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cm-1_prm_1 + label: organization-defined personnel or roles + - id: cm-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management policy + is to be disseminated is/are defined; + - id: cm-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the configuration management procedures + are to be disseminated is/are defined; + - id: cm-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cm-01_odp.04 + label: official + guidelines: + - prose: an official to manage the configuration management policy + and procedures is defined; + - id: cm-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current configuration management + policy is reviewed and updated is defined; + - id: cm-01_odp.06 + label: events + guidelines: + - prose: events that would require the current configuration management + policy to be reviewed and updated are defined; + - id: cm-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current configuration management + procedures are reviewed and updated is defined; + - id: cm-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require configuration management procedures + to be reviewed and updated are defined; + props: + - name: label + value: CM-1 + - name: label + value: CM-01 + class: sp800-53a + - name: sort-id + value: cm-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-1_smt + name: statement + parts: + - id: cm-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cm-1_prm_1 }}:" + parts: + - id: cm-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-01_odp.03 }} configuration management\ + \ policy that:" + parts: + - id: cm-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cm-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cm-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the configuration + management policy and the associated configuration management + controls; + - id: cm-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cm-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures; and" + - id: cm-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current configuration management:" + parts: + - id: cm-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cm-01_odp.05 }} and following\ + \ {{ insert: param, cm-01_odp.06 }} ; and" + - id: cm-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cm-01_odp.07 }} and following\ + \ {{ insert: param, cm-01_odp.08 }}." + - id: cm-1_gdn + name: guidance + prose: Configuration management policy and procedures address the controls + in the CM family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of configuration + management policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to configuration management + policy and procedures include, but are not limited to, assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: cm-1_obj + name: assessment-objective + props: + - name: label + value: CM-01 + class: sp800-53a + parts: + - id: cm-1_obj.a + name: assessment-objective + props: + - name: label + value: CM-01a. + class: sp800-53a + parts: + - id: cm-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.[01] + class: sp800-53a + prose: a configuration management policy is developed and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.[02] + class: sp800-53a + prose: "the configuration management policy is disseminated\ + \ to {{ insert: param, cm-01_odp.01 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.[03] + class: sp800-53a + prose: configuration management procedures to facilitate the + implementation of the configuration management policy and + associated configuration management controls are developed + and documented; + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.[04] + class: sp800-53a + prose: "the configuration management procedures are disseminated\ + \ to {{ insert: param, cm-01_odp.02 }};" + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-01a.01 + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CM-01a.01(a) + class: sp800-53a + parts: + - id: cm-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses purpose;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses scope;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses roles;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses responsibilities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses management\ + \ commitment;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CM-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.03 }} of the\ + \ configuration management policy addresses compliance;" + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1.a" + rel: assessment-for + - id: cm-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CM-01a.01(b) + class: sp800-53a + prose: the configuration management policy is consistent + with applicable laws, Executive Orders, directives, regulations, + policies, standards, and guidelines; + links: + - href: "#cm-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cm-1_smt.a.1" + rel: assessment-for + links: + - href: "#cm-1_smt.a" + rel: assessment-for + - id: cm-1_obj.b + name: assessment-objective + props: + - name: label + value: CM-01b. + class: sp800-53a + prose: "the {{ insert: param, cm-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the configuration\ + \ management policy and procedures;" + links: + - href: "#cm-1_smt.b" + rel: assessment-for + - id: cm-1_obj.c + name: assessment-objective + props: + - name: label + value: CM-01c. + class: sp800-53a + parts: + - id: cm-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CM-01c.01 + class: sp800-53a + parts: + - id: cm-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CM-01c.01[01] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated {{ insert: param, cm-01_odp.05 }}; " + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CM-01c.01[02] + class: sp800-53a + prose: "the current configuration management policy is reviewed\ + \ and updated following {{ insert: param, cm-01_odp.06\ + \ }};" + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + links: + - href: "#cm-1_smt.c.1" + rel: assessment-for + - id: cm-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CM-01c.02 + class: sp800-53a + parts: + - id: cm-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CM-01c.02[01] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated {{ insert: param, cm-01_odp.07\ + \ }}; " + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + - id: cm-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CM-01c.02[02] + class: sp800-53a + prose: "the current configuration management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ cm-01_odp.08 }}." + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c.2" + rel: assessment-for + links: + - href: "#cm-1_smt.c" + rel: assessment-for + links: + - href: "#cm-1_smt" + rel: assessment-for + - id: cm-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy and procedures + + security and privacy program policies and procedures + + assessment or audit findings + + documentation of security incidents or breaches + + system security plan + + privacy plan + + risk management strategy + + other relevant artifacts, documents, or records + - id: cm-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cm-2 + class: SP800-53 + title: Baseline Configuration + params: + - id: cm-02_odp.01 + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: the frequency of baseline configuration review and update + is defined; + - id: cm-02_odp.02 + label: circumstances + constraints: + - description: to include when directed by the JAB + guidelines: + - prose: the circumstances requiring baseline configuration review + and update are defined; + props: + - name: label + value: CM-2 + - name: label + value: CM-02 + class: sp800-53a + - name: sort-id + value: cm-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-1" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-12" + rel: related + - href: "#ma-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-18" + rel: related + parts: + - id: cm-2_smt + name: statement + parts: + - id: cm-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, document, and maintain under configuration control, + a current baseline configuration of the system; and + - id: cm-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the baseline configuration of the system:" + parts: + - id: cm-2_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cm-02_odp.01 }};" + - id: cm-2_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: "When required due to {{ insert: param, cm-02_odp.02\ + \ }} ; and" + - id: cm-2_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: When system components are installed or upgraded. + - id: cm-2_fr + name: item + title: CM-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) (1) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: cm-2_gdn + name: guidance + prose: Baseline configurations for systems and system components include + connectivity, operational, and communications aspects of systems. + Baseline configurations are documented, formally reviewed, and agreed-upon + specifications for systems or configuration items within those systems. + Baseline configurations serve as a basis for future builds, releases, + or changes to systems and include security and privacy control implementations, + operational procedures, information about system components, network + topology, and logical placement of components in the system architecture. + Maintaining baseline configurations requires creating new baselines + as organizational systems change over time. Baseline configurations + of systems reflect the current enterprise architecture. + - id: cm-2_obj + name: assessment-objective + props: + - name: label + value: CM-02 + class: sp800-53a + parts: + - id: cm-2_obj.a + name: assessment-objective + props: + - name: label + value: CM-02a. + class: sp800-53a + parts: + - id: cm-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-02a.[01] + class: sp800-53a + prose: a current baseline configuration of the system is developed + and documented; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-02a.[02] + class: sp800-53a + prose: a current baseline configuration of the system is maintained + under configuration control; + links: + - href: "#cm-2_smt.a" + rel: assessment-for + links: + - href: "#cm-2_smt.a" + rel: assessment-for + - id: cm-2_obj.b + name: assessment-objective + props: + - name: label + value: CM-02b. + class: sp800-53a + parts: + - id: cm-2_obj.b.1 + name: assessment-objective + props: + - name: label + value: CM-02b.01 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated {{ insert: param, cm-02_odp.01 }};" + links: + - href: "#cm-2_smt.b.1" + rel: assessment-for + - id: cm-2_obj.b.2 + name: assessment-objective + props: + - name: label + value: CM-02b.02 + class: sp800-53a + prose: "the baseline configuration of the system is reviewed\ + \ and updated when required due to {{ insert: param, cm-02_odp.02\ + \ }};" + links: + - href: "#cm-2_smt.b.2" + rel: assessment-for + - id: cm-2_obj.b.3 + name: assessment-objective + props: + - name: label + value: CM-02b.03 + class: sp800-53a + prose: the baseline configuration of the system is reviewed + and updated when system components are installed or upgraded. + links: + - href: "#cm-2_smt.b.3" + rel: assessment-for + links: + - href: "#cm-2_smt.b" + rel: assessment-for + links: + - href: "#cm-2_smt" + rel: assessment-for + - id: cm-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + enterprise architecture documentation + + + system design documentation + + + system security plan + + + privacy plan + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + change control records + + + other relevant documents or records + - id: cm-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing baseline + configurations + + + mechanisms supporting configuration control of the baseline configuration + controls: + - id: cm-2.2 + class: SP800-53-enhancement + title: Automation Support for Accuracy and Currency + params: + - id: cm-02.02_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms for maintaining baseline configuration + of the system are defined; + props: + - name: label + value: CM-2(2) + - name: label + value: CM-02(02) + class: sp800-53a + - name: sort-id + value: cm-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + - href: "#cm-7" + rel: related + - href: "#ia-3" + rel: related + - href: "#ra-5" + rel: related + parts: + - id: cm-2.2_smt + name: statement + prose: "Maintain the currency, completeness, accuracy, and availability\ + \ of the baseline configuration of the system using {{ insert:\ + \ param, cm-02.02_odp }}." + - id: cm-2.2_gdn + name: guidance + prose: Automated mechanisms that help organizations maintain consistent + baseline configurations for systems include configuration management + tools, hardware, software, firmware inventory tools, and network + management tools. Automated tools can be used at the organization + level, mission and business process level, or system level on + workstations, servers, notebook computers, network components, + or mobile devices. Tools can be used to track version numbers + on operating systems, applications, types of software installed, + and current patch levels. Automation support for accuracy and + currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) + for organizations that combine system component inventory and + baseline configuration activities. + - id: cm-2.2_obj + name: assessment-objective + props: + - name: label + value: CM-02(02) + class: sp800-53a + parts: + - id: cm-2.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-02(02)[01] + class: sp800-53a + prose: "the currency of the baseline configuration of the system\ + \ is maintained using {{ insert: param, cm-02.02_odp }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-02(02)[02] + class: sp800-53a + prose: "the completeness of the baseline configuration of the\ + \ system is maintained using {{ insert: param, cm-02.02_odp\ + \ }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-02(02)[03] + class: sp800-53a + prose: "the accuracy of the baseline configuration of the system\ + \ is maintained using {{ insert: param, cm-02.02_odp }};" + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_obj-4 + name: assessment-objective + props: + - name: label + value: CM-02(02)[04] + class: sp800-53a + prose: "the availability of the baseline configuration of the\ + \ system is maintained using {{ insert: param, cm-02.02_odp\ + \ }}." + links: + - href: "#cm-2.2_smt" + rel: assessment-for + links: + - href: "#cm-2.2_smt" + rel: assessment-for + - id: cm-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + configuration change control records + + + system security plan + + + other relevant documents or records + - id: cm-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing baseline + configurations + + + automated mechanisms implementing baseline configuration maintenance + - id: cm-2.3 + class: SP800-53-enhancement + title: Retention of Previous Configurations + params: + - id: cm-02.03_odp + label: number + guidelines: + - prose: the number of previous baseline configuration versions + to be retained is defined; + props: + - name: label + value: CM-2(3) + - name: label + value: CM-02(03) + class: sp800-53a + - name: sort-id + value: cm-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + parts: + - id: cm-2.3_smt + name: statement + prose: "Retain {{ insert: param, cm-02.03_odp }} of previous versions\ + \ of baseline configurations of the system to support rollback." + - id: cm-2.3_gdn + name: guidance + prose: Retaining previous versions of baseline configurations to + support rollback include hardware, software, firmware, configuration + files, configuration records, and associated documentation. + - id: cm-2.3_obj + name: assessment-objective + props: + - name: label + value: CM-02(03) + class: sp800-53a + prose: " {{ insert: param, cm-02.03_odp }} of previous baseline\ + \ configuration version(s) of the system is/are retained to support\ + \ rollback." + links: + - href: "#cm-2.3_smt" + rel: assessment-for + - id: cm-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing the baseline configuration of the system + + + configuration management plan + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + copies of previous baseline configuration versions + + + system security plan + + + other relevant documents or records + - id: cm-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing baseline configurations + - id: cm-2.7 + class: SP800-53-enhancement + title: Configure Systems and Components for High-risk Areas + params: + - id: cm-02.07_odp.01 + label: systems or system components + guidelines: + - prose: the systems or system components to be issued when individuals + travel to high-risk areas are defined; + - id: cm-02.07_odp.02 + label: configurations + guidelines: + - prose: configurations for systems or system components to be + issued when individuals travel to high-risk areas are defined; + - id: cm-02.07_odp.03 + label: controls + guidelines: + - prose: the controls to be applied when the individuals return + from travel are defined; + props: + - name: label + value: CM-2(7) + - name: label + value: CM-02(07) + class: sp800-53a + - name: sort-id + value: cm-02.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-2" + rel: required + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + parts: + - id: cm-2.7_smt + name: statement + parts: + - id: cm-2.7_smt.a + name: item + props: + - name: label + value: (a) + prose: "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert:\ + \ param, cm-02.07_odp.02 }} to individuals traveling to locations\ + \ that the organization deems to be of significant risk; and" + - id: cm-2.7_smt.b + name: item + props: + - name: label + value: (b) + prose: "Apply the following controls to the systems or components\ + \ when the individuals return from travel: {{ insert: param,\ + \ cm-02.07_odp.03 }}." + - id: cm-2.7_gdn + name: guidance + prose: When it is known that systems or system components will be + in high-risk areas external to the organization, additional controls + may be implemented to counter the increased threat in such areas. + For example, organizations can take actions for notebook computers + used by individuals departing on and returning from travel. Actions + include determining the locations that are of concern, defining + the required configurations for the components, ensuring that + components are configured as intended before travel is initiated, + and applying controls to the components after travel is completed. + Specially configured notebook computers include computers with + sanitized hard drives, limited applications, and more stringent + configuration settings. Controls applied to mobile devices upon + return from travel include examining the mobile device for signs + of physical tampering and purging and reimaging disk drives. Protecting + information that resides on mobile devices is addressed in the + [MP](#mp) (Media Protection) family. + - id: cm-2.7_obj + name: assessment-objective + props: + - name: label + value: CM-02(07) + class: sp800-53a + parts: + - id: cm-2.7_obj.a + name: assessment-objective + props: + - name: label + value: CM-02(07)(a) + class: sp800-53a + prose: " {{ insert: param, cm-02.07_odp.01 }} with {{ insert:\ + \ param, cm-02.07_odp.02 }} are issued to individuals traveling\ + \ to locations that the organization deems to be of significant\ + \ risk;" + links: + - href: "#cm-2.7_smt.a" + rel: assessment-for + - id: cm-2.7_obj.b + name: assessment-objective + props: + - name: label + value: CM-02(07)(b) + class: sp800-53a + prose: " {{ insert: param, cm-02.07_odp.03 }} are applied to\ + \ the systems or system components when the individuals return\ + \ from travel." + links: + - href: "#cm-2.7_smt.b" + rel: assessment-for + links: + - href: "#cm-2.7_smt" + rel: assessment-for + - id: cm-2.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-02(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + configuration management plan + + + procedures addressing the baseline configuration of the system + + + procedures addressing system component installations and upgrades + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + system component inventory + + + records of system baseline configuration reviews and updates + + + system component installations/upgrades and associated records + + + change control records + + + system security plan + + + other relevant documents or records + - id: cm-2.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-02(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-2.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-02(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing baseline configurations + - id: cm-3 + class: SP800-53 + title: Configuration Change Control + params: + - id: cm-03_odp.01 + label: time period + guidelines: + - prose: the time period to retain records of configuration-controlled + changes is defined; + - id: cm-03_odp.02 + label: configuration change control element + guidelines: + - prose: the configuration change control element responsible for + coordinating and overseeing change control activities is defined; + - id: cm-03_odp.03 + select: + how-many: one-or-more + choice: + - " {{ insert: param, cm-03_odp.04 }} " + - "when {{ insert: param, cm-03_odp.05 }} " + - id: cm-03_odp.04 + label: frequency + guidelines: + - prose: the frequency at which the configuration control element + convenes is defined (if selected); + - id: cm-03_odp.05 + label: configuration change conditions + guidelines: + - prose: configuration change conditions that prompt the configuration + control element to convene are defined (if selected); + props: + - name: label + value: CM-3 + - name: label + value: CM-03 + class: sp800-53a + - name: sort-id + value: cm-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#pe-16" + rel: related + - href: "#pt-6" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: cm-3_smt + name: statement + parts: + - id: cm-3_smt.a + name: item + props: + - name: label + value: a. + prose: Determine and document the types of changes to the system + that are configuration-controlled; + - id: cm-3_smt.b + name: item + props: + - name: label + value: b. + prose: Review proposed configuration-controlled changes to the system + and approve or disapprove such changes with explicit consideration + for security and privacy impact analyses; + - id: cm-3_smt.c + name: item + props: + - name: label + value: c. + prose: Document configuration change decisions associated with the + system; + - id: cm-3_smt.d + name: item + props: + - name: label + value: d. + prose: Implement approved configuration-controlled changes to the + system; + - id: cm-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Retain records of configuration-controlled changes to the\ + \ system for {{ insert: param, cm-03_odp.01 }};" + - id: cm-3_smt.f + name: item + props: + - name: label + value: f. + prose: Monitor and review activities associated with configuration-controlled + changes to the system; and + - id: cm-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Coordinate and provide oversight for configuration change\ + \ control activities through {{ insert: param, cm-03_odp.02 }}\ + \ that convenes {{ insert: param, cm-03_odp.03 }}." + - id: cm-3_fr + name: item + title: CM-3 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider establishes a central means of communicating + major changes to or developments in the information system + or environment of operations that may affect its services + to the federal government and associated service consumers + (e.g., electronic bulletin board, web status page). The means + of communication are approved and accepted by the JAB/AO. + - id: cm-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "(e) Guidance:" + prose: In accordance with record retention policies and procedures. + - id: cm-3_gdn + name: guidance + prose: Configuration change control for organizational systems involves + the systematic proposal, justification, implementation, testing, review, + and disposition of system changes, including system upgrades and modifications. + Configuration change control includes changes to baseline configurations, + configuration items of systems, operational procedures, configuration + settings for system components, remediate vulnerabilities, and unscheduled + or unauthorized changes. Processes for managing configuration changes + to systems include Configuration Control Boards or Change Advisory + Boards that review and approve proposed changes. For changes that + impact privacy risk, the senior agency official for privacy updates + privacy impact assessments and system of records notices. For new + systems or major upgrades, organizations consider including representatives + from the development organizations on the Configuration Control Boards + or Change Advisory Boards. Auditing of changes includes activities + before and after changes are made to systems and the auditing activities + required to implement such changes. See also [SA-10](#sa-10). + - id: cm-3_obj + name: assessment-objective + props: + - name: label + value: CM-03 + class: sp800-53a + parts: + - id: cm-3_obj.a + name: assessment-objective + props: + - name: label + value: CM-03a. + class: sp800-53a + prose: the types of changes to the system that are configuration-controlled + are determined and documented; + links: + - href: "#cm-3_smt.a" + rel: assessment-for + - id: cm-3_obj.b + name: assessment-objective + props: + - name: label + value: CM-03b. + class: sp800-53a + parts: + - id: cm-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-03b.[01] + class: sp800-53a + prose: proposed configuration-controlled changes to the system + are reviewed; + links: + - href: "#cm-3_smt.b" + rel: assessment-for + - id: cm-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-03b.[02] + class: sp800-53a + prose: proposed configuration-controlled changes to the system + are approved or disapproved with explicit consideration for + security and privacy impact analyses; + links: + - href: "#cm-3_smt.b" + rel: assessment-for + links: + - href: "#cm-3_smt.b" + rel: assessment-for + - id: cm-3_obj.c + name: assessment-objective + props: + - name: label + value: CM-03c. + class: sp800-53a + prose: configuration change decisions associated with the system + are documented; + links: + - href: "#cm-3_smt.c" + rel: assessment-for + - id: cm-3_obj.d + name: assessment-objective + props: + - name: label + value: CM-03d. + class: sp800-53a + prose: approved configuration-controlled changes to the system are + implemented; + links: + - href: "#cm-3_smt.d" + rel: assessment-for + - id: cm-3_obj.e + name: assessment-objective + props: + - name: label + value: CM-03e. + class: sp800-53a + prose: "records of configuration-controlled changes to the system\ + \ are retained for {{ insert: param, cm-03_odp.01 }};" + links: + - href: "#cm-3_smt.e" + rel: assessment-for + - id: cm-3_obj.f + name: assessment-objective + props: + - name: label + value: CM-03f. + class: sp800-53a + parts: + - id: cm-3_obj.f-1 + name: assessment-objective + props: + - name: label + value: CM-03f.[01] + class: sp800-53a + prose: activities associated with configuration-controlled changes + to the system are monitored; + links: + - href: "#cm-3_smt.f" + rel: assessment-for + - id: cm-3_obj.f-2 + name: assessment-objective + props: + - name: label + value: CM-03f.[02] + class: sp800-53a + prose: activities associated with configuration-controlled changes + to the system are reviewed; + links: + - href: "#cm-3_smt.f" + rel: assessment-for + links: + - href: "#cm-3_smt.f" + rel: assessment-for + - id: cm-3_obj.g + name: assessment-objective + props: + - name: label + value: CM-03g. + class: sp800-53a + parts: + - id: cm-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: CM-03g.[01] + class: sp800-53a + prose: "configuration change control activities are coordinated\ + \ and overseen by {{ insert: param, cm-03_odp.02 }};" + links: + - href: "#cm-3_smt.g" + rel: assessment-for + - id: cm-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: CM-03g.[02] + class: sp800-53a + prose: "the configuration control element convenes {{ insert:\ + \ param, cm-03_odp.03 }}." + links: + - href: "#cm-3_smt.g" + rel: assessment-for + links: + - href: "#cm-3_smt.g" + rel: assessment-for + links: + - href: "#cm-3_smt" + rel: assessment-for + - id: cm-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system architecture and configuration documentation + + + change control records + + + system audit records + + + change control audit and review reports + + + agenda/minutes/documentation from configuration change control + oversight meetings + + + system security plan + + + privacy plan + + + privacy impact assessments + + + system of records notices + + + other relevant documents or records + - id: cm-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change control + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + members of change control board or similar + - id: cm-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for configuration change control + + mechanisms that implement configuration change control + controls: + - id: cm-3.2 + class: SP800-53-enhancement + title: Testing, Validation, and Documentation of Changes + props: + - name: label + value: CM-3(2) + - name: label + value: CM-03(02) + class: sp800-53a + - name: sort-id + value: cm-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-3" + rel: required + parts: + - id: cm-3.2_smt + name: statement + prose: Test, validate, and document changes to the system before + finalizing the implementation of the changes. + - id: cm-3.2_gdn + name: guidance + prose: Changes to systems include modifications to hardware, software, + or firmware components and configuration settings defined in [CM-6](#cm-6) + . Organizations ensure that testing does not interfere with system + operations that support organizational mission and business functions. + Individuals or groups conducting tests understand security and + privacy policies and procedures, system security and privacy policies + and procedures, and the health, safety, and environmental risks + associated with specific facilities or processes. Operational + systems may need to be taken offline, or replicated to the extent + feasible, before testing can be conducted. If systems must be + taken offline for testing, the tests are scheduled to occur during + planned system outages whenever possible. If the testing cannot + be conducted on operational systems, organizations employ compensating + controls. + - id: cm-3.2_obj + name: assessment-objective + props: + - name: label + value: CM-03(02) + class: sp800-53a + parts: + - id: cm-3.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-03(02)[01] + class: sp800-53a + prose: changes to the system are tested before finalizing the + implementation of the changes; + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-03(02)[02] + class: sp800-53a + prose: changes to the system are validated before finalizing + the implementation of the changes; + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-03(02)[03] + class: sp800-53a + prose: changes to the system are documented before finalizing + the implementation of the changes. + links: + - href: "#cm-3.2_smt" + rel: assessment-for + links: + - href: "#cm-3.2_smt" + rel: assessment-for + - id: cm-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + configuration management plan + + + procedures addressing system configuration change control + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + test records + + + validation records + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + members of change control board or similar + - id: cm-3.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for configuration change + control + + + mechanisms supporting and/or implementing, testing, validating, + and documenting system changes + - id: cm-3.4 + class: SP800-53-enhancement + title: Security and Privacy Representatives + params: + - id: cm-3.4_prm_1 + label: organization-defined security and privacy representatives + - id: cm-03.04_odp.01 + label: security representatives + guidelines: + - prose: security representatives required to be members of the + change control element are defined; + - id: cm-03.04_odp.02 + label: privacy representatives + guidelines: + - prose: privacy representatives required to be members of the + change control element are defined; + - id: cm-03.04_odp.03 + label: configuration change control element + constraints: + - description: Configuration control board (CCB) or similar (as + defined in CM-3) + guidelines: + - prose: the configuration change control element of which the + security and privacy representatives are to be members is + defined; + props: + - name: label + value: CM-3(4) + - name: label + value: CM-03(04) + class: sp800-53a + - name: sort-id + value: cm-03.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: required + parts: + - id: cm-3.4_smt + name: statement + prose: "Require {{ insert: param, cm-3.4_prm_1 }} to be members\ + \ of the {{ insert: param, cm-03.04_odp.03 }}." + - id: cm-3.4_gdn + name: guidance + prose: Information security and privacy representatives include + system security officers, senior agency information security officers, + senior agency officials for privacy, or system privacy officers. + Representation by personnel with information security and privacy + expertise is important because changes to system configurations + can have unintended side effects, some of which may be security- + or privacy-relevant. Detecting such changes early in the process + can help avoid unintended, negative consequences that could ultimately + affect the security and privacy posture of systems. The configuration + change control element referred to in the second organization-defined + parameter reflects the change control elements defined by organizations + in [CM-3g](#cm-3_smt.g). + - id: cm-3.4_obj + name: assessment-objective + props: + - name: label + value: CM-03(04) + class: sp800-53a + parts: + - id: cm-3.4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-03(04)[01] + class: sp800-53a + prose: " {{ insert: param, cm-03.04_odp.01 }} are required to\ + \ be members of the {{ insert: param, cm-03.04_odp.03 }};" + links: + - href: "#cm-3.4_smt" + rel: assessment-for + - id: cm-3.4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-03(04)[02] + class: sp800-53a + prose: " {{ insert: param, cm-03.04_odp.02 }} are required to\ + \ be members of the {{ insert: param, cm-03.04_odp.03 }}." + links: + - href: "#cm-3.4_smt" + rel: assessment-for + links: + - href: "#cm-3.4_smt" + rel: assessment-for + - id: cm-3.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-03(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system configuration change control + + + configuration management plan + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-3.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-03(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with configuration change + control responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + members of change control board or similar + - id: cm-3.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-03(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for configuration change control + - id: cm-4 + class: SP800-53 + title: Impact Analyses + props: + - name: label + value: CM-4 + - name: label + value: CM-04 + class: sp800-53a + - name: sort-id + value: cm-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-2" + rel: related + parts: + - id: cm-4_smt + name: statement + prose: Analyze changes to the system to determine potential security + and privacy impacts prior to change implementation. + - id: cm-4_gdn + name: guidance + prose: Organizational personnel with security or privacy responsibilities + conduct impact analyses. Individuals conducting impact analyses possess + the necessary skills and technical expertise to analyze the changes + to systems as well as the security or privacy ramifications. Impact + analyses include reviewing security and privacy plans, policies, and + procedures to understand control requirements; reviewing system design + documentation and operational procedures to understand control implementation + and how specific system changes might affect the controls; reviewing + the impact of changes on organizational supply chain partners with + stakeholders; and determining how potential changes to a system create + new risks to the privacy of individuals and the ability of implemented + controls to mitigate those risks. Impact analyses also include risk + assessments to understand the impact of the changes and determine + if additional controls are required. + - id: cm-4_obj + name: assessment-objective + props: + - name: label + value: CM-04 + class: sp800-53a + parts: + - id: cm-4_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04[01] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + security impacts prior to change implementation; + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04[02] + class: sp800-53a + prose: changes to the system are analyzed to determine potential + privacy impacts prior to change implementation. + links: + - href: "#cm-4_smt" + rel: assessment-for + links: + - href: "#cm-4_smt" + rel: assessment-for + - id: cm-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes to + the system + + + procedures addressing privacy impact analyses for changes to the + system + + + configuration management plan + + + security impact analysis documentation + + + privacy impact analysis documentation + + + privacy impact assessment + + + privacy risk assessment documentation, system design documentation + + + analysis tools and associated outputs + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for conducting + security impact analyses + + + organizational personnel with responsibility for conducting privacy + impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system developer + + + system/network administrators + + + members of change control board or similar + - id: cm-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for security impact analyses + + organizational processes for privacy impact analyses + controls: + - id: cm-4.2 + class: SP800-53-enhancement + title: Verification of Controls + props: + - name: label + value: CM-4(2) + - name: label + value: CM-04(02) + class: sp800-53a + - name: sort-id + value: cm-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-4" + rel: required + - href: "#sa-11" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-4.2_smt + name: statement + prose: After system changes, verify that the impacted controls are + implemented correctly, operating as intended, and producing the + desired outcome with regard to meeting the security and privacy + requirements for the system. + - id: cm-4.2_gdn + name: guidance + prose: Implementation in this context refers to installing changed + code in the operational system that may have an impact on security + or privacy controls. + - id: cm-4.2_obj + name: assessment-objective + props: + - name: label + value: CM-04(02) + class: sp800-53a + parts: + - id: cm-4.2_obj-1 + name: assessment-objective + props: + - name: label + value: CM-04(02)[01] + class: sp800-53a + prose: the impacted controls are implemented correctly with + regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-2 + name: assessment-objective + props: + - name: label + value: CM-04(02)[02] + class: sp800-53a + prose: the impacted controls are implemented correctly with + regard to meeting the privacy requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-3 + name: assessment-objective + props: + - name: label + value: CM-04(02)[03] + class: sp800-53a + prose: the impacted controls are operating as intended with + regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-4 + name: assessment-objective + props: + - name: label + value: CM-04(02)[04] + class: sp800-53a + prose: the impacted controls are operating as intended with + regard to meeting the privacy requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-5 + name: assessment-objective + props: + - name: label + value: CM-04(02)[05] + class: sp800-53a + prose: the impacted controls are producing the desired outcome + with regard to meeting the security requirements for the system + after system changes; + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_obj-6 + name: assessment-objective + props: + - name: label + value: CM-04(02)[06] + class: sp800-53a + prose: the impacted controls are producing the desired outcome + with regard to meeting the privacy requirements for the system + after system changes. + links: + - href: "#cm-4.2_smt" + rel: assessment-for + links: + - href: "#cm-4.2_smt" + rel: assessment-for + - id: cm-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing security impact analyses for changes + to the system + + + procedures addressing privacy impact analyses for changes + to the system + + + privacy risk assessment documentation + + + configuration management plan + + + security and privacy impact analysis documentation + + + privacy impact assessment + + + analysis tools and associated outputs + + + change control records + + + control assessment results + + + system audit records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + conducting security and privacy impact analyses + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + security and privacy assessors + - id: cm-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy impact + analyses + + + mechanisms supporting and/or implementing security and privacy + impact analyses of changes + - id: cm-5 + class: SP800-53 + title: Access Restrictions for Change + props: + - name: label + value: CM-5 + - name: label + value: CM-05 + class: sp800-53a + - name: sort-id + value: cm-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-9" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-2" + rel: related + - href: "#si-10" + rel: related + parts: + - id: cm-5_smt + name: statement + prose: Define, document, approve, and enforce physical and logical access + restrictions associated with changes to the system. + - id: cm-5_gdn + name: guidance + prose: Changes to the hardware, software, or firmware components of + systems or the operational procedures related to the system can potentially + have significant effects on the security of the systems or individuals’ + privacy. Therefore, organizations permit only qualified and authorized + individuals to access systems for purposes of initiating changes. + Access restrictions include physical and logical access controls (see + [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, + media libraries, abstract layers (i.e., changes implemented into external + interfaces rather than directly into systems), and change windows + (i.e., changes occur only during specified times). + - id: cm-5_obj + name: assessment-objective + props: + - name: label + value: CM-05 + class: sp800-53a + parts: + - id: cm-5_obj-1 + name: assessment-objective + props: + - name: label + value: CM-05[01] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-2 + name: assessment-objective + props: + - name: label + value: CM-05[02] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-3 + name: assessment-objective + props: + - name: label + value: CM-05[03] + class: sp800-53a + prose: physical access restrictions associated with changes to the + system are enforced; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-4 + name: assessment-objective + props: + - name: label + value: CM-05[04] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are defined and documented; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-5 + name: assessment-objective + props: + - name: label + value: CM-05[05] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are approved; + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_obj-6 + name: assessment-objective + props: + - name: label + value: CM-05[06] + class: sp800-53a + prose: logical access restrictions associated with changes to the + system are enforced. + links: + - href: "#cm-5_smt" + rel: assessment-for + links: + - href: "#cm-5_smt" + rel: assessment-for + - id: cm-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + logical access approvals + + + physical access approvals + + + access credentials + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access restrictions to + change + + + mechanisms supporting, implementing, or enforcing access restrictions + associated with changes to the system + controls: + - id: cm-5.1 + class: SP800-53-enhancement + title: Automated Access Enforcement and Audit Records + params: + - id: cm-05.01_odp + label: automated mechanisms + guidelines: + - prose: mechanisms used to automate the enforcement of access + restrictions are defined; + props: + - name: label + value: CM-5(1) + - name: label + value: CM-05(01) + class: sp800-53a + - name: sort-id + value: cm-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-5" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-5.1_smt + name: statement + parts: + - id: cm-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Enforce access restrictions using {{ insert: param,\ + \ cm-05.01_odp }} ; and" + - id: cm-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Automatically generate audit records of the enforcement + actions. + - id: cm-5.1_gdn + name: guidance + prose: Organizations log system accesses associated with applying + configuration changes to ensure that configuration change control + is implemented and to support after-the-fact actions should organizations + discover any unauthorized changes. + - id: cm-5.1_obj + name: assessment-objective + props: + - name: label + value: CM-05(01) + class: sp800-53a + parts: + - id: cm-5.1_obj.a + name: assessment-objective + props: + - name: label + value: CM-05(01)(a) + class: sp800-53a + prose: "access restrictions for change are enforced using {{\ + \ insert: param, cm-05.01_odp }};" + links: + - href: "#cm-5.1_smt.a" + rel: assessment-for + - id: cm-5.1_obj.b + name: assessment-objective + props: + - name: label + value: CM-05(01)(b) + class: sp800-53a + prose: audit records of enforcement actions are automatically + generated. + links: + - href: "#cm-5.1_smt.b" + rel: assessment-for + links: + - href: "#cm-5.1_smt" + rel: assessment-for + - id: cm-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the + system + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with logical access control + responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access + restrictions to change + + + automated mechanisms implementing the enforcement of access + restrictions for changes to the system + + + automated mechanisms supporting auditing of enforcement actions + - id: cm-5.5 + class: SP800-53-enhancement + title: Privilege Limitation for Production and Operation + params: + - id: cm-5.5_prm_1 + label: organization-defined frequency + constraints: + - description: at least quarterly + - id: cm-05.05_odp.01 + label: frequency + guidelines: + - prose: frequency at which to review privileges is defined; + - id: cm-05.05_odp.02 + label: frequency + guidelines: + - prose: frequency at which to reevaluate privileges is defined; + props: + - name: label + value: CM-5(5) + - name: label + value: CM-05(05) + class: sp800-53a + - name: sort-id + value: cm-05.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-5" + rel: required + - href: "#ac-2" + rel: related + parts: + - id: cm-5.5_smt + name: statement + parts: + - id: cm-5.5_smt.a + name: item + props: + - name: label + value: (a) + prose: Limit privileges to change system components and system-related + information within a production or operational environment; + and + - id: cm-5.5_smt.b + name: item + props: + - name: label + value: (b) + prose: "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1\ + \ }}." + - id: cm-5.5_gdn + name: guidance + prose: In many organizations, systems support multiple mission and + business functions. Limiting privileges to change system components + with respect to operational systems is necessary because changes + to a system component may have far-reaching effects on mission + and business processes supported by the system. The relationships + between systems and mission/business processes are, in some cases, + unknown to developers. System-related information includes operational + procedures. + - id: cm-5.5_obj + name: assessment-objective + props: + - name: label + value: CM-05(05) + class: sp800-53a + parts: + - id: cm-5.5_obj.a + name: assessment-objective + props: + - name: label + value: CM-05(05)(a) + class: sp800-53a + parts: + - id: cm-5.5_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-05(05)(a)[01] + class: sp800-53a + prose: privileges to change system components within a production + or operational environment are limited; + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + - id: cm-5.5_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-05(05)(a)[02] + class: sp800-53a + prose: privileges to change system-related information within + a production or operational environment are limited; + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + links: + - href: "#cm-5.5_smt.a" + rel: assessment-for + - id: cm-5.5_obj.b + name: assessment-objective + props: + - name: label + value: CM-05(05)(b) + class: sp800-53a + parts: + - id: cm-5.5_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-05(05)(b)[01] + class: sp800-53a + prose: "privileges are reviewed {{ insert: param, cm-05.05_odp.01\ + \ }};" + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + - id: cm-5.5_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-05(05)(b)[02] + class: sp800-53a + prose: "privileges are reevaluated {{ insert: param, cm-05.05_odp.02\ + \ }}." + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + links: + - href: "#cm-5.5_smt.b" + rel: assessment-for + links: + - href: "#cm-5.5_smt" + rel: assessment-for + - id: cm-5.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-05(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing access restrictions for changes to the + system + + + configuration management plan + + + system design documentation + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + user privilege reviews + + + user privilege recertifications + + + system component inventory + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-5.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-05(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + - id: cm-5.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-05(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing access + restrictions to change + + + mechanisms supporting and/or implementing access restrictions + for change + - id: cm-6 + class: SP800-53 + title: Configuration Settings + params: + - id: cm-06_odp.01 + label: common secure configurations + guidelines: + - prose: common secure configurations to establish and document configuration + settings for components employed within the system are defined; + - id: cm-06_odp.02 + label: system components + guidelines: + - prose: system components for which approval of deviations is needed + are defined; + - id: cm-06_odp.03 + label: operational requirements + guidelines: + - prose: operational requirements necessitating approval of deviations + are defined; + props: + - name: label + value: CM-6 + - name: label + value: CM-06 + class: sp800-53a + - name: sort-id + value: cm-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#98498928-3ca3-44b3-8b1e-f48685373087" + rel: reference + - href: "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e" + rel: reference + - href: "#aa66e14f-e7cb-4a37-99d2-07578dfd4608" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-6" + rel: related + parts: + - id: cm-6_smt + name: statement + parts: + - id: cm-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish and document configuration settings for components\ + \ employed within the system that reflect the most restrictive\ + \ mode consistent with operational requirements using {{ insert:\ + \ param, cm-06_odp.01 }};" + - id: cm-6_smt.b + name: item + props: + - name: label + value: b. + prose: Implement the configuration settings; + - id: cm-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Identify, document, and approve any deviations from established\ + \ configuration settings for {{ insert: param, cm-06_odp.02 }}\ + \ based on {{ insert: param, cm-06_odp.03 }} ; and" + - id: cm-6_smt.d + name: item + props: + - name: label + value: d. + prose: Monitor and control changes to the configuration settings + in accordance with organizational policies and procedures. + - id: cm-6_fr + name: item + title: CM-6 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-6_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement 1:" + prose: The service provider shall use the DoD STIGs to establish + configuration settings; Center for Internet Security up to + Level 2 (CIS Level 2) guidelines shall be used if STIGs are + not available; Custom baselines shall be used if CIS is not + available. + - id: cm-6_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement 2:" + prose: The service provider shall ensure that checklists for + configuration settings are Security Content Automation Protocol + (SCAP) validated or SCAP compatible (if validated checklists + are not available). + - id: cm-6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Compliance checks are used to evaluate configuration + settings and provide general insight into the overall + effectiveness of configuration management activities. + CSPs and 3PAOs typically combine compliance check + findings into a single CM-6 finding, which is + acceptable. However, for initial assessments, annual + assessments, and significant change requests, FedRAMP + requires a clear understanding, on a per-control basis, + where risks exist. Therefore, 3PAOs must also analyze + compliance check findings as part of the controls + assessment. Where a direct mapping exists, the 3PAO must + document additional findings per control in the + corresponding SAR Risk Exposure Table (RET), which are + then documented in the CSP’s Plan of Action and + Milestones (POA&M). This will likely result in the + details of individual control findings overlapping with + those in the combined CM-6 finding, which is acceptable. + + + During monthly continuous monitoring, new findings from CSP + compliance checks may be combined into a single CM-6 POA&M + item. CSPs are not required to map the findings to specific + controls because controls are only assessed during initial + assessments, annual assessments, and significant change requests. + - id: cm-6_gdn + name: guidance + prose: >- + Configuration settings are the parameters that can be changed in + the hardware, software, or firmware components of the system + that affect the security and privacy posture or functionality of + the system. Information technology products for which + configuration settings can be defined include mainframe + computers, servers, workstations, operating systems, mobile + devices, input/output devices, protocols, and applications. + Parameters that impact the security posture of systems include + registry settings; account, file, or directory permission + settings; and settings for functions, protocols, ports, + services, and remote connections. Privacy parameters are + parameters impacting the privacy posture of systems, including + the parameters required to satisfy other privacy controls. + Privacy parameters include settings for access controls, data + processing preferences, and processing and retention + permissions. Organizations establish organization-wide + configuration settings and subsequently derive specific + configuration settings for systems. The established settings + become part of the configuration baseline for the system. + + + Common secure configurations (also known as security configuration + checklists, lockdown and hardening guides, and security reference + guides) provide recognized, standardized, and established benchmarks + that stipulate secure configuration settings for information technology + products and platforms as well as instructions for configuring those + products or platforms to meet operational requirements. Common secure + configurations can be developed by a variety of organizations, including + information technology product developers, manufacturers, vendors, + federal agencies, consortia, academia, industry, and other organizations + in the public and private sectors. + + + Implementation of a common secure configuration may be mandated at + the organization level, mission and business process level, system + level, or at a higher level, including by a regulatory agency. Common + secure configurations include the United States Government Configuration + Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security + technical implementation guides (STIGs), which affect the implementation + of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) + . The Security Content Automation Protocol (SCAP) and the defined + standards within the protocol provide an effective method to uniquely + identify, track, and control configuration settings. + - id: cm-6_obj + name: assessment-objective + props: + - name: label + value: CM-06 + class: sp800-53a + parts: + - id: cm-6_obj.a + name: assessment-objective + props: + - name: label + value: CM-06a. + class: sp800-53a + prose: "configuration settings that reflect the most restrictive\ + \ mode consistent with operational requirements are established\ + \ and documented for components employed within the system using\ + \ {{ insert: param, cm-06_odp.01 }};" + links: + - href: "#cm-6_smt.a" + rel: assessment-for + - id: cm-6_obj.b + name: assessment-objective + props: + - name: label + value: CM-06b. + class: sp800-53a + prose: the configuration settings documented in CM-06a are implemented; + links: + - href: "#cm-6_smt.b" + rel: assessment-for + - id: cm-6_obj.c + name: assessment-objective + props: + - name: label + value: CM-06c. + class: sp800-53a + parts: + - id: cm-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-06c.[01] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are identified and\ + \ documented based on {{ insert: param, cm-06_odp.03 }};" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-06c.[02] + class: sp800-53a + prose: "any deviations from established configuration settings\ + \ for {{ insert: param, cm-06_odp.02 }} are approved;" + links: + - href: "#cm-6_smt.c" + rel: assessment-for + links: + - href: "#cm-6_smt.c" + rel: assessment-for + - id: cm-6_obj.d + name: assessment-objective + props: + - name: label + value: CM-06d. + class: sp800-53a + parts: + - id: cm-6_obj.d-1 + name: assessment-objective + props: + - name: label + value: CM-06d.[01] + class: sp800-53a + prose: changes to the configuration settings are monitored in + accordance with organizational policies and procedures; + links: + - href: "#cm-6_smt.d" + rel: assessment-for + - id: cm-6_obj.d-2 + name: assessment-objective + props: + - name: label + value: CM-06d.[02] + class: sp800-53a + prose: changes to the configuration settings are controlled + in accordance with organizational policies and procedures. + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt.d" + rel: assessment-for + links: + - href: "#cm-6_smt" + rel: assessment-for + - id: cm-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + system component inventory + + + evidence supporting approved deviations from established configuration + settings + + + change control records + + + system data processing and retention permissions + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with privacy configuration management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration settings + + + mechanisms that implement, monitor, and/or control system configuration + settings + + + mechanisms that identify and/or document deviations from established + configuration settings + controls: + - id: cm-6.1 + class: SP800-53-enhancement + title: Automated Management, Application, and Verification + params: + - id: cm-6.1_prm_2 + label: organization-defined automated mechanisms + - id: cm-06.01_odp.01 + label: system components + guidelines: + - prose: system components for which to manage, apply, and verify + configuration settings are defined; + - id: cm-06.01_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to manage configuration settings + are defined; + - id: cm-06.01_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to apply configuration settings + are defined; + - id: cm-06.01_odp.04 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to verify configuration settings + are defined; + props: + - name: label + value: CM-6(1) + - name: label + value: CM-06(01) + class: sp800-53a + - name: sort-id + value: cm-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-6" + rel: required + - href: "#ca-7" + rel: related + parts: + - id: cm-6.1_smt + name: statement + prose: "Manage, apply, and verify configuration settings for {{\ + \ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2\ + \ }}." + - id: cm-6.1_gdn + name: guidance + prose: Automated tools (e.g., hardening tools, baseline configuration + tools) can improve the accuracy, consistency, and availability + of configuration settings information. Automation can also provide + data aggregation and data correlation capabilities, alerting mechanisms, + and dashboards to support risk-based decision-making within the + organization. + - id: cm-6.1_obj + name: assessment-objective + props: + - name: label + value: CM-06(01) + class: sp800-53a + parts: + - id: cm-6.1_obj-1 + name: assessment-objective + props: + - name: label + value: CM-06(01)[01] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are managed using {{ insert: param, cm-06.01_odp.02 }};" + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_obj-2 + name: assessment-objective + props: + - name: label + value: CM-06(01)[02] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are applied using {{ insert: param, cm-06.01_odp.03 }};" + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_obj-3 + name: assessment-objective + props: + - name: label + value: CM-06(01)[03] + class: sp800-53a + prose: "configuration settings for {{ insert: param, cm-06.01_odp.01\ + \ }} are verified using {{ insert: param, cm-06.01_odp.04\ + \ }}." + links: + - href: "#cm-6.1_smt" + rel: assessment-for + links: + - href: "#cm-6.1_smt" + rel: assessment-for + - id: cm-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing configuration settings for the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + system component inventory + + + common secure configuration checklists + + + change control records + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: cm-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing configuration + settings + + + automated mechanisms implemented to manage, apply, and verify + system configuration settings + - id: cm-7 + class: SP800-53 + title: Least Functionality + params: + - id: cm-7_prm_2 + label: organization-defined prohibited or restricted functions, system + ports, protocols, software, and/or services + - id: cm-07_odp.01 + label: mission-essential capabilities + guidelines: + - prose: mission-essential capabilities for the system are defined; + - id: cm-07_odp.02 + label: functions + guidelines: + - prose: functions to be prohibited or restricted are defined; + - id: cm-07_odp.03 + label: ports + guidelines: + - prose: ports to be prohibited or restricted are defined; + - id: cm-07_odp.04 + label: protocols + guidelines: + - prose: protocols to be prohibited or restricted are defined; + - id: cm-07_odp.05 + label: software + guidelines: + - prose: software to be prohibited or restricted is defined; + - id: cm-07_odp.06 + label: services + guidelines: + - prose: services to be prohibited or restricted are defined; + props: + - name: label + value: CM-7 + - name: label + value: CM-07 + class: sp800-53a + - name: sort-id + value: cm-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#38f39739-1ebd-43b1-8b8c-00f591d89ebd" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-11" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-4" + rel: related + parts: + - id: cm-7_smt + name: statement + parts: + - id: cm-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Configure the system to provide only {{ insert: param, cm-07_odp.01\ + \ }} ; and" + - id: cm-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Prohibit or restrict the use of the following functions,\ + \ ports, protocols, software, and/or services: {{ insert: param,\ + \ cm-7_prm_2 }}." + - id: cm-7_fr + name: item + title: CM-7 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-7_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider shall use Security guidelines (See + CM-6) to establish list of prohibited or restricted functions, + ports, protocols, and/or services or establishes its own list + of prohibited or restricted functions, ports, protocols, and/or + services if STIGs or CIS is not available. + - id: cm-7_gdn + name: guidance + prose: Systems provide a wide variety of functions and services. Some + of the functions and services routinely provided by default may not + be necessary to support essential organizational missions, functions, + or operations. Additionally, it is sometimes convenient to provide + multiple services from a single system component, but doing so increases + risk over limiting the services provided by that single component. + Where feasible, organizations limit component functionality to a single + function per component. Organizations consider removing unused or + unnecessary software and disabling unused or unnecessary physical + and logical ports and protocols to prevent unauthorized connection + of components, transfer of information, and tunneling. Organizations + employ network scanning tools, intrusion detection and prevention + systems, and end-point protection technologies, such as firewalls + and host-based intrusion detection systems, to identify and prevent + the use of prohibited functions, protocols, ports, and services. Least + functionality can also be achieved as part of the fundamental design + and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , + and [SC-3](#sc-3)). + - id: cm-7_obj + name: assessment-objective + props: + - name: label + value: CM-07 + class: sp800-53a + parts: + - id: cm-7_obj.a + name: assessment-objective + props: + - name: label + value: CM-07a. + class: sp800-53a + prose: "the system is configured to provide only {{ insert: param,\ + \ cm-07_odp.01 }};" + links: + - href: "#cm-7_smt.a" + rel: assessment-for + - id: cm-7_obj.b + name: assessment-objective + props: + - name: label + value: CM-07b. + class: sp800-53a + parts: + - id: cm-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-07b.[01] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.02 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-07b.[02] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.03 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-07b.[03] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.04 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-4 + name: assessment-objective + props: + - name: label + value: CM-07b.[04] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.05 }} is prohibited\ + \ or restricted;" + links: + - href: "#cm-7_smt.b" + rel: assessment-for + - id: cm-7_obj.b-5 + name: assessment-objective + props: + - name: label + value: CM-07b.[05] + class: sp800-53a + prose: "the use of {{ insert: param, cm-07_odp.06 }} is prohibited\ + \ or restricted." + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt.b" + rel: assessment-for + links: + - href: "#cm-7_smt" + rel: assessment-for + - id: cm-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing least functionality in the system + + configuration management plan + + system design documentation + + system configuration settings and associated documentation + + system component inventory + + common secure configuration checklists + + system security plan + + other relevant documents or records + - id: cm-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security configuration + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes prohibiting or restricting + functions, ports, protocols, software, and/or services + + + mechanisms implementing restrictions or prohibition of functions, + ports, protocols, software, and/or services + controls: + - id: cm-7.1 + class: SP800-53-enhancement + title: Periodic Review + params: + - id: cm-7.1_prm_2 + label: organization-defined functions, ports, protocols, software, + and services within the system deemed to be unnecessary and/or + nonsecure + - id: cm-07.01_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review the system to identify + unnecessary and/or non-secure functions, ports, protocols, + software, and/or services is defined; + - id: cm-07.01_odp.02 + label: functions + guidelines: + - prose: functions to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.03 + label: ports + guidelines: + - prose: ports to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.04 + label: protocols + guidelines: + - prose: protocols to be disabled or removed when deemed unnecessary + or non-secure are defined; + - id: cm-07.01_odp.05 + label: software + guidelines: + - prose: software to be disabled or removed when deemed unnecessary + or non-secure is defined; + - id: cm-07.01_odp.06 + label: services + guidelines: + - prose: services to be disabled or removed when deemed unnecessary + or non-secure are defined; + props: + - name: label + value: CM-7(1) + - name: label + value: CM-07(01) + class: sp800-53a + - name: sort-id + value: cm-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#ac-18" + rel: related + parts: + - id: cm-7.1_smt + name: statement + parts: + - id: cm-7.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Review the system {{ insert: param, cm-07.01_odp.01\ + \ }} to identify unnecessary and/or nonsecure functions, ports,\ + \ protocols, software, and services; and" + - id: cm-7.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." + - id: cm-7.1_gdn + name: guidance + prose: Organizations review functions, ports, protocols, and services + provided by systems or system components to determine the functions + and services that are candidates for elimination. Such reviews + are especially important during transition periods from older + technologies to newer technologies (e.g., transition from IPv4 + to IPv6). These technology transitions may require implementing + the older and newer technologies simultaneously during the transition + period and returning to minimum essential functions, ports, protocols, + and services at the earliest opportunity. Organizations can either + decide the relative security of the function, port, protocol, + and/or service or base the security decision on the assessment + of other entities. Unsecure protocols include Bluetooth, FTP, + and peer-to-peer networking. + - id: cm-7.1_obj + name: assessment-objective + props: + - name: label + value: CM-07(01) + class: sp800-53a + parts: + - id: cm-7.1_obj.a + name: assessment-objective + props: + - name: label + value: CM-07(01)(a) + class: sp800-53a + prose: "the system is reviewed {{ insert: param, cm-07.01_odp.01\ + \ }} to identify unnecessary and/or non-secure functions,\ + \ ports, protocols, software, and services:" + links: + - href: "#cm-7.1_smt.a" + rel: assessment-for + - id: cm-7.1_obj.b + name: assessment-objective + props: + - name: label + value: CM-07(01)(b) + class: sp800-53a + parts: + - id: cm-7.1_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[01] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.02 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[02] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.03 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[03] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.04 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-4 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[04] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.05 }} deemed to\ + \ be unnecessary and/or non-secure is disabled or removed;" + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + - id: cm-7.1_obj.b-5 + name: assessment-objective + props: + - name: label + value: CM-07(01)(b)[05] + class: sp800-53a + prose: " {{ insert: param, cm-07.01_odp.06 }} deemed to\ + \ be unnecessary and/or non-secure are disabled or removed." + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + links: + - href: "#cm-7.1_smt.b" + rel: assessment-for + links: + - href: "#cm-7.1_smt" + rel: assessment-for + - id: cm-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + common secure configuration checklists + + + documented reviews of functions, ports, protocols, and/or + services + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + reviewing functions, ports, protocols, and services on + the system + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for reviewing or disabling + functions, ports, protocols, and services on the system + + + mechanisms implementing review and disabling of functions, + ports, protocols, and/or services + - id: cm-7.2 + class: SP800-53-enhancement + title: Prevent Program Execution + params: + - id: cm-07.02_odp.01 + select: + how-many: one-or-more + choice: + - " {{ insert: param, cm-07.02_odp.02 }} " + - rules authorizing the terms and conditions of software program + usage + - id: cm-07.02_odp.02 + label: policies, rules of behavior, and/or access agreements regarding + software program usage and restrictions + guidelines: + - prose: policies, rules of behavior, and/or access agreements + regarding software program usage and restrictions are defined + (if selected); + props: + - name: label + value: CM-7(2) + - name: label + value: CM-07(02) + class: sp800-53a + - name: sort-id + value: cm-07.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: cm-7.2_smt + name: statement + prose: "Prevent program execution in accordance with {{ insert:\ + \ param, cm-07.02_odp.01 }}." + parts: + - id: cm-7.2_fr + name: item + title: CM-7 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: cm-7.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: This control refers to software deployment by CSP + personnel into the production environment. The control + requires a policy that states conditions for deploying + software. This control shall be implemented in a technical + manner on the information system to only allow programs + to run that adhere to the policy (i.e. allow-listing). + This control is not to be based off of strictly written + policy on what is allowed or not allowed to run. + - id: cm-7.2_gdn + name: guidance + prose: Prevention of program execution addresses organizational + policies, rules of behavior, and/or access agreements that restrict + software usage and the terms and conditions imposed by the developer + or manufacturer, including software licensing and copyrights. + Restrictions include prohibiting auto-execute features, restricting + roles allowed to approve program execution, permitting or prohibiting + specific software programs, or restricting the number of program + instances executed at the same time. + - id: cm-7.2_obj + name: assessment-objective + props: + - name: label + value: CM-07(02) + class: sp800-53a + prose: "program execution is prevented in accordance with {{ insert:\ + \ param, cm-07.02_odp.01 }}." + links: + - href: "#cm-7.2_smt" + rel: assessment-for + - id: cm-7.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + system component inventory + + + common secure configuration checklists + + + specifications for preventing software program execution + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: cm-7.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes preventing program execution on + the system + + + organizational processes for software program usage and restrictions + + + mechanisms preventing program execution on the system + + + mechanisms supporting and/or implementing software program + usage and restrictions + - id: cm-7.5 + class: SP800-53-enhancement + title: Authorized Software — Allow-by-exception + params: + - id: cm-07.05_odp.01 + label: software programs + guidelines: + - prose: software programs authorized to execute on the system + are defined; + - id: cm-07.05_odp.02 + label: frequency + constraints: + - description: at least quarterly or when there is a change + guidelines: + - prose: frequency at which to review and update the list of authorized + software programs is defined; + props: + - name: label + value: CM-7(5) + - name: label + value: CM-07(05) + class: sp800-53a + - name: sort-id + value: cm-07.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#cm-7" + rel: required + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-10" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-7.5_smt + name: statement + parts: + - id: cm-7.5_smt.a + name: item + props: + - name: label + value: (a) + prose: "Identify {{ insert: param, cm-07.05_odp.01 }};" + - id: cm-7.5_smt.b + name: item + props: + - name: label + value: (b) + prose: Employ a deny-all, permit-by-exception policy to allow + the execution of authorized software programs on the system; + and + - id: cm-7.5_smt.c + name: item + props: + - name: label + value: (c) + prose: "Review and update the list of authorized software programs\ + \ {{ insert: param, cm-07.05_odp.02 }}." + - id: cm-7.5_gdn + name: guidance + prose: Authorized software programs can be limited to specific versions + or from a specific source. To facilitate a comprehensive authorized + software process and increase the strength of protection for attacks + that bypass application level authorized software, software programs + may be decomposed into and monitored at different levels of detail. + These levels include applications, application programming interfaces, + application modules, scripts, system processes, system services, + kernel functions, registries, drivers, and dynamic link libraries. + The concept of permitting the execution of authorized software + may also be applied to user actions, system ports and protocols, + IP addresses/ranges, websites, and MAC addresses. Organizations + consider verifying the integrity of authorized software programs + using digital signatures, cryptographic checksums, or hash functions. + Verification of authorized software can occur either prior to + execution or at system startup. The identification of authorized + URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7). + - id: cm-7.5_obj + name: assessment-objective + props: + - name: label + value: CM-07(05) + class: sp800-53a + parts: + - id: cm-7.5_obj.a + name: assessment-objective + props: + - name: label + value: CM-07(05)(a) + class: sp800-53a + prose: " {{ insert: param, cm-07.05_odp.01 }} are identified;" + links: + - href: "#cm-7.5_smt.a" + rel: assessment-for + - id: cm-7.5_obj.b + name: assessment-objective + props: + - name: label + value: CM-07(05)(b) + class: sp800-53a + prose: a deny-all, permit-by-exception policy to allow the execution + of authorized software programs on the system is employed; + links: + - href: "#cm-7.5_smt.b" + rel: assessment-for + - id: cm-7.5_obj.c + name: assessment-objective + props: + - name: label + value: CM-07(05)(c) + class: sp800-53a + prose: "the list of authorized software programs is reviewed\ + \ and updated {{ insert: param, cm-07.05_odp.02 }}." + links: + - href: "#cm-7.5_smt.c" + rel: assessment-for + links: + - href: "#cm-7.5_smt" + rel: assessment-for + - id: cm-7.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-07(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing least functionality in the system + + + configuration management plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of software programs authorized to execute on the system + + + system component inventory + + + common secure configuration checklists + + + review and update records associated with list of authorized + software programs + + + change control records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-7.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-07(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + identifying software authorized to execute on the system + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-7.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-07(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for identifying, reviewing, and + updating programs authorized to execute on the system + + + organizational process for implementing authorized software + policy + + + mechanisms supporting and/or implementing authorized software + policy + - id: cm-8 + class: SP800-53 + title: System Component Inventory + params: + - id: cm-08_odp.01 + label: information + guidelines: + - prose: information deemed necessary to achieve effective system + component accountability is defined; + - id: cm-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to review and update the system component + inventory is defined; + props: + - name: label + value: CM-8 + - name: label + value: CM-08 + class: sp800-53a + - name: sort-id + value: cm-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#70402863-5078-43af-9a6c-e11b0f3ec370" + rel: reference + - href: "#996241f8-f692-42d5-91f1-ce8b752e39e6" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-20" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: cm-8_smt + name: statement + parts: + - id: cm-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop and document an inventory of system components that:" + parts: + - id: cm-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Accurately reflects the system; + - id: cm-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Includes all components within the system; + - id: cm-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Does not include duplicate accounting of components or + components assigned to any other system; + - id: cm-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Is at the level of granularity deemed necessary for tracking + and reporting; and + - id: cm-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: "Includes the following information to achieve system\ + \ component accountability: {{ insert: param, cm-08_odp.01\ + \ }} ; and" + - id: cm-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the system component inventory {{ insert:\ + \ param, cm-08_odp.02 }}." + - id: cm-8_fr + name: item + title: CM-8 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: must be provided at least monthly or when there is a + change. + - id: cm-8_gdn + name: guidance + prose: >- + System components are discrete, identifiable information + technology assets that include hardware, software, and firmware. + Organizations may choose to implement centralized system + component inventories that include components from all + organizational systems. In such situations, organizations ensure + that the inventories include system-specific information + required for component accountability. The information necessary + for effective accountability of system components includes the + system name, software owners, software version numbers, hardware + inventory specifications, software license information, and for + networked components, the machine names and network addresses + across all implemented protocols (e.g., IPv4, IPv6). Inventory + specifications include date of receipt, cost, model, serial + number, manufacturer, supplier information, component type, and + physical location. + + + Preventing duplicate accounting of system components addresses the + lack of accountability that occurs when component ownership and system + association is not known, especially in large or complex connected + systems. Effective prevention of duplicate accounting of system components + necessitates use of a unique identifier for each component. For software + inventory, centrally managed software that is accessed via other systems + is addressed as a component of the system on which it is installed + and managed. Software installed on multiple organizational systems + and managed at the system level is addressed for each individual system + and may appear more than once in a centralized component inventory, + necessitating a system association for each software instance in the + centralized inventory to avoid duplicate accounting of components. + Scanning systems implementing multiple network protocols (e.g., IPv4 + and IPv6) can result in duplicate components being identified in different + address spaces. The implementation of [CM-8(7)](#cm-8.7) can help + to eliminate duplicate accounting of components. + - id: cm-8_obj + name: assessment-objective + props: + - name: label + value: CM-08 + class: sp800-53a + parts: + - id: cm-8_obj.a + name: assessment-objective + props: + - name: label + value: CM-08a. + class: sp800-53a + parts: + - id: cm-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: CM-08a.01 + class: sp800-53a + prose: an inventory of system components that accurately reflects + the system is developed and documented; + links: + - href: "#cm-8_smt.a.1" + rel: assessment-for + - id: cm-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: CM-08a.02 + class: sp800-53a + prose: an inventory of system components that includes all components + within the system is developed and documented; + links: + - href: "#cm-8_smt.a.2" + rel: assessment-for + - id: cm-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: CM-08a.03 + class: sp800-53a + prose: an inventory of system components that does not include + duplicate accounting of components or components assigned + to any other system is developed and documented; + links: + - href: "#cm-8_smt.a.3" + rel: assessment-for + - id: cm-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: CM-08a.04 + class: sp800-53a + prose: an inventory of system components that is at the level + of granularity deemed necessary for tracking and reporting + is developed and documented; + links: + - href: "#cm-8_smt.a.4" + rel: assessment-for + - id: cm-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: CM-08a.05 + class: sp800-53a + prose: "an inventory of system components that includes {{ insert:\ + \ param, cm-08_odp.01 }} is developed and documented;" + links: + - href: "#cm-8_smt.a.5" + rel: assessment-for + links: + - href: "#cm-8_smt.a" + rel: assessment-for + - id: cm-8_obj.b + name: assessment-objective + props: + - name: label + value: CM-08b. + class: sp800-53a + prose: "the system component inventory is reviewed and updated {{\ + \ insert: param, cm-08_odp.02 }}." + links: + - href: "#cm-8_smt.b" + rel: assessment-for + links: + - href: "#cm-8_smt" + rel: assessment-for + - id: cm-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system design documentation + + system component inventory + + inventory reviews and update records + + system security plan + + other relevant documents or records + - id: cm-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing the system component + inventory + + + mechanisms supporting and/or implementing system component inventory + controls: + - id: cm-8.1 + class: SP800-53-enhancement + title: Updates During Installation and Removal + props: + - name: label + value: CM-8(1) + - name: label + value: CM-08(01) + class: sp800-53a + - name: sort-id + value: cm-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + - href: "#pm-16" + rel: related + parts: + - id: cm-8.1_smt + name: statement + prose: Update the inventory of system components as part of component + installations, removals, and system updates. + - id: cm-8.1_gdn + name: guidance + prose: Organizations can improve the accuracy, completeness, and + consistency of system component inventories if the inventories + are updated as part of component installations or removals or + during general system updates. If inventories are not updated + at these key times, there is a greater likelihood that the information + will not be appropriately captured and documented. System updates + include hardware, software, and firmware components. + - id: cm-8.1_obj + name: assessment-objective + props: + - name: label + value: CM-08(01) + class: sp800-53a + parts: + - id: cm-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: CM-08(01)[01] + class: sp800-53a + prose: the inventory of system components is updated as part + of component installations; + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: CM-08(01)[02] + class: sp800-53a + prose: the inventory of system components is updated as part + of component removals; + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_obj-3 + name: assessment-objective + props: + - name: label + value: CM-08(01)[03] + class: sp800-53a + prose: the inventory of system components is updated as part + of system updates. + links: + - href: "#cm-8.1_smt" + rel: assessment-for + links: + - href: "#cm-8.1_smt" + rel: assessment-for + - id: cm-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing system component inventory + + configuration management plan + + system security plan + + system component inventory + + inventory reviews and update records + + change control records + + component installation records + + component removal records + + system security plan + + other relevant documents or records + - id: cm-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + updating responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for updating the system + component inventory + + + mechanisms supporting and/or implementing system component + inventory updates + - id: cm-8.3 + class: SP800-53-enhancement + title: Automated Unauthorized Component Detection + params: + - id: cm-8.3_prm_1 + label: organization-defined automated mechanisms + constraints: + - description: automated mechanisms with a maximum five-minute + delay in detection + - id: cm-08.03_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + hardware within the system are defined; + - id: cm-08.03_odp.02 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + software within the system are defined; + - id: cm-08.03_odp.03 + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to detect the presence of unauthorized + firmware within the system are defined; + - id: cm-08.03_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which automated mechanisms are used to detect + the presence of unauthorized system components within the + system is defined; + - id: cm-08.03_odp.05 + select: + how-many: one-or-more + choice: + - disable network access by unauthorized components + - isolate unauthorized components + - "notify {{ insert: param, cm-08.03_odp.06 }} " + - id: cm-08.03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified when unauthorized components + are detected is/are defined (if selected); + props: + - name: label + value: CM-8(3) + - name: label + value: CM-08(03) + class: sp800-53a + - name: sort-id + value: cm-08.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-8" + rel: required + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-39" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-8.3_smt + name: statement + parts: + - id: cm-8.3_smt.a + name: item + props: + - name: label + value: (a) + prose: "Detect the presence of unauthorized hardware, software,\ + \ and firmware components within the system using {{ insert:\ + \ param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04\ + \ }} ; and" + - id: cm-8.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Take the following actions when unauthorized components\ + \ are detected: {{ insert: param, cm-08.03_odp.05 }}." + - id: cm-8.3_gdn + name: guidance + prose: 'Automated unauthorized component detection is applied in + addition to the monitoring for unauthorized remote connections + and mobile devices. Monitoring for unauthorized system components + may be accomplished on an ongoing basis or by the periodic scanning + of systems for that purpose. Automated mechanisms may also be + used to prevent the connection of unauthorized components (see + [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented + in systems or in separate system components. When acquiring and + implementing automated mechanisms, organizations consider whether + such mechanisms depend on the ability of the system component + to support an agent or supplicant in order to be detected since + some types of components do not have or cannot support agents + (e.g., IoT devices, sensors). Isolation can be achieved , for + example, by placing unauthorized system components in separate + domains or subnets or quarantining such components. This type + of component isolation is commonly referred to as "sandboxing." ' + - id: cm-8.3_obj + name: assessment-objective + props: + - name: label + value: CM-08(03) + class: sp800-53a + parts: + - id: cm-8.3_obj.a + name: assessment-objective + props: + - name: label + value: CM-08(03)(a) + class: sp800-53a + parts: + - id: cm-8.3_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[01] + class: sp800-53a + prose: "the presence of unauthorized hardware within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.01\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[02] + class: sp800-53a + prose: "the presence of unauthorized software within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.02\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-08(03)(a)[03] + class: sp800-53a + prose: "the presence of unauthorized firmware within the\ + \ system is detected using {{ insert: param, cm-08.03_odp.03\ + \ }} {{ insert: param, cm-08.03_odp.04 }};" + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + links: + - href: "#cm-8.3_smt.a" + rel: assessment-for + - id: cm-8.3_obj.b + name: assessment-objective + props: + - name: label + value: CM-08(03)(b) + class: sp800-53a + parts: + - id: cm-8.3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[01] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized hardware is detected;" + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + - id: cm-8.3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[02] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized software is detected;" + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + - id: cm-8.3_obj.b-3 + name: assessment-objective + props: + - name: label + value: CM-08(03)(b)[03] + class: sp800-53a + prose: " {{ insert: param, cm-08.03_odp.05 }} are taken\ + \ when unauthorized firmware is detected." + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + links: + - href: "#cm-8.3_smt.b" + rel: assessment-for + links: + - href: "#cm-8.3_smt" + rel: assessment-for + - id: cm-8.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-08(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing system component inventory + + + configuration management plan + + + system design documentation + + + system security plan + + + system component inventory + + + change control records + + + alerts/notifications of unauthorized components within the + system + + + system monitoring records + + + system maintenance records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cm-8.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-08(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with component inventory + management responsibilities + + + organizational personnel with responsibilities for managing + the automated mechanisms implementing unauthorized system + component detection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-8.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-08(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for detection of unauthorized + system components + + + organizational processes for taking action when unauthorized + system components are detected + + + automated mechanisms supporting and/or implementing the detection + of unauthorized system components + + + automated mechanisms supporting and/or implementing actions + taken when unauthorized system components are detected + - id: cm-9 + class: SP800-53 + title: Configuration Management Plan + params: + - id: cm-09_odp + label: personnel or roles + guidelines: + - prose: personnel or roles to review and approve the configuration + management plan is/are defined; + props: + - name: label + value: CM-9 + - name: label + value: CM-09 + class: sp800-53a + - name: sort-id + value: cm-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cm-9_smt + name: statement + prose: "Develop, document, and implement a configuration management\ + \ plan for the system that:" + parts: + - id: cm-9_smt.a + name: item + props: + - name: label + value: a. + prose: Addresses roles, responsibilities, and configuration management + processes and procedures; + - id: cm-9_smt.b + name: item + props: + - name: label + value: b. + prose: Establishes a process for identifying configuration items + throughout the system development life cycle and for managing + the configuration of the configuration items; + - id: cm-9_smt.c + name: item + props: + - name: label + value: c. + prose: Defines the configuration items for the system and places + the configuration items under configuration management; + - id: cm-9_smt.d + name: item + props: + - name: label + value: d. + prose: "Is reviewed and approved by {{ insert: param, cm-09_odp\ + \ }} ; and" + - id: cm-9_smt.e + name: item + props: + - name: label + value: e. + prose: Protects the configuration management plan from unauthorized + disclosure and modification. + - id: cm-9_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: FedRAMP does not provide a template for the Configuration + Management Plan. However, NIST SP 800-128, Guide for Security-Focused + Configuration Management of Information Systems, provides guidelines + for the implementation of CM controls as well as a sample CMP + outline in Appendix D of the Guide + - id: cm-9_gdn + name: guidance + prose: >- + Configuration management activities occur throughout the system + development life cycle. As such, there are developmental + configuration management activities (e.g., the control of code + and software libraries) and operational configuration management + activities (e.g., control of installed components and how the + components are configured). Configuration management plans + satisfy the requirements in configuration management policies + while being tailored to individual systems. Configuration + management plans define processes and procedures for how + configuration management is used to support system development + life cycle activities. + + + Configuration management plans are generated during the development + and acquisition stage of the system development life cycle. The plans + describe how to advance changes through change management processes; + update configuration settings and baselines; maintain component inventories; + control development, test, and operational environments; and develop, + release, and update key documents. + + + Organizations can employ templates to help ensure the consistent and + timely development and implementation of configuration management + plans. Templates can represent a configuration management plan for + the organization with subsets of the plan implemented on a system + by system basis. Configuration management approval processes include + the designation of key stakeholders responsible for reviewing and + approving proposed changes to systems, and personnel who conduct security + and privacy impact analyses prior to the implementation of changes + to the systems. Configuration items are the system components, such + as the hardware, software, firmware, and documentation to be configuration-managed. + As systems continue through the system development life cycle, new + configuration items may be identified, and some existing configuration + items may no longer need to be under configuration control. + - id: cm-9_obj + name: assessment-objective + props: + - name: label + value: CM-09 + class: sp800-53a + parts: + - id: cm-9_obj-1 + name: assessment-objective + props: + - name: label + value: CM-09[01] + class: sp800-53a + prose: a configuration management plan for the system is developed + and documented; + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_obj-2 + name: assessment-objective + props: + - name: label + value: CM-09[02] + class: sp800-53a + prose: a configuration management plan for the system is implemented; + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_obj.a + name: assessment-objective + props: + - name: label + value: CM-09a. + class: sp800-53a + parts: + - id: cm-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-09a.[01] + class: sp800-53a + prose: the configuration management plan addresses roles; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-09a.[02] + class: sp800-53a + prose: the configuration management plan addresses responsibilities; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-09a.[03] + class: sp800-53a + prose: the configuration management plan addresses configuration + management processes and procedures; + links: + - href: "#cm-9_smt.a" + rel: assessment-for + links: + - href: "#cm-9_smt.a" + rel: assessment-for + - id: cm-9_obj.b + name: assessment-objective + props: + - name: label + value: CM-09b. + class: sp800-53a + parts: + - id: cm-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-09b.[01] + class: sp800-53a + prose: the configuration management plan establishes a process + for identifying configuration items throughout the system + development life cycle; + links: + - href: "#cm-9_smt.b" + rel: assessment-for + - id: cm-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-09b.[02] + class: sp800-53a + prose: the configuration management plan establishes a process + for managing the configuration of the configuration items; + links: + - href: "#cm-9_smt.b" + rel: assessment-for + links: + - href: "#cm-9_smt.b" + rel: assessment-for + - id: cm-9_obj.c + name: assessment-objective + props: + - name: label + value: CM-09c. + class: sp800-53a + parts: + - id: cm-9_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-09c.[01] + class: sp800-53a + prose: the configuration management plan defines the configuration + items for the system; + links: + - href: "#cm-9_smt.c" + rel: assessment-for + - id: cm-9_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-09c.[02] + class: sp800-53a + prose: the configuration management plan places the configuration + items under configuration management; + links: + - href: "#cm-9_smt.c" + rel: assessment-for + links: + - href: "#cm-9_smt.c" + rel: assessment-for + - id: cm-9_obj.d + name: assessment-objective + props: + - name: label + value: CM-09d. + class: sp800-53a + prose: "the configuration management plan is reviewed and approved\ + \ by {{ insert: param, cm-09_odp }};" + links: + - href: "#cm-9_smt.d" + rel: assessment-for + - id: cm-9_obj.e + name: assessment-objective + props: + - name: label + value: CM-09e. + class: sp800-53a + parts: + - id: cm-9_obj.e-1 + name: assessment-objective + props: + - name: label + value: CM-09e.[01] + class: sp800-53a + prose: the configuration management plan is protected from unauthorized + disclosure; + links: + - href: "#cm-9_smt.e" + rel: assessment-for + - id: cm-9_obj.e-2 + name: assessment-objective + props: + - name: label + value: CM-09e.[02] + class: sp800-53a + prose: the configuration management plan is protected from unauthorized + modification. + links: + - href: "#cm-9_smt.e" + rel: assessment-for + links: + - href: "#cm-9_smt.e" + rel: assessment-for + links: + - href: "#cm-9_smt" + rel: assessment-for + - id: cm-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing configuration management planning + + configuration management plan + + system design documentation + + system security plan + + privacy plan + + other relevant documents or records + - id: cm-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + developing the configuration management plan + + + organizational personnel with responsibilities for implementing + and managing processes defined in the configuration management + plan + + + organizational personnel with responsibilities for protecting + the configuration management plan + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: cm-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing and documenting the + configuration management plan + + + organizational processes for identifying and managing configuration + items + + + organizational processes for protecting the configuration management + plan + + + mechanisms implementing the configuration management plan + + + mechanisms for managing configuration items + + + mechanisms for protecting the configuration management plan + - id: cm-10 + class: SP800-53 + title: Software Usage Restrictions + props: + - name: label + value: CM-10 + - name: label + value: CM-10 + class: sp800-53a + - name: sort-id + value: cm-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-17" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cm-10_smt + name: statement + parts: + - id: cm-10_smt.a + name: item + props: + - name: label + value: a. + prose: Use software and associated documentation in accordance with + contract agreements and copyright laws; + - id: cm-10_smt.b + name: item + props: + - name: label + value: b. + prose: Track the use of software and associated documentation protected + by quantity licenses to control copying and distribution; and + - id: cm-10_smt.c + name: item + props: + - name: label + value: c. + prose: Control and document the use of peer-to-peer file sharing + technology to ensure that this capability is not used for the + unauthorized distribution, display, performance, or reproduction + of copyrighted work. + - id: cm-10_gdn + name: guidance + prose: Software license tracking can be accomplished by manual or automated + methods, depending on organizational needs. Examples of contract agreements + include software license agreements and non-disclosure agreements. + - id: cm-10_obj + name: assessment-objective + props: + - name: label + value: CM-10 + class: sp800-53a + parts: + - id: cm-10_obj.a + name: assessment-objective + props: + - name: label + value: CM-10a. + class: sp800-53a + prose: software and associated documentation are used in accordance + with contract agreements and copyright laws; + links: + - href: "#cm-10_smt.a" + rel: assessment-for + - id: cm-10_obj.b + name: assessment-objective + props: + - name: label + value: CM-10b. + class: sp800-53a + prose: the use of software and associated documentation protected + by quantity licenses is tracked to control copying and distribution; + links: + - href: "#cm-10_smt.b" + rel: assessment-for + - id: cm-10_obj.c + name: assessment-objective + props: + - name: label + value: CM-10c. + class: sp800-53a + prose: the use of peer-to-peer file sharing technology is controlled + and documented to ensure that peer-to-peer file sharing is not + used for the unauthorized distribution, display, performance, + or reproduction of copyrighted work. + links: + - href: "#cm-10_smt.c" + rel: assessment-for + links: + - href: "#cm-10_smt" + rel: assessment-for + - id: cm-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + software usage restrictions + + software contract agreements and copyright laws + + site license documentation + + list of software usage restrictions + + software license tracking reports + + configuration management plan + + system security plan + + system security plan + + other relevant documents or records + - id: cm-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel operating, using, and/or + maintaining the system + + + organizational personnel with software license management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for tracking the use of software + protected by quantity licenses + + + organizational processes for controlling/documenting the use of + peer-to-peer file sharing technology + + + mechanisms implementing software license tracking + + + mechanisms implementing and controlling the use of peer-to-peer + files sharing technology + - id: cm-11 + class: SP800-53 + title: User-installed Software + params: + - id: cm-11_odp.01 + label: policies + guidelines: + - prose: policies governing the installation of software by users + are defined; + - id: cm-11_odp.02 + label: methods + guidelines: + - prose: methods used to enforce software installation policies are + defined; + - id: cm-11_odp.03 + label: frequency + constraints: + - description: Continuously (via CM-7 (5)) + guidelines: + - prose: frequency with which to monitor compliance is defined; + props: + - name: label + value: CM-11 + - name: label + value: CM-11 + class: sp800-53a + - name: sort-id + value: cm-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-3" + rel: related + - href: "#au-6" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-4" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-11_smt + name: statement + parts: + - id: cm-11_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish {{ insert: param, cm-11_odp.01 }} governing the\ + \ installation of software by users;" + - id: cm-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Enforce software installation policies through the following\ + \ methods: {{ insert: param, cm-11_odp.02 }} ; and" + - id: cm-11_smt.c + name: item + props: + - name: label + value: c. + prose: "Monitor policy compliance {{ insert: param, cm-11_odp.03\ + \ }}." + - id: cm-11_gdn + name: guidance + prose: If provided the necessary privileges, users can install software + in organizational systems. To maintain control over the software installed, + organizations identify permitted and prohibited actions regarding + software installation. Permitted software installations include updates + and security patches to existing software and downloading new applications + from organization-approved "app stores." Prohibited software installations + include software with unknown or suspect pedigrees or software that + organizations consider potentially malicious. Policies selected for + governing user-installed software are organization-developed or provided + by some external entity. Policy enforcement methods can include procedural + methods and automated methods. + - id: cm-11_obj + name: assessment-objective + props: + - name: label + value: CM-11 + class: sp800-53a + parts: + - id: cm-11_obj.a + name: assessment-objective + props: + - name: label + value: CM-11a. + class: sp800-53a + prose: " {{ insert: param, cm-11_odp.01 }} governing the installation\ + \ of software by users are established;" + links: + - href: "#cm-11_smt.a" + rel: assessment-for + - id: cm-11_obj.b + name: assessment-objective + props: + - name: label + value: CM-11b. + class: sp800-53a + prose: "software installation policies are enforced through {{ insert:\ + \ param, cm-11_odp.02 }};" + links: + - href: "#cm-11_smt.b" + rel: assessment-for + - id: cm-11_obj.c + name: assessment-objective + props: + - name: label + value: CM-11c. + class: sp800-53a + prose: "compliance with {{ insert: param, cm-11_odp.01 }} is monitored\ + \ {{ insert: param, cm-11_odp.03 }}." + links: + - href: "#cm-11_smt.c" + rel: assessment-for + links: + - href: "#cm-11_smt" + rel: assessment-for + - id: cm-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Configuration management policy + + procedures addressing user-installed software + + configuration management plan + + system security plan + + system design documentation + + system configuration settings and associated documentation + + list of rules governing user installed software + + system monitoring records + + system audit records + + continuous monitoring strategy + + system security plan + + other relevant documents or records + - id: cm-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for governing + user-installed software + + + organizational personnel operating, using, and/or maintaining + the system + + + organizational personnel monitoring compliance with user-installed + software policy + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: cm-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing user-installed software + on the system + + + mechanisms enforcing policies and methods for governing the installation + of software by users + + + mechanisms monitoring policy compliance + - id: cm-12 + class: SP800-53 + title: Information Location + params: + - id: cm-12_odp + label: information + guidelines: + - prose: information for which the location is to be identified and + documented is defined; + props: + - name: label + value: CM-12 + - name: label + value: CM-12 + class: sp800-53a + - name: sort-id + value: cm-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-23" + rel: related + - href: "#cm-8" + rel: related + - href: "#pm-5" + rel: related + - href: "#ra-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-4" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: cm-12_smt + name: statement + parts: + - id: cm-12_smt.a + name: item + props: + - name: label + value: a. + prose: "Identify and document the location of {{ insert: param,\ + \ cm-12_odp }} and the specific system components on which the\ + \ information is processed and stored;" + - id: cm-12_smt.b + name: item + props: + - name: label + value: b. + prose: Identify and document the users who have access to the system + and system components where the information is processed and stored; + and + - id: cm-12_smt.c + name: item + props: + - name: label + value: c. + prose: Document changes to the location (i.e., system or system + components) where the information is processed and stored. + - id: cm-12_fr + name: item + title: CM-12 Additional FedRAMP Requirements and Guidance + parts: + - id: cm-12_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to FedRAMP Authorization Boundary Guidance + - id: cm-12_gdn + name: guidance + prose: Information location addresses the need to understand where information + is being processed and stored. Information location includes identifying + where specific information types and information reside in system + components and how information is being processed so that information + flow can be understood and adequate protection and policy management + provided for such information and system components. The security + category of the information is also a factor in determining the controls + necessary to protect the information and the system component where + the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) + ). The location of the information and system components is also a + factor in the architecture and design of the system (see [SA-4](#sa-4), + [SA-8](#sa-8), [SA-17](#sa-17)). + - id: cm-12_obj + name: assessment-objective + props: + - name: label + value: CM-12 + class: sp800-53a + parts: + - id: cm-12_obj.a + name: assessment-objective + props: + - name: label + value: CM-12a. + class: sp800-53a + parts: + - id: cm-12_obj.a-1 + name: assessment-objective + props: + - name: label + value: CM-12a.[01] + class: sp800-53a + prose: "the location of {{ insert: param, cm-12_odp }} is identified\ + \ and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.a-2 + name: assessment-objective + props: + - name: label + value: CM-12a.[02] + class: sp800-53a + prose: "the specific system components on which {{ insert: param,\ + \ cm-12_odp }} is processed are identified and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.a-3 + name: assessment-objective + props: + - name: label + value: CM-12a.[03] + class: sp800-53a + prose: "the specific system components on which {{ insert: param,\ + \ cm-12_odp }} is stored are identified and documented;" + links: + - href: "#cm-12_smt.a" + rel: assessment-for + links: + - href: "#cm-12_smt.a" + rel: assessment-for + - id: cm-12_obj.b + name: assessment-objective + props: + - name: label + value: CM-12b. + class: sp800-53a + parts: + - id: cm-12_obj.b-1 + name: assessment-objective + props: + - name: label + value: CM-12b.[01] + class: sp800-53a + prose: "the users who have access to the system and system components\ + \ where {{ insert: param, cm-12_odp }} is processed are identified\ + \ and documented;" + links: + - href: "#cm-12_smt.b" + rel: assessment-for + - id: cm-12_obj.b-2 + name: assessment-objective + props: + - name: label + value: CM-12b.[02] + class: sp800-53a + prose: "the users who have access to the system and system components\ + \ where {{ insert: param, cm-12_odp }} is stored are identified\ + \ and documented;" + links: + - href: "#cm-12_smt.b" + rel: assessment-for + links: + - href: "#cm-12_smt.b" + rel: assessment-for + - id: cm-12_obj.c + name: assessment-objective + props: + - name: label + value: CM-12c. + class: sp800-53a + parts: + - id: cm-12_obj.c-1 + name: assessment-objective + props: + - name: label + value: CM-12c.[01] + class: sp800-53a + prose: "changes to the location (i.e., system or system components)\ + \ where {{ insert: param, cm-12_odp }} is processed are documented;" + links: + - href: "#cm-12_smt.c" + rel: assessment-for + - id: cm-12_obj.c-2 + name: assessment-objective + props: + - name: label + value: CM-12c.[02] + class: sp800-53a + prose: "changes to the location (i.e., system or system components)\ + \ where {{ insert: param, cm-12_odp }} is stored are documented." + links: + - href: "#cm-12_smt.c" + rel: assessment-for + links: + - href: "#cm-12_smt.c" + rel: assessment-for + links: + - href: "#cm-12_smt" + rel: assessment-for + - id: cm-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing identification and documentation of information + location + + + configuration management plan + + + system design documentation + + + system architecture documentation + + + PII inventory documentation + + + data mapping documentation + + + audit records + + + list of users with system and system component access + + + change control records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for managing + information location and user access to information + + + organizational personnel with responsibilities for operating, + using, and/or maintaining the system + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + system developers + - id: cm-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing information location + + + mechanisms enforcing policies and methods for governing information + location + controls: + - id: cm-12.1 + class: SP800-53-enhancement + title: Automated Tools to Support Information Location + params: + - id: cm-12.01_odp.01 + label: information by information type + constraints: + - description: Federal data and system data that must be protected + at the High or Moderate impact levels + guidelines: + - prose: information to be protected is defined by information + type; + - id: cm-12.01_odp.02 + label: system components + guidelines: + - prose: system components where the information is located are + defined; + props: + - name: label + value: CM-12(1) + - name: label + value: CM-12(01) + class: sp800-53a + - name: sort-id + value: cm-12.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cm-12" + rel: required + parts: + - id: cm-12.1_smt + name: statement + prose: "Use automated tools to identify {{ insert: param, cm-12.01_odp.01\ + \ }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls\ + \ are in place to protect organizational information and individual\ + \ privacy." + parts: + - id: cm-12.1_fr + name: item + title: CM-12 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: cm-12.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to FedRAMP Authorization Boundary Guidance. + - id: cm-12.1_gdn + name: guidance + prose: The use of automated tools helps to increase the effectiveness + and efficiency of the information location capability implemented + within the system. Automation also helps organizations manage + the data produced during information location activities and share + such information across the organization. The output of automated + information location tools can be used to guide and inform system + architecture and design decisions. + - id: cm-12.1_obj + name: assessment-objective + props: + - name: label + value: CM-12(01) + class: sp800-53a + prose: "automated tools are used to identify {{ insert: param, cm-12.01_odp.01\ + \ }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls\ + \ are in place to protect organizational information and individual\ + \ privacy." + links: + - href: "#cm-12.1_smt" + rel: assessment-for + - id: cm-12.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CM-12(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Configuration management policy + + + procedures addressing identification and documentation of + information location + + + configuration management plan + + + system design documentation + + + PII inventory documentation + + + data mapping documentation + + + change control records + + + system component inventory + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: cm-12.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CM-12(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + managing information location + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: cm-12.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CM-12(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes governing information location + + + automated mechanisms enforcing policies and methods for governing + information location + + + automated tools used to identify information on system components + - id: cp + class: family + title: Contingency Planning + controls: + - id: cp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: cp-1_prm_1 + label: organization-defined personnel or roles + - id: cp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning policy + is to be disseminated is/are defined; + - id: cp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the contingency planning procedures + are to be disseminated is/are defined; + - id: cp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: cp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the contingency planning policy and + procedures is defined; + - id: cp-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current contingency planning policy + is reviewed and updated is defined; + - id: cp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current contingency planning + policy to be reviewed and updated are defined; + - id: cp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current contingency planning procedures + are reviewed and updated is defined; + - id: cp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: CP-1 + - name: label + value: CP-01 + class: sp800-53a + - name: sort-id + value: cp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-1_smt + name: statement + parts: + - id: cp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ cp-1_prm_1 }}:" + parts: + - id: cp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, cp-01_odp.03 }} contingency planning\ + \ policy that:" + parts: + - id: cp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: cp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: cp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the contingency + planning policy and the associated contingency planning controls; + - id: cp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, cp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures; and" + - id: cp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current contingency planning:" + parts: + - id: cp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, cp-01_odp.05 }} and following\ + \ {{ insert: param, cp-01_odp.06 }} ; and" + - id: cp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, cp-01_odp.07 }} and following\ + \ {{ insert: param, cp-01_odp.08 }}." + - id: cp-1_gdn + name: guidance + prose: Contingency planning policy and procedures address the controls + in the CP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of contingency + planning policy and procedures. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission- or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission or business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to contingency planning policy + and procedures include assessment or audit findings, security incidents + or breaches, or changes in laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: cp-1_obj + name: assessment-objective + props: + - name: label + value: CP-01 + class: sp800-53a + parts: + - id: cp-1_obj.a + name: assessment-objective + props: + - name: label + value: CP-01a. + class: sp800-53a + parts: + - id: cp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.[01] + class: sp800-53a + prose: a contingency planning policy is developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.[02] + class: sp800-53a + prose: "the contingency planning policy is disseminated to {{\ + \ insert: param, cp-01_odp.01 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.[03] + class: sp800-53a + prose: contingency planning procedures to facilitate the implementation + of the contingency planning policy and associated contingency + planning controls are developed and documented; + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.[04] + class: sp800-53a + prose: "the contingency planning procedures are disseminated\ + \ to {{ insert: param, cp-01_odp.02 }};" + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-01a.01 + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: CP-01a.01(a) + class: sp800-53a + parts: + - id: cp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses purpose;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses scope;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses roles;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses responsibilities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses management commitment;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: CP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy addresses compliance;" + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1.a" + rel: assessment-for + - id: cp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: CP-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.03 }} contingency\ + \ planning policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#cp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#cp-1_smt.a.1" + rel: assessment-for + links: + - href: "#cp-1_smt.a" + rel: assessment-for + - id: cp-1_obj.b + name: assessment-objective + props: + - name: label + value: CP-01b. + class: sp800-53a + prose: "the {{ insert: param, cp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the contingency\ + \ planning policy and procedures;" + links: + - href: "#cp-1_smt.b" + rel: assessment-for + - id: cp-1_obj.c + name: assessment-objective + props: + - name: label + value: CP-01c. + class: sp800-53a + parts: + - id: cp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: CP-01c.01 + class: sp800-53a + parts: + - id: cp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: CP-01c.01[01] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated {{ insert: param, cp-01_odp.05 }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: CP-01c.01[02] + class: sp800-53a + prose: "the current contingency planning policy is reviewed\ + \ and updated following {{ insert: param, cp-01_odp.06\ + \ }};" + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + links: + - href: "#cp-1_smt.c.1" + rel: assessment-for + - id: cp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: CP-01c.02 + class: sp800-53a + parts: + - id: cp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: CP-01c.02[01] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated {{ insert: param, cp-01_odp.07\ + \ }};" + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + - id: cp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: CP-01c.02[02] + class: sp800-53a + prose: "the current contingency planning procedures are\ + \ reviewed and updated following {{ insert: param, cp-01_odp.08\ + \ }}." + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c.2" + rel: assessment-for + links: + - href: "#cp-1_smt.c" + rel: assessment-for + links: + - href: "#cp-1_smt" + rel: assessment-for + - id: cp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-2 + class: SP800-53 + title: Contingency Plan + params: + - id: cp-2_prm_1 + label: organization-defined personnel or roles + - id: cp-2_prm_2 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-2_prm_4 + label: organization-defined key contingency personnel (identified by + name and/or by role) and organizational elements + - id: cp-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to review a contingency plan is/are defined; + - id: cp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to approve a contingency plan is/are defined; + - id: cp-02_odp.03 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to whom copies of the contingency plan are distributed are defined; + - id: cp-02_odp.04 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to which copies of + the contingency plan are distributed are defined; + - id: cp-02_odp.05 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of contingency plan review is defined; + - id: cp-02_odp.06 + label: key contingency personnel + guidelines: + - prose: key contingency personnel (identified by name and/or by role) + to communicate changes to are defined; + - id: cp-02_odp.07 + label: organizational elements + guidelines: + - prose: key contingency organizational elements to communicate changes + to are defined; + props: + - name: label + value: CP-2 + - name: label + value: CP-02 + class: sp800-53a + - name: sort-id + value: cp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#cp-11" + rel: related + - href: "#cp-13" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + - href: "#ma-6" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#si-12" + rel: related + parts: + - id: cp-2_smt + name: statement + parts: + - id: cp-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a contingency plan for the system that:" + parts: + - id: cp-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifies essential mission and business functions and + associated contingency requirements; + - id: cp-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Provides recovery objectives, restoration priorities, + and metrics; + - id: cp-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Addresses contingency roles, responsibilities, assigned + individuals with contact information; + - id: cp-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Addresses maintaining essential mission and business + functions despite a system disruption, compromise, or failure; + - id: cp-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Addresses eventual, full system restoration without deterioration + of the controls originally planned and implemented; + - id: cp-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Addresses the sharing of contingency information; and + - id: cp-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: "Is reviewed and approved by {{ insert: param, cp-2_prm_1\ + \ }};" + - id: cp-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the contingency plan to {{ insert:\ + \ param, cp-2_prm_2 }};" + - id: cp-2_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate contingency planning activities with incident + handling activities; + - id: cp-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Review the contingency plan for the system {{ insert: param,\ + \ cp-02_odp.05 }};" + - id: cp-2_smt.e + name: item + props: + - name: label + value: e. + prose: Update the contingency plan to address changes to the organization, + system, or environment of operation and problems encountered during + contingency plan implementation, execution, or testing; + - id: cp-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Communicate contingency plan changes to {{ insert: param,\ + \ cp-2_prm_4 }};" + - id: cp-2_smt.g + name: item + props: + - name: label + value: g. + prose: Incorporate lessons learned from contingency plan testing, + training, or actual contingency activities into contingency testing + and training; and + - id: cp-2_smt.h + name: item + props: + - name: label + value: h. + prose: Protect the contingency plan from unauthorized disclosure + and modification. + - id: cp-2_fr + name: item + title: CP-2 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For JAB authorizations the contingency lists include + designated FedRAMP personnel. + - id: cp-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: "CSPs must use the FedRAMP Information System Contingency\ + \ Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." + - id: cp-2_gdn + name: guidance + prose: >- + Contingency planning for systems is part of an overall program + for achieving continuity of operations for organizational + mission and business functions. Contingency planning addresses + system restoration and implementation of alternative mission or + business processes when systems are compromised or breached. + Contingency planning is considered throughout the system + development life cycle and is a fundamental part of the system + design. Systems can be designed for redundancy, to provide + backup capabilities, and for resilience. Contingency plans + reflect the degree of restoration required for organizational + systems since not all systems need to fully recover to achieve + the level of continuity of operations desired. System recovery + objectives reflect applicable laws, executive orders, + directives, regulations, policies, standards, guidelines, + organizational risk tolerance, and system impact level. + + + Actions addressed in contingency plans include orderly system degradation, + system shutdown, fallback to a manual mode, alternate information + flows, and operating in modes reserved for when systems are under + attack. By coordinating contingency planning with incident handling + activities, organizations ensure that the necessary planning activities + are in place and activated in the event of an incident. Organizations + consider whether continuity of operations during an incident conflicts + with the capability to automatically disable the system, as specified + in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency + planning for organizations and is addressed in the [IR](#ir) (Incident + Response) family. + - id: cp-2_obj + name: assessment-objective + props: + - name: label + value: CP-02 + class: sp800-53a + parts: + - id: cp-2_obj.a + name: assessment-objective + props: + - name: label + value: CP-02a. + class: sp800-53a + parts: + - id: cp-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-02a.01 + class: sp800-53a + prose: a contingency plan for the system is developed that identifies + essential mission and business functions and associated contingency + requirements; + links: + - href: "#cp-2_smt.a.1" + rel: assessment-for + - id: cp-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-02a.02 + class: sp800-53a + parts: + - id: cp-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: CP-02a.02[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides recovery objectives; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: CP-02a.02[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides restoration priorities; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: CP-02a.02[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + provides metrics; + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + links: + - href: "#cp-2_smt.a.2" + rel: assessment-for + - id: cp-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-02a.03 + class: sp800-53a + parts: + - id: cp-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: CP-02a.03[01] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency roles; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: CP-02a.03[02] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses contingency responsibilities; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.3-3 + name: assessment-objective + props: + - name: label + value: CP-02a.03[03] + class: sp800-53a + prose: a contingency plan for the system is developed that + addresses assigned individuals with contact information; + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + links: + - href: "#cp-2_smt.a.3" + rel: assessment-for + - id: cp-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: CP-02a.04 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + maintaining essential mission and business functions despite + a system disruption, compromise, or failure; + links: + - href: "#cp-2_smt.a.4" + rel: assessment-for + - id: cp-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: CP-02a.05 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + eventual, full-system restoration without deterioration of + the controls originally planned and implemented; + links: + - href: "#cp-2_smt.a.5" + rel: assessment-for + - id: cp-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: CP-02a.06 + class: sp800-53a + prose: a contingency plan for the system is developed that addresses + the sharing of contingency information; + links: + - href: "#cp-2_smt.a.6" + rel: assessment-for + - id: cp-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: CP-02a.07 + class: sp800-53a + parts: + - id: cp-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: CP-02a.07[01] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is reviewed by {{ insert: param, cp-02_odp.01 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + - id: cp-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: CP-02a.07[02] + class: sp800-53a + prose: "a contingency plan for the system is developed that\ + \ is approved by {{ insert: param, cp-02_odp.02 }};" + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a.7" + rel: assessment-for + links: + - href: "#cp-2_smt.a" + rel: assessment-for + - id: cp-2_obj.b + name: assessment-objective + props: + - name: label + value: CP-02b. + class: sp800-53a + parts: + - id: cp-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-02b.[01] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.03 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-02b.[02] + class: sp800-53a + prose: "copies of the contingency plan are distributed to {{\ + \ insert: param, cp-02_odp.04 }};" + links: + - href: "#cp-2_smt.b" + rel: assessment-for + links: + - href: "#cp-2_smt.b" + rel: assessment-for + - id: cp-2_obj.c + name: assessment-objective + props: + - name: label + value: CP-02c. + class: sp800-53a + prose: contingency planning activities are coordinated with incident + handling activities; + links: + - href: "#cp-2_smt.c" + rel: assessment-for + - id: cp-2_obj.d + name: assessment-objective + props: + - name: label + value: CP-02d. + class: sp800-53a + prose: "the contingency plan for the system is reviewed {{ insert:\ + \ param, cp-02_odp.05 }};" + links: + - href: "#cp-2_smt.d" + rel: assessment-for + - id: cp-2_obj.e + name: assessment-objective + props: + - name: label + value: CP-02e. + class: sp800-53a + parts: + - id: cp-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: CP-02e.[01] + class: sp800-53a + prose: the contingency plan is updated to address changes to + the organization, system, or environment of operation; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: CP-02e.[02] + class: sp800-53a + prose: the contingency plan is updated to address problems encountered + during contingency plan implementation, execution, or testing; + links: + - href: "#cp-2_smt.e" + rel: assessment-for + links: + - href: "#cp-2_smt.e" + rel: assessment-for + - id: cp-2_obj.f + name: assessment-objective + props: + - name: label + value: CP-02f. + class: sp800-53a + parts: + - id: cp-2_obj.f-1 + name: assessment-objective + props: + - name: label + value: CP-02f.[01] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.06 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.f-2 + name: assessment-objective + props: + - name: label + value: CP-02f.[02] + class: sp800-53a + prose: "contingency plan changes are communicated to {{ insert:\ + \ param, cp-02_odp.07 }};" + links: + - href: "#cp-2_smt.f" + rel: assessment-for + links: + - href: "#cp-2_smt.f" + rel: assessment-for + - id: cp-2_obj.g + name: assessment-objective + props: + - name: label + value: CP-02g. + class: sp800-53a + parts: + - id: cp-2_obj.g-1 + name: assessment-objective + props: + - name: label + value: CP-02g.[01] + class: sp800-53a + prose: lessons learned from contingency plan testing or actual + contingency activities are incorporated into contingency testing; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.g-2 + name: assessment-objective + props: + - name: label + value: CP-02g.[02] + class: sp800-53a + prose: lessons learned from contingency plan training or actual + contingency activities are incorporated into contingency testing + and training; + links: + - href: "#cp-2_smt.g" + rel: assessment-for + links: + - href: "#cp-2_smt.g" + rel: assessment-for + - id: cp-2_obj.h + name: assessment-objective + props: + - name: label + value: CP-02h. + class: sp800-53a + parts: + - id: cp-2_obj.h-1 + name: assessment-objective + props: + - name: label + value: CP-02h.[01] + class: sp800-53a + prose: the contingency plan is protected from unauthorized disclosure; + links: + - href: "#cp-2_smt.h" + rel: assessment-for + - id: cp-2_obj.h-2 + name: assessment-objective + props: + - name: label + value: CP-02h.[02] + class: sp800-53a + prose: the contingency plan is protected from unauthorized modification. + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt.h" + rel: assessment-for + links: + - href: "#cp-2_smt" + rel: assessment-for + - id: cp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency operations for the system + + contingency plan + + evidence of contingency plan reviews and updates + + system security plan + + other relevant documents or records + - id: cp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and plan + implementation responsibilities + + + organizational personnel with incident handling responsibilities + + + organizational personnel with knowledge of requirements for mission + and business functions + + + organizational personnel with information security responsibilities + - id: cp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan development, + review, update, and protection + + + mechanisms for developing, reviewing, updating, and/or protecting + the contingency plan + controls: + - id: cp-2.1 + class: SP800-53-enhancement + title: Coordinate with Related Plans + props: + - name: label + value: CP-2(1) + - name: label + value: CP-02(01) + class: sp800-53a + - name: sort-id + value: cp-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + parts: + - id: cp-2.1_smt + name: statement + prose: Coordinate contingency plan development with organizational + elements responsible for related plans. + - id: cp-2.1_gdn + name: guidance + prose: Plans that are related to contingency plans include Business + Continuity Plans, Disaster Recovery Plans, Critical Infrastructure + Plans, Continuity of Operations Plans, Crisis Communications Plans, + Insider Threat Implementation Plans, Data Breach Response Plans, + Cyber Incident Response Plans, Breach Response Plans, and Occupant + Emergency Plans. + - id: cp-2.1_obj + name: assessment-objective + props: + - name: label + value: CP-02(01) + class: sp800-53a + prose: contingency plan development is coordinated with organizational + elements responsible for related plans. + links: + - href: "#cp-2.1_smt" + rel: assessment-for + - id: cp-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business contingency plans + + + disaster recovery plans + + + continuity of operations plans + + + crisis communications plans + + + critical infrastructure plans + + + cyber incident response plan + + + insider threat implementation plans + + + occupant emergency plans + + + system security plan + + + other relevant documents or records + - id: cp-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with information security responsibilities + + + personnel with responsibility for related plans + - id: cp-2.3 + class: SP800-53-enhancement + title: Resume Mission and Business Functions + params: + - id: cp-02.03_odp.01 + constraints: + - description: all + select: + choice: + - all + - essential + - id: cp-02.03_odp.02 + label: time period + constraints: + - description: time period defined in service provider and organization + SLA + guidelines: + - prose: the contingency plan activation time period within which + to resume mission and business functions is defined; + props: + - name: label + value: CP-2(3) + - name: label + value: CP-02(03) + class: sp800-53a + - name: sort-id + value: cp-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + parts: + - id: cp-2.3_smt + name: statement + prose: "Plan for the resumption of {{ insert: param, cp-02.03_odp.01\ + \ }} mission and business functions within {{ insert: param, cp-02.03_odp.02\ + \ }} of contingency plan activation." + - id: cp-2.3_gdn + name: guidance + prose: Organizations may choose to conduct contingency planning + activities to resume mission and business functions as part of + business continuity planning or as part of business impact analyses. + Organizations prioritize the resumption of mission and business + functions. The time period for resuming mission and business functions + may be dependent on the severity and extent of the disruptions + to the system and its supporting infrastructure. + - id: cp-2.3_obj + name: assessment-objective + props: + - name: label + value: CP-02(03) + class: sp800-53a + prose: "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission\ + \ and business functions are planned for within {{ insert: param,\ + \ cp-02.03_odp.02 }} of contingency plan activation." + links: + - href: "#cp-2.3_smt" + rel: assessment-for + - id: cp-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business impact assessment + + + system security plan + + + privacy plan + + + other related plans + + + system security plan + + + other relevant documents or records + - id: cp-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with knowledge of requirements for + mission and business functions + - id: cp-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for resumption of missions and + business functions + - id: cp-2.8 + class: SP800-53-enhancement + title: Identify Critical Assets + params: + - id: cp-02.08_odp + select: + choice: + - all + - essential + props: + - name: label + value: CP-2(8) + - name: label + value: CP-02(08) + class: sp800-53a + - name: sort-id + value: cp-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: required + - href: "#cm-8" + rel: related + - href: "#ra-9" + rel: related + parts: + - id: cp-2.8_smt + name: statement + prose: "Identify critical system assets supporting {{ insert: param,\ + \ cp-02.08_odp }} mission and business functions." + - id: cp-2.8_gdn + name: guidance + prose: Organizations may choose to identify critical assets as part + of criticality analysis, business continuity planning, or business + impact analyses. Organizations identify critical system assets + so that additional controls can be employed (beyond the controls + routinely implemented) to help ensure that organizational mission + and business functions can continue to be conducted during contingency + operations. The identification of critical information assets + also facilitates the prioritization of organizational resources. + Critical system assets include technical and operational aspects. + Technical aspects include system components, information technology + services, information technology products, and mechanisms. Operational + aspects include procedures (i.e., manually executed operations) + and personnel (i.e., individuals operating technical controls + and/or executing manual procedures). Organizational program protection + plans can assist in identifying critical assets. If critical assets + are resident within or supported by external service providers, + organizations consider implementing [CP-2(7)](#cp-2.7) as a control + enhancement. + - id: cp-2.8_obj + name: assessment-objective + props: + - name: label + value: CP-02(08) + class: sp800-53a + prose: "critical system assets supporting {{ insert: param, cp-02.08_odp\ + \ }} mission and business functions are identified." + links: + - href: "#cp-2.8_smt" + rel: assessment-for + - id: cp-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing contingency operations for the system + + + contingency plan + + + business impact assessment + + + system security plan + + + other relevant documents or records + - id: cp-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning and + plan implementation responsibilities + + + organizational personnel with knowledge of requirements for + mission and business functions + + + organizational personnel with information security responsibilities + - id: cp-3 + class: SP800-53 + title: Contingency Training + params: + - id: cp-03_odp.01 + label: time period + constraints: + - description: \*See Additional Requirements + guidelines: + - prose: the time period within which to provide contingency training + after assuming a contingency role or responsibility is defined; + - id: cp-03_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide training to system users with + a contingency role or responsibility is defined; + - id: cp-03_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update contingency training + content is defined; + - id: cp-03_odp.04 + label: events + guidelines: + - prose: events necessitating review and update of contingency training + are defined; + props: + - name: label + value: CP-3 + - name: label + value: CP-03 + class: sp800-53a + - name: sort-id + value: cp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-8" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: cp-3_smt + name: statement + parts: + - id: cp-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: cp-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, cp-03_odp.01 }} of assuming\ + \ a contingency role or responsibility;" + - id: cp-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: cp-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, cp-03_odp.02 }} thereafter; and" + - id: cp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update contingency training content {{ insert:\ + \ param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04\ + \ }}." + - id: cp-3_fr + name: item + title: CP-3 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-3_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: Privileged admins and engineers must take the basic contingency + training within 10 days. Consideration must be given for those + privileged admins and engineers with critical contingency-related + roles, to gain enough system context and situational awareness + to understand the full impact of contingency training as it + applies to their respective level. Newly hired critical contingency + personnel must take this more in-depth training within 60 + days of hire date when the training will have more impact. + - id: cp-3_gdn + name: guidance + prose: Contingency training provided by organizations is linked to the + assigned roles and responsibilities of organizational personnel to + ensure that the appropriate content and level of detail is included + in such training. For example, some individuals may only need to know + when and where to report for duty during contingency operations and + if normal duties are affected; system administrators may require additional + training on how to establish systems at alternate processing and storage + sites; and organizational officials may receive more specific training + on how to conduct mission-essential functions in designated off-site + locations and how to establish communications with other governmental + entities for purposes of coordination on contingency-related activities. + Training for contingency roles or responsibilities reflects the specific + continuity requirements in the contingency plan. Events that may precipitate + an update to contingency training content include, but are not limited + to, contingency plan testing or an actual contingency (lessons learned), + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. At the discretion of the organization, participation + in a contingency plan test or exercise, including lessons learned + sessions subsequent to the test or exercise, may satisfy contingency + plan training requirements. + - id: cp-3_obj + name: assessment-objective + props: + - name: label + value: CP-03 + class: sp800-53a + parts: + - id: cp-3_obj.a + name: assessment-objective + props: + - name: label + value: CP-03a. + class: sp800-53a + parts: + - id: cp-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: CP-03a.01 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities within {{ insert:\ + \ param, cp-03_odp.01 }} of assuming a contingency role or\ + \ responsibility;" + links: + - href: "#cp-3_smt.a.1" + rel: assessment-for + - id: cp-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: CP-03a.02 + class: sp800-53a + prose: contingency training is provided to system users consistent + with assigned roles and responsibilities when required by + system changes; + links: + - href: "#cp-3_smt.a.2" + rel: assessment-for + - id: cp-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: CP-03a.03 + class: sp800-53a + prose: "contingency training is provided to system users consistent\ + \ with assigned roles and responsibilities {{ insert: param,\ + \ cp-03_odp.02 }} thereafter;" + links: + - href: "#cp-3_smt.a.3" + rel: assessment-for + links: + - href: "#cp-3_smt.a" + rel: assessment-for + - id: cp-3_obj.b + name: assessment-objective + props: + - name: label + value: CP-03b. + class: sp800-53a + parts: + - id: cp-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-03b.[01] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated {{ insert: param, cp-03_odp.03 }};" + links: + - href: "#cp-3_smt.b" + rel: assessment-for + - id: cp-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-03b.[02] + class: sp800-53a + prose: "the contingency plan training content is reviewed and\ + \ updated following {{ insert: param, cp-03_odp.04 }}." + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt.b" + rel: assessment-for + links: + - href: "#cp-3_smt" + rel: assessment-for + - id: cp-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency training + + contingency plan + + contingency training curriculum + + contingency training material + + contingency training records + + system security plan + + other relevant documents or records + - id: cp-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, plan + implementation, and training responsibilities + + + organizational personnel with information security responsibilities + - id: cp-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for contingency training + - id: cp-4 + class: SP800-53 + title: Contingency Plan Testing + params: + - id: cp-4_prm_2 + label: organization-defined tests + constraints: + - description: functional exercises + - id: cp-04_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency of testing the contingency plan for the system + is defined; + - id: cp-04_odp.02 + label: tests + guidelines: + - prose: tests for determining the effectiveness of the contingency + plan are defined; + - id: cp-04_odp.03 + label: tests + guidelines: + - prose: tests for determining readiness to execute the contingency + plan are defined; + props: + - name: label + value: CP-4 + - name: label + value: CP-04 + class: sp800-53a + - name: sort-id + value: cp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-14" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: cp-4_smt + name: statement + parts: + - id: cp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Test the contingency plan for the system {{ insert: param,\ + \ cp-04_odp.01 }} using the following tests to determine the effectiveness\ + \ of the plan and the readiness to execute the plan: {{ insert:\ + \ param, cp-4_prm_2 }}." + - id: cp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Review the contingency plan test results; and + - id: cp-4_smt.c + name: item + props: + - name: label + value: c. + prose: Initiate corrective actions, if needed. + - id: cp-4_fr + name: item + title: CP-4 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-4_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider develops test plans in accordance + with NIST Special Publication 800-34 (as amended); plans are + approved by the JAB/AO prior to initiating testing. + - id: cp-4_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider must include the Contingency Plan + test results with the security package within the Contingency + Plan-designated appendix (Appendix G, Contingency Plan Test + Report). + - id: cp-4_gdn + name: guidance + prose: Methods for testing contingency plans to determine the effectiveness + of the plans and identify potential weaknesses include checklists, + walk-through and tabletop exercises, simulations (parallel or full + interrupt), and comprehensive exercises. Organizations conduct testing + based on the requirements in contingency plans and include a determination + of the effects on organizational operations, assets, and individuals + due to contingency operations. Organizations have flexibility and + discretion in the breadth, depth, and timelines of corrective actions. + - id: cp-4_obj + name: assessment-objective + props: + - name: label + value: CP-04 + class: sp800-53a + parts: + - id: cp-4_obj.a + name: assessment-objective + props: + - name: label + value: CP-04a. + class: sp800-53a + parts: + - id: cp-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-04a.[01] + class: sp800-53a + prose: "the contingency plan for the system is tested {{ insert:\ + \ param, cp-04_odp.01 }};" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-04a.[02] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.02 }} are used to determine\ + \ the effectiveness of the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: CP-04a.[03] + class: sp800-53a + prose: " {{ insert: param, cp-04_odp.03 }} are used to determine\ + \ the readiness to execute the plan;" + links: + - href: "#cp-4_smt.a" + rel: assessment-for + links: + - href: "#cp-4_smt.a" + rel: assessment-for + - id: cp-4_obj.b + name: assessment-objective + props: + - name: label + value: CP-04b. + class: sp800-53a + prose: the contingency plan test results are reviewed; + links: + - href: "#cp-4_smt.b" + rel: assessment-for + - id: cp-4_obj.c + name: assessment-objective + props: + - name: label + value: CP-04c. + class: sp800-53a + prose: corrective actions are initiated, if needed. + links: + - href: "#cp-4_smt.c" + rel: assessment-for + links: + - href: "#cp-4_smt" + rel: assessment-for + - id: cp-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing contingency plan testing + + contingency plan + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + contingency plan testing, reviewing, or responding to + contingency plan tests + + + organizational personnel with information security responsibilities + - id: cp-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for contingency plan testing + + + mechanisms supporting the contingency plan and/or contingency + plan testing + controls: + - id: cp-4.1 + class: SP800-53-enhancement + title: Coordinate with Related Plans + props: + - name: label + value: CP-4(1) + - name: label + value: CP-04(01) + class: sp800-53a + - name: sort-id + value: cp-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#cp-4" + rel: required + - href: "#ir-8" + rel: related + - href: "#pm-8" + rel: related + parts: + - id: cp-4.1_smt + name: statement + prose: Coordinate contingency plan testing with organizational elements + responsible for related plans. + - id: cp-4.1_gdn + name: guidance + prose: Plans related to contingency planning for organizational + systems include Business Continuity Plans, Disaster Recovery Plans, + Continuity of Operations Plans, Crisis Communications Plans, Critical + Infrastructure Plans, Cyber Incident Response Plans, and Occupant + Emergency Plans. Coordination of contingency plan testing does + not require organizations to create organizational elements to + handle related plans or to align such elements with specific plans. + However, it does require that if such organizational elements + are responsible for related plans, organizations coordinate with + those elements. + - id: cp-4.1_obj + name: assessment-objective + props: + - name: label + value: CP-04(01) + class: sp800-53a + prose: contingency plan testing is coordinated with organizational + elements responsible for related plans. + links: + - href: "#cp-4.1_smt" + rel: assessment-for + - id: cp-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + incident response policy + + procedures addressing contingency plan testing + + contingency plan testing documentation + + contingency plan + + business continuity plans + + disaster recovery plans + + continuity of operations plans + + crisis communications plans + + critical infrastructure plans + + cyber incident response plans + + occupant emergency plans + + system security plan + + other relevant documents or records + - id: cp-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan testing + responsibilities + + + personnel with responsibilities for related plans + + + organizational personnel with information security responsibilities + - id: cp-6 + class: SP800-53 + title: Alternate Storage Site + props: + - name: label + value: CP-6 + - name: label + value: CP-06 + class: sp800-53a + - name: sort-id + value: cp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-36" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-6_smt + name: statement + parts: + - id: cp-6_smt.a + name: item + props: + - name: label + value: a. + prose: Establish an alternate storage site, including necessary + agreements to permit the storage and retrieval of system backup + information; and + - id: cp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Ensure that the alternate storage site provides controls + equivalent to that of the primary site. + - id: cp-6_gdn + name: guidance + prose: Alternate storage sites are geographically distinct from primary + storage sites and maintain duplicate copies of information and data + if the primary storage site is not available. Similarly, alternate + processing sites provide processing capability if the primary processing + site is not available. Geographically distributed architectures that + support contingency requirements may be considered alternate storage + sites. Items covered by alternate storage site agreements include + environmental conditions at the alternate sites, access rules for + systems and facilities, physical and environmental protection requirements, + and coordination of delivery and retrieval of backup media. Alternate + storage sites reflect the requirements in contingency plans so that + organizations can maintain essential mission and business functions + despite compromise, failure, or disruption in organizational systems. + - id: cp-6_obj + name: assessment-objective + props: + - name: label + value: CP-06 + class: sp800-53a + parts: + - id: cp-6_obj.a + name: assessment-objective + props: + - name: label + value: CP-06a. + class: sp800-53a + parts: + - id: cp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-06a.[01] + class: sp800-53a + prose: an alternate storage site is established; + links: + - href: "#cp-6_smt.a" + rel: assessment-for + - id: cp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-06a.[02] + class: sp800-53a + prose: establishment of the alternate storage site includes + necessary agreements to permit the storage and retrieval of + system backup information; + links: + - href: "#cp-6_smt.a" + rel: assessment-for + links: + - href: "#cp-6_smt.a" + rel: assessment-for + - id: cp-6_obj.b + name: assessment-objective + props: + - name: label + value: CP-06b. + class: sp800-53a + prose: the alternate storage site provides controls equivalent to + that of the primary site. + links: + - href: "#cp-6_smt.b" + rel: assessment-for + links: + - href: "#cp-6_smt" + rel: assessment-for + - id: cp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate storage sites + + contingency plan + + alternate storage site agreements + + primary storage site agreements + + system security plan + + other relevant documents or records + - id: cp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing and retrieving system + backup information at the alternate storage site + + + mechanisms supporting and/or implementing the storage and retrieval + of system backup information at the alternate storage site + controls: + - id: cp-6.1 + class: SP800-53-enhancement + title: Separation from Primary Site + props: + - name: label + value: CP-6(1) + - name: label + value: CP-06(01) + class: sp800-53a + - name: sort-id + value: cp-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-6" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-6.1_smt + name: statement + prose: Identify an alternate storage site that is sufficiently separated + from the primary storage site to reduce susceptibility to the + same threats. + - id: cp-6.1_gdn + name: guidance + prose: Threats that affect alternate storage sites are defined in + organizational risk assessments and include natural disasters, + structural failures, hostile attacks, and errors of omission or + commission. Organizations determine what is considered a sufficient + degree of separation between primary and alternate storage sites + based on the types of threats that are of concern. For threats + such as hostile attacks, the degree of separation between sites + is less relevant. + - id: cp-6.1_obj + name: assessment-objective + props: + - name: label + value: CP-06(01) + class: sp800-53a + prose: an alternate storage site that is sufficiently separated + from the primary storage site is identified to reduce susceptibility + to the same threats. + links: + - href: "#cp-6.1_smt" + rel: assessment-for + - id: cp-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate storage sites + + contingency plan + + alternate storage site + + alternate storage site agreements + + primary storage site agreements + + system security plan + + other relevant documents or records + - id: cp-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-6.3 + class: SP800-53-enhancement + title: Accessibility + props: + - name: label + value: CP-6(3) + - name: label + value: CP-06(03) + class: sp800-53a + - name: sort-id + value: cp-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-6" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-6.3_smt + name: statement + prose: Identify potential accessibility problems to the alternate + storage site in the event of an area-wide disruption or disaster + and outline explicit mitigation actions. + - id: cp-6.3_gdn + name: guidance + prose: Area-wide disruptions refer to those types of disruptions + that are broad in geographic scope with such determinations made + by organizations based on organizational assessments of risk. + Explicit mitigation actions include duplicating backup information + at other alternate storage sites if access problems occur at originally + designated alternate sites or planning for physical access to + retrieve backup information if electronic accessibility to the + alternate site is disrupted. + - id: cp-6.3_obj + name: assessment-objective + props: + - name: label + value: CP-06(03) + class: sp800-53a + parts: + - id: cp-6.3_obj-1 + name: assessment-objective + props: + - name: label + value: CP-06(03)[01] + class: sp800-53a + prose: potential accessibility problems to the alternate storage + site in the event of an area-wide disruption or disaster are + identified; + links: + - href: "#cp-6.3_smt" + rel: assessment-for + - id: cp-6.3_obj-2 + name: assessment-objective + props: + - name: label + value: CP-06(03)[02] + class: sp800-53a + prose: explicit mitigation actions to address identified accessibility + problems are outlined. + links: + - href: "#cp-6.3_smt" + rel: assessment-for + links: + - href: "#cp-6.3_smt" + rel: assessment-for + - id: cp-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing alternate storage sites + + + contingency plan + + + alternate storage site + + + list of potential accessibility problems to alternate storage + site + + + mitigation actions for accessibility problems to alternate + storage site + + + organizational risk assessments + + + system security plan + + + other relevant documents or records + - id: cp-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + storage site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7 + class: SP800-53 + title: Alternate Processing Site + params: + - id: cp-07_odp.01 + label: system operations + guidelines: + - prose: system operations for essential mission and business functions + are defined; + - id: cp-07_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives is defined; + props: + - name: label + value: CP-7 + - name: label + value: CP-07 + class: sp800-53a + - name: sort-id + value: cp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-11" + rel: related + - href: "#pe-12" + rel: related + - href: "#pe-17" + rel: related + - href: "#sc-36" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-7_smt + name: statement + parts: + - id: cp-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish an alternate processing site, including necessary\ + \ agreements to permit the transfer and resumption of {{ insert:\ + \ param, cp-07_odp.01 }} for essential mission and business functions\ + \ within {{ insert: param, cp-07_odp.02 }} when the primary processing\ + \ capabilities are unavailable;" + - id: cp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Make available at the alternate processing site, the equipment + and supplies required to transfer and resume operations or put + contracts in place to support delivery to the site within the + organization-defined time period for transfer and resumption; + and + - id: cp-7_smt.c + name: item + props: + - name: label + value: c. + prose: Provide controls at the alternate processing site that are + equivalent to those at the primary site. + - id: cp-7_fr + name: item + title: CP-7 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-7_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines a time period consistent + with the recovery time objectives and business impact analysis. + - id: cp-7_gdn + name: guidance + prose: Alternate processing sites are geographically distinct from primary + processing sites and provide processing capability if the primary + processing site is not available. The alternate processing capability + may be addressed using a physical processing site or other alternatives, + such as failover to a cloud-based service provider or other internally + or externally provided processing service. Geographically distributed + architectures that support contingency requirements may also be considered + alternate processing sites. Controls that are covered by alternate + processing site agreements include the environmental conditions at + alternate sites, access rules, physical and environmental protection + requirements, and the coordination for the transfer and assignment + of personnel. Requirements are allocated to alternate processing sites + that reflect the requirements in contingency plans to maintain essential + mission and business functions despite disruption, compromise, or + failure in organizational systems. + - id: cp-7_obj + name: assessment-objective + props: + - name: label + value: CP-07 + class: sp800-53a + parts: + - id: cp-7_obj.a + name: assessment-objective + props: + - name: label + value: CP-07a. + class: sp800-53a + prose: "an alternate processing site, including necessary agreements\ + \ to permit the transfer and resumption of {{ insert: param, cp-07_odp.01\ + \ }} for essential mission and business functions, is established\ + \ within {{ insert: param, cp-07_odp.02 }} when the primary processing\ + \ capabilities are unavailable;" + links: + - href: "#cp-7_smt.a" + rel: assessment-for + - id: cp-7_obj.b + name: assessment-objective + props: + - name: label + value: CP-07b. + class: sp800-53a + parts: + - id: cp-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: CP-07b.[01] + class: sp800-53a + prose: "the equipment and supplies required to transfer operations\ + \ are made available at the alternate processing site or if\ + \ contracts are in place to support delivery to the site within\ + \ {{ insert: param, cp-07_odp.02 }} for transfer;" + links: + - href: "#cp-7_smt.b" + rel: assessment-for + - id: cp-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: CP-07b.[02] + class: sp800-53a + prose: "the equipment and supplies required to resume operations\ + \ are made available at the alternate processing site or if\ + \ contracts are in place to support delivery to the site within\ + \ {{ insert: param, cp-07_odp.02 }} for resumption;" + links: + - href: "#cp-7_smt.b" + rel: assessment-for + links: + - href: "#cp-7_smt.b" + rel: assessment-for + - id: cp-7_obj.c + name: assessment-objective + props: + - name: label + value: CP-07c. + class: sp800-53a + prose: controls provided at the alternate processing site are equivalent + to those at the primary site. + links: + - href: "#cp-7_smt.c" + rel: assessment-for + links: + - href: "#cp-7_smt" + rel: assessment-for + - id: cp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing alternate processing sites + + + contingency plan + + + alternate processing site agreements + + + primary processing site agreements + + + spare equipment and supplies inventory at alternate processing + site + + + equipment and supply contracts + + + service-level agreements + + + system security plan + + + other relevant documents or records + - id: cp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + contingency planning and/or alternate site arrangements + + + organizational personnel with information security responsibilities + - id: cp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for recovery at the alternate site + + + mechanisms supporting and/or implementing recovery at the alternate + processing site + controls: + - id: cp-7.1 + class: SP800-53-enhancement + title: Separation from Primary Site + props: + - name: label + value: CP-7(1) + - name: label + value: CP-07(01) + class: sp800-53a + - name: sort-id + value: cp-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-7.1_smt + name: statement + prose: Identify an alternate processing site that is sufficiently + separated from the primary processing site to reduce susceptibility + to the same threats. + parts: + - id: cp-7.1_fr + name: item + title: CP-7 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: cp-7.1_fr_smt.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The service provider may determine what is considered + a sufficient degree of separation between the primary + and alternate processing sites, based on the types of + threats that are of concern. For one particular type of + threat (i.e., hostile cyber attack), the degree of separation + between sites will be less relevant. + - id: cp-7.1_gdn + name: guidance + prose: Threats that affect alternate processing sites are defined + in organizational assessments of risk and include natural disasters, + structural failures, hostile attacks, and errors of omission or + commission. Organizations determine what is considered a sufficient + degree of separation between primary and alternate processing + sites based on the types of threats that are of concern. For threats + such as hostile attacks, the degree of separation between sites + is less relevant. + - id: cp-7.1_obj + name: assessment-objective + props: + - name: label + value: CP-07(01) + class: sp800-53a + prose: an alternate processing site that is sufficiently separated + from the primary processing site to reduce susceptibility to the + same threats is identified. + links: + - href: "#cp-7.1_smt" + rel: assessment-for + - id: cp-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site + + alternate processing site agreements + + primary processing site agreements + + system security plan + + other relevant documents or records + - id: cp-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7.2 + class: SP800-53-enhancement + title: Accessibility + props: + - name: label + value: CP-7(2) + - name: label + value: CP-07(02) + class: sp800-53a + - name: sort-id + value: cp-07.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + - href: "#ra-3" + rel: related + parts: + - id: cp-7.2_smt + name: statement + prose: Identify potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster and + outlines explicit mitigation actions. + - id: cp-7.2_gdn + name: guidance + prose: Area-wide disruptions refer to those types of disruptions + that are broad in geographic scope with such determinations made + by organizations based on organizational assessments of risk. + - id: cp-7.2_obj + name: assessment-objective + props: + - name: label + value: CP-07(02) + class: sp800-53a + parts: + - id: cp-7.2_obj-1 + name: assessment-objective + props: + - name: label + value: CP-07(02)[01] + class: sp800-53a + prose: potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster + are identified; + links: + - href: "#cp-7.2_smt" + rel: assessment-for + - id: cp-7.2_obj-2 + name: assessment-objective + props: + - name: label + value: CP-07(02)[02] + class: sp800-53a + prose: explicit mitigation actions to address identified accessibility + problems are outlined. + links: + - href: "#cp-7.2_smt" + rel: assessment-for + links: + - href: "#cp-7.2_smt" + rel: assessment-for + - id: cp-7.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site + + alternate processing site agreements + + primary processing site agreements + + system security plan + + other relevant documents or records + - id: cp-7.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + - id: cp-7.3 + class: SP800-53-enhancement + title: Priority of Service + props: + - name: label + value: CP-7(3) + - name: label + value: CP-07(03) + class: sp800-53a + - name: sort-id + value: cp-07.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-7" + rel: required + parts: + - id: cp-7.3_smt + name: statement + prose: Develop alternate processing site agreements that contain + priority-of-service provisions in accordance with availability + requirements (including recovery time objectives). + - id: cp-7.3_gdn + name: guidance + prose: Priority of service agreements refer to negotiated agreements + with service providers that ensure that organizations receive + priority treatment consistent with their availability requirements + and the availability of information resources for logical alternate + processing and/or at the physical alternate processing site. Organizations + establish recovery time objectives as part of contingency planning. + - id: cp-7.3_obj + name: assessment-objective + props: + - name: label + value: CP-07(03) + class: sp800-53a + prose: alternate processing site agreements that contain priority-of-service + provisions in accordance with availability requirements (including + recovery time objectives) are developed. + links: + - href: "#cp-7.3_smt" + rel: assessment-for + - id: cp-7.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-07(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate processing sites + + contingency plan + + alternate processing site agreements + + service-level agreements + + system security plan + + other relevant documents or records + - id: cp-7.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-07(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan alternate + processing site responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-8 + class: SP800-53 + title: Telecommunications Services + params: + - id: cp-08_odp.01 + label: system operations + guidelines: + - prose: system operations to be resumed for essential mission and + business functions are defined; + - id: cp-08_odp.02 + label: time period + guidelines: + - prose: time period within which to resume essential mission and + business functions when the primary telecommunications capabilities + are unavailable is defined; + props: + - name: label + value: CP-8 + - name: label + value: CP-08 + class: sp800-53a + - name: sort-id + value: cp-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-11" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: cp-8_smt + name: statement + prose: "Establish alternate telecommunications services, including necessary\ + \ agreements to permit the resumption of {{ insert: param, cp-08_odp.01\ + \ }} for essential mission and business functions within {{ insert:\ + \ param, cp-08_odp.02 }} when the primary telecommunications capabilities\ + \ are unavailable at either the primary or alternate processing or\ + \ storage sites." + parts: + - id: cp-8_fr + name: item + title: CP-8 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-8_fr_gdn.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines a time period consistent + with the recovery time objectives and business impact analysis. + - id: cp-8_gdn + name: guidance + prose: Telecommunications services (for data and voice) for primary + and alternate processing and storage sites are in scope for [CP-8](#cp-8) + . Alternate telecommunications services reflect the continuity requirements + in contingency plans to maintain essential mission and business functions + despite the loss of primary telecommunications services. Organizations + may specify different time periods for primary or alternate sites. + Alternate telecommunications services include additional organizational + or commercial ground-based circuits or lines, network-based approaches + to telecommunications, or the use of satellites. Organizations consider + factors such as availability, quality of service, and access when + entering into alternate telecommunications agreements. + - id: cp-8_obj + name: assessment-objective + props: + - name: label + value: CP-08 + class: sp800-53a + prose: "alternate telecommunications services, including necessary agreements\ + \ to permit the resumption of {{ insert: param, cp-08_odp.01 }} ,\ + \ are established for essential mission and business functions within\ + \ {{ insert: param, cp-08_odp.02 }} when the primary telecommunications\ + \ capabilities are unavailable at either the primary or alternate\ + \ processing or storage sites." + links: + - href: "#cp-8_smt" + rel: assessment-for + - id: cp-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing alternate telecommunications services + + contingency plan + + primary and alternate telecommunications service agreements + + system security plan + + other relevant documents or records + - id: cp-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with knowledge of requirements for mission + and business functions + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting telecommunications + controls: + - id: cp-8.1 + class: SP800-53-enhancement + title: Priority of Service Provisions + props: + - name: label + value: CP-8(1) + - name: label + value: CP-08(01) + class: sp800-53a + - name: sort-id + value: cp-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + parts: + - id: cp-8.1_smt + name: statement + parts: + - id: cp-8.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Develop primary and alternate telecommunications service + agreements that contain priority-of-service provisions in + accordance with availability requirements (including recovery + time objectives); and + - id: cp-8.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Request Telecommunications Service Priority for all telecommunications + services used for national security emergency preparedness + if the primary and/or alternate telecommunications services + are provided by a common carrier. + - id: cp-8.1_gdn + name: guidance + prose: Organizations consider the potential mission or business + impact in situations where telecommunications service providers + are servicing other organizations with similar priority of service + provisions. Telecommunications Service Priority (TSP) is a Federal + Communications Commission (FCC) program that directs telecommunications + service providers (e.g., wireline and wireless phone companies) + to give preferential treatment to users enrolled in the program + when they need to add new lines or have their lines restored following + a disruption of service, regardless of the cause. The FCC sets + the rules and policies for the TSP program, and the Department + of Homeland Security manages the TSP program. The TSP program + is always in effect and not contingent on a major disaster or + attack taking place. Federal sponsorship is required to enroll + in the TSP program. + - id: cp-8.1_obj + name: assessment-objective + props: + - name: label + value: CP-08(01) + class: sp800-53a + parts: + - id: cp-8.1_obj.a + name: assessment-objective + props: + - name: label + value: CP-08(01)(a) + class: sp800-53a + parts: + - id: cp-8.1_obj.a-1 + name: assessment-objective + props: + - name: label + value: CP-08(01)(a)[01] + class: sp800-53a + prose: primary telecommunications service agreements that + contain priority-of-service provisions in accordance with + availability requirements (including recovery time objectives) + are developed; + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + - id: cp-8.1_obj.a-2 + name: assessment-objective + props: + - name: label + value: CP-08(01)(a)[02] + class: sp800-53a + prose: alternate telecommunications service agreements that + contain priority-of-service provisions in accordance with + availability requirements (including recovery time objectives) + are developed; + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + links: + - href: "#cp-8.1_smt.a" + rel: assessment-for + - id: cp-8.1_obj.b + name: assessment-objective + props: + - name: label + value: CP-08(01)(b) + class: sp800-53a + prose: Telecommunications Service Priority is requested for + all telecommunications services used for national security + emergency preparedness if the primary and/or alternate telecommunications + services are provided by a common carrier. + links: + - href: "#cp-8.1_smt.b" + rel: assessment-for + links: + - href: "#cp-8.1_smt" + rel: assessment-for + - id: cp-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + primary and alternate telecommunications service agreements + + + Telecommunications Service Priority documentation + + + system security plan + + + other relevant documents or records + - id: cp-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibility for acquisitions/contractual + agreements + - id: cp-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting telecommunications + - id: cp-8.2 + class: SP800-53-enhancement + title: Single Points of Failure + props: + - name: label + value: CP-8(2) + - name: label + value: CP-08(02) + class: sp800-53a + - name: sort-id + value: cp-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-8" + rel: required + parts: + - id: cp-8.2_smt + name: statement + prose: Obtain alternate telecommunications services to reduce the + likelihood of sharing a single point of failure with primary telecommunications + services. + - id: cp-8.2_gdn + name: guidance + prose: In certain circumstances, telecommunications service providers + or services may share the same physical lines, which increases + the vulnerability of a single failure point. It is important to + have provider transparency for the actual physical transmission + capability for telecommunication services. + - id: cp-8.2_obj + name: assessment-objective + props: + - name: label + value: CP-08(02) + class: sp800-53a + prose: alternate telecommunications services to reduce the likelihood + of sharing a single point of failure with primary telecommunications + services are obtained. + links: + - href: "#cp-8.2_smt" + rel: assessment-for + - id: cp-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing primary and alternate telecommunications + services + + + contingency plan + + + primary and alternate telecommunications service agreements + + + system security plan + + + other relevant documents or records + - id: cp-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency plan + telecommunications responsibilities + + + organizational personnel with system recovery responsibilities + + + primary and alternate telecommunications service providers + + + organizational personnel with information security responsibilities + - id: cp-9 + class: SP800-53 + title: System Backup + params: + - id: cp-09_odp.01 + label: system components + guidelines: + - prose: system components for which to conduct backups of user-level + information is defined; + - id: cp-09_odp.02 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of user-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.03 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system-level information + consistent with recovery time and recovery point objectives is + defined; + - id: cp-09_odp.04 + label: frequency + constraints: + - description: daily incremental; weekly full + guidelines: + - prose: frequency at which to conduct backups of system documentation + consistent with recovery time and recovery point objectives is + defined; + props: + - name: label + value: CP-9 + - name: label + value: CP-09 + class: sp800-53a + - name: sort-id + value: cp-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#3653e316-8923-430e-8943-b3b2b2562fc6" + rel: reference + - href: "#2494df28-9049-4196-b233-540e7440993f" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#si-4" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-9_smt + name: statement + parts: + - id: cp-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct backups of user-level information contained in {{\ + \ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02\ + \ }};" + - id: cp-9_smt.b + name: item + props: + - name: label + value: b. + prose: "Conduct backups of system-level information contained in\ + \ the system {{ insert: param, cp-09_odp.03 }};" + - id: cp-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct backups of system documentation, including security-\ + \ and privacy-related documentation {{ insert: param, cp-09_odp.04\ + \ }} ; and" + - id: cp-9_smt.d + name: item + props: + - name: label + value: d. + prose: Protect the confidentiality, integrity, and availability + of backup information. + - id: cp-9_fr + name: item + title: CP-9 Additional FedRAMP Requirements and Guidance + parts: + - id: cp-9_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider shall determine what elements of + the cloud environment require the Information System Backup + control. The service provider shall determine how Information + System Backup is going to be verified and appropriate periodicity + of the check. + - id: cp-9_fr_smt.2 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider maintains at least three backup + copies of user-level information (at least one of which is + available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.3 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider maintains at least three backup + copies of system-level information (at least one of which + is available online) or provides an equivalent alternative. + - id: cp-9_fr_smt.4 + name: item + props: + - name: label + value: "(c) Requirement:" + prose: The service provider maintains at least three backup + copies of information system documentation including security + information (at least one of which is available online) or + provides an equivalent alternative. + - id: cp-9_gdn + name: guidance + prose: System-level information includes system state information, operating + system software, middleware, application software, and licenses. User-level + information includes information other than system-level information. + Mechanisms employed to protect the integrity of system backups include + digital signatures and cryptographic hashes. Protection of system + backup information while in transit is addressed by [MP-5](#mp-5) + and [SC-8](#sc-8) . System backups reflect the requirements in contingency + plans as well as other organizational requirements for backing up + information. Organizations may be subject to laws, executive orders, + directives, regulations, or policies with requirements regarding specific + categories of information (e.g., personal health information). Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: cp-9_obj + name: assessment-objective + props: + - name: label + value: CP-09 + class: sp800-53a + parts: + - id: cp-9_obj.a + name: assessment-objective + props: + - name: label + value: CP-09a. + class: sp800-53a + prose: "backups of user-level information contained in {{ insert:\ + \ param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02\ + \ }};" + links: + - href: "#cp-9_smt.a" + rel: assessment-for + - id: cp-9_obj.b + name: assessment-objective + props: + - name: label + value: CP-09b. + class: sp800-53a + prose: "backups of system-level information contained in the system\ + \ are conducted {{ insert: param, cp-09_odp.03 }};" + links: + - href: "#cp-9_smt.b" + rel: assessment-for + - id: cp-9_obj.c + name: assessment-objective + props: + - name: label + value: CP-09c. + class: sp800-53a + prose: "backups of system documentation, including security- and\ + \ privacy-related documentation are conducted {{ insert: param,\ + \ cp-09_odp.04 }};" + links: + - href: "#cp-9_smt.c" + rel: assessment-for + - id: cp-9_obj.d + name: assessment-objective + props: + - name: label + value: CP-09d. + class: sp800-53a + parts: + - id: cp-9_obj.d-1 + name: assessment-objective + props: + - name: label + value: CP-09d.[01] + class: sp800-53a + prose: the confidentiality of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-2 + name: assessment-objective + props: + - name: label + value: CP-09d.[02] + class: sp800-53a + prose: the integrity of backup information is protected; + links: + - href: "#cp-9_smt.d" + rel: assessment-for + - id: cp-9_obj.d-3 + name: assessment-objective + props: + - name: label + value: CP-09d.[03] + class: sp800-53a + prose: the availability of backup information is protected. + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt.d" + rel: assessment-for + links: + - href: "#cp-9_smt" + rel: assessment-for + - id: cp-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + backup storage location(s) + + system backup logs or records + + system security plan + + privacy plan + + other relevant documents or records + - id: cp-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: cp-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + controls: + - id: cp-9.1 + class: SP800-53-enhancement + title: Testing for Reliability and Integrity + params: + - id: cp-9.1_prm_1 + label: organization-defined frequency + constraints: + - description: at least annually + - id: cp-09.01_odp.01 + label: frequency + guidelines: + - prose: frequency at which to test backup information for media + reliability is defined; + - id: cp-09.01_odp.02 + label: frequency + guidelines: + - prose: frequency at which to test backup information for information + integrity is defined; + props: + - name: label + value: CP-9(1) + - name: label + value: CP-09(01) + class: sp800-53a + - name: sort-id + value: cp-09.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#cp-4" + rel: related + parts: + - id: cp-9.1_smt + name: statement + prose: "Test backup information {{ insert: param, cp-9.1_prm_1 }}\ + \ to verify media reliability and information integrity." + - id: cp-9.1_gdn + name: guidance + prose: Organizations need assurance that backup information can + be reliably retrieved. Reliability pertains to the systems and + system components where the backup information is stored, the + operations used to retrieve the information, and the integrity + of the information being retrieved. Independent and specialized + tests can be used for each of the aspects of reliability. For + example, decrypting and transporting (or transmitting) a random + sample of backup files from the alternate storage or backup site + and comparing the information to the same information at the primary + processing site can provide such assurance. + - id: cp-9.1_obj + name: assessment-objective + props: + - name: label + value: CP-09(01) + class: sp800-53a + parts: + - id: cp-9.1_obj-1 + name: assessment-objective + props: + - name: label + value: CP-09(01)[01] + class: sp800-53a + prose: "backup information is tested {{ insert: param, cp-09.01_odp.01\ + \ }} to verify media reliability;" + links: + - href: "#cp-9.1_smt" + rel: assessment-for + - id: cp-9.1_obj-2 + name: assessment-objective + props: + - name: label + value: CP-09(01)[02] + class: sp800-53a + prose: "backup information is tested {{ insert: param, cp-09.01_odp.02\ + \ }} to verify information integrity." + links: + - href: "#cp-9.1_smt" + rel: assessment-for + links: + - href: "#cp-9.1_smt" + rel: assessment-for + - id: cp-9.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test documentation + + contingency plan test results + + system security plan + + other relevant documents or records + - id: cp-9.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting system backups + + mechanisms supporting and/or implementing system backups + - id: cp-9.8 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: cp-09.08_odp + label: backup information + constraints: + - description: all backup files + guidelines: + - prose: backup information to protect against unauthorized disclosure + and modification is defined; + props: + - name: label + value: CP-9(8) + - name: label + value: CP-09(08) + class: sp800-53a + - name: sort-id + value: cp-09.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-9" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: cp-9.8_smt + name: statement + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of {{ insert: param, cp-09.08_odp\ + \ }}." + parts: + - id: cp-9.8_fr + name: item + title: CP-9 (8) Additional FedRAMP Requirements and Guidance + parts: + - id: cp-9.8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: cp-9.8_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of backup information. + The strength of mechanisms selected is commensurate with the security + category or classification of the information. Cryptographic protection + applies to system backup information in storage at both primary + and alternate locations. Organizations that implement cryptographic + mechanisms to protect information at rest also consider cryptographic + key management solutions. + - id: cp-9.8_obj + name: assessment-objective + props: + - name: label + value: CP-09(08) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent unauthorized\ + \ disclosure and modification of {{ insert: param, cp-09.08_odp\ + \ }}." + links: + - href: "#cp-9.8_smt" + rel: assessment-for + - id: cp-9.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-09(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system backup + + + contingency plan + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: cp-9.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-09(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system backup + responsibilities + + + organizational personnel with information security responsibilities + - id: cp-9.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-09(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic + protection of backup information + - id: cp-10 + class: SP800-53 + title: System Recovery and Reconstitution + params: + - id: cp-10_prm_1 + label: organization-defined time period consistent with recovery time + and recovery point objectives + - id: cp-10_odp.01 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the recovery of the system is determined; + - id: cp-10_odp.02 + label: time period + guidelines: + - prose: time period consistent with recovery time and recovery point + objectives for the reconstitution of the system is determined; + props: + - name: label + value: CP-10 + - name: label + value: CP-10 + class: sp800-53a + - name: sort-id + value: cp-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#bc39f179-c735-4da2-b7a7-b2b622119755" + rel: reference + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#cp-9" + rel: related + - href: "#ir-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-24" + rel: related + - href: "#si-13" + rel: related + parts: + - id: cp-10_smt + name: statement + prose: "Provide for the recovery and reconstitution of the system to\ + \ a known state within {{ insert: param, cp-10_prm_1 }} after a disruption,\ + \ compromise, or failure." + - id: cp-10_gdn + name: guidance + prose: Recovery is executing contingency plan activities to restore + organizational mission and business functions. Reconstitution takes + place following recovery and includes activities for returning systems + to fully operational states. Recovery and reconstitution operations + reflect mission and business priorities; recovery point, recovery + time, and reconstitution objectives; and organizational metrics consistent + with contingency plan requirements. Reconstitution includes the deactivation + of interim system capabilities that may have been needed during recovery + operations. Reconstitution also includes assessments of fully restored + system capabilities, reestablishment of continuous monitoring activities, + system reauthorization (if required), and activities to prepare the + system and organization for future disruptions, breaches, compromises, + or failures. Recovery and reconstitution capabilities can include + automated mechanisms and manual procedures. Organizations establish + recovery time and recovery point objectives as part of contingency + planning. + - id: cp-10_obj + name: assessment-objective + props: + - name: label + value: CP-10 + class: sp800-53a + parts: + - id: cp-10_obj-1 + name: assessment-objective + props: + - name: label + value: CP-10[01] + class: sp800-53a + prose: "the recovery of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.01 }} after a disruption,\ + \ compromise, or failure;" + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_obj-2 + name: assessment-objective + props: + - name: label + value: CP-10[02] + class: sp800-53a + prose: "a reconstitution of the system to a known state is provided\ + \ within {{ insert: param, cp-10_odp.02 }} after a disruption,\ + \ compromise, or failure." + links: + - href: "#cp-10_smt" + rel: assessment-for + links: + - href: "#cp-10_smt" + rel: assessment-for + - id: cp-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Contingency planning policy + + procedures addressing system backup + + contingency plan + + system backup test results + + contingency plan test results + + contingency plan test documentation + + redundant secondary system for system backups + + location(s) of redundant secondary backup system(s) + + system security plan + + other relevant documents or records + - id: cp-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with contingency planning, + recovery, and/or reconstitution responsibilities + + + organizational personnel with information security responsibilities + - id: cp-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes implementing system recovery and + reconstitution operations + + + mechanisms supporting and/or implementing system recovery and + reconstitution operations + controls: + - id: cp-10.2 + class: SP800-53-enhancement + title: Transaction Recovery + props: + - name: label + value: CP-10(2) + - name: label + value: CP-10(02) + class: sp800-53a + - name: sort-id + value: cp-10.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-10" + rel: required + parts: + - id: cp-10.2_smt + name: statement + prose: Implement transaction recovery for systems that are transaction-based. + - id: cp-10.2_gdn + name: guidance + prose: Transaction-based systems include database management systems + and transaction processing systems. Mechanisms supporting transaction + recovery include transaction rollback and transaction journaling. + - id: cp-10.2_obj + name: assessment-objective + props: + - name: label + value: CP-10(02) + class: sp800-53a + prose: transaction recovery is implemented for systems that are + transaction-based. + links: + - href: "#cp-10.2_smt" + rel: assessment-for + - id: cp-10.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: CP-10(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Contingency planning policy + + + procedures addressing system recovery and reconstitution + + + contingency plan + + + system design documentation + + + system configuration settings and associated documentation + + + contingency plan test documentation + + + contingency plan test results + + + system transaction recovery records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: cp-10.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: CP-10(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + transaction recovery + + + organizational personnel with information security responsibilities + - id: cp-10.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: CP-10(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transaction + recovery capability + - id: ia + class: family + title: Identification and Authentication + controls: + - id: ia-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ia-1_prm_1 + label: organization-defined personnel or roles + - id: ia-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + policy is to be disseminated are defined; + - id: ia-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the identification and authentication + procedures are to be disseminated is/are defined; + - id: ia-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ia-01_odp.04 + label: official + guidelines: + - prose: an official to manage the identification and authentication + policy and procedures is defined; + - id: ia-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current identification and authentication + policy is reviewed and updated is defined; + - id: ia-01_odp.06 + label: events + guidelines: + - prose: events that would require the current identification and + authentication policy to be reviewed and updated are defined; + - id: ia-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current identification and authentication + procedures are reviewed and updated is defined; + - id: ia-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require identification and authentication + procedures to be reviewed and updated are defined; + props: + - name: label + value: IA-1 + - name: label + value: IA-01 + class: sp800-53a + - name: sort-id + value: ia-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#ac-1" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ia-1_smt + name: statement + parts: + - id: ia-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ia-1_prm_1 }}:" + parts: + - id: ia-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ia-01_odp.03 }} identification and\ + \ authentication policy that:" + parts: + - id: ia-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ia-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ia-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification + and authentication controls; + - id: ia-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ia-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures; and" + - id: ia-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current identification and authentication:" + parts: + - id: ia-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ia-01_odp.05 }} and following\ + \ {{ insert: param, ia-01_odp.06 }} ; and" + - id: ia-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ia-01_odp.07 }} and following\ + \ {{ insert: param, ia-01_odp.08 }}." + - id: ia-1_gdn + name: guidance + prose: Identification and authentication policy and procedures address + the controls in the IA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of identification and authentication policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + identification and authentication policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ia-1_obj + name: assessment-objective + props: + - name: label + value: IA-01 + class: sp800-53a + parts: + - id: ia-1_obj.a + name: assessment-objective + props: + - name: label + value: IA-01a. + class: sp800-53a + parts: + - id: ia-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.[01] + class: sp800-53a + prose: an identification and authentication policy is developed + and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.[02] + class: sp800-53a + prose: "the identification and authentication policy is disseminated\ + \ to {{ insert: param, ia-01_odp.01 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.[03] + class: sp800-53a + prose: identification and authentication procedures to facilitate + the implementation of the identification and authentication + policy and associated identification and authentication controls + are developed and documented; + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.[04] + class: sp800-53a + prose: "the identification and authentication procedures are\ + \ disseminated to {{ insert: param, ia-01_odp.02 }};" + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IA-01a.01 + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IA-01a.01(a) + class: sp800-53a + parts: + - id: ia-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses purpose;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses scope;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses roles;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses responsibilities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses management commitment;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy addresses compliance;" + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1.a" + rel: assessment-for + - id: ia-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.03 }} identification\ + \ and authentication policy is consistent with applicable\ + \ laws, executive orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ia-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ia-1_smt.a.1" + rel: assessment-for + links: + - href: "#ia-1_smt.a" + rel: assessment-for + - id: ia-1_obj.b + name: assessment-objective + props: + - name: label + value: IA-01b. + class: sp800-53a + prose: "the {{ insert: param, ia-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the identification\ + \ and authentication policy and procedures;" + links: + - href: "#ia-1_smt.b" + rel: assessment-for + - id: ia-1_obj.c + name: assessment-objective + props: + - name: label + value: IA-01c. + class: sp800-53a + parts: + - id: ia-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IA-01c.01 + class: sp800-53a + parts: + - id: ia-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IA-01c.01[01] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated {{ insert: param, ia-01_odp.05\ + \ }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IA-01c.01[02] + class: sp800-53a + prose: "the current identification and authentication policy\ + \ is reviewed and updated following {{ insert: param,\ + \ ia-01_odp.06 }};" + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + links: + - href: "#ia-1_smt.c.1" + rel: assessment-for + - id: ia-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IA-01c.02 + class: sp800-53a + parts: + - id: ia-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IA-01c.02[01] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated {{ insert: param, ia-01_odp.07\ + \ }};" + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + - id: ia-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IA-01c.02[02] + class: sp800-53a + prose: "the current identification and authentication procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ ia-01_odp.08 }}." + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c.2" + rel: assessment-for + links: + - href: "#ia-1_smt.c" + rel: assessment-for + links: + - href: "#ia-1_smt" + rel: assessment-for + - id: ia-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy and procedures + + + system security plan + + + privacy plan + + + risk management strategy documentation + + + list of events requiring identification and authentication procedures + to be reviewed and updated (e.g., audit findings) + + + other relevant documents or records + - id: ia-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identification and + authentication responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ia-2 + class: SP800-53 + title: Identification and Authentication (Organizational Users) + props: + - name: label + value: IA-2 + - name: label + value: IA-02 + class: sp800-53a + - name: sort-id + value: ia-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4" + rel: reference + - href: "#e8552d48-cf41-40aa-8b06-f45f7fb4706c" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#7f473f21-fdbf-4a6c-81a1-0ab95919609d" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-1" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: ia-2_smt + name: statement + prose: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those + users. + parts: + - id: ia-2_fr + name: item + title: IA-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: For all control enhancements that specify multifactor + authentication, the implementation must adhere to the Digital + Identity Guidelines specified in NIST Special Publication + 800-63B. + - id: ia-2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2_fr_smt.3 + name: item + props: + - name: label + value: "Requirement:" + prose: All uses of encrypted virtual private networks must meet + all applicable Federal requirements and architecture, dataflow, + and security and privacy controls must be documented, assessed, + and authorized to operate. + - id: ia-2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: \"Phishing-resistant\" authentication refers to authentication + processes designed to detect and prevent disclosure of authentication + secrets and outputs to a website or application masquerading + as a legitimate system. + - id: ia-2_gdn + name: guidance + prose: >- + Organizations can satisfy the identification and authentication + requirements by complying with the requirements in [HSPD + 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational + users include employees or individuals who organizations + consider to have an equivalent status to employees (e.g., + contractors and guest researchers). Unique identification and + authentication of users applies to all accesses other than those + that are explicitly identified in [AC-14](#ac-14) and that occur + through the authorized use of group authenticators without + individual authentication. Since processes execute on behalf of + groups and roles, organizations may require unique + identification of individuals in group accounts or for detailed + accountability of individual activity. + + + Organizations employ passwords, physical authenticators, or biometrics + to authenticate user identities or, in the case of multi-factor authentication, + some combination thereof. Access to organizational systems is defined + as either local access or network access. Local access is any access + to organizational systems by users or processes acting on behalf of + users, where access is obtained through direct connections without + the use of networks. Network access is access to organizational systems + by users (or processes acting on behalf of users) where access is + obtained through network connections (i.e., nonlocal accesses). Remote + access is a type of network access that involves communication through + external networks. Internal networks include local area networks and + wide area networks. + + + The use of encrypted virtual private networks for network connections + between organization-controlled endpoints and non-organization-controlled + endpoints may be treated as internal networks with respect to protecting + the confidentiality and integrity of information traversing the network. + Identification and authentication requirements for non-organizational + users are described in [IA-8](#ia-8). + - id: ia-2_obj + name: assessment-objective + props: + - name: label + value: IA-02 + class: sp800-53a + parts: + - id: ia-2_obj-1 + name: assessment-objective + props: + - name: label + value: IA-02[01] + class: sp800-53a + prose: organizational users are uniquely identified and authenticated; + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_obj-2 + name: assessment-objective + props: + - name: label + value: IA-02[02] + class: sp800-53a + prose: the unique identification of authenticated organizational + users is associated with processes acting on behalf of those users. + links: + - href: "#ia-2_smt" + rel: assessment-for + links: + - href: "#ia-2_smt" + rel: assessment-for + - id: ia-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing user identification and authentication + + system security plan, system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + + + system developers + - id: ia-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for uniquely identifying and + authenticating users + + + mechanisms supporting and/or implementing identification and authentication + capabilities + controls: + - id: ia-2.1 + class: SP800-53-enhancement + title: Multi-factor Authentication to Privileged Accounts + props: + - name: label + value: IA-2(1) + - name: label + value: IA-02(01) + class: sp800-53a + - name: sort-id + value: ia-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + parts: + - id: ia-2.1_smt + name: statement + prose: Implement multi-factor authentication for access to privileged + accounts. + parts: + - id: ia-2.1_fr + name: item + title: IA-2 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.1_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.1_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification (PIV) card or the Department of Defense\ + \ (DoD) Common Access Card (CAC). In addition to authenticating\ + \ users at the system level (i.e., at logon), organizations may\ + \ employ authentication mechanisms at the application level, at\ + \ their discretion, to provide increased security. Regardless\ + \ of the type of access (i.e., local, network, remote), privileged\ + \ accounts are authenticated using multi-factor options appropriate\ + \ for the level of risk. Organizations can add additional security\ + \ measures, such as additional or more rigorous authentication\ + \ mechanisms, for specific types of access." + - id: ia-2.1_obj + name: assessment-objective + props: + - name: label + value: IA-02(01) + class: sp800-53a + prose: multi-factor authentication is implemented for access to + privileged accounts. + links: + - href: "#ia-2.1_smt" + rel: assessment-for + - id: ia-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user identification and authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.2 + class: SP800-53-enhancement + title: Multi-factor Authentication to Non-privileged Accounts + props: + - name: label + value: IA-2(2) + - name: label + value: IA-02(02) + class: sp800-53a + - name: sort-id + value: ia-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-5" + rel: related + parts: + - id: ia-2.2_smt + name: statement + prose: Implement multi-factor authentication for access to non-privileged + accounts. + parts: + - id: ia-2.2_fr + name: item + title: IA-2 (2) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.2_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B + (AAL), and SP 800-63C (FAL). + - id: ia-2.2_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Multi-factor authentication must be phishing-resistant. + - id: ia-2.2_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Multi-factor authentication to subsequent components + in the same user domain is not required. + - id: ia-2.2_gdn + name: guidance + prose: "Multi-factor authentication requires the use of two or more\ + \ different factors to achieve authentication. The authentication\ + \ factors are defined as follows: something you know (e.g., a\ + \ personal identification number [PIN]), something you have (e.g.,\ + \ a physical authenticator such as a cryptographic private key),\ + \ or something you are (e.g., a biometric). Multi-factor authentication\ + \ solutions that feature physical authenticators include hardware\ + \ authenticators that provide time-based or challenge-response\ + \ outputs and smart cards such as the U.S. Government Personal\ + \ Identity Verification card or the DoD Common Access Card. In\ + \ addition to authenticating users at the system level, organizations\ + \ may also employ authentication mechanisms at the application\ + \ level, at their discretion, to provide increased information\ + \ security. Regardless of the type of access (i.e., local, network,\ + \ remote), non-privileged accounts are authenticated using multi-factor\ + \ options appropriate for the level of risk. Organizations can\ + \ provide additional security measures, such as additional or\ + \ more rigorous authentication mechanisms, for specific types\ + \ of access." + - id: ia-2.2_obj + name: assessment-objective + props: + - name: label + value: IA-02(02) + class: sp800-53a + prose: multi-factor authentication for access to non-privileged + accounts is implemented. + links: + - href: "#ia-2.2_smt" + rel: assessment-for + - id: ia-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a multi-factor + authentication capability + - id: ia-2.5 + class: SP800-53-enhancement + title: Individual Authentication with Group Authentication + props: + - name: label + value: IA-2(5) + - name: label + value: IA-02(05) + class: sp800-53a + - name: sort-id + value: ia-02.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.5_smt + name: statement + prose: When shared accounts or authenticators are employed, require + users to be individually authenticated before granting access + to the shared accounts or resources. + - id: ia-2.5_gdn + name: guidance + prose: Individual authentication prior to shared group authentication + mitigates the risk of using group accounts or authenticators. + - id: ia-2.5_obj + name: assessment-objective + props: + - name: label + value: IA-02(05) + class: sp800-53a + prose: users are required to be individually authenticated before + granting access to the shared accounts or resources when shared + accounts or authenticators are employed. + links: + - href: "#ia-2.5_smt" + rel: assessment-for + - id: ia-2.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an authentication + capability for group accounts + - id: ia-2.6 + class: SP800-53-enhancement + title: Access to Accounts —separate Device + params: + - id: ia-02.06_odp.01 + constraints: + - description: local, network and remote + select: + how-many: one-or-more + choice: + - local + - network + - remote + - id: ia-02.06_odp.02 + constraints: + - description: privileged accounts; non-privileged accounts + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + - id: ia-02.06_odp.03 + label: strength of mechanism requirements + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: the strength of mechanism requirements to be enforced + by a device separate from the system gaining access to accounts + is defined; + props: + - name: label + value: IA-2(6) + - name: label + value: IA-02(06) + class: sp800-53a + - name: sort-id + value: ia-02.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + - href: "#ac-6" + rel: related + parts: + - id: ia-2.6_smt + name: statement + prose: "Implement multi-factor authentication for {{ insert: param,\ + \ ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that:" + parts: + - id: ia-2.6_smt.a + name: item + props: + - name: label + value: (a) + prose: One of the factors is provided by a device separate from + the system gaining access; and + - id: ia-2.6_smt.b + name: item + props: + - name: label + value: (b) + prose: "The device meets {{ insert: param, ia-02.06_odp.03 }}." + - id: ia-2.6_fr + name: item + title: IA-2 (6) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.6_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: PIV=separate device. Please refer to NIST SP 800-157 + Guidelines for Derived Personal Identity Verification + (PIV) Credentials. + - id: ia-2.6_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See SC-13 Guidance for more information on FIPS-validated + or NSA-approved cryptography. + - id: ia-2.6_gdn + name: guidance + prose: The purpose of requiring a device that is separate from the + system to which the user is attempting to gain access for one + of the factors during multi-factor authentication is to reduce + the likelihood of compromising authenticators or credentials stored + on the system. Adversaries may be able to compromise such authenticators + or credentials and subsequently impersonate authorized users. + Implementing one of the factors on a separate device (e.g., a + hardware token), provides a greater strength of mechanism and + an increased level of assurance in the authentication process. + - id: ia-2.6_obj + name: assessment-objective + props: + - name: label + value: IA-02(06) + class: sp800-53a + parts: + - id: ia-2.6_obj.a + name: assessment-objective + props: + - name: label + value: IA-02(06)(a) + class: sp800-53a + prose: "multi-factor authentication is implemented for {{ insert:\ + \ param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that one of the factors is provided by a device\ + \ separate from the system gaining access;" + links: + - href: "#ia-2.6_smt.a" + rel: assessment-for + - id: ia-2.6_obj.b + name: assessment-objective + props: + - name: label + value: IA-02(06)(b) + class: sp800-53a + prose: "multi-factor authentication is implemented for {{ insert:\ + \ param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02\ + \ }} such that the device meets {{ insert: param, ia-02.06_odp.03\ + \ }}." + links: + - href: "#ia-2.6_smt.b" + rel: assessment-for + links: + - href: "#ia-2.6_smt" + rel: assessment-for + - id: ia-2.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of system accounts + + + other relevant documents or records + - id: ia-2.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing multi-factor + authentication capability + - id: ia-2.8 + class: SP800-53-enhancement + title: Access to Accounts — Replay Resistant + params: + - id: ia-02.08_odp + constraints: + - description: privileged accounts; non-privileged accounts + select: + how-many: one-or-more + choice: + - privileged accounts + - non-privileged accounts + props: + - name: label + value: IA-2(8) + - name: label + value: IA-02(08) + class: sp800-53a + - name: sort-id + value: ia-02.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.8_smt + name: statement + prose: "Implement replay-resistant authentication mechanisms for\ + \ access to {{ insert: param, ia-02.08_odp }}." + - id: ia-2.8_gdn + name: guidance + prose: Authentication processes resist replay attacks if it is impractical + to achieve successful authentications by replaying previous authentication + messages. Replay-resistant techniques include protocols that use + nonces or challenges such as time synchronous or cryptographic + authenticators. + - id: ia-2.8_obj + name: assessment-objective + props: + - name: label + value: IA-02(08) + class: sp800-53a + prose: "replay-resistant authentication mechanisms for access to\ + \ {{ insert: param, ia-02.08_odp }} are implemented." + links: + - href: "#ia-2.8_smt" + rel: assessment-for + - id: ia-2.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of privileged system accounts + + + other relevant documents or records + - id: ia-2.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + Mechanisms supporting and/or implementing replay-resistant + authentication mechanisms + - id: ia-2.12 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials + props: + - name: label + value: IA-2(12) + - name: label + value: IA-02(12) + class: sp800-53a + - name: sort-id + value: ia-02.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-2" + rel: required + parts: + - id: ia-2.12_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials. + parts: + - id: ia-2.12_fr + name: item + title: IA-2 (12) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-2.12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Include Common Access Card (CAC), i.e., the DoD technical + implementation of PIV/FIPS 201/HSPD-12. + - id: ia-2.12_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV)-compliant + credentials applies to organizations implementing logical access + control and physical access control systems. PIV-compliant credentials + are those credentials issued by federal agencies that conform + to FIPS Publication 201 and supporting guidance documents. The + adequacy and reliability of PIV card issuers are authorized using + [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance + of PIV-compliant credentials includes derived PIV credentials, + the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) + . The DOD Common Access Card (CAC) is an example of a PIV credential. + - id: ia-2.12_obj + name: assessment-objective + props: + - name: label + value: IA-02(12) + class: sp800-53a + prose: Personal Identity Verification-compliant credentials are + accepted and electronically verified. + links: + - href: "#ia-2.12_smt" + rel: assessment-for + - id: ia-2.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-02(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-2.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-02(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-2.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-02(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing acceptance + and verification of PIV credentials + - id: ia-3 + class: SP800-53 + title: Device Identification and Authentication + params: + - id: ia-03_odp.01 + label: devices and/or types of devices + guidelines: + - prose: devices and/or types of devices to be uniquely identified + and authenticated before establishing a connection are defined; + - id: ia-03_odp.02 + select: + how-many: one-or-more + choice: + - local + - remote + - network + props: + - name: label + value: IA-3 + - name: label + value: IA-03 + class: sp800-53a + - name: sort-id + value: ia-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#si-4" + rel: related + parts: + - id: ia-3_smt + name: statement + prose: "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01\ + \ }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." + - id: ia-3_gdn + name: guidance + prose: Devices that require unique device-to-device identification and + authentication are defined by type, device, or a combination of type + and device. Organization-defined device types include devices that + are not owned by the organization. Systems use shared known information + (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet + Protocol [TCP/IP] addresses) for device identification or organizational + authentication solutions (e.g., Institute of Electrical and Electronics + Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], + RADIUS server with EAP-Transport Layer Security [TLS] authentication, + Kerberos) to identify and authenticate devices on local and wide area + networks. Organizations determine the required strength of authentication + mechanisms based on the security categories of systems and mission + or business requirements. Because of the challenges of implementing + device authentication on a large scale, organizations can restrict + the application of the control to a limited number/type of devices + based on mission or business needs. + - id: ia-3_obj + name: assessment-objective + props: + - name: label + value: IA-03 + class: sp800-53a + prose: " {{ insert: param, ia-03_odp.01 }} are uniquely identified and\ + \ authenticated before establishing a {{ insert: param, ia-03_odp.02\ + \ }} connection." + links: + - href: "#ia-3_smt" + rel: assessment-for + - id: ia-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing device identification and authentication + + + system design documentation + + + list of devices requiring unique identification and authentication + + + device connection reports + + + system configuration settings and associated documentation + + + other relevant documents or records + - id: ia-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with operational responsibilities + for device identification and authentication + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing device identification + and authentication capabilities + - id: ia-4 + class: SP800-53 + title: Identifier Management + params: + - id: ia-04_odp.01 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles from whom authorization must be received + to assign an identifier are defined; + - id: ia-04_odp.02 + label: time period + constraints: + - description: at least two (2) years + guidelines: + - prose: a time period for preventing reuse of identifiers is defined; + props: + - name: label + value: IA-4 + - name: label + value: IA-04 + class: sp800-53a + - name: sort-id + value: ia-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ia-12" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#sc-37" + rel: related + parts: + - id: ia-4_smt + name: statement + prose: "Manage system identifiers by:" + parts: + - id: ia-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Receiving authorization from {{ insert: param, ia-04_odp.01\ + \ }} to assign an individual, group, role, service, or device\ + \ identifier;" + - id: ia-4_smt.b + name: item + props: + - name: label + value: b. + prose: Selecting an identifier that identifies an individual, group, + role, service, or device; + - id: ia-4_smt.c + name: item + props: + - name: label + value: c. + prose: Assigning the identifier to the intended individual, group, + role, service, or device; and + - id: ia-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02\ + \ }}." + - id: ia-4_gdn + name: guidance + prose: Common device identifiers include Media Access Control (MAC) + addresses, Internet Protocol (IP) addresses, or device-unique token + identifiers. The management of individual identifiers is not applicable + to shared system accounts. Typically, individual identifiers are the + usernames of the system accounts assigned to those individuals. In + such instances, the account management activities of [AC-2](#ac-2) + use account names provided by [IA-4](#ia-4) . Identifier management + also addresses individual identifiers not necessarily associated with + system accounts. Preventing the reuse of identifiers implies preventing + the assignment of previously used individual, group, role, service, + or device identifiers to different individuals, groups, roles, services, + or devices. + - id: ia-4_obj + name: assessment-objective + props: + - name: label + value: IA-04 + class: sp800-53a + parts: + - id: ia-4_obj.a + name: assessment-objective + props: + - name: label + value: IA-04a. + class: sp800-53a + prose: "system identifiers are managed by receiving authorization\ + \ from {{ insert: param, ia-04_odp.01 }} to assign to an individual,\ + \ group, role, or device identifier;" + links: + - href: "#ia-4_smt.a" + rel: assessment-for + - id: ia-4_obj.b + name: assessment-objective + props: + - name: label + value: IA-04b. + class: sp800-53a + prose: system identifiers are managed by selecting an identifier + that identifies an individual, group, role, service, or device; + links: + - href: "#ia-4_smt.b" + rel: assessment-for + - id: ia-4_obj.c + name: assessment-objective + props: + - name: label + value: IA-04c. + class: sp800-53a + prose: system identifiers are managed by assigning the identifier + to the intended individual, group, role, service, or device; + links: + - href: "#ia-4_smt.c" + rel: assessment-for + - id: ia-4_obj.d + name: assessment-objective + props: + - name: label + value: IA-04d. + class: sp800-53a + prose: "system identifiers are managed by preventing reuse of identifiers\ + \ for {{ insert: param, ia-04_odp.02 }}." + links: + - href: "#ia-4_smt.d" + rel: assessment-for + links: + - href: "#ia-4_smt" + rel: assessment-for + - id: ia-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing identifier management + + + procedures addressing account management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of system accounts + + + list of identifiers generated from physical access control devices + + + other relevant documents or records + - id: ia-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identifier management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identifier management + controls: + - id: ia-4.4 + class: SP800-53-enhancement + title: Identify User Status + params: + - id: ia-04.04_odp + label: characteristics + constraints: + - description: contractors; foreign nationals + guidelines: + - prose: characteristics used to identify individual status is + defined; + props: + - name: label + value: IA-4(4) + - name: label + value: IA-04(04) + class: sp800-53a + - name: sort-id + value: ia-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-4" + rel: required + parts: + - id: ia-4.4_smt + name: statement + prose: "Manage individual identifiers by uniquely identifying each\ + \ individual as {{ insert: param, ia-04.04_odp }}." + - id: ia-4.4_gdn + name: guidance + prose: Characteristics that identify the status of individuals include + contractors, foreign nationals, and non-organizational users. + Identifying the status of individuals by these characteristics + provides additional information about the people with whom organizational + personnel are communicating. For example, it might be useful for + a government employee to know that one of the individuals on an + email message is a contractor. + - id: ia-4.4_obj + name: assessment-objective + props: + - name: label + value: IA-04(04) + class: sp800-53a + prose: "individual identifiers are managed by uniquely identifying\ + \ each individual as {{ insert: param, ia-04.04_odp }}." + links: + - href: "#ia-4.4_smt" + rel: assessment-for + - id: ia-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing identifier management + + procedures addressing account management + + list of characteristics identifying individual status + + other relevant documents or records + - id: ia-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with identifier management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identifier + management + - id: ia-5 + class: SP800-53 + title: Authenticator Management + params: + - id: ia-05_odp.01 + label: time period by authenticator type + guidelines: + - prose: a time period for changing or refreshing authenticators by + authenticator type is defined; + - id: ia-05_odp.02 + label: events + guidelines: + - prose: events that trigger the change or refreshment of authenticators + are defined; + props: + - name: label + value: IA-5 + - name: label + value: IA-05 + class: sp800-53a + - name: sort-id + value: ia-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c" + rel: reference + - href: "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#cm-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-5_smt + name: statement + prose: "Manage system authenticators by:" + parts: + - id: ia-5_smt.a + name: item + props: + - name: label + value: a. + prose: Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device + receiving the authenticator; + - id: ia-5_smt.b + name: item + props: + - name: label + value: b. + prose: Establishing initial authenticator content for any authenticators + issued by the organization; + - id: ia-5_smt.c + name: item + props: + - name: label + value: c. + prose: Ensuring that authenticators have sufficient strength of + mechanism for their intended use; + - id: ia-5_smt.d + name: item + props: + - name: label + value: d. + prose: Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or + damaged authenticators, and for revoking authenticators; + - id: ia-5_smt.e + name: item + props: + - name: label + value: e. + prose: Changing default authenticators prior to first use; + - id: ia-5_smt.f + name: item + props: + - name: label + value: f. + prose: "Changing or refreshing authenticators {{ insert: param,\ + \ ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" + - id: ia-5_smt.g + name: item + props: + - name: label + value: g. + prose: Protecting authenticator content from unauthorized disclosure + and modification; + - id: ia-5_smt.h + name: item + props: + - name: label + value: h. + prose: Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and + - id: ia-5_smt.i + name: item + props: + - name: label + value: i. + prose: Changing authenticators for group or role accounts when membership + to those accounts changes. + - id: ia-5_fr + name: item + title: IA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Authenticators must be compliant with NIST SP 800-63-3 + Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3 + - id: ia-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SP 800-63C Section 6.2.3 Encrypted Assertion requires + that authentication assertions be encrypted when passed through + third parties, such as a browser. For example, a SAML assertion + can be encrypted using XML-Encryption, or an OpenID Connect + ID Token can be encrypted using JSON Web Encryption (JWE). + - id: ia-5_gdn + name: guidance + prose: >- + Authenticators include passwords, cryptographic devices, + biometrics, certificates, one-time password devices, and ID + badges. Device authenticators include certificates and + passwords. Initial authenticator content is the actual content + of the authenticator (e.g., the initial password). In contrast, + the requirements for authenticator content contain specific + criteria or characteristics (e.g., minimum password length). + Developers may deliver system components with factory default + authentication credentials (i.e., passwords) to allow for + initial installation and configuration. Default authentication + credentials are often well known, easily discoverable, and + present a significant risk. The requirement to protect + individual authenticators may be implemented via control + [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the + possession of individuals and by controls [AC-3](#ac-3), + [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in + organizational systems, including passwords stored in hashed or + encrypted formats or files containing encrypted or hashed + passwords accessible with administrator privileges. + + + Systems support authenticator management by organization-defined settings + and restrictions for various authenticator characteristics (e.g., + minimum password length, validation time window for time synchronous + one-time tokens, and number of allowed rejections during the verification + stage of biometric authentication). Actions can be taken to safeguard + individual authenticators, including maintaining possession of authenticators, + not sharing authenticators with others, and immediately reporting + lost, stolen, or compromised authenticators. Authenticator management + includes issuing and revoking authenticators for temporary access + when no longer needed. + - id: ia-5_obj + name: assessment-objective + props: + - name: label + value: IA-05 + class: sp800-53a + parts: + - id: ia-5_obj.a + name: assessment-objective + props: + - name: label + value: IA-05a. + class: sp800-53a + prose: system authenticators are managed through the verification + of the identity of the individual, group, role, service, or device + receiving the authenticator as part of the initial authenticator + distribution; + links: + - href: "#ia-5_smt.a" + rel: assessment-for + - id: ia-5_obj.b + name: assessment-objective + props: + - name: label + value: IA-05b. + class: sp800-53a + prose: system authenticators are managed through the establishment + of initial authenticator content for any authenticators issued + by the organization; + links: + - href: "#ia-5_smt.b" + rel: assessment-for + - id: ia-5_obj.c + name: assessment-objective + props: + - name: label + value: IA-05c. + class: sp800-53a + prose: system authenticators are managed to ensure that authenticators + have sufficient strength of mechanism for their intended use; + links: + - href: "#ia-5_smt.c" + rel: assessment-for + - id: ia-5_obj.d + name: assessment-objective + props: + - name: label + value: IA-05d. + class: sp800-53a + prose: system authenticators are managed through the establishment + and implementation of administrative procedures for initial authenticator + distribution; lost, compromised, or damaged authenticators; and + the revocation of authenticators; + links: + - href: "#ia-5_smt.d" + rel: assessment-for + - id: ia-5_obj.e + name: assessment-objective + props: + - name: label + value: IA-05e. + class: sp800-53a + prose: system authenticators are managed through the change of default + authenticators prior to first use; + links: + - href: "#ia-5_smt.e" + rel: assessment-for + - id: ia-5_obj.f + name: assessment-objective + props: + - name: label + value: IA-05f. + class: sp800-53a + prose: "system authenticators are managed through the change or\ + \ refreshment of authenticators {{ insert: param, ia-05_odp.01\ + \ }} or when {{ insert: param, ia-05_odp.02 }} occur;" + links: + - href: "#ia-5_smt.f" + rel: assessment-for + - id: ia-5_obj.g + name: assessment-objective + props: + - name: label + value: IA-05g. + class: sp800-53a + prose: system authenticators are managed through the protection + of authenticator content from unauthorized disclosure and modification; + links: + - href: "#ia-5_smt.g" + rel: assessment-for + - id: ia-5_obj.h + name: assessment-objective + props: + - name: label + value: IA-05h. + class: sp800-53a + parts: + - id: ia-5_obj.h-1 + name: assessment-objective + props: + - name: label + value: IA-05h.[01] + class: sp800-53a + prose: system authenticators are managed through the requirement + for individuals to take specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.h-2 + name: assessment-objective + props: + - name: label + value: IA-05h.[02] + class: sp800-53a + prose: system authenticators are managed through the requirement + for devices to implement specific controls to protect authenticators; + links: + - href: "#ia-5_smt.h" + rel: assessment-for + links: + - href: "#ia-5_smt.h" + rel: assessment-for + - id: ia-5_obj.i + name: assessment-objective + props: + - name: label + value: IA-05i. + class: sp800-53a + prose: system authenticators are managed through the change of authenticators + for group or role accounts when membership to those accounts changes. + links: + - href: "#ia-5_smt.i" + rel: assessment-for + links: + - href: "#ia-5_smt" + rel: assessment-for + - id: ia-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + addressing authenticator management + + + system design documentation + + + system configuration settings and associated documentation + + + list of system authenticator types + + + change control records associated with managing system authenticators + + + system audit records + + + other relevant documents or records + - id: ia-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing authenticator management + capability + controls: + - id: ia-5.1 + class: SP800-53-enhancement + title: Password-based Authentication + params: + - id: ia-05.01_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to update the list of commonly + used, expected, or compromised passwords is defined; + - id: ia-05.01_odp.02 + label: composition and complexity rules + guidelines: + - prose: authenticator composition and complexity rules are defined; + props: + - name: label + value: IA-5(1) + - name: label + value: IA-05(01) + class: sp800-53a + - name: sort-id + value: ia-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + - href: "#ia-6" + rel: related + parts: + - id: ia-5.1_smt + name: statement + prose: "For password-based authentication:" + parts: + - id: ia-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Maintain a list of commonly-used, expected, or compromised\ + \ passwords and update the list {{ insert: param, ia-05.01_odp.01\ + \ }} and when organizational passwords are suspected to have\ + \ been compromised directly or indirectly;" + - id: ia-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Verify, when users create or update passwords, that the + passwords are not found on the list of commonly-used, expected, + or compromised passwords in IA-5(1)(a); + - id: ia-5.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Transmit passwords only over cryptographically-protected + channels; + - id: ia-5.1_smt.d + name: item + props: + - name: label + value: (d) + prose: Store passwords using an approved salted key derivation + function, preferably using a keyed hash; + - id: ia-5.1_smt.e + name: item + props: + - name: label + value: (e) + prose: Require immediate selection of a new password upon account + recovery; + - id: ia-5.1_smt.f + name: item + props: + - name: label + value: (f) + prose: Allow user selection of long passwords and passphrases, + including spaces and all printable characters; + - id: ia-5.1_smt.g + name: item + props: + - name: label + value: (g) + prose: Employ automated tools to assist the user in selecting + strong password authenticators; and + - id: ia-5.1_smt.h + name: item + props: + - name: label + value: (h) + prose: "Enforce the following composition and complexity rules:\ + \ {{ insert: param, ia-05.01_odp.02 }}." + - id: ia-5.1_fr + name: item + title: IA-5 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Password policies must be compliant with NIST SP + 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords + (OTP). Password policies shall not enforce special character + or minimum password rotation requirements for memorized + secrets of users. + - id: ia-5.1_fr_smt.2 + name: item + props: + - name: label + value: "(h) Requirement:" + prose: >- + For cases where technology doesn’t allow + multi-factor authentication, these rules should be + enforced: must have a minimum length of 14 + characters and must support all printable ASCII + characters. + + + For emergency use accounts, these rules should be enforced: + must have a minimum length of 14 characters, must support + all printable ASCII characters, and passwords must be + changed if used. + - id: ia-5.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that (c) and (d) require the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13). + - id: ia-5.1_gdn + name: guidance + prose: Password-based authentication applies to passwords regardless + of whether they are used in single-factor or multi-factor authentication. + Long passwords or passphrases are preferable over shorter passwords. + Enforced composition rules provide marginal security benefits + while decreasing usability. However, organizations may choose + to establish certain rules for password generation (e.g., minimum + character length for long passwords) under certain circumstances + and can enforce this requirement in IA-5(1)(h). Account recovery + can occur, for example, in situations when a password is forgotten. + Cryptographically protected passwords include salted one-way cryptographic + hashes of passwords. The list of commonly used, compromised, or + expected passwords includes passwords obtained from previous breach + corpuses, dictionary words, and repetitive or sequential characters. + The list includes context-specific words, such as the name of + the service, username, and derivatives thereof. + - id: ia-5.1_obj + name: assessment-objective + props: + - name: label + value: IA-05(01) + class: sp800-53a + parts: + - id: ia-5.1_obj.a + name: assessment-objective + props: + - name: label + value: IA-05(01)(a) + class: sp800-53a + prose: "for password-based authentication, a list of commonly\ + \ used, expected, or compromised passwords is maintained and\ + \ updated {{ insert: param, ia-05.01_odp.01 }} and when organizational\ + \ passwords are suspected to have been compromised directly\ + \ or indirectly;" + links: + - href: "#ia-5.1_smt.a" + rel: assessment-for + - id: ia-5.1_obj.b + name: assessment-objective + props: + - name: label + value: IA-05(01)(b) + class: sp800-53a + prose: for password-based authentication when passwords are + created or updated by users, the passwords are verified not + to be found on the list of commonly used, expected, or compromised + passwords in IA-05(01)(a); + links: + - href: "#ia-5.1_smt.b" + rel: assessment-for + - id: ia-5.1_obj.c + name: assessment-objective + props: + - name: label + value: IA-05(01)(c) + class: sp800-53a + prose: for password-based authentication, passwords are only + transmitted over cryptographically protected channels; + links: + - href: "#ia-5.1_smt.c" + rel: assessment-for + - id: ia-5.1_obj.d + name: assessment-objective + props: + - name: label + value: IA-05(01)(d) + class: sp800-53a + prose: for password-based authentication, passwords are stored + using an approved salted key derivation function, preferably + using a keyed hash; + links: + - href: "#ia-5.1_smt.d" + rel: assessment-for + - id: ia-5.1_obj.e + name: assessment-objective + props: + - name: label + value: IA-05(01)(e) + class: sp800-53a + prose: for password-based authentication, immediate selection + of a new password is required upon account recovery; + links: + - href: "#ia-5.1_smt.e" + rel: assessment-for + - id: ia-5.1_obj.f + name: assessment-objective + props: + - name: label + value: IA-05(01)(f) + class: sp800-53a + prose: for password-based authentication, user selection of + long passwords and passphrases is allowed, including spaces + and all printable characters; + links: + - href: "#ia-5.1_smt.f" + rel: assessment-for + - id: ia-5.1_obj.g + name: assessment-objective + props: + - name: label + value: IA-05(01)(g) + class: sp800-53a + prose: for password-based authentication, automated tools are + employed to assist the user in selecting strong password authenticators; + links: + - href: "#ia-5.1_smt.g" + rel: assessment-for + - id: ia-5.1_obj.h + name: assessment-objective + props: + - name: label + value: IA-05(01)(h) + class: sp800-53a + prose: "for password-based authentication, {{ insert: param,\ + \ ia-05.01_odp.02 }} are enforced." + links: + - href: "#ia-5.1_smt.h" + rel: assessment-for + links: + - href: "#ia-5.1_smt" + rel: assessment-for + - id: ia-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + password policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + password configurations and associated documentation + + + other relevant documents or records + - id: ia-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing password-based + authenticator management capability + - id: ia-5.2 + class: SP800-53-enhancement + title: Public Key-based Authentication + props: + - name: label + value: IA-5(2) + - name: label + value: IA-05(02) + class: sp800-53a + - name: sort-id + value: ia-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-5" + rel: required + - href: "#ia-3" + rel: related + - href: "#sc-17" + rel: related + parts: + - id: ia-5.2_smt + name: statement + parts: + - id: ia-5.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "For public key-based authentication:" + parts: + - id: ia-5.2_smt.a.1 + name: item + props: + - name: label + value: (1) + prose: Enforce authorized access to the corresponding private + key; and + - id: ia-5.2_smt.a.2 + name: item + props: + - name: label + value: (2) + prose: Map the authenticated identity to the account of + the individual or group; and + - id: ia-5.2_smt.b + name: item + props: + - name: label + value: (b) + prose: "When public key infrastructure (PKI) is used:" + parts: + - id: ia-5.2_smt.b.1 + name: item + props: + - name: label + value: (1) + prose: Validate certificates by constructing and verifying + a certification path to an accepted trust anchor, including + checking certificate status information; and + - id: ia-5.2_smt.b.2 + name: item + props: + - name: label + value: (2) + prose: Implement a local cache of revocation data to support + path discovery and validation. + - id: ia-5.2_gdn + name: guidance + prose: Public key cryptography is a valid authentication mechanism + for individuals, machines, and devices. For PKI solutions, status + information for certification paths includes certificate revocation + lists or certificate status protocol responses. For PIV cards, + certificate validation involves the construction and verification + of a certification path to the Common Policy Root trust anchor, + which includes certificate policy processing. Implementing a local + cache of revocation data to support path discovery and validation + also supports system availability in situations where organizations + are unable to access revocation information via the network. + - id: ia-5.2_obj + name: assessment-objective + props: + - name: label + value: IA-05(02) + class: sp800-53a + parts: + - id: ia-5.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-05(02)(a) + class: sp800-53a + parts: + - id: ia-5.2_obj.a.1 + name: assessment-objective + props: + - name: label + value: IA-05(02)(a)(01) + class: sp800-53a + prose: authorized access to the corresponding private key + is enforced for public key-based authentication; + links: + - href: "#ia-5.2_smt.a.1" + rel: assessment-for + - id: ia-5.2_obj.a.2 + name: assessment-objective + props: + - name: label + value: IA-05(02)(a)(02) + class: sp800-53a + prose: the authenticated identity is mapped to the account + of the individual or group for public key-based authentication; + links: + - href: "#ia-5.2_smt.a.2" + rel: assessment-for + links: + - href: "#ia-5.2_smt.a" + rel: assessment-for + - id: ia-5.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-05(02)(b) + class: sp800-53a + parts: + - id: ia-5.2_obj.b.1 + name: assessment-objective + props: + - name: label + value: IA-05(02)(b)(01) + class: sp800-53a + prose: when public key infrastructure (PKI) is used, certificates + are validated by constructing and verifying a certification + path to an accepted trust anchor, including checking certificate + status information; + links: + - href: "#ia-5.2_smt.b.1" + rel: assessment-for + - id: ia-5.2_obj.b.2 + name: assessment-objective + props: + - name: label + value: IA-05(02)(b)(02) + class: sp800-53a + prose: when public key infrastructure (PKI) is used, a local + cache of revocation data is implemented to support path + discovery and validation. + links: + - href: "#ia-5.2_smt.b.2" + rel: assessment-for + links: + - href: "#ia-5.2_smt.b" + rel: assessment-for + links: + - href: "#ia-5.2_smt" + rel: assessment-for + - id: ia-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing authenticator management + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + PKI certification validation records + + + PKI certification revocation lists + + + other relevant documents or records + - id: ia-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with PKI-based, authenticator + management responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing PKI-based, + authenticator management capability + - id: ia-5.6 + class: SP800-53-enhancement + title: Protection of Authenticators + props: + - name: label + value: IA-5(6) + - name: label + value: IA-05(06) + class: sp800-53a + - name: sort-id + value: ia-05.06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-5" + rel: required + - href: "#ra-2" + rel: related + parts: + - id: ia-5.6_smt + name: statement + prose: Protect authenticators commensurate with the security category + of the information to which use of the authenticator permits access. + - id: ia-5.6_gdn + name: guidance + prose: For systems that contain multiple security categories of + information without reliable physical or logical separation between + categories, authenticators used to grant access to the systems + are protected commensurate with the highest security category + of information on the systems. Security categories of information + are determined as part of the security categorization process. + - id: ia-5.6_obj + name: assessment-objective + props: + - name: label + value: IA-05(06) + class: sp800-53a + prose: authenticators are protected commensurate with the security + category of the information to which use of the authenticator + permits access. + links: + - href: "#ia-5.6_smt" + rel: assessment-for + - id: ia-5.6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(06)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing authenticator management + + security categorization documentation for the system + + security assessments of authenticator protections + + risk assessment results + + system security plan + + other relevant documents or records + - id: ia-5.6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(06)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel implementing and/or maintaining authenticator + protections + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ia-5.6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(06)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing authenticator + management capability + + + mechanisms protecting authenticators + - id: ia-5.7 + class: SP800-53-enhancement + title: No Embedded Unencrypted Static Authenticators + props: + - name: label + value: IA-5(7) + - name: label + value: IA-05(07) + class: sp800-53a + - name: sort-id + value: ia-05.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-5" + rel: required + parts: + - id: ia-5.7_smt + name: statement + prose: Ensure that unencrypted static authenticators are not embedded + in applications or other forms of static storage. + parts: + - id: ia-5.7_fr + name: item + title: IA-5 (7) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-5.7_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In this context, prohibited static storage refers + to any storage where unencrypted authenticators, such + as passwords, persist beyond the time required to complete + the access process. + - id: ia-5.7_gdn + name: guidance + prose: In addition to applications, other forms of static storage + include access scripts and function keys. Organizations exercise + caution when determining whether embedded or stored authenticators + are in encrypted or unencrypted form. If authenticators are used + in the manner stored, then those representations are considered + unencrypted authenticators. + - id: ia-5.7_obj + name: assessment-objective + props: + - name: label + value: IA-05(07) + class: sp800-53a + prose: unencrypted static authenticators are not embedded in applications + or other forms of static storage. + links: + - href: "#ia-5.7_smt" + rel: assessment-for + - id: ia-5.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-05(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing authenticator management + + + system design documentation + + + system configuration settings and associated documentation + + + logical access scripts + + + application code reviews for detecting unencrypted static + authenticators + + + other relevant documents or records + - id: ia-5.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-05(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with authenticator management + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-5.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-05(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing authenticator + management capability + + + mechanisms implementing authentication in applications + - id: ia-6 + class: SP800-53 + title: Authentication Feedback + props: + - name: label + value: IA-6 + - name: label + value: IA-06 + class: sp800-53a + - name: sort-id + value: ia-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + parts: + - id: ia-6_smt + name: statement + prose: Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and + use by unauthorized individuals. + - id: ia-6_gdn + name: guidance + prose: Authentication feedback from systems does not provide information + that would allow unauthorized individuals to compromise authentication + mechanisms. For some types of systems, such as desktops or notebooks + with relatively large monitors, the threat (referred to as shoulder + surfing) may be significant. For other types of systems, such as mobile + devices with small displays, the threat may be less significant and + is balanced against the increased likelihood of typographic input + errors due to small keyboards. Thus, the means for obscuring authentication + feedback is selected accordingly. Obscuring authentication feedback + includes displaying asterisks when users type passwords into input + devices or displaying feedback for a very limited time before obscuring + it. + - id: ia-6_obj + name: assessment-objective + props: + - name: label + value: IA-06 + class: sp800-53a + prose: the feedback of authentication information is obscured during + the authentication process to protect the information from possible + exploitation and use by unauthorized individuals. + links: + - href: "#ia-6_smt" + rel: assessment-for + - id: ia-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing authenticator feedback + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + system/network administrators + + + system developers + - id: ia-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the obscuring of + feedback of authentication information during authentication + - id: ia-7 + class: SP800-53 + title: Cryptographic Module Authentication + props: + - name: label + value: IA-7 + - name: label + value: IA-07 + class: sp800-53a + - name: sort-id + value: ia-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: ia-7_smt + name: statement + prose: Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + - id: ia-7_gdn + name: guidance + prose: Authentication mechanisms may be required within a cryptographic + module to authenticate an operator accessing the module and to verify + that the operator is authorized to assume the requested role and perform + services within that role. + - id: ia-7_obj + name: assessment-objective + props: + - name: label + value: IA-07 + class: sp800-53a + prose: mechanisms for authentication to a cryptographic module are implemented + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. + links: + - href: "#ia-7_smt" + rel: assessment-for + - id: ia-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + procedures addressing cryptographic module authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + other relevant documents or records + - id: ia-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + cryptographic module authentication + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + - id: ia-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic module + authentication + - id: ia-8 + class: SP800-53 + title: Identification and Authentication (Non-organizational Users) + props: + - name: label + value: IA-8 + - name: label + value: IA-08 + class: sp800-53a + - name: sort-id + value: ia-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#a1555677-2b9d-4868-a97b-a1363aff32f5" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-10" + rel: related + - href: "#ia-11" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: ia-8_smt + name: statement + prose: Uniquely identify and authenticate non-organizational users or + processes acting on behalf of non-organizational users. + - id: ia-8_gdn + name: guidance + prose: Non-organizational users include system users other than organizational + users explicitly covered by [IA-2](#ia-2) . Non-organizational users + are uniquely identified and authenticated for accesses other than + those explicitly identified and documented in [AC-14](#ac-14) . Identification + and authentication of non-organizational users accessing federal systems + may be required to protect federal, proprietary, or privacy-related + information (with exceptions noted for national security systems). + Organizations consider many factors—including security, privacy, scalability, + and practicality—when balancing the need to ensure ease of use for + access to federal information and systems with the need to protect + and adequately mitigate risk. + - id: ia-8_obj + name: assessment-objective + props: + - name: label + value: IA-08 + class: sp800-53a + prose: non-organizational users or processes acting on behalf of non-organizational + users are uniquely identified and authenticated. + links: + - href: "#ia-8_smt" + rel: assessment-for + - id: ia-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + system security plan + + privacy plan + + procedures addressing user identification and authentication + + system design documentation + + system configuration settings and associated documentation + + system audit records + + list of system accounts + + other relevant documents or records + - id: ia-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with account management responsibilities + - id: ia-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + controls: + - id: ia-8.1 + class: SP800-53-enhancement + title: Acceptance of PIV Credentials from Other Agencies + props: + - name: label + value: IA-8(1) + - name: label + value: IA-08(01) + class: sp800-53a + - name: sort-id + value: ia-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + - href: "#pe-3" + rel: related + parts: + - id: ia-8.1_smt + name: statement + prose: Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal agencies. + - id: ia-8.1_gdn + name: guidance + prose: Acceptance of Personal Identity Verification (PIV) credentials + from other federal agencies applies to both logical and physical + access control systems. PIV credentials are those credentials + issued by federal agencies that conform to FIPS Publication 201 + and supporting guidelines. The adequacy and reliability of PIV + card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03). + - id: ia-8.1_obj + name: assessment-objective + props: + - name: label + value: IA-08(01) + class: sp800-53a + parts: + - id: ia-8.1_obj-1 + name: assessment-objective + props: + - name: label + value: IA-08(01)[01] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are accepted; + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_obj-2 + name: assessment-objective + props: + - name: label + value: IA-08(01)[02] + class: sp800-53a + prose: Personal Identity Verification-compliant credentials + from other federal agencies are electronically verified. + links: + - href: "#ia-8.1_smt" + rel: assessment-for + links: + - href: "#ia-8.1_smt" + rel: assessment-for + - id: ia-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + PIV verification records + + + evidence of PIV credentials + + + PIV credential authorizations + + + other relevant documents or records + - id: ia-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept and verify PIV credentials + - id: ia-8.2 + class: SP800-53-enhancement + title: Acceptance of External Authenticators + props: + - name: label + value: IA-8(2) + - name: label + value: IA-08(02) + class: sp800-53a + - name: sort-id + value: ia-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.2_smt + name: statement + parts: + - id: ia-8.2_smt.a + name: item + props: + - name: label + value: (a) + prose: Accept only external authenticators that are NIST-compliant; + and + - id: ia-8.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Document and maintain a list of accepted external authenticators. + - id: ia-8.2_gdn + name: guidance + prose: Acceptance of only NIST-compliant external authenticators + applies to organizational systems that are accessible to the public + (e.g., public-facing websites). External authenticators are issued + by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + . Approved external authenticators meet or exceed the minimum + Federal Government-wide technical, security, privacy, and organizational + maturity requirements. Meeting or exceeding Federal requirements + allows Federal Government relying parties to trust external authenticators + in connection with an authentication transaction at a specified + authenticator assurance level. + - id: ia-8.2_obj + name: assessment-objective + props: + - name: label + value: IA-08(02) + class: sp800-53a + parts: + - id: ia-8.2_obj.a + name: assessment-objective + props: + - name: label + value: IA-08(02)(a) + class: sp800-53a + prose: only external authenticators that are NIST-compliant + are accepted; + links: + - href: "#ia-8.2_smt.a" + rel: assessment-for + - id: ia-8.2_obj.b + name: assessment-objective + props: + - name: label + value: IA-08(02)(b) + class: sp800-53a + parts: + - id: ia-8.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[01] + class: sp800-53a + prose: a list of accepted external authenticators is documented; + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + - id: ia-8.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IA-08(02)(b)[02] + class: sp800-53a + prose: a list of accepted external authenticators is maintained. + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt.b" + rel: assessment-for + links: + - href: "#ia-8.2_smt" + rel: assessment-for + - id: ia-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + procedures addressing user identification and authentication + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + list of third-party credentialing products, components, or + services procured and implemented by organization + + + third-party credential verification records + + + evidence of third-party credentials + + + third-party credential authorizations + + + other relevant documents or records + - id: ia-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms that accept external credentials + - id: ia-8.4 + class: SP800-53-enhancement + title: Use of Defined Profiles + params: + - id: ia-08.04_odp + label: identity management profiles + guidelines: + - prose: identity management profiles are defined; + props: + - name: label + value: IA-8(4) + - name: label + value: IA-08(04) + class: sp800-53a + - name: sort-id + value: ia-08.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ia-8" + rel: required + parts: + - id: ia-8.4_smt + name: statement + prose: "Conform to the following profiles for identity management\ + \ {{ insert: param, ia-08.04_odp }}." + - id: ia-8.4_gdn + name: guidance + prose: Organizations define profiles for identity management based + on open identity management standards. To ensure that open identity + management standards are viable, robust, reliable, sustainable, + and interoperable as documented, the Federal Government assesses + and scopes the standards and technology implementations against + applicable laws, executive orders, directives, policies, regulations, + standards, and guidelines. + - id: ia-8.4_obj + name: assessment-objective + props: + - name: label + value: IA-08(04) + class: sp800-53a + prose: "there is conformance with {{ insert: param, ia-08.04_odp\ + \ }} for identity management." + links: + - href: "#ia-8.4_smt" + rel: assessment-for + - id: ia-8.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-08(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + other relevant documents or records + - id: ia-8.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-08(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with account management responsibilities + - id: ia-8.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-08(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing identification + and authentication capabilities + + + mechanisms supporting and/or implementing conformance with + profiles + - id: ia-11 + class: SP800-53 + title: Re-authentication + params: + - id: ia-11_odp + label: circumstances or situations + guidelines: + - prose: circumstances or situations requiring re-authentication are + defined; + props: + - name: label + value: IA-11 + - name: label + value: IA-11 + class: sp800-53a + - name: sort-id + value: ia-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + - href: "#ac-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: ia-11_smt + name: statement + prose: "Require users to re-authenticate when {{ insert: param, ia-11_odp\ + \ }}." + parts: + - id: ia-11_fr + name: item + title: IA-11 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-11_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + The fixed time period cannot exceed the limits set in SP + 800-63. At this writing they are: + + + * AAL2 (moderate baseline) * 12 hours or * 30 minutes + of inactivity + - id: ia-11_gdn + name: guidance + prose: In addition to the re-authentication requirements associated + with device locks, organizations may require re-authentication of + individuals in certain situations, including when roles, authenticators + or credentials change, when security categories of systems change, + when the execution of privileged functions occurs, after a fixed time + period, or periodically. + - id: ia-11_obj + name: assessment-objective + props: + - name: label + value: IA-11 + class: sp800-53a + prose: "users are required to re-authenticate when {{ insert: param,\ + \ ia-11_odp }}." + links: + - href: "#ia-11_smt" + rel: assessment-for + - id: ia-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Identification and authentication policy + + + procedures addressing user and device re-authentication + + + system security plan + + + system design documentation + + + system configuration settings and associated documentation + + + list of circumstances or situations requiring re-authentication + + + system audit records + + + other relevant documents or records + - id: ia-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12 + class: SP800-53 + title: Identity Proofing + props: + - name: label + value: IA-12 + - name: label + value: IA-12 + class: sp800-53a + - name: sort-id + value: ia-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#9099ed2c-922a-493d-bcb4-d896192243ff" + rel: reference + - href: "#10963761-58fc-4b20-b3d6-b44a54daba03" + rel: reference + - href: "#ac-5" + rel: related + - href: "#ia-1" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-6" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-13" + rel: related + parts: + - id: ia-12_smt + name: statement + parts: + - id: ia-12_smt.a + name: item + props: + - name: label + value: a. + prose: Identity proof users that require accounts for logical access + to systems based on appropriate identity assurance level requirements + as specified in applicable standards and guidelines; + - id: ia-12_smt.b + name: item + props: + - name: label + value: b. + prose: Resolve user identities to a unique individual; and + - id: ia-12_smt.c + name: item + props: + - name: label + value: c. + prose: Collect, validate, and verify identity evidence. + - id: ia-12_fr + name: item + title: IA-12 Additional FedRAMP Requirements and Guidance + parts: + - id: ia-12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with NIST SP 800-63A Enrollment and Identity + Proofing + - id: ia-12_gdn + name: guidance + prose: Identity proofing is the process of collecting, validating, and + verifying a user’s identity information for the purposes of establishing + credentials for accessing a system. Identity proofing is intended + to mitigate threats to the registration of users and the establishment + of their accounts. Standards and guidelines specifying identity assurance + levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) + and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations + may be subject to laws, executive orders, directives, regulations, + or policies that address the collection of identity evidence. Organizational + personnel consult with the senior agency official for privacy and + legal counsel regarding such requirements. + - id: ia-12_obj + name: assessment-objective + props: + - name: label + value: IA-12 + class: sp800-53a + parts: + - id: ia-12_obj.a + name: assessment-objective + props: + - name: label + value: IA-12a. + class: sp800-53a + prose: users who require accounts for logical access to systems + based on appropriate identity assurance level requirements as + specified in applicable standards and guidelines are identity + proofed; + links: + - href: "#ia-12_smt.a" + rel: assessment-for + - id: ia-12_obj.b + name: assessment-objective + props: + - name: label + value: IA-12b. + class: sp800-53a + prose: user identities are resolved to a unique individual; + links: + - href: "#ia-12_smt.b" + rel: assessment-for + - id: ia-12_obj.c + name: assessment-objective + props: + - name: label + value: IA-12c. + class: sp800-53a + parts: + - id: ia-12_obj.c-1 + name: assessment-objective + props: + - name: label + value: IA-12c.[01] + class: sp800-53a + prose: identity evidence is collected; + links: + - href: "#ia-12_smt.c" + rel: assessment-for + - id: ia-12_obj.c-2 + name: assessment-objective + props: + - name: label + value: IA-12c.[02] + class: sp800-53a + prose: identity evidence is validated; + links: + - href: "#ia-12_smt.c" + rel: assessment-for + - id: ia-12_obj.c-3 + name: assessment-objective + props: + - name: label + value: IA-12c.[03] + class: sp800-53a + prose: identity evidence is verified. + links: + - href: "#ia-12_smt.c" + rel: assessment-for + links: + - href: "#ia-12_smt.c" + rel: assessment-for + links: + - href: "#ia-12_smt" + rel: assessment-for + - id: ia-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + privacy plan + + other relevant documents or records + - id: ia-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + legal counsel + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + controls: + - id: ia-12.2 + class: SP800-53-enhancement + title: Identity Evidence + props: + - name: label + value: IA-12(2) + - name: label + value: IA-12(02) + class: sp800-53a + - name: sort-id + value: ia-12.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + parts: + - id: ia-12.2_smt + name: statement + prose: Require evidence of individual identification be presented + to the registration authority. + - id: ia-12.2_gdn + name: guidance + prose: Identity evidence, such as documentary evidence or a combination + of documents and biometrics, reduces the likelihood of individuals + using fraudulent identification to establish an identity or at + least increases the work factor of potential adversaries. The + forms of acceptable evidence are consistent with the risks to + the systems, roles, and privileges associated with the user’s + account. + - id: ia-12.2_obj + name: assessment-objective + props: + - name: label + value: IA-12(02) + class: sp800-53a + prose: evidence of individual identification is presented to the + registration authority. + links: + - href: "#ia-12.2_smt" + rel: assessment-for + - id: ia-12.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12.3 + class: SP800-53-enhancement + title: Identity Evidence Validation and Verification + params: + - id: ia-12.03_odp + label: methods of validation and verification + guidelines: + - prose: methods of validation and verification of identity evidence + are defined; + props: + - name: label + value: IA-12(3) + - name: label + value: IA-12(03) + class: sp800-53a + - name: sort-id + value: ia-12.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + parts: + - id: ia-12.3_smt + name: statement + prose: "Require that the presented identity evidence be validated\ + \ and verified through {{ insert: param, ia-12.03_odp }}." + - id: ia-12.3_gdn + name: guidance + prose: Validation and verification of identity evidence increases + the assurance that accounts and identifiers are being established + for the correct user and authenticators are being bound to that + user. Validation refers to the process of confirming that the + evidence is genuine and authentic, and the data contained in the + evidence is correct, current, and related to an individual. Verification + confirms and establishes a linkage between the claimed identity + and the actual existence of the user presenting the evidence. + Acceptable methods for validating and verifying identity evidence + are consistent with the risks to the systems, roles, and privileges + associated with the users account. + - id: ia-12.3_obj + name: assessment-objective + props: + - name: label + value: IA-12(03) + class: sp800-53a + prose: "the presented identity evidence is validated and verified\ + \ through {{ insert: param, ia-12.03_odp }}." + links: + - href: "#ia-12.3_smt" + rel: assessment-for + - id: ia-12.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ia-12.5 + class: SP800-53-enhancement + title: Address Confirmation + params: + - id: ia-12.05_odp + select: + choice: + - registration code + - notice of proofing + props: + - name: label + value: IA-12(5) + - name: label + value: IA-12(05) + class: sp800-53a + - name: sort-id + value: ia-12.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ia-12" + rel: required + - href: "#ia-12" + rel: related + parts: + - id: ia-12.5_smt + name: statement + prose: "Require that a {{ insert: param, ia-12.05_odp }} be delivered\ + \ through an out-of-band channel to verify the users address (physical\ + \ or digital) of record." + parts: + - id: ia-12.5_fr + name: item + title: IA-12 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: ia-12.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with NIST SP 800-63A Enrollment and + Identity Proofing + - id: ia-12.5_gdn + name: guidance + prose: To make it more difficult for adversaries to pose as legitimate + users during the identity proofing process, organizations can + use out-of-band methods to ensure that the individual associated + with an address of record is the same individual that participated + in the registration. Confirmation can take the form of a temporary + enrollment code or a notice of proofing. The delivery address + for these artifacts is obtained from records and not self-asserted + by the user. The address can include a physical or digital address. + A home address is an example of a physical address. Email addresses + and telephone numbers are examples of digital addresses. + - id: ia-12.5_obj + name: assessment-objective + props: + - name: label + value: IA-12(05) + class: sp800-53a + prose: "a {{ insert: param, ia-12.05_odp }} is delivered through\ + \ an out-of-band channel to verify the user’s address (physical\ + \ or digital) of record." + links: + - href: "#ia-12.5_smt" + rel: assessment-for + - id: ia-12.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IA-12(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Identification and authentication policy + + procedures addressing identity proofing + + system security plan + + other relevant documents or records + - id: ia-12.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IA-12(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system operations + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developers + + + organizational personnel with identification and authentication + responsibilities + - id: ia-12.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IA-12(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing identification + and authentication capabilities + - id: ir + class: family + title: Incident Response + controls: + - id: ir-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ir-1_prm_1 + label: organization-defined personnel or roles + - id: ir-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response policy is + to be disseminated is/are defined; + - id: ir-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the incident response procedures + are to be disseminated is/are defined; + - id: ir-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ir-01_odp.04 + label: official + guidelines: + - prose: an official to manage the incident response policy and procedures + is defined; + - id: ir-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current incident response policy + is reviewed and updated is defined; + - id: ir-01_odp.06 + label: events + guidelines: + - prose: events that would require the current incident response policy + to be reviewed and updated are defined; + - id: ir-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current incident response procedures + are reviewed and updated is defined; + - id: ir-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the incident response procedures + to be reviewed and updated are defined; + props: + - name: label + value: IR-1 + - name: label + value: IR-01 + class: sp800-53a + - name: sort-id + value: ir-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ir-1_smt + name: statement + parts: + - id: ir-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ir-1_prm_1 }}:" + parts: + - id: ir-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy that:" + parts: + - id: ir-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ir-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ir-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the incident + response policy and the associated incident response controls; + - id: ir-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ir-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - id: ir-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current incident response:" + parts: + - id: ir-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ir-01_odp.05 }} and following\ + \ {{ insert: param, ir-01_odp.06 }} ; and" + - id: ir-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ir-01_odp.07 }} and following\ + \ {{ insert: param, ir-01_odp.08 }}." + - id: ir-1_gdn + name: guidance + prose: Incident response policy and procedures address the controls + in the IR family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of incident response + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to incident response policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ir-1_obj + name: assessment-objective + props: + - name: label + value: IR-01 + class: sp800-53a + parts: + - id: ir-1_obj.a + name: assessment-objective + props: + - name: label + value: IR-01a. + class: sp800-53a + parts: + - id: ir-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.[01] + class: sp800-53a + prose: an incident response policy is developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.[02] + class: sp800-53a + prose: "the incident response policy is disseminated to {{ insert:\ + \ param, ir-01_odp.01 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.[03] + class: sp800-53a + prose: incident response procedures to facilitate the implementation + of the incident response policy and associated incident response + controls are developed and documented; + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.[04] + class: sp800-53a + prose: "the incident response procedures are disseminated to\ + \ {{ insert: param, ir-01_odp.02 }};" + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-01a.01 + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: IR-01a.01(a) + class: sp800-53a + parts: + - id: ir-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses purpose;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses scope;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses roles;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses responsibilities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses management commitment;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: IR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident\ + \ response policy addresses compliance;" + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1.a" + rel: assessment-for + - id: ir-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: IR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.03 }} incident response\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ir-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ir-1_smt.a.1" + rel: assessment-for + links: + - href: "#ir-1_smt.a" + rel: assessment-for + - id: ir-1_obj.b + name: assessment-objective + props: + - name: label + value: IR-01b. + class: sp800-53a + prose: "the {{ insert: param, ir-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the incident\ + \ response policy and procedures;" + links: + - href: "#ir-1_smt.b" + rel: assessment-for + - id: ir-1_obj.c + name: assessment-objective + props: + - name: label + value: IR-01c. + class: sp800-53a + parts: + - id: ir-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: IR-01c.01 + class: sp800-53a + parts: + - id: ir-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: IR-01c.01[01] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated {{ insert: param, ir-01_odp.05 }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: IR-01c.01[02] + class: sp800-53a + prose: "the current incident response policy is reviewed\ + \ and updated following {{ insert: param, ir-01_odp.06\ + \ }};" + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + links: + - href: "#ir-1_smt.c.1" + rel: assessment-for + - id: ir-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: IR-01c.02 + class: sp800-53a + parts: + - id: ir-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: IR-01c.02[01] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated {{ insert: param, ir-01_odp.07 }};" + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + - id: ir-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: IR-01c.02[02] + class: sp800-53a + prose: "the current incident response procedures are reviewed\ + \ and updated following {{ insert: param, ir-01_odp.08\ + \ }}." + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c.2" + rel: assessment-for + links: + - href: "#ir-1_smt.c" + rel: assessment-for + links: + - href: "#ir-1_smt" + rel: assessment-for + - id: ir-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-2 + class: SP800-53 + title: Incident Response Training + params: + - id: ir-02_odp.01 + label: time period + constraints: + - description: ten (10) days for privileged users, thirty (30) days + for Incident Response roles + guidelines: + - prose: a time period within which incident response training is + to be provided to system users assuming an incident response role + or responsibility is defined; + - id: ir-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide incident response training + to users is defined; + - id: ir-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review and update incident response + training content is defined; + - id: ir-02_odp.04 + label: events + guidelines: + - prose: events that initiate a review of the incident response training + content are defined; + props: + - name: label + value: IR-2 + - name: label + value: IR-02 + class: sp800-53a + - name: sort-id + value: ir-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#511f6832-23ca-49a3-8c0f-ce493373cab8" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#at-4" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-2_smt + name: statement + parts: + - id: ir-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide incident response training to system users consistent\ + \ with assigned roles and responsibilities:" + parts: + - id: ir-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Within {{ insert: param, ir-02_odp.01 }} of assuming\ + \ an incident response role or responsibility or acquiring\ + \ system access;" + - id: ir-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: When required by system changes; and + - id: ir-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: " {{ insert: param, ir-02_odp.02 }} thereafter; and" + - id: ir-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update incident response training content {{\ + \ insert: param, ir-02_odp.03 }} and following {{ insert: param,\ + \ ir-02_odp.04 }}." + - id: ir-2_gdn + name: guidance + prose: Incident response training is associated with the assigned roles + and responsibilities of organizational personnel to ensure that the + appropriate content and level of detail are included in such training. + For example, users may only need to know who to call or how to recognize + an incident; system administrators may require additional training + on how to handle incidents; and incident responders may receive more + specific training on forensics, data collection techniques, reporting, + system recovery, and system restoration. Incident response training + includes user training in identifying and reporting suspicious activities + from external and internal sources. Incident response training for + users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . + Events that may precipitate an update to incident response training + content include, but are not limited to, incident response plan testing + or response to an actual incident (lessons learned), assessment or + audit findings, or changes in applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: ir-2_obj + name: assessment-objective + props: + - name: label + value: IR-02 + class: sp800-53a + parts: + - id: ir-2_obj.a + name: assessment-objective + props: + - name: label + value: IR-02a. + class: sp800-53a + parts: + - id: ir-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-02a.01 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities within\ + \ {{ insert: param, ir-02_odp.01 }} of assuming an incident\ + \ response role or responsibility or acquiring system access;" + links: + - href: "#ir-2_smt.a.1" + rel: assessment-for + - id: ir-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-02a.02 + class: sp800-53a + prose: incident response training is provided to system users + consistent with assigned roles and responsibilities when required + by system changes; + links: + - href: "#ir-2_smt.a.2" + rel: assessment-for + - id: ir-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-02a.03 + class: sp800-53a + prose: "incident response training is provided to system users\ + \ consistent with assigned roles and responsibilities {{ insert:\ + \ param, ir-02_odp.02 }} thereafter;" + links: + - href: "#ir-2_smt.a.3" + rel: assessment-for + links: + - href: "#ir-2_smt.a" + rel: assessment-for + - id: ir-2_obj.b + name: assessment-objective + props: + - name: label + value: IR-02b. + class: sp800-53a + parts: + - id: ir-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-02b.[01] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ {{ insert: param, ir-02_odp.03 }};" + links: + - href: "#ir-2_smt.b" + rel: assessment-for + - id: ir-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-02b.[02] + class: sp800-53a + prose: "incident response training content is reviewed and updated\ + \ following {{ insert: param, ir-02_odp.04 }}." + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt.b" + rel: assessment-for + links: + - href: "#ir-2_smt" + rel: assessment-for + - id: ir-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response training + + incident response training curriculum + + incident response training materials + + privacy plan + + incident response plan + + incident response training records + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training and + operational responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-3 + class: SP800-53 + title: Incident Response Testing + params: + - id: ir-03_odp.01 + label: frequency + constraints: + - description: functional, at least annually + guidelines: + - prose: frequency at which to test the effectiveness of the incident + response capability for the system is defined; + - id: ir-03_odp.02 + label: tests + guidelines: + - prose: tests used to test the effectiveness of the incident response + capability for the system are defined; + props: + - name: label + value: IR-3 + - name: label + value: IR-03 + class: sp800-53a + - name: sort-id + value: ir-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-14" + rel: related + parts: + - id: ir-3_smt + name: statement + prose: "Test the effectiveness of the incident response capability for\ + \ the system {{ insert: param, ir-03_odp.01 }} using the following\ + \ tests: {{ insert: param, ir-03_odp.02 }}." + parts: + - id: ir-3_fr + name: item + title: IR-3-2 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider defines tests and/or exercises in + accordance with NIST Special Publication 800-61 (as amended). + Functional testing must occur prior to testing for initial + authorization. Annual functional testing may be concurrent + with required penetration tests (see CA-8). The service provider + provides test plans to the JAB/AO annually. Test plans are + approved and accepted by the JAB/AO prior to test commencing. + - id: ir-3_gdn + name: guidance + prose: Organizations test incident response capabilities to determine + their effectiveness and identify potential weaknesses or deficiencies. + Incident response testing includes the use of checklists, walk-through + or tabletop exercises, and simulations (parallel or full interrupt). + Incident response testing can include a determination of the effects + on organizational operations and assets and individuals due to incident + response. The use of qualitative and quantitative data aids in determining + the effectiveness of incident response processes. + - id: ir-3_obj + name: assessment-objective + props: + - name: label + value: IR-03 + class: sp800-53a + prose: "the effectiveness of the incident response capability for the\ + \ system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert:\ + \ param, ir-03_odp.02 }}." + links: + - href: "#ir-3_smt" + rel: assessment-for + - id: ir-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident response testing + + procedures addressing contingency plan testing + + incident response testing material + + incident response test results + + incident response test plan + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response testing + responsibilities + + + organizational personnel with information security and privacy + responsibilities + controls: + - id: ir-3.2 + class: SP800-53-enhancement + title: Coordination with Related Plans + props: + - name: label + value: IR-3(2) + - name: label + value: IR-03(02) + class: sp800-53a + - name: sort-id + value: ir-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ir-3" + rel: required + parts: + - id: ir-3.2_smt + name: statement + prose: Coordinate incident response testing with organizational + elements responsible for related plans. + - id: ir-3.2_gdn + name: guidance + prose: Organizational plans related to incident response testing + include business continuity plans, disaster recovery plans, continuity + of operations plans, contingency plans, crisis communications + plans, critical infrastructure plans, and occupant emergency plans. + - id: ir-3.2_obj + name: assessment-objective + props: + - name: label + value: IR-03(02) + class: sp800-53a + prose: incident response testing is coordinated with organizational + elements responsible for related plans. + links: + - href: "#ir-3.2_smt" + rel: assessment-for + - id: ir-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident response testing + + incident response testing documentation + + incident response plan + + business continuity plans + + contingency plans + + disaster recovery plans + + continuity of operations plans + + crisis communications plans + + critical infrastructure plans + + occupant emergency plans + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response testing + responsibilities + + + organizational personnel with responsibilities for testing + organizational plans related to incident response testing + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4 + class: SP800-53 + title: Incident Handling + props: + - name: label + value: IR-4 + - name: label + value: IR-04 + class: sp800-53a + - name: sort-id + value: ir-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cfdb1858-c473-46b3-89f9-a700308d0be2" + rel: reference + - href: "#10cf2fad-a216-41f9-bb1a-531b7e3119e3" + rel: reference + - href: "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#31ae65ab-3f26-46b7-9d64-f25a4dac5778" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-3" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-2" + rel: related + - href: "#ir-3" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-4_smt + name: statement + parts: + - id: ir-4_smt.a + name: item + props: + - name: label + value: a. + prose: Implement an incident handling capability for incidents that + is consistent with the incident response plan and includes preparation, + detection and analysis, containment, eradication, and recovery; + - id: ir-4_smt.b + name: item + props: + - name: label + value: b. + prose: Coordinate incident handling activities with contingency + planning activities; + - id: ir-4_smt.c + name: item + props: + - name: label + value: c. + prose: Incorporate lessons learned from ongoing incident handling + activities into incident response procedures, training, and testing, + and implement the resulting changes accordingly; and + - id: ir-4_smt.d + name: item + props: + - name: label + value: d. + prose: Ensure the rigor, intensity, scope, and results of incident + handling activities are comparable and predictable across the + organization. + - id: ir-4_fr + name: item + title: IR-4 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: 'The FISMA definition of \"incident\" shall be used: + \"An occurrence that actually or imminently jeopardizes, without + lawful authority, the confidentiality, integrity, or availability + of information or an information system; or constitutes a + violation or imminent threat of violation of law, security + policies, security procedures, or acceptable use policies.\"' + - id: ir-4_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider ensures that individuals conducting + incident handling meet personnel security requirements commensurate + with the criticality/sensitivity of the information being + processed, stored, and transmitted by the information system. + - id: ir-4_gdn + name: guidance + prose: Organizations recognize that incident response capabilities are + dependent on the capabilities of organizational systems and the mission + and business processes being supported by those systems. Organizations + consider incident response as part of the definition, design, and + development of mission and business processes and systems. Incident-related + information can be obtained from a variety of sources, including audit + monitoring, physical access monitoring, and network monitoring; user + or administrator reports; and reported supply chain events. An effective + incident handling capability includes coordination among many organizational + entities (e.g., mission or business owners, system owners, authorizing + officials, human resources offices, physical security offices, personnel + security offices, legal departments, risk executive [function], operations + personnel, procurement offices). Suspected security incidents include + the receipt of suspicious email communications that can contain malicious + code. Suspected supply chain incidents include the insertion of counterfeit + hardware or malicious code into organizational systems or system components. + For federal agencies, an incident that involves personally identifiable + information is considered a breach. A breach results in unauthorized + disclosure, the loss of control, unauthorized acquisition, compromise, + or a similar occurrence where a person other than an authorized user + accesses or potentially accesses personally identifiable information + or an authorized user accesses or potentially accesses such information + for other than authorized purposes. + - id: ir-4_obj + name: assessment-objective + props: + - name: label + value: IR-04 + class: sp800-53a + parts: + - id: ir-4_obj.a + name: assessment-objective + props: + - name: label + value: IR-04a. + class: sp800-53a + parts: + - id: ir-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: IR-04a.[01] + class: sp800-53a + prose: an incident handling capability for incidents is implemented + that is consistent with the incident response plan; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: IR-04a.[02] + class: sp800-53a + prose: the incident handling capability for incidents includes + preparation; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: IR-04a.[03] + class: sp800-53a + prose: the incident handling capability for incidents includes + detection and analysis; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: IR-04a.[04] + class: sp800-53a + prose: the incident handling capability for incidents includes + containment; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-5 + name: assessment-objective + props: + - name: label + value: IR-04a.[05] + class: sp800-53a + prose: the incident handling capability for incidents includes + eradication; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.a-6 + name: assessment-objective + props: + - name: label + value: IR-04a.[06] + class: sp800-53a + prose: the incident handling capability for incidents includes + recovery; + links: + - href: "#ir-4_smt.a" + rel: assessment-for + links: + - href: "#ir-4_smt.a" + rel: assessment-for + - id: ir-4_obj.b + name: assessment-objective + props: + - name: label + value: IR-04b. + class: sp800-53a + prose: incident handling activities are coordinated with contingency + planning activities; + links: + - href: "#ir-4_smt.b" + rel: assessment-for + - id: ir-4_obj.c + name: assessment-objective + props: + - name: label + value: IR-04c. + class: sp800-53a + parts: + - id: ir-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: IR-04c.[01] + class: sp800-53a + prose: lessons learned from ongoing incident handling activities + are incorporated into incident response procedures, training, + and testing; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: IR-04c.[02] + class: sp800-53a + prose: the changes resulting from the incorporated lessons learned + are implemented accordingly; + links: + - href: "#ir-4_smt.c" + rel: assessment-for + links: + - href: "#ir-4_smt.c" + rel: assessment-for + - id: ir-4_obj.d + name: assessment-objective + props: + - name: label + value: IR-04d. + class: sp800-53a + parts: + - id: ir-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-04d.[01] + class: sp800-53a + prose: the rigor of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-04d.[02] + class: sp800-53a + prose: the intensity of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-3 + name: assessment-objective + props: + - name: label + value: IR-04d.[03] + class: sp800-53a + prose: the scope of incident handling activities is comparable + and predictable across the organization; + links: + - href: "#ir-4_smt.d" + rel: assessment-for + - id: ir-4_obj.d-4 + name: assessment-objective + props: + - name: label + value: IR-04d.[04] + class: sp800-53a + prose: the results of incident handling activities are comparable + and predictable across the organization. + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt.d" + rel: assessment-for + links: + - href: "#ir-4_smt" + rel: assessment-for + - id: ir-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + contingency planning policy + + procedures addressing incident handling + + incident response plan + + contingency plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with contingency planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Incident handling capability for the organization + controls: + - id: ir-4.1 + class: SP800-53-enhancement + title: Automated Incident Handling Processes + params: + - id: ir-04.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to support the incident handling + process are defined; + props: + - name: label + value: IR-4(1) + - name: label + value: IR-04(01) + class: sp800-53a + - name: sort-id + value: ir-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-4" + rel: required + parts: + - id: ir-4.1_smt + name: statement + prose: "Support the incident handling process using {{ insert: param,\ + \ ir-04.01_odp }}." + - id: ir-4.1_gdn + name: guidance + prose: Automated mechanisms that support incident handling processes + include online incident management systems and tools that support + the collection of live response data, full network packet capture, + and forensic analysis. + - id: ir-4.1_obj + name: assessment-objective + props: + - name: label + value: IR-04(01) + class: sp800-53a + prose: "the incident handling process is supported using {{ insert:\ + \ param, ir-04.01_odp }}." + links: + - href: "#ir-4.1_smt" + rel: assessment-for + - id: ir-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident handling + + + automated mechanisms supporting incident handling + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident handling + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms that support and/or implement the + incident handling process + - id: ir-5 + class: SP800-53 + title: Incident Monitoring + props: + - name: label + value: IR-5 + - name: label + value: IR-05 + class: sp800-53a + - name: sort-id + value: ir-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pe-6" + rel: related + - href: "#pm-5" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + parts: + - id: ir-5_smt + name: statement + prose: Track and document incidents. + - id: ir-5_gdn + name: guidance + prose: Documenting incidents includes maintaining records about each + incident, the status of the incident, and other pertinent information + necessary for forensics as well as evaluating incident details, trends, + and handling. Incident information can be obtained from a variety + of sources, including network monitoring, incident reports, incident + response teams, user complaints, supply chain partners, audit monitoring, + physical access monitoring, and user and administrator reports. [IR-4](#ir-4) + provides information on the types of incidents that are appropriate + for monitoring. + - id: ir-5_obj + name: assessment-objective + props: + - name: label + value: IR-05 + class: sp800-53a + parts: + - id: ir-5_obj-1 + name: assessment-objective + props: + - name: label + value: IR-05[01] + class: sp800-53a + prose: incidents are tracked; + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_obj-2 + name: assessment-objective + props: + - name: label + value: IR-05[02] + class: sp800-53a + prose: incidents are documented. + links: + - href: "#ir-5_smt" + rel: assessment-for + links: + - href: "#ir-5_smt" + rel: assessment-for + - id: ir-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident monitoring + + incident response records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident monitoring + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident monitoring capability for the organization + + + mechanisms supporting and/or implementing the tracking and documenting + of system security incidents + - id: ir-6 + class: SP800-53 + title: Incident Reporting + params: + - id: ir-06_odp.01 + label: time period + constraints: + - description: US-CERT incident reporting timelines as specified in + NIST Special Publication 800-61 (as amended) + guidelines: + - prose: time period for personnel to report suspected incidents to + the organizational incident response capability is defined; + - id: ir-06_odp.02 + label: authorities + guidelines: + - prose: authorities to whom incident information is to be reported + are defined; + props: + - name: label + value: IR-6 + - name: label + value: IR-06 + class: sp800-53a + - name: sort-id + value: ir-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#40b78258-c892-480e-9af8-77ac36648301" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#ir-8" + rel: related + - href: "#ir-9" + rel: related + parts: + - id: ir-6_smt + name: statement + parts: + - id: ir-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Require personnel to report suspected incidents to the organizational\ + \ incident response capability within {{ insert: param, ir-06_odp.01\ + \ }} ; and" + - id: ir-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Report incident information to {{ insert: param, ir-06_odp.02\ + \ }}." + - id: ir-6_fr + name: item + title: IR-6 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Reports security incident information according to FedRAMP + Incident Communications Procedure. + - id: ir-6_gdn + name: guidance + prose: The types of incidents reported, the content and timeliness of + the reports, and the designated reporting authorities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Incident information can inform risk assessments, + control effectiveness assessments, security requirements for acquisitions, + and selection criteria for technology products. + - id: ir-6_obj + name: assessment-objective + props: + - name: label + value: IR-06 + class: sp800-53a + parts: + - id: ir-6_obj.a + name: assessment-objective + props: + - name: label + value: IR-06a. + class: sp800-53a + prose: "personnel is/are required to report suspected incidents\ + \ to the organizational incident response capability within {{\ + \ insert: param, ir-06_odp.01 }};" + links: + - href: "#ir-6_smt.a" + rel: assessment-for + - id: ir-6_obj.b + name: assessment-objective + props: + - name: label + value: IR-06b. + class: sp800-53a + prose: "incident information is reported to {{ insert: param, ir-06_odp.02\ + \ }}." + links: + - href: "#ir-6_smt.b" + rel: assessment-for + links: + - href: "#ir-6_smt" + rel: assessment-for + - id: ir-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident reporting + + incident reporting records and documentation + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + personnel who have/should have reported incidents + + + personnel (authorities) to whom incident information is to be + reported + + + system users + - id: ir-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for incident reporting + + mechanisms supporting and/or implementing incident reporting + controls: + - id: ir-6.1 + class: SP800-53-enhancement + title: Automated Reporting + params: + - id: ir-06.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used for reporting incidents are + defined; + props: + - name: label + value: IR-6(1) + - name: label + value: IR-06(01) + class: sp800-53a + - name: sort-id + value: ir-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-6" + rel: required + - href: "#ir-7" + rel: related + parts: + - id: ir-6.1_smt + name: statement + prose: "Report incidents using {{ insert: param, ir-06.01_odp }}." + - id: ir-6.1_gdn + name: guidance + prose: The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) + . Automated reporting mechanisms include email, posting on websites + (with automatic updates), and automated incident response tools + and programs. + - id: ir-6.1_obj + name: assessment-objective + props: + - name: label + value: IR-06(01) + class: sp800-53a + prose: "incidents are reported using {{ insert: param, ir-06.01_odp\ + \ }}." + links: + - href: "#ir-6.1_smt" + rel: assessment-for + - id: ir-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident reporting + + + automated mechanisms supporting incident reporting + + + system design documentation + + + system configuration settings and associated documentation + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident reporting + + + automated mechanisms supporting and/or implementing the reporting + of security incidents + - id: ir-6.3 + class: SP800-53-enhancement + title: Supply Chain Coordination + props: + - name: label + value: IR-6(3) + - name: label + value: IR-06(03) + class: sp800-53a + - name: sort-id + value: ir-06.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-6" + rel: required + - href: "#sr-8" + rel: related + parts: + - id: ir-6.3_smt + name: statement + prose: Provide incident information to the provider of the product + or service and other organizations involved in the supply chain + or supply chain governance for systems or system components related + to the incident. + - id: ir-6.3_gdn + name: guidance + prose: Organizations involved in supply chain activities include + product developers, system integrators, manufacturers, packagers, + assemblers, distributors, vendors, and resellers. Entities that + provide supply chain governance include the Federal Acquisition + Security Council (FASC). Supply chain incidents include compromises + or breaches that involve information technology products, system + components, development processes or personnel, distribution processes, + or warehousing facilities. Organizations determine the appropriate + information to share and consider the value gained from informing + external organizations about supply chain incidents, including + the ability to improve processes or to identify the root cause + of an incident. + - id: ir-6.3_obj + name: assessment-objective + props: + - name: label + value: IR-06(03) + class: sp800-53a + prose: incident information is provided to the provider of the product + or service and other organizations involved in the supply chain + or supply chain governance for systems or system components related + to the incident. + links: + - href: "#ir-6.3_smt" + rel: assessment-for + - id: ir-6.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-06(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing supply chain coordination and supply + chain risk information sharing with the Federal Acquisition + Security Council + + + acquisition policy + + + acquisition contracts + + + service-level agreements + + + incident response plan + + + supply chain risk management plan + + + system security plan + + + plans of other organizations involved in supply chain activities + + + other relevant documents or records + - id: ir-6.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-06(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident reporting + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organization personnel with acquisition responsibilities + - id: ir-6.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-06(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident reporting + + + organizational processes for supply chain risk information + sharing + + + mechanisms supporting and/or implementing the reporting of + incident information involved in the supply chain + - id: ir-7 + class: SP800-53 + title: Incident Response Assistance + props: + - name: label + value: IR-7 + - name: label + value: IR-07 + class: sp800-53a + - name: sort-id + value: ir-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#2be7b163-e50a-435c-8906-f1162f2a457a" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + - href: "#pm-22" + rel: related + - href: "#pm-26" + rel: related + - href: "#sa-9" + rel: related + - href: "#si-18" + rel: related + parts: + - id: ir-7_smt + name: statement + prose: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and + assistance to users of the system for the handling and reporting of + incidents. + - id: ir-7_gdn + name: guidance + prose: Incident response support resources provided by organizations + include help desks, assistance groups, automated ticketing systems + to open and track incident response tickets, and access to forensics + services or consumer redress services, when required. + - id: ir-7_obj + name: assessment-objective + props: + - name: label + value: IR-07 + class: sp800-53a + parts: + - id: ir-7_obj-1 + name: assessment-objective + props: + - name: label + value: IR-07[01] + class: sp800-53a + prose: an incident response support resource, integral to the organizational + incident response capability, is provided; + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_obj-2 + name: assessment-objective + props: + - name: label + value: IR-07[02] + class: sp800-53a + prose: the incident response support resource offers advice and + assistance to users of the system for the response and reporting + of incidents. + links: + - href: "#ir-7_smt" + rel: assessment-for + links: + - href: "#ir-7_smt" + rel: assessment-for + - id: ir-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response assistance + + incident response plan + + system security plan + + privacy plan + + other relevant documents or records + - id: ir-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response assistance + and support responsibilities + + + organizational personnel with access to incident response support + and assistance capability + + + organizational personnel with information security and privacy + responsibilities + - id: ir-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident response assistance + + + mechanisms supporting and/or implementing incident response assistance + controls: + - id: ir-7.1 + class: SP800-53-enhancement + title: Automation Support for Availability of Information and Support + params: + - id: ir-07.01_odp + label: automated mechanisms + guidelines: + - prose: automated mechanisms used to increase the availability + of incident response information and support are defined; + props: + - name: label + value: IR-7(1) + - name: label + value: IR-07(01) + class: sp800-53a + - name: sort-id + value: ir-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-7" + rel: required + parts: + - id: ir-7.1_smt + name: statement + prose: "Increase the availability of incident response information\ + \ and support using {{ insert: param, ir-07.01_odp }}." + - id: ir-7.1_gdn + name: guidance + prose: Automated mechanisms can provide a push or pull capability + for users to obtain incident response assistance. For example, + individuals may have access to a website to query the assistance + capability, or the assistance capability can proactively send + incident response information to users (general distribution or + targeted) as part of increasing understanding of current response + capabilities and support. + - id: ir-7.1_obj + name: assessment-objective + props: + - name: label + value: IR-07(01) + class: sp800-53a + prose: "the availability of incident response information and support\ + \ is increased using {{ insert: param, ir-07.01_odp }}." + links: + - href: "#ir-7.1_smt" + rel: assessment-for + - id: ir-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident response assistance + + + automated mechanisms supporting incident response support + and assistance + + + system design documentation + + + system configuration settings and associated documentation + + + incident response plan + + + system security plan + + + other relevant documents or records + - id: ir-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response support + and assistance responsibilities + + + organizational personnel with access to incident response + support and assistance capability + + + organizational personnel with information security responsibilities + - id: ir-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incident response + assistance + + + automated mechanisms supporting and/or implementing an increase + in the availability of incident response information and support + - id: ir-8 + class: SP800-53 + title: Incident Response Plan + params: + - id: ir-8_prm_5 + label: organization-defined incident response personnel (identified + by name and/or by role) and organizational elements + constraints: + - description: see additional FedRAMP Requirements and Guidance + - id: ir-08_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles that review and approve the incident response + plan is/are identified; + - id: ir-08_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and approve the incident + response plan is defined; + - id: ir-08_odp.03 + label: entities, personnel, or roles + guidelines: + - prose: entities, personnel, or roles with designated responsibility + for incident response are defined; + - id: ir-08_odp.04 + label: incident response personnel + constraints: + - description: see additional FedRAMP Requirements and Guidance + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom copies of the incident response plan are to be distributed + is/are defined; + - id: ir-08_odp.05 + label: organizational elements + guidelines: + - prose: organizational elements to which copies of the incident response + plan are to be distributed are defined; + - id: ir-08_odp.06 + label: incident response personnel + guidelines: + - prose: incident response personnel (identified by name and/or by + role) to whom changes to the incident response plan is/are communicated + are defined; + - id: ir-08_odp.07 + label: organizational elements + guidelines: + - prose: organizational elements to which changes to the incident + response plan are communicated are defined; + props: + - name: label + value: IR-8 + - name: label + value: IR-08 + class: sp800-53a + - name: sort-id + value: ir-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#5f4705ac-8d17-438c-b23a-ac7f12362ae4" + rel: reference + - href: "#ac-2" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#ir-9" + rel: related + - href: "#pe-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-8" + rel: related + parts: + - id: ir-8_smt + name: statement + parts: + - id: ir-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop an incident response plan that:" + parts: + - id: ir-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Provides the organization with a roadmap for implementing + its incident response capability; + - id: ir-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describes the structure and organization of the incident + response capability; + - id: ir-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Provides a high-level approach for how the incident response + capability fits into the overall organization; + - id: ir-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Meets the unique requirements of the organization, which + relate to mission, size, structure, and functions; + - id: ir-8_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Defines reportable incidents; + - id: ir-8_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provides metrics for measuring the incident response + capability within the organization; + - id: ir-8_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Defines the resources and management support needed to + effectively maintain and mature an incident response capability; + - id: ir-8_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Addresses the sharing of incident information; + - id: ir-8_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: "Is reviewed and approved by {{ insert: param, ir-08_odp.01\ + \ }} {{ insert: param, ir-08_odp.02 }} ; and" + - id: ir-8_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: "Explicitly designates responsibility for incident response\ + \ to {{ insert: param, ir-08_odp.03 }}." + - id: ir-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the incident response plan to {{ insert:\ + \ param, ir-08_odp.04 }};" + - id: ir-8_smt.c + name: item + props: + - name: label + value: c. + prose: Update the incident response plan to address system and organizational + changes or problems encountered during plan implementation, execution, + or testing; + - id: ir-8_smt.d + name: item + props: + - name: label + value: d. + prose: "Communicate incident response plan changes to {{ insert:\ + \ param, ir-8_prm_5 }} ; and" + - id: ir-8_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the incident response plan from unauthorized disclosure + and modification. + - id: ir-8_fr + name: item + title: IR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: ir-8_fr_smt.1 + name: item + props: + - name: label + value: "(b) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: The service provider defines a list of incident response + personnel (identified by name and/or by role) and organizational + elements. The incident response list includes designated FedRAMP + personnel. + - id: ir-8_gdn + name: guidance + prose: It is important that organizations develop and implement a coordinated + approach to incident response. Organizational mission and business + functions determine the structure of incident response capabilities. + As part of the incident response capabilities, organizations consider + the coordination and sharing of information with external organizations, + including external service providers and other organizations involved + in the supply chain. For incidents involving personally identifiable + information (i.e., breaches), include a process to determine whether + notice to oversight organizations or affected individuals is appropriate + and provide that notice accordingly. + - id: ir-8_obj + name: assessment-objective + props: + - name: label + value: IR-08 + class: sp800-53a + parts: + - id: ir-8_obj.a + name: assessment-objective + props: + - name: label + value: IR-08a. + class: sp800-53a + parts: + - id: ir-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: IR-08a.01 + class: sp800-53a + prose: an incident response plan is developed that provides + the organization with a roadmap for implementing its incident + response capability; + links: + - href: "#ir-8_smt.a.1" + rel: assessment-for + - id: ir-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: IR-08a.02 + class: sp800-53a + prose: an incident response plan is developed that describes + the structure and organization of the incident response capability; + links: + - href: "#ir-8_smt.a.2" + rel: assessment-for + - id: ir-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: IR-08a.03 + class: sp800-53a + prose: an incident response plan is developed that provides + a high-level approach for how the incident response capability + fits into the overall organization; + links: + - href: "#ir-8_smt.a.3" + rel: assessment-for + - id: ir-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: IR-08a.04 + class: sp800-53a + prose: an incident response plan is developed that meets the + unique requirements of the organization with regard to mission, + size, structure, and functions; + links: + - href: "#ir-8_smt.a.4" + rel: assessment-for + - id: ir-8_obj.a.5 + name: assessment-objective + props: + - name: label + value: IR-08a.05 + class: sp800-53a + prose: an incident response plan is developed that defines reportable + incidents; + links: + - href: "#ir-8_smt.a.5" + rel: assessment-for + - id: ir-8_obj.a.6 + name: assessment-objective + props: + - name: label + value: IR-08a.06 + class: sp800-53a + prose: an incident response plan is developed that provides + metrics for measuring the incident response capability within + the organization; + links: + - href: "#ir-8_smt.a.6" + rel: assessment-for + - id: ir-8_obj.a.7 + name: assessment-objective + props: + - name: label + value: IR-08a.07 + class: sp800-53a + prose: an incident response plan is developed that defines the + resources and management support needed to effectively maintain + and mature an incident response capability; + links: + - href: "#ir-8_smt.a.7" + rel: assessment-for + - id: ir-8_obj.a.8 + name: assessment-objective + props: + - name: label + value: IR-08a.08 + class: sp800-53a + prose: an incident response plan is developed that addresses + the sharing of incident information; + links: + - href: "#ir-8_smt.a.8" + rel: assessment-for + - id: ir-8_obj.a.9 + name: assessment-objective + props: + - name: label + value: IR-08a.09 + class: sp800-53a + prose: "an incident response plan is developed that is reviewed\ + \ and approved by {{ insert: param, ir-08_odp.01 }} {{ insert:\ + \ param, ir-08_odp.02 }};" + links: + - href: "#ir-8_smt.a.9" + rel: assessment-for + - id: ir-8_obj.a.10 + name: assessment-objective + props: + - name: label + value: IR-08a.10 + class: sp800-53a + prose: "an incident response plan is developed that explicitly\ + \ designates responsibility for incident response to {{ insert:\ + \ param, ir-08_odp.03 }}." + links: + - href: "#ir-8_smt.a.10" + rel: assessment-for + links: + - href: "#ir-8_smt.a" + rel: assessment-for + - id: ir-8_obj.b + name: assessment-objective + props: + - name: label + value: IR-08b. + class: sp800-53a + parts: + - id: ir-8_obj.b-1 + name: assessment-objective + props: + - name: label + value: IR-08b.[01] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.04 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.b-2 + name: assessment-objective + props: + - name: label + value: IR-08b.[02] + class: sp800-53a + prose: "copies of the incident response plan are distributed\ + \ to {{ insert: param, ir-08_odp.05 }};" + links: + - href: "#ir-8_smt.b" + rel: assessment-for + links: + - href: "#ir-8_smt.b" + rel: assessment-for + - id: ir-8_obj.c + name: assessment-objective + props: + - name: label + value: IR-08c. + class: sp800-53a + prose: the incident response plan is updated to address system and + organizational changes or problems encountered during plan implementation, + execution, or testing; + links: + - href: "#ir-8_smt.c" + rel: assessment-for + - id: ir-8_obj.d + name: assessment-objective + props: + - name: label + value: IR-08d. + class: sp800-53a + parts: + - id: ir-8_obj.d-1 + name: assessment-objective + props: + - name: label + value: IR-08d.[01] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.06 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.d-2 + name: assessment-objective + props: + - name: label + value: IR-08d.[02] + class: sp800-53a + prose: "incident response plan changes are communicated to {{\ + \ insert: param, ir-08_odp.07 }};" + links: + - href: "#ir-8_smt.d" + rel: assessment-for + links: + - href: "#ir-8_smt.d" + rel: assessment-for + - id: ir-8_obj.e + name: assessment-objective + props: + - name: label + value: IR-08e. + class: sp800-53a + parts: + - id: ir-8_obj.e-1 + name: assessment-objective + props: + - name: label + value: IR-08e.[01] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + disclosure; + links: + - href: "#ir-8_smt.e" + rel: assessment-for + - id: ir-8_obj.e-2 + name: assessment-objective + props: + - name: label + value: IR-08e.[02] + class: sp800-53a + prose: the incident response plan is protected from unauthorized + modification. + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt.e" + rel: assessment-for + links: + - href: "#ir-8_smt" + rel: assessment-for + - id: ir-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response planning + + incident response plan + + system security plan + + privacy plan + + records of incident response plan reviews and approvals + + other relevant documents or records + - id: ir-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response planning + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ir-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational incident response plan and related organizational + processes + - id: ir-9 + class: SP800-53 + title: Information Spillage Response + params: + - id: ir-09_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles assigned the responsibility for responding + to information spills is/are defined; + - id: ir-09_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted of the information spill + using a method of communication not associated with the spill + is/are defined; + - id: ir-09_odp.03 + label: actions + guidelines: + - prose: actions to be performed are defined; + props: + - name: label + value: IR-9 + - name: label + value: IR-09 + class: sp800-53a + - name: sort-id + value: ir-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#ir-6" + rel: related + - href: "#pm-26" + rel: related + - href: "#pm-27" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-7" + rel: related + parts: + - id: ir-9_smt + name: statement + prose: "Respond to information spills by:" + parts: + - id: ir-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility\ + \ for responding to information spills;" + - id: ir-9_smt.b + name: item + props: + - name: label + value: b. + prose: Identifying the specific information involved in the system + contamination; + - id: ir-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Alerting {{ insert: param, ir-09_odp.02 }} of the information\ + \ spill using a method of communication not associated with the\ + \ spill;" + - id: ir-9_smt.d + name: item + props: + - name: label + value: d. + prose: Isolating the contaminated system or system component; + - id: ir-9_smt.e + name: item + props: + - name: label + value: e. + prose: Eradicating the information from the contaminated system + or component; + - id: ir-9_smt.f + name: item + props: + - name: label + value: f. + prose: Identifying other systems or system components that may have + been subsequently contaminated; and + - id: ir-9_smt.g + name: item + props: + - name: label + value: g. + prose: "Performing the following additional actions: {{ insert:\ + \ param, ir-09_odp.03 }}." + - id: ir-9_gdn + name: guidance + prose: Information spillage refers to instances where information is + placed on systems that are not authorized to process such information. + Information spills occur when information that is thought to be a + certain classification or impact level is transmitted to a system + and subsequently is determined to be of a higher classification or + impact level. At that point, corrective action is required. The nature + of the response is based on the classification or impact level of + the spilled information, the security capabilities of the system, + the specific nature of the contaminated storage media, and the access + authorizations of individuals with authorized access to the contaminated + system. The methods used to communicate information about the spill + after the fact do not involve methods directly associated with the + actual spill to minimize the risk of further spreading the contamination + before such contamination is isolated and eradicated. + - id: ir-9_obj + name: assessment-objective + props: + - name: label + value: IR-09 + class: sp800-53a + parts: + - id: ir-9_obj.a + name: assessment-objective + props: + - name: label + value: IR-09a. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility\ + \ to respond to information spills;" + links: + - href: "#ir-9_smt.a" + rel: assessment-for + - id: ir-9_obj.b + name: assessment-objective + props: + - name: label + value: IR-09b. + class: sp800-53a + prose: the specific information involved in the system contamination + is identified in response to information spills; + links: + - href: "#ir-9_smt.b" + rel: assessment-for + - id: ir-9_obj.c + name: assessment-objective + props: + - name: label + value: IR-09c. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.02 }} is/are alerted of the\ + \ information spill using a method of communication not associated\ + \ with the spill;" + links: + - href: "#ir-9_smt.c" + rel: assessment-for + - id: ir-9_obj.d + name: assessment-objective + props: + - name: label + value: IR-09d. + class: sp800-53a + prose: the contaminated system or system component is isolated in + response to information spills; + links: + - href: "#ir-9_smt.d" + rel: assessment-for + - id: ir-9_obj.e + name: assessment-objective + props: + - name: label + value: IR-09e. + class: sp800-53a + prose: the information is eradicated from the contaminated system + or component in response to information spills; + links: + - href: "#ir-9_smt.e" + rel: assessment-for + - id: ir-9_obj.f + name: assessment-objective + props: + - name: label + value: IR-09f. + class: sp800-53a + prose: other systems or system components that may have been subsequently + contaminated are identified in response to information spills; + links: + - href: "#ir-9_smt.f" + rel: assessment-for + - id: ir-9_obj.g + name: assessment-objective + props: + - name: label + value: IR-09g. + class: sp800-53a + prose: " {{ insert: param, ir-09_odp.03 }} are performed in response\ + \ to information spills." + links: + - href: "#ir-9_smt.g" + rel: assessment-for + links: + - href: "#ir-9_smt" + rel: assessment-for + - id: ir-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing information spillage + + + incident response plan + + + system security plan + + + records of information spillage alerts/notifications + + + list of personnel who should receive alerts of information spillage + + + list of actions to be performed regarding information spillage + + + other relevant documents or records + - id: ir-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for information spillage response + + + mechanisms supporting and/or implementing information spillage + response actions and related communications + controls: + - id: ir-9.2 + class: SP800-53-enhancement + title: Training + params: + - id: ir-09.02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to provide information spillage response + training is defined; + props: + - name: label + value: IR-9(2) + - name: label + value: IR-09(02) + class: sp800-53a + - name: sort-id + value: ir-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cp-3" + rel: related + - href: "#ir-2" + rel: related + parts: + - id: ir-9.2_smt + name: statement + prose: "Provide information spillage response training {{ insert:\ + \ param, ir-09.02_odp }}." + - id: ir-9.2_gdn + name: guidance + prose: Organizations establish requirements for responding to information + spillage incidents in incident response plans. Incident response + training on a regular basis helps to ensure that organizational + personnel understand their individual responsibilities and what + specific actions to take when spillage incidents occur. + - id: ir-9.2_obj + name: assessment-objective + props: + - name: label + value: IR-09(02) + class: sp800-53a + prose: "information spillage response training is provided {{ insert:\ + \ param, ir-09.02_odp }}." + links: + - href: "#ir-9.2_smt" + rel: assessment-for + - id: ir-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing information spillage response training + + + information spillage response training curriculum + + + information spillage response training materials + + + incident response plan + + + system security plan + + + information spillage response training records + + + other relevant documents or records + - id: ir-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response training + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.3 + class: SP800-53-enhancement + title: Post-spill Operations + params: + - id: ir-09.03_odp + label: procedures + guidelines: + - prose: procedures to be implemented to ensure that organizational + personnel impacted by information spills can continue to carry + out assigned tasks while contaminated systems are undergoing + corrective actions are defined; + props: + - name: label + value: IR-9(3) + - name: label + value: IR-09(03) + class: sp800-53a + - name: sort-id + value: ir-09.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + parts: + - id: ir-9.3_smt + name: statement + prose: "Implement the following procedures to ensure that organizational\ + \ personnel impacted by information spills can continue to carry\ + \ out assigned tasks while contaminated systems are undergoing\ + \ corrective actions: {{ insert: param, ir-09.03_odp }}." + - id: ir-9.3_gdn + name: guidance + prose: Corrective actions for systems contaminated due to information + spillages may be time-consuming. Personnel may not have access + to the contaminated systems while corrective actions are being + taken, which may potentially affect their ability to conduct organizational + business. + - id: ir-9.3_obj + name: assessment-objective + props: + - name: label + value: IR-09(03) + class: sp800-53a + prose: " {{ insert: param, ir-09.03_odp }} are implemented to ensure\ + \ that organizational personnel impacted by information spills\ + \ can continue to carry out assigned tasks while contaminated\ + \ systems are undergoing corrective actions." + links: + - href: "#ir-9.3_smt" + rel: assessment-for + - id: ir-9.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Incident response policy + + procedures addressing incident response + + procedures addressing information spillage + + incident response plan + + system security plan + + other relevant documents or records + - id: ir-9.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for post-spill operations + - id: ir-9.4 + class: SP800-53-enhancement + title: Exposure to Unauthorized Personnel + params: + - id: ir-09.04_odp + label: controls + guidelines: + - prose: controls employed for personnel exposed to information + not within assigned access authorizations are defined; + props: + - name: label + value: IR-9(4) + - name: label + value: IR-09(04) + class: sp800-53a + - name: sort-id + value: ir-09.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ir-9" + rel: required + parts: + - id: ir-9.4_smt + name: statement + prose: "Employ the following controls for personnel exposed to information\ + \ not within assigned access authorizations: {{ insert: param,\ + \ ir-09.04_odp }}." + - id: ir-9.4_gdn + name: guidance + prose: Controls include ensuring that personnel who are exposed + to spilled information are made aware of the laws, executive orders, + directives, regulations, policies, standards, and guidelines regarding + the information and the restrictions imposed based on exposure + to such information. + - id: ir-9.4_obj + name: assessment-objective + props: + - name: label + value: IR-09(04) + class: sp800-53a + prose: " {{ insert: param, ir-09.04_odp }} are employed for personnel\ + \ exposed to information not within assigned access authorizations." + links: + - href: "#ir-9.4_smt" + rel: assessment-for + - id: ir-9.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: IR-09(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Incident response policy + + + procedures addressing incident response + + + procedures addressing information spillage + + + incident response plan + + + system security plan + + + security safeguards regarding information spillage/exposure + to unauthorized personnel + + + other relevant documents or records + - id: ir-9.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: IR-09(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with incident response + responsibilities + + + organizational personnel with information security responsibilities + - id: ir-9.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: IR-09(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for dealing with information + exposed to unauthorized personnel + + + mechanisms supporting and/or implementing safeguards for personnel + exposed to information not within assigned access authorizations + - id: ma + class: family + title: Maintenance + controls: + - id: ma-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ma-1_prm_1 + label: organization-defined personnel or roles + - id: ma-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance policy is to be + disseminated is/are defined; + - id: ma-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the maintenance procedures are + to be disseminated is/are defined; + - id: ma-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ma-01_odp.04 + label: official + guidelines: + - prose: an official to manage the maintenance policy and procedures + is defined; + - id: ma-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current maintenance policy is + reviewed and updated is defined; + - id: ma-01_odp.06 + label: events + guidelines: + - prose: events that would require the current maintenance policy + to be reviewed and updated are defined; + - id: ma-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current maintenance procedures + are reviewed and updated is defined; + - id: ma-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the maintenance procedures to be + reviewed and updated are defined; + props: + - name: label + value: MA-1 + - name: label + value: MA-01 + class: sp800-53a + - name: sort-id + value: ma-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ma-1_smt + name: statement + parts: + - id: ma-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ma-1_prm_1 }}:" + parts: + - id: ma-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ma-01_odp.03 }} maintenance policy\ + \ that:" + parts: + - id: ma-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ma-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ma-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the maintenance + policy and the associated maintenance controls; + - id: ma-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ma-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures; and" + - id: ma-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current maintenance:" + parts: + - id: ma-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ma-01_odp.05 }} and following\ + \ {{ insert: param, ma-01_odp.06 }} ; and" + - id: ma-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ma-01_odp.07 }} and following\ + \ {{ insert: param, ma-01_odp.08 }}." + - id: ma-1_gdn + name: guidance + prose: Maintenance policy and procedures address the controls in the + MA family that are implemented within systems and organizations. The + risk management strategy is an important factor in establishing such + policies and procedures. Policies and procedures contribute to security + and privacy assurance. Therefore, it is important that security and + privacy programs collaborate on the development of maintenance policy + and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to maintenance policy and procedures assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ma-1_obj + name: assessment-objective + props: + - name: label + value: MA-01 + class: sp800-53a + parts: + - id: ma-1_obj.a + name: assessment-objective + props: + - name: label + value: MA-01a. + class: sp800-53a + parts: + - id: ma-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.[01] + class: sp800-53a + prose: a maintenance policy is developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.[02] + class: sp800-53a + prose: "the maintenance policy is disseminated to {{ insert:\ + \ param, ma-01_odp.01 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.[03] + class: sp800-53a + prose: maintenance procedures to facilitate the implementation + of the maintenance policy and associated maintenance controls + are developed and documented; + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.[04] + class: sp800-53a + prose: "the maintenance procedures are disseminated to {{ insert:\ + \ param, ma-01_odp.02 }};" + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MA-01a.01 + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MA-01a.01(a) + class: sp800-53a + parts: + - id: ma-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses purpose;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses scope;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses roles;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses responsibilities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses management commitment;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy addresses compliance;" + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1.a" + rel: assessment-for + - id: ma-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.03 }} maintenance\ + \ policy is consistent with applicable laws, Executive\ + \ Orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ma-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ma-1_smt.a.1" + rel: assessment-for + links: + - href: "#ma-1_smt.a" + rel: assessment-for + - id: ma-1_obj.b + name: assessment-objective + props: + - name: label + value: MA-01b. + class: sp800-53a + prose: "the {{ insert: param, ma-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the maintenance\ + \ policy and procedures;" + links: + - href: "#ma-1_smt.b" + rel: assessment-for + - id: ma-1_obj.c + name: assessment-objective + props: + - name: label + value: MA-01c. + class: sp800-53a + parts: + - id: ma-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MA-01c.01 + class: sp800-53a + parts: + - id: ma-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MA-01c.01[01] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ {{ insert: param, ma-01_odp.05 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MA-01c.01[02] + class: sp800-53a + prose: "the current maintenance policy is reviewed and updated\ + \ following {{ insert: param, ma-01_odp.06 }};" + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + links: + - href: "#ma-1_smt.c.1" + rel: assessment-for + - id: ma-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MA-01c.02 + class: sp800-53a + parts: + - id: ma-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MA-01c.02[01] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated {{ insert: param, ma-01_odp.07 }};" + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + - id: ma-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MA-01c.02[02] + class: sp800-53a + prose: "the current maintenance procedures are reviewed\ + \ and updated following {{ insert: param, ma-01_odp.08\ + \ }}." + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c.2" + rel: assessment-for + links: + - href: "#ma-1_smt.c" + rel: assessment-for + links: + - href: "#ma-1_smt" + rel: assessment-for + - id: ma-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: ma-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with maintenance responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ma-2 + class: SP800-53 + title: Controlled Maintenance + params: + - id: ma-02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles required to explicitly approve the removal + of the system or system components from organizational facilities + for off-site maintenance or repairs is/are defined; + - id: ma-02_odp.02 + label: information + guidelines: + - prose: information to be removed from associated media prior to + removal from organizational facilities for off-site maintenance, + repair, or replacement is defined; + - id: ma-02_odp.03 + label: information + guidelines: + - prose: information to be included in organizational maintenance + records is defined; + props: + - name: label + value: MA-2 + - name: label + value: MA-02 + class: sp800-53a + - name: sort-id + value: ma-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ma-2_smt + name: statement + parts: + - id: ma-2_smt.a + name: item + props: + - name: label + value: a. + prose: Schedule, document, and review records of maintenance, repair, + and replacement on system components in accordance with manufacturer + or vendor specifications and/or organizational requirements; + - id: ma-2_smt.b + name: item + props: + - name: label + value: b. + prose: Approve and monitor all maintenance activities, whether performed + on site or remotely and whether the system or system components + are serviced on site or removed to another location; + - id: ma-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Require that {{ insert: param, ma-02_odp.01 }} explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + - id: ma-2_smt.d + name: item + props: + - name: label + value: d. + prose: "Sanitize equipment to remove the following information from\ + \ associated media prior to removal from organizational facilities\ + \ for off-site maintenance, repair, or replacement: {{ insert:\ + \ param, ma-02_odp.02 }};" + - id: ma-2_smt.e + name: item + props: + - name: label + value: e. + prose: Check all potentially impacted controls to verify that the + controls are still functioning properly following maintenance, + repair, or replacement actions; and + - id: ma-2_smt.f + name: item + props: + - name: label + value: f. + prose: "Include the following information in organizational maintenance\ + \ records: {{ insert: param, ma-02_odp.03 }}." + - id: ma-2_gdn + name: guidance + prose: Controlling system maintenance addresses the information security + aspects of the system maintenance program and applies to all types + of maintenance to system components conducted by local or nonlocal + entities. Maintenance includes peripherals such as scanners, copiers, + and printers. Information necessary for creating effective maintenance + records includes the date and time of maintenance, a description of + the maintenance performed, names of the individuals or group performing + the maintenance, name of the escort, and system components or equipment + that are removed or replaced. Organizations consider supply chain-related + risks associated with replacement components for systems. + - id: ma-2_obj + name: assessment-objective + props: + - name: label + value: MA-02 + class: sp800-53a + parts: + - id: ma-2_obj.a + name: assessment-objective + props: + - name: label + value: MA-02a. + class: sp800-53a + parts: + - id: ma-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-02a.[01] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are scheduled in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-02a.[02] + class: sp800-53a + prose: maintenance, repair, and replacement of system components + are documented in accordance with manufacturer or vendor specifications + and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-02a.[03] + class: sp800-53a + prose: records of maintenance, repair, and replacement of system + components are reviewed in accordance with manufacturer or + vendor specifications and/or organizational requirements; + links: + - href: "#ma-2_smt.a" + rel: assessment-for + links: + - href: "#ma-2_smt.a" + rel: assessment-for + - id: ma-2_obj.b + name: assessment-objective + props: + - name: label + value: MA-02b. + class: sp800-53a + parts: + - id: ma-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-02b.[01] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are approved; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-02b.[02] + class: sp800-53a + prose: all maintenance activities, whether performed on site + or remotely and whether the system or system components are + serviced on site or removed to another location, are monitored; + links: + - href: "#ma-2_smt.b" + rel: assessment-for + links: + - href: "#ma-2_smt.b" + rel: assessment-for + - id: ma-2_obj.c + name: assessment-objective + props: + - name: label + value: MA-02c. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly\ + \ approve the removal of the system or system components from\ + \ organizational facilities for off-site maintenance, repair,\ + \ or replacement;" + links: + - href: "#ma-2_smt.c" + rel: assessment-for + - id: ma-2_obj.d + name: assessment-objective + props: + - name: label + value: MA-02d. + class: sp800-53a + prose: "equipment is sanitized to remove {{ insert: param, ma-02_odp.02\ + \ }} from associated media prior to removal from organizational\ + \ facilities for off-site maintenance, repair, or replacement;" + links: + - href: "#ma-2_smt.d" + rel: assessment-for + - id: ma-2_obj.e + name: assessment-objective + props: + - name: label + value: MA-02e. + class: sp800-53a + prose: all potentially impacted controls are checked to verify that + the controls are still functioning properly following maintenance, + repair, or replacement actions; + links: + - href: "#ma-2_smt.e" + rel: assessment-for + - id: ma-2_obj.f + name: assessment-objective + props: + - name: label + value: MA-02f. + class: sp800-53a + prose: " {{ insert: param, ma-02_odp.03 }} is included in organizational\ + \ maintenance records." + links: + - href: "#ma-2_smt.f" + rel: assessment-for + links: + - href: "#ma-2_smt" + rel: assessment-for + - id: ma-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing controlled system maintenance + + maintenance records + + manufacturer/vendor maintenance specifications + + equipment sanitization records + + media sanitization records + + system security plan + + other relevant documents or records + - id: ma-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for scheduling, performing, + documenting, reviewing, approving, and monitoring + maintenance and repairs for the system + + + organizational processes for sanitizing system components + + + mechanisms supporting and/or implementing controlled maintenance + + + mechanisms implementing the sanitization of system components + - id: ma-3 + class: SP800-53 + title: Maintenance Tools + params: + - id: ma-03_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review previously approved system maintenance + tools is defined; + props: + - name: label + value: MA-3 + - name: label + value: MA-03 + class: sp800-53a + - name: sort-id + value: ma-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ma-2" + rel: related + - href: "#pe-16" + rel: related + parts: + - id: ma-3_smt + name: statement + parts: + - id: ma-3_smt.a + name: item + props: + - name: label + value: a. + prose: Approve, control, and monitor the use of system maintenance + tools; and + - id: ma-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Review previously approved system maintenance tools {{ insert:\ + \ param, ma-03_odp }}." + - id: ma-3_gdn + name: guidance + prose: Approving, controlling, monitoring, and reviewing maintenance + tools address security-related issues associated with maintenance + tools that are not within system authorization boundaries and are + used specifically for diagnostic and repair actions on organizational + systems. Organizations have flexibility in determining roles for the + approval of maintenance tools and how that approval is documented. + A periodic review of maintenance tools facilitates the withdrawal + of approval for outdated, unsupported, irrelevant, or no-longer-used + tools. Maintenance tools can include hardware, software, and firmware + items and may be pre-installed, brought in with maintenance personnel + on media, cloud-based, or downloaded from a website. Such tools can + be vehicles for transporting malicious code, either intentionally + or unintentionally, into a facility and subsequently into systems. + Maintenance tools can include hardware and software diagnostic test + equipment and packet sniffers. The hardware and software components + that support maintenance and are a part of the system (including the + software implementing utilities such as "ping," "ls," "ipconfig," + or the hardware and software implementing the monitoring port of an + Ethernet switch) are not addressed by maintenance tools. + - id: ma-3_obj + name: assessment-objective + props: + - name: label + value: MA-03 + class: sp800-53a + parts: + - id: ma-3_obj.a + name: assessment-objective + props: + - name: label + value: MA-03a. + class: sp800-53a + parts: + - id: ma-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-03a.[01] + class: sp800-53a + prose: the use of system maintenance tools is approved; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-03a.[02] + class: sp800-53a + prose: the use of system maintenance tools is controlled; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.a-3 + name: assessment-objective + props: + - name: label + value: MA-03a.[03] + class: sp800-53a + prose: the use of system maintenance tools is monitored; + links: + - href: "#ma-3_smt.a" + rel: assessment-for + links: + - href: "#ma-3_smt.a" + rel: assessment-for + - id: ma-3_obj.b + name: assessment-objective + props: + - name: label + value: MA-03b. + class: sp800-53a + prose: "previously approved system maintenance tools are reviewed\ + \ {{ insert: param, ma-03_odp }}." + links: + - href: "#ma-3_smt.b" + rel: assessment-for + links: + - href: "#ma-3_smt" + rel: assessment-for + - id: ma-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for approving, controlling, and + monitoring maintenance tools + + + mechanisms supporting and/or implementing the approval, control, + and/or monitoring of maintenance tools + controls: + - id: ma-3.1 + class: SP800-53-enhancement + title: Inspect Tools + props: + - name: label + value: MA-3(1) + - name: label + value: MA-03(01) + class: sp800-53a + - name: sort-id + value: ma-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#si-7" + rel: related + parts: + - id: ma-3.1_smt + name: statement + prose: Inspect the maintenance tools used by maintenance personnel + for improper or unauthorized modifications. + - id: ma-3.1_gdn + name: guidance + prose: Maintenance tools can be directly brought into a facility + by maintenance personnel or downloaded from a vendor’s website. + If, upon inspection of the maintenance tools, organizations determine + that the tools have been modified in an improper manner or the + tools contain malicious code, the incident is handled consistent + with organizational policies and procedures for incident handling. + - id: ma-3.1_obj + name: assessment-objective + props: + - name: label + value: MA-03(01) + class: sp800-53a + prose: maintenance tools used by maintenance personnel are inspected + for improper or unauthorized modifications. + links: + - href: "#ma-3.1_smt" + rel: assessment-for + - id: ma-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance tool inspection records + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for inspecting maintenance + tools + + + mechanisms supporting and/or implementing the inspection of + maintenance tools + - id: ma-3.2 + class: SP800-53-enhancement + title: Inspect Media + props: + - name: label + value: MA-3(2) + - name: label + value: MA-03(02) + class: sp800-53a + - name: sort-id + value: ma-03.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#si-3" + rel: related + parts: + - id: ma-3.2_smt + name: statement + prose: Check media containing diagnostic and test programs for malicious + code before the media are used in the system. + - id: ma-3.2_gdn + name: guidance + prose: If, upon inspection of media containing maintenance, diagnostic, + and test programs, organizations determine that the media contains + malicious code, the incident is handled consistent with organizational + incident handling policies and procedures. + - id: ma-3.2_obj + name: assessment-objective + props: + - name: label + value: MA-03(02) + class: sp800-53a + prose: media containing diagnostic and test programs are checked + for malicious code before the media are used in the system. + links: + - href: "#ma-3.2_smt" + rel: assessment-for + - id: ma-3.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + system security plan + + other relevant documents or records + - id: ma-3.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-3.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for inspecting media for + malicious code + + + mechanisms supporting and/or implementing the inspection of + media used for maintenance + - id: ma-3.3 + class: SP800-53-enhancement + title: Prevent Unauthorized Removal + params: + - id: ma-03.03_odp + label: personnel or roles + constraints: + - description: the information owner + guidelines: + - prose: personnel or roles who can authorize removal of equipment + from the facility is/are defined; + props: + - name: label + value: MA-3(3) + - name: label + value: MA-03(03) + class: sp800-53a + - name: sort-id + value: ma-03.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-3" + rel: required + - href: "#mp-6" + rel: related + parts: + - id: ma-3.3_smt + name: statement + prose: "Prevent the removal of maintenance equipment containing\ + \ organizational information by:" + parts: + - id: ma-3.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Verifying that there is no organizational information + contained on the equipment; + - id: ma-3.3_smt.b + name: item + props: + - name: label + value: (b) + prose: Sanitizing or destroying the equipment; + - id: ma-3.3_smt.c + name: item + props: + - name: label + value: (c) + prose: Retaining the equipment within the facility; or + - id: ma-3.3_smt.d + name: item + props: + - name: label + value: (d) + prose: "Obtaining an exemption from {{ insert: param, ma-03.03_odp\ + \ }} explicitly authorizing removal of the equipment from\ + \ the facility." + - id: ma-3.3_gdn + name: guidance + prose: Organizational information includes all information owned + by organizations and any information provided to organizations + for which the organizations serve as information stewards. + - id: ma-3.3_obj + name: assessment-objective + props: + - name: label + value: MA-03(03) + class: sp800-53a + parts: + - id: ma-3.3_obj.a + name: assessment-objective + props: + - name: label + value: MA-03(03)(a) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by verifying that there is no organizational + information contained on the equipment; or + links: + - href: "#ma-3.3_smt.a" + rel: assessment-for + - id: ma-3.3_obj.b + name: assessment-objective + props: + - name: label + value: MA-03(03)(b) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by sanitizing or destroying the equipment; + or + links: + - href: "#ma-3.3_smt.b" + rel: assessment-for + - id: ma-3.3_obj.c + name: assessment-objective + props: + - name: label + value: MA-03(03)(c) + class: sp800-53a + prose: the removal of maintenance equipment containing organizational + information is prevented by retaining the equipment within + the facility; or + links: + - href: "#ma-3.3_smt.c" + rel: assessment-for + - id: ma-3.3_obj.d + name: assessment-objective + props: + - name: label + value: MA-03(03)(d) + class: sp800-53a + prose: "the removal of maintenance equipment containing organizational\ + \ information is prevented by obtaining an exemption from\ + \ {{ insert: param, ma-03.03_odp }} explicitly authorizing\ + \ removal of the equipment from the facility." + links: + - href: "#ma-3.3_smt.d" + rel: assessment-for + links: + - href: "#ma-3.3_smt" + rel: assessment-for + - id: ma-3.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-03(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance tools + + system maintenance tools and associated documentation + + maintenance records + + equipment sanitization records + + media sanitization records + + exemptions for equipment removal + + system security plan + + other relevant documents or records + - id: ma-3.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-03(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + - id: ma-3.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-03(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for preventing unauthorized + removal of information + + + mechanisms supporting media sanitization or destruction of + equipment + + + mechanisms supporting verification of media sanitization + - id: ma-4 + class: SP800-53 + title: Nonlocal Maintenance + props: + - name: label + value: MA-4 + - name: label + value: MA-04 + class: sp800-53a + - name: sort-id + value: ma-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-5" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-10" + rel: related + parts: + - id: ma-4_smt + name: statement + parts: + - id: ma-4_smt.a + name: item + props: + - name: label + value: a. + prose: Approve and monitor nonlocal maintenance and diagnostic activities; + - id: ma-4_smt.b + name: item + props: + - name: label + value: b. + prose: Allow the use of nonlocal maintenance and diagnostic tools + only as consistent with organizational policy and documented in + the security plan for the system; + - id: ma-4_smt.c + name: item + props: + - name: label + value: c. + prose: Employ strong authentication in the establishment of nonlocal + maintenance and diagnostic sessions; + - id: ma-4_smt.d + name: item + props: + - name: label + value: d. + prose: Maintain records for nonlocal maintenance and diagnostic + activities; and + - id: ma-4_smt.e + name: item + props: + - name: label + value: e. + prose: Terminate session and network connections when nonlocal maintenance + is completed. + - id: ma-4_gdn + name: guidance + prose: Nonlocal maintenance and diagnostic activities are conducted + by individuals who communicate through either an external or internal + network. Local maintenance and diagnostic activities are carried out + by individuals who are physically present at the system location and + not communicating across a network connection. Authentication techniques + used to establish nonlocal maintenance and diagnostic sessions reflect + the network access requirements in [IA-2](#ia-2) . Strong authentication + requires authenticators that are resistant to replay attacks and employ + multi-factor authentication. Strong authenticators include PKI where + certificates are stored on a token protected by a password, passphrase, + or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, + in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) + provides additional guidance on strong authentication and authenticators. + - id: ma-4_obj + name: assessment-objective + props: + - name: label + value: MA-04 + class: sp800-53a + parts: + - id: ma-4_obj.a + name: assessment-objective + props: + - name: label + value: MA-04a. + class: sp800-53a + parts: + - id: ma-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-04a.[01] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are approved; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-04a.[02] + class: sp800-53a + prose: nonlocal maintenance and diagnostic activities are monitored; + links: + - href: "#ma-4_smt.a" + rel: assessment-for + links: + - href: "#ma-4_smt.a" + rel: assessment-for + - id: ma-4_obj.b + name: assessment-objective + props: + - name: label + value: MA-04b. + class: sp800-53a + parts: + - id: ma-4_obj.b-1 + name: assessment-objective + props: + - name: label + value: MA-04b.[01] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are allowed only as consistent with organizational policy; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.b-2 + name: assessment-objective + props: + - name: label + value: MA-04b.[02] + class: sp800-53a + prose: the use of nonlocal maintenance and diagnostic tools + are documented in the security plan for the system; + links: + - href: "#ma-4_smt.b" + rel: assessment-for + links: + - href: "#ma-4_smt.b" + rel: assessment-for + - id: ma-4_obj.c + name: assessment-objective + props: + - name: label + value: MA-04c. + class: sp800-53a + prose: strong authentication is employed in the establishment of + nonlocal maintenance and diagnostic sessions; + links: + - href: "#ma-4_smt.c" + rel: assessment-for + - id: ma-4_obj.d + name: assessment-objective + props: + - name: label + value: MA-04d. + class: sp800-53a + prose: records for nonlocal maintenance and diagnostic activities + are maintained; + links: + - href: "#ma-4_smt.d" + rel: assessment-for + - id: ma-4_obj.e + name: assessment-objective + props: + - name: label + value: MA-04e. + class: sp800-53a + parts: + - id: ma-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: MA-04e.[01] + class: sp800-53a + prose: session connections are terminated when nonlocal maintenance + is completed; + links: + - href: "#ma-4_smt.e" + rel: assessment-for + - id: ma-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: MA-04e.[02] + class: sp800-53a + prose: network connections are terminated when nonlocal maintenance + is completed. + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt.e" + rel: assessment-for + links: + - href: "#ma-4_smt" + rel: assessment-for + - id: ma-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing nonlocal system maintenance + + remote access policy + + remote access procedures + + system design documentation + + system configuration settings and associated documentation + + maintenance records + + records of remote access + + diagnostic records + + system security plan + + other relevant documents or records + - id: ma-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing nonlocal maintenance + + + mechanisms implementing, supporting, and/or managing nonlocal + maintenance + + + mechanisms for strong authentication of nonlocal maintenance diagnostic + sessions + + + mechanisms for terminating nonlocal maintenance sessions and network + connections + - id: ma-5 + class: SP800-53 + title: Maintenance Personnel + props: + - name: label + value: MA-5 + - name: label + value: MA-05 + class: sp800-53a + - name: sort-id + value: ma-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-5" + rel: related + - href: "#ac-6" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + parts: + - id: ma-5_smt + name: statement + parts: + - id: ma-5_smt.a + name: item + props: + - name: label + value: a. + prose: Establish a process for maintenance personnel authorization + and maintain a list of authorized maintenance organizations or + personnel; + - id: ma-5_smt.b + name: item + props: + - name: label + value: b. + prose: Verify that non-escorted personnel performing maintenance + on the system possess the required access authorizations; and + - id: ma-5_smt.c + name: item + props: + - name: label + value: c. + prose: Designate organizational personnel with required access authorizations + and technical competence to supervise the maintenance activities + of personnel who do not possess the required access authorizations. + - id: ma-5_gdn + name: guidance + prose: Maintenance personnel refers to individuals who perform hardware + or software maintenance on organizational systems, while [PE-2](#pe-2) + addresses physical access for individuals whose maintenance duties + place them within the physical protection perimeter of the systems. + Technical competence of supervising individuals relates to the maintenance + performed on the systems, while having required access authorizations + refers to maintenance on and near the systems. Individuals not previously + identified as authorized maintenance personnel—such as information + technology manufacturers, vendors, systems integrators, and consultants—may + require privileged access to organizational systems, such as when + they are required to conduct maintenance activities with little or + no notice. Based on organizational assessments of risk, organizations + may issue temporary credentials to these individuals. Temporary credentials + may be for one-time use or for very limited time periods. + - id: ma-5_obj + name: assessment-objective + props: + - name: label + value: MA-05 + class: sp800-53a + parts: + - id: ma-5_obj.a + name: assessment-objective + props: + - name: label + value: MA-05a. + class: sp800-53a + parts: + - id: ma-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MA-05a.[01] + class: sp800-53a + prose: a process for maintenance personnel authorization is + established; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MA-05a.[02] + class: sp800-53a + prose: a list of authorized maintenance organizations or personnel + is maintained; + links: + - href: "#ma-5_smt.a" + rel: assessment-for + links: + - href: "#ma-5_smt.a" + rel: assessment-for + - id: ma-5_obj.b + name: assessment-objective + props: + - name: label + value: MA-05b. + class: sp800-53a + prose: non-escorted personnel performing maintenance on the system + possess the required access authorizations; + links: + - href: "#ma-5_smt.b" + rel: assessment-for + - id: ma-5_obj.c + name: assessment-objective + props: + - name: label + value: MA-05c. + class: sp800-53a + prose: organizational personnel with required access authorizations + and technical competence is/are designated to supervise the maintenance + activities of personnel who do not possess the required access + authorizations. + links: + - href: "#ma-5_smt.c" + rel: assessment-for + links: + - href: "#ma-5_smt" + rel: assessment-for + - id: ma-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing maintenance personnel + + service provider contracts + + service-level agreements + + list of authorized personnel + + maintenance records + + access control records + + system security plan + + other relevant documents or records + - id: ma-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with information security responsibilities + - id: ma-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for authorizing and managing + maintenance personnel + + + mechanisms supporting and/or implementing authorization of maintenance + personnel + controls: + - id: ma-5.1 + class: SP800-53-enhancement + title: Individuals Without Appropriate Access + params: + - id: ma-05.01_odp + label: alternate controls + guidelines: + - prose: alternate controls to be developed and implemented in + the event that a system component cannot be sanitized, removed, + or disconnected from the system are defined; + props: + - name: label + value: MA-5(1) + - name: label + value: MA-05(01) + class: sp800-53a + - name: sort-id + value: ma-05.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ma-5" + rel: required + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + parts: + - id: ma-5.1_smt + name: statement + parts: + - id: ma-5.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Implement procedures for the use of maintenance personnel\ + \ that lack appropriate security clearances or are not U.S.\ + \ citizens, that include the following requirements:" + parts: + - id: ma-5.1_smt.a.1 + name: item + props: + - name: label + value: (1) + prose: Maintenance personnel who do not have needed access + authorizations, clearances, or formal access approvals + are escorted and supervised during the performance of + maintenance and diagnostic activities on the system by + approved organizational personnel who are fully cleared, + have appropriate access authorizations, and are technically + qualified; and + - id: ma-5.1_smt.a.2 + name: item + props: + - name: label + value: (2) + prose: Prior to initiating maintenance or diagnostic activities + by personnel who do not have needed access authorizations, + clearances or formal access approvals, all volatile information + storage components within the system are sanitized and + all nonvolatile storage media are removed or physically + disconnected from the system and secured; and + - id: ma-5.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Develop and implement {{ insert: param, ma-05.01_odp\ + \ }} in the event a system component cannot be sanitized,\ + \ removed, or disconnected from the system." + - id: ma-5.1_fr + name: item + title: MA-5 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: ma-5.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Only MA-5 (1) (a) (1) is required by FedRAMP Moderate + Baseline + - id: ma-5.1_gdn + name: guidance + prose: Procedures for individuals who lack appropriate security + clearances or who are not U.S. citizens are intended to deny visual + and electronic access to classified or controlled unclassified + information contained on organizational systems. Procedures for + the use of maintenance personnel can be documented in security + plans for the systems. + - id: ma-5.1_obj + name: assessment-objective + props: + - name: label + value: MA-05(01) + class: sp800-53a + parts: + - id: ma-5.1_obj.a + name: assessment-objective + props: + - name: label + value: MA-05(01)(a) + class: sp800-53a + parts: + - id: ma-5.1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MA-05(01)(a)(01) + class: sp800-53a + prose: procedures for the use of maintenance personnel who + lack appropriate security clearances or are not U.S. citizens + are implemented and include approved organizational personnel + who are fully cleared, have appropriate access authorizations, + and are technically qualified escorting and supervising + maintenance personnel without the needed access authorization + during the performance of maintenance and diagnostic activities; + links: + - href: "#ma-5.1_smt.a.1" + rel: assessment-for + - id: ma-5.1_obj.a.2 + name: assessment-objective + props: + - name: label + value: MA-05(01)(a)(02) + class: sp800-53a + prose: procedures for the use of maintenance personnel who + lack appropriate security clearances or are not U.S. citizens + are implemented and include all volatile information storage + components within the system being sanitized and all non-volatile + storage media being removed or physically disconnected + from the system and secured prior to initiating maintenance + or diagnostic activities; + links: + - href: "#ma-5.1_smt.a.2" + rel: assessment-for + links: + - href: "#ma-5.1_smt.a" + rel: assessment-for + - id: ma-5.1_obj.b + name: assessment-objective + props: + - name: label + value: MA-05(01)(b) + class: sp800-53a + prose: " {{ insert: param, ma-05.01_odp }} are developed and\ + \ implemented in the event that a system cannot be sanitized,\ + \ removed, or disconnected from the system." + links: + - href: "#ma-5.1_smt.b" + rel: assessment-for + links: + - href: "#ma-5.1_smt" + rel: assessment-for + - id: ma-5.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-05(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Maintenance policy + + + procedures addressing maintenance personnel + + + system media protection policy + + + physical and environmental protection policy + + + list of maintenance personnel requiring escort/supervision + + + maintenance records + + + access control records + + + system security plan + + + other relevant documents or records + - id: ma-5.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-05(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with personnel security responsibilities + + + organizational personnel with physical access control responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for media sanitization + + + system/network administrators + - id: ma-5.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-05(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing maintenance + personnel without appropriate access + + + mechanisms supporting and/or implementing alternative security + safeguards + + + mechanisms supporting and/or implementing information storage + component sanitization + - id: ma-6 + class: SP800-53 + title: Timely Maintenance + params: + - id: ma-06_odp.01 + label: system components + guidelines: + - prose: system components for which maintenance support and/or spare + parts are obtained are defined; + - id: ma-06_odp.02 + label: time period + constraints: + - description: a timeframe to support advertised uptime and availability + guidelines: + - prose: time period within which maintenance support and/or spare + parts are to be obtained after a failure are defined; + props: + - name: label + value: MA-6 + - name: label + value: MA-06 + class: sp800-53a + - name: sort-id + value: ma-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-8" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-13" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: ma-6_smt + name: statement + prose: "Obtain maintenance support and/or spare parts for {{ insert:\ + \ param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }}\ + \ of failure." + - id: ma-6_gdn + name: guidance + prose: Organizations specify the system components that result in increased + risk to organizational operations and assets, individuals, other organizations, + or the Nation when the functionality provided by those components + is not operational. Organizational actions to obtain maintenance support + include having appropriate contracts in place. + - id: ma-6_obj + name: assessment-objective + props: + - name: label + value: MA-06 + class: sp800-53a + prose: "maintenance support and/or spare parts are obtained for {{ insert:\ + \ param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }}\ + \ of failure." + links: + - href: "#ma-6_smt" + rel: assessment-for + - id: ma-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MA-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Maintenance policy + + procedures addressing system maintenance + + service provider contracts + + service-level agreements + + inventory and availability of spare parts + + system security plan + + other relevant documents or records + - id: ma-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MA-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system maintenance + responsibilities + + + organizational personnel with acquisition responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: ma-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MA-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for ensuring timely maintenance + - id: mp + class: family + title: Media Protection + controls: + - id: mp-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: mp-1_prm_1 + label: organization-defined personnel or roles + - id: mp-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection policy is + to be disseminated is/are defined; + - id: mp-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the media protection procedures + are to be disseminated is/are defined; + - id: mp-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: mp-01_odp.04 + label: official + guidelines: + - prose: an official to manage the media protection policy and procedures + is defined; + - id: mp-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current media protection policy + is reviewed and updated is defined; + - id: mp-01_odp.06 + label: events + guidelines: + - prose: events that would require the current media protection policy + to be reviewed and updated are defined; + - id: mp-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current media protection procedures + are reviewed and updated is defined; + - id: mp-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require media protection procedures to + be reviewed and updated are defined; + props: + - name: label + value: MP-1 + - name: label + value: MP-01 + class: sp800-53a + - name: sort-id + value: mp-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-1_smt + name: statement + parts: + - id: mp-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ mp-1_prm_1 }}:" + parts: + - id: mp-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, mp-01_odp.03 }} media protection\ + \ policy that:" + parts: + - id: mp-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: mp-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: mp-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the media + protection policy and the associated media protection controls; + - id: mp-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, mp-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures; and" + - id: mp-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current media protection:" + parts: + - id: mp-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, mp-01_odp.05 }} and following\ + \ {{ insert: param, mp-01_odp.06 }} ; and" + - id: mp-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, mp-01_odp.07 }} and following\ + \ {{ insert: param, mp-01_odp.08 }}." + - id: mp-1_gdn + name: guidance + prose: Media protection policy and procedures address the controls in + the MP family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of media protection + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies that reflect the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to media protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: mp-1_obj + name: assessment-objective + props: + - name: label + value: MP-01 + class: sp800-53a + parts: + - id: mp-1_obj.a + name: assessment-objective + props: + - name: label + value: MP-01a. + class: sp800-53a + parts: + - id: mp-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.[01] + class: sp800-53a + prose: a media protection policy is developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.[02] + class: sp800-53a + prose: "the media protection policy is disseminated to {{ insert:\ + \ param, mp-01_odp.01 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.[03] + class: sp800-53a + prose: media protection procedures to facilitate the implementation + of the media protection policy and associated media protection + controls are developed and documented; + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.[04] + class: sp800-53a + prose: "the media protection procedures are disseminated to\ + \ {{ insert: param, mp-01_odp.02 }};" + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: MP-01a.01 + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: MP-01a.01(a) + class: sp800-53a + parts: + - id: mp-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses purpose;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses scope;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses roles;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses responsibilities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses management commitment;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: MP-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.03 }} media\ + \ protection policy compliance;" + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1.a" + rel: assessment-for + - id: mp-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: MP-01a.01(b) + class: sp800-53a + prose: the media protection policy is consistent with applicable + laws, Executive Orders, directives, regulations, policies, + standards, and guidelines; + links: + - href: "#mp-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#mp-1_smt.a.1" + rel: assessment-for + links: + - href: "#mp-1_smt.a" + rel: assessment-for + - id: mp-1_obj.b + name: assessment-objective + props: + - name: label + value: MP-01b. + class: sp800-53a + prose: "the {{ insert: param, mp-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the media\ + \ protection policy and procedures." + links: + - href: "#mp-1_smt.b" + rel: assessment-for + - id: mp-1_obj.c + name: assessment-objective + props: + - name: label + value: MP-01c. + class: sp800-53a + parts: + - id: mp-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: MP-01c.01 + class: sp800-53a + parts: + - id: mp-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: MP-01c.01[01] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated {{ insert: param, mp-01_odp.05 }}; " + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: MP-01c.01[02] + class: sp800-53a + prose: "the current media protection policy is reviewed\ + \ and updated following {{ insert: param, mp-01_odp.06\ + \ }};" + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + links: + - href: "#mp-1_smt.c.1" + rel: assessment-for + - id: mp-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: MP-01c.02 + class: sp800-53a + parts: + - id: mp-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: MP-01c.02[01] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated {{ insert: param, mp-01_odp.07 }}; " + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + - id: mp-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: MP-01c.02[02] + class: sp800-53a + prose: "the current media protection procedures are reviewed\ + \ and updated following {{ insert: param, mp-01_odp.08\ + \ }}." + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c.2" + rel: assessment-for + links: + - href: "#mp-1_smt.c" + rel: assessment-for + links: + - href: "#mp-1_smt" + rel: assessment-for + - id: mp-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Media protection policy and procedures + + organizational risk management strategy + + system security plan + + privacy plan + + other relevant documents or records + - id: mp-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media protection + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: mp-2 + class: SP800-53 + title: Media Access + params: + - id: mp-2_prm_1 + label: organization-defined types of digital and/or non-digital media + constraints: + - description: all types of digital and/or non-digital media containing + sensitive information + - id: mp-2_prm_2 + label: organization-defined personnel or roles + - id: mp-02_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to which access is restricted are + defined; + - id: mp-02_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access digital media is/are + defined; + - id: mp-02_odp.03 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to which access is restricted + are defined; + - id: mp-02_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles authorized to access non-digital media + is/are defined; + props: + - name: label + value: MP-2 + - name: label + value: MP-02 + class: sp800-53a + - name: sort-id + value: mp-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-2_smt + name: statement + prose: "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert:\ + \ param, mp-2_prm_2 }}." + - id: mp-2_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Denying access to patient medical records in a community + hospital unless the individuals seeking access to such records are + authorized healthcare providers is an example of restricting access + to non-digital media. Limiting access to the design specifications + stored on compact discs in the media library to individuals on the + system development team is an example of restricting access to digital + media. + - id: mp-2_obj + name: assessment-objective + props: + - name: label + value: MP-02 + class: sp800-53a + parts: + - id: mp-2_obj-1 + name: assessment-objective + props: + - name: label + value: MP-02[01] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.01 }} is restricted\ + \ to {{ insert: param, mp-02_odp.02 }};" + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_obj-2 + name: assessment-objective + props: + - name: label + value: MP-02[02] + class: sp800-53a + prose: "access to {{ insert: param, mp-02_odp.03 }} is restricted\ + \ to {{ insert: param, mp-02_odp.04 }}." + links: + - href: "#mp-2_smt" + rel: assessment-for + links: + - href: "#mp-2_smt" + rel: assessment-for + - id: mp-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media access restrictions + + access control policy and procedures + + physical and environmental protection policy and procedures + + media storage facilities + + access control records + + system security plan + + other relevant documents or records + - id: mp-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for restricting information media + + + mechanisms supporting and/or implementing media access restrictions + - id: mp-3 + class: SP800-53 + title: Media Marking + params: + - id: mp-03_odp.01 + label: types of media exempted from marking + constraints: + - description: no removable media types + guidelines: + - prose: types of system media exempt from marking when remaining + in controlled areas are defined; + - id: mp-03_odp.02 + label: controlled areas + constraints: + - description: organization-defined security safeguards not applicable + guidelines: + - prose: controlled areas where media is exempt from marking are defined; + props: + - name: label + value: MP-3 + - name: label + value: MP-03 + class: sp800-53a + - name: sort-id + value: mp-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#34a5571f-e252-4309-a8a1-2fdb2faefbcd" + rel: reference + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#ac-16" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-22" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-3_smt + name: statement + parts: + - id: mp-3_smt.a + name: item + props: + - name: label + value: a. + prose: Mark system media indicating the distribution limitations, + handling caveats, and applicable security markings (if any) of + the information; and + - id: mp-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Exempt {{ insert: param, mp-03_odp.01 }} from marking if\ + \ the media remain within {{ insert: param, mp-03_odp.02 }}." + - id: mp-3_fr + name: item + title: MP-3 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: Second parameter not-applicable + - id: mp-3_gdn + name: guidance + prose: Security marking refers to the application or use of human-readable + security attributes. Digital media includes diskettes, magnetic tapes, + external or removable hard disk drives (e.g., solid state, magnetic), + flash drives, compact discs, and digital versatile discs. Non-digital + media includes paper and microfilm. Controlled unclassified information + is defined by the National Archives and Records Administration along + with the appropriate safeguarding and dissemination requirements for + such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) + . Security markings are generally not required for media that contains + information determined by organizations to be in the public domain + or to be publicly releasable. Some organizations may require markings + for public information indicating that the information is publicly + releasable. System media marking reflects applicable laws, executive + orders, directives, policies, regulations, standards, and guidelines. + - id: mp-3_obj + name: assessment-objective + props: + - name: label + value: MP-03 + class: sp800-53a + parts: + - id: mp-3_obj.a + name: assessment-objective + props: + - name: label + value: MP-03a. + class: sp800-53a + prose: system media is marked to indicate distribution limitations, + handling caveats, and applicable security markings (if any) of + the information; + links: + - href: "#mp-3_smt.a" + rel: assessment-for + - id: mp-3_obj.b + name: assessment-objective + props: + - name: label + value: MP-03b. + class: sp800-53a + prose: " {{ insert: param, mp-03_odp.01 }} remain within {{ insert:\ + \ param, mp-03_odp.02 }}." + links: + - href: "#mp-3_smt.b" + rel: assessment-for + links: + - href: "#mp-3_smt" + rel: assessment-for + - id: mp-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media marking + + physical and environmental protection policy and procedures + + list of system media marking security attributes + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + marking responsibilities + + + organizational personnel with information security responsibilities + - id: mp-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for marking information media + + mechanisms supporting and/or implementing media marking + - id: mp-4 + class: SP800-53 + title: Media Storage + params: + - id: mp-4_prm_1 + label: organization-defined types of digital and/or non-digital media + constraints: + - description: all types of digital and non-digital media with sensitive + information + - id: mp-4_prm_2 + label: organization-defined controlled areas + constraints: + - description: see additional FedRAMP requirements and guidance + - id: mp-04_odp.01 + label: types of digital media + guidelines: + - prose: types of digital media to be physically controlled are defined + (if selected); + - id: mp-04_odp.02 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to be physically controlled are + defined (if selected); + - id: mp-04_odp.03 + label: types of digital media + guidelines: + - prose: types of digital media to be securely stored are defined + (if selected); + - id: mp-04_odp.04 + label: types of non-digital media + guidelines: + - prose: types of non-digital media to be securely stored are defined + (if selected); + - id: mp-04_odp.05 + label: controlled areas + guidelines: + - prose: controlled areas within which to securely store digital media + are defined; + - id: mp-04_odp.06 + label: controlled areas + guidelines: + - prose: controlled areas within which to securely store non-digital + media are defined; + props: + - name: label + value: MP-4 + - name: label + value: MP-04 + class: sp800-53a + - name: sort-id + value: mp-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#cp-10" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-7" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-12" + rel: related + parts: + - id: mp-4_smt + name: statement + parts: + - id: mp-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Physically control and securely store {{ insert: param,\ + \ mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" + - id: mp-4_smt.b + name: item + props: + - name: label + value: b. + prose: Protect system media types defined in MP-4a until the media + are destroyed or sanitized using approved equipment, techniques, + and procedures. + - id: mp-4_fr + name: item + title: MP-4 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-4_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines controlled areas within + facilities where the information and information system reside. + - id: mp-4_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state, magnetic), compact + discs, and digital versatile discs. Non-digital media includes paper + and microfilm. Physically controlling stored media includes conducting + inventories, ensuring procedures are in place to allow individuals + to check out and return media to the library, and maintaining accountability + for stored media. Secure storage includes a locked drawer, desk, or + cabinet or a controlled media library. The type of media storage is + commensurate with the security category or classification of the information + on the media. Controlled areas are spaces that provide physical and + procedural controls to meet the requirements established for protecting + information and systems. Fewer controls may be needed for media that + contains information determined to be in the public domain, publicly + releasable, or have limited adverse impacts on organizations, operations, + or individuals if accessed by other than authorized personnel. In + these situations, physical access controls provide adequate protection. + - id: mp-4_obj + name: assessment-objective + props: + - name: label + value: MP-04 + class: sp800-53a + parts: + - id: mp-4_obj.a + name: assessment-objective + props: + - name: label + value: MP-04a. + class: sp800-53a + parts: + - id: mp-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-04a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.01 }} are physically controlled;" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-04a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.02 }} are physically controlled;" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-04a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.03 }} are securely stored\ + \ within {{ insert: param, mp-04_odp.05 }};" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.a-4 + name: assessment-objective + props: + - name: label + value: MP-04a.[04] + class: sp800-53a + prose: " {{ insert: param, mp-04_odp.04 }} are securely stored\ + \ within {{ insert: param, mp-04_odp.06 }};" + links: + - href: "#mp-4_smt.a" + rel: assessment-for + links: + - href: "#mp-4_smt.a" + rel: assessment-for + - id: mp-4_obj.b + name: assessment-objective + props: + - name: label + value: MP-04b. + class: sp800-53a + prose: system media types (defined in MP-04_ODP[01], MP-04_ODP[02], + MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are + destroyed or sanitized using approved equipment, techniques, and + procedures. + links: + - href: "#mp-4_smt.b" + rel: assessment-for + links: + - href: "#mp-4_smt" + rel: assessment-for + - id: mp-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media storage + + physical and environmental protection policy and procedures + + access control policy and procedures + + system media + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + storage responsibilities + + + organizational personnel with information security responsibilities + - id: mp-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing information media + + + mechanisms supporting and/or implementing secure media storage/media + protection + - id: mp-5 + class: SP800-53 + title: Media Transport + params: + - id: mp-5_prm_2 + label: organization-defined controls + constraints: + - description: "prior to leaving secure/controlled environment: for\ + \ digital media, encryption in compliance with Federal requirements\ + \ and utilizes FIPS validated or NSA approved cryptography (see\ + \ SC-13.); for non-digital media, secured in locked container" + - id: mp-05_odp.01 + label: types of system media + constraints: + - description: all media with sensitive information + guidelines: + - prose: types of system media to protect and control during transport + outside of controlled areas are defined; + - id: mp-05_odp.02 + label: controls + guidelines: + - prose: controls used to protect system media outside of controlled + areas are defined; + - id: mp-05_odp.03 + label: controls + guidelines: + - prose: controls used to control system media outside of controlled + areas are defined; + props: + - name: label + value: MP-5 + - name: label + value: MP-05 + class: sp800-53a + - name: sort-id + value: mp-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#ac-7" + rel: related + - href: "#ac-19" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-34" + rel: related + parts: + - id: mp-5_smt + name: statement + parts: + - id: mp-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Protect and control {{ insert: param, mp-05_odp.01 }} during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-5_prm_2 }};" + - id: mp-5_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain accountability for system media during transport + outside of controlled areas; + - id: mp-5_smt.c + name: item + props: + - name: label + value: c. + prose: Document activities associated with the transport of system + media; and + - id: mp-5_smt.d + name: item + props: + - name: label + value: d. + prose: Restrict the activities associated with the transport of + system media to authorized personnel. + - id: mp-5_fr + name: item + title: MP-5 Additional FedRAMP Requirements and Guidance + parts: + - id: mp-5_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider defines security measures to protect + digital and non-digital media in transport. The security measures + are approved and accepted by the JAB/AO. + - id: mp-5_gdn + name: guidance + prose: System media includes digital and non-digital media. Digital + media includes flash drives, diskettes, magnetic tapes, external or + removable hard disk drives (e.g., solid state and magnetic), compact + discs, and digital versatile discs. Non-digital media includes microfilm + and paper. Controlled areas are spaces for which organizations provide + physical or procedural controls to meet requirements established for + protecting information and systems. Controls to protect media during + transport include cryptography and locked containers. Cryptographic + mechanisms can provide confidentiality and integrity protections depending + on the mechanisms implemented. Activities associated with media transport + include releasing media for transport, ensuring that media enters + the appropriate transport processes, and the actual transport. Authorized + transport and courier personnel may include individuals external to + the organization. Maintaining accountability of media during transport + includes restricting transport activities to authorized personnel + and tracking and/or obtaining records of transport activities as the + media moves through the transportation system to prevent and detect + loss, destruction, or tampering. Organizations establish documentation + requirements for activities associated with the transport of system + media in accordance with organizational assessments of risk. Organizations + maintain the flexibility to define record-keeping methods for the + different types of media transport as part of a system of transport-related + records. + - id: mp-5_obj + name: assessment-objective + props: + - name: label + value: MP-05 + class: sp800-53a + parts: + - id: mp-5_obj.a + name: assessment-objective + props: + - name: label + value: MP-05a. + class: sp800-53a + parts: + - id: mp-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-05a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-05_odp.01 }} are protected during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-05_odp.02 }};" + links: + - href: "#mp-5_smt.a" + rel: assessment-for + - id: mp-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-05a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-05_odp.01 }} are controlled during\ + \ transport outside of controlled areas using {{ insert: param,\ + \ mp-05_odp.03 }};" + links: + - href: "#mp-5_smt.a" + rel: assessment-for + links: + - href: "#mp-5_smt.a" + rel: assessment-for + - id: mp-5_obj.b + name: assessment-objective + props: + - name: label + value: MP-05b. + class: sp800-53a + prose: accountability for system media is maintained during transport + outside of controlled areas; + links: + - href: "#mp-5_smt.b" + rel: assessment-for + - id: mp-5_obj.c + name: assessment-objective + props: + - name: label + value: MP-05c. + class: sp800-53a + prose: activities associated with the transport of system media + are documented; + links: + - href: "#mp-5_smt.c" + rel: assessment-for + - id: mp-5_obj.d + name: assessment-objective + props: + - name: label + value: MP-05d. + class: sp800-53a + parts: + - id: mp-5_obj.d-1 + name: assessment-objective + props: + - name: label + value: MP-05d.[01] + class: sp800-53a + prose: personnel authorized to conduct media transport activities + is/are identified; + links: + - href: "#mp-5_smt.d" + rel: assessment-for + - id: mp-5_obj.d-2 + name: assessment-objective + props: + - name: label + value: MP-05d.[02] + class: sp800-53a + prose: activities associated with the transport of system media + are restricted to identified authorized personnel. + links: + - href: "#mp-5_smt.d" + rel: assessment-for + links: + - href: "#mp-5_smt.d" + rel: assessment-for + links: + - href: "#mp-5_smt" + rel: assessment-for + - id: mp-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + procedures addressing media storage + + physical and environmental protection policy and procedures + + access control policy and procedures + + authorized personnel list + + system media + + designated controlled areas + + system security plan + + other relevant documents or records + - id: mp-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media protection and + storage responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for storing information media + + + mechanisms supporting and/or implementing media storage/media + protection + - id: mp-6 + class: SP800-53 + title: Media Sanitization + params: + - id: mp-6_prm_1 + label: organization-defined system media + constraints: + - description: "techniques and procedures IAW NIST SP 800-88 Section\ + \ 4: Reuse and Disposal of Storage Media and Hardware" + - id: mp-6_prm_2 + label: organization-defined sanitization techniques and procedures + - id: mp-06_odp.01 + label: system media + guidelines: + - prose: system media to be sanitized prior to disposal is defined; + - id: mp-06_odp.02 + label: system media + guidelines: + - prose: system media to be sanitized prior to release from organizational + control is defined; + - id: mp-06_odp.03 + label: system media + guidelines: + - prose: system media to be sanitized prior to release for reuse is + defined; + - id: mp-06_odp.04 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to disposal are defined; + - id: mp-06_odp.05 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release from organizational control are defined; + - id: mp-06_odp.06 + label: sanitization techniques and procedures + guidelines: + - prose: sanitization techniques and procedures to be used for sanitization + prior to release for reuse are defined; + props: + - name: label + value: MP-6 + - name: label + value: MP-06 + class: sp800-53a + - name: sort-id + value: mp-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#91f992fb-f668-4c91-a50f-0f05b95ccee3" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#au-11" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pm-22" + rel: related + - href: "#si-12" + rel: related + - href: "#si-18" + rel: related + - href: "#si-19" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: mp-6_smt + name: statement + parts: + - id: mp-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal,\ + \ release out of organizational control, or release for reuse\ + \ using {{ insert: param, mp-6_prm_2 }} ; and" + - id: mp-6_smt.b + name: item + props: + - name: label + value: b. + prose: Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the + information. + - id: mp-6_gdn + name: guidance + prose: Media sanitization applies to all digital and non-digital system + media subject to disposal or reuse, whether or not the media is considered + removable. Examples include digital media in scanners, copiers, printers, + notebook computers, workstations, network components, mobile devices, + and non-digital media (e.g., paper and microfilm). The sanitization + process removes information from system media such that the information + cannot be retrieved or reconstructed. Sanitization techniques—including + clearing, purging, cryptographic erase, de-identification of personally + identifiable information, and destruction—prevent the disclosure of + information to unauthorized individuals when such media is reused + or released for disposal. Organizations determine the appropriate + sanitization methods, recognizing that destruction is sometimes necessary + when other methods cannot be applied to media requiring sanitization. + Organizations use discretion on the employment of approved sanitization + techniques and procedures for media that contains information deemed + to be in the public domain or publicly releasable or information deemed + to have no adverse impact on organizations or individuals if released + for reuse or disposal. Sanitization of non-digital media includes + destruction, removing a classified appendix from an otherwise unclassified + document, or redacting selected sections or words from a document + by obscuring the redacted sections or words in a manner equivalent + in effectiveness to removing them from the document. NSA standards + and policies control the sanitization process for media that contains + classified information. NARA policies control the sanitization process + for controlled unclassified information. + - id: mp-6_obj + name: assessment-objective + props: + - name: label + value: MP-06 + class: sp800-53a + parts: + - id: mp-6_obj.a + name: assessment-objective + props: + - name: label + value: MP-06a. + class: sp800-53a + parts: + - id: mp-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: MP-06a.[01] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.01 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.04 }} prior to disposal;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: MP-06a.[02] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.02 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.05 }} prior to release from\ + \ organizational control;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.a-3 + name: assessment-objective + props: + - name: label + value: MP-06a.[03] + class: sp800-53a + prose: " {{ insert: param, mp-06_odp.03 }} is sanitized using\ + \ {{ insert: param, mp-06_odp.06 }} prior to release for reuse;" + links: + - href: "#mp-6_smt.a" + rel: assessment-for + links: + - href: "#mp-6_smt.a" + rel: assessment-for + - id: mp-6_obj.b + name: assessment-objective + props: + - name: label + value: MP-06b. + class: sp800-53a + prose: sanitization mechanisms with strength and integrity commensurate + with the security category or classification of the information + are employed. + links: + - href: "#mp-6_smt.b" + rel: assessment-for + links: + - href: "#mp-6_smt" + rel: assessment-for + - id: mp-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System media protection policy + + + procedures addressing media sanitization and disposal + + + applicable federal standards and policies addressing media sanitization + policy + + + media sanitization records + + + system audit records + + + system design documentation + + + records retention and disposition policy + + + records retention and disposition procedures + + + system configuration settings and associated documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: mp-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with media sanitization + responsibilities + + + organizational personnel with records retention and disposition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: mp-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for media sanitization + + mechanisms supporting and/or implementing media sanitization + - id: mp-7 + class: SP800-53 + title: Media Use + params: + - id: mp-07_odp.01 + label: types of system media + guidelines: + - prose: types of system media to be restricted or prohibited from + use on systems or system components are defined; + - id: mp-07_odp.02 + select: + choice: + - restrict + - prohibit + - id: mp-07_odp.03 + label: systems or system components + guidelines: + - prose: systems or system components on which the use of specific + types of system media to be restricted or prohibited are defined; + - id: mp-07_odp.04 + label: controls + guidelines: + - prose: controls to restrict or prohibit the use of specific types + of system media on systems or system components are defined; + props: + - name: label + value: MP-7 + - name: label + value: MP-07 + class: sp800-53a + - name: sort-id + value: mp-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#sc-34" + rel: related + - href: "#sc-41" + rel: related + parts: + - id: mp-7_smt + name: statement + parts: + - id: mp-7_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, mp-07_odp.02 }} the use of {{ insert:\ + \ param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }} ; and" + - id: mp-7_smt.b + name: item + props: + - name: label + value: b. + prose: Prohibit the use of portable storage devices in organizational + systems when such devices have no identifiable owner. + - id: mp-7_gdn + name: guidance + prose: System media includes both digital and non-digital media. Digital + media includes diskettes, magnetic tapes, flash drives, compact discs, + digital versatile discs, and removable hard disk drives. Non-digital + media includes paper and microfilm. Media use protections also apply + to mobile devices with information storage capabilities. In contrast + to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts + the use of certain types of media on systems, for example, restricting + or prohibiting the use of flash drives or external hard disk drives. + Organizations use technical and nontechnical controls to restrict + the use of system media. Organizations may restrict the use of portable + storage devices, for example, by using physical cages on workstations + to prohibit access to certain external ports or disabling or removing + the ability to insert, read, or write to such devices. Organizations + may also limit the use of portable storage devices to only approved + devices, including devices provided by the organization, devices provided + by other approved organizations, and devices that are not personally + owned. Finally, organizations may restrict the use of portable storage + devices based on the type of device, such as by prohibiting the use + of writeable, portable storage devices and implementing this restriction + by disabling or removing the capability to write to such devices. + Requiring identifiable owners for storage devices reduces the risk + of using such devices by allowing organizations to assign responsibility + for addressing known vulnerabilities in the devices. + - id: mp-7_obj + name: assessment-objective + props: + - name: label + value: MP-07 + class: sp800-53a + parts: + - id: mp-7_obj.a + name: assessment-objective + props: + - name: label + value: MP-07a. + class: sp800-53a + prose: "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert:\ + \ param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }}\ + \ using {{ insert: param, mp-07_odp.04 }};" + links: + - href: "#mp-7_smt.a" + rel: assessment-for + - id: mp-7_obj.b + name: assessment-objective + props: + - name: label + value: MP-07b. + class: sp800-53a + prose: the use of portable storage devices in organizational systems + is prohibited when such devices have no identifiable owner. + links: + - href: "#mp-7_smt.b" + rel: assessment-for + links: + - href: "#mp-7_smt" + rel: assessment-for + - id: mp-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: MP-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System media protection policy + + system use policy + + procedures addressing media usage restrictions + + rules of behavior + + system design documentation + + system configuration settings and associated documentation + + audit records + + system security plan + + other relevant documents or records + - id: mp-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: MP-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system media use + responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + - id: mp-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: MP-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for media use + + + mechanisms restricting or prohibiting the use of system media + on systems or system components + - id: pe + class: family + title: Physical and Environmental Protection + controls: + - id: pe-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pe-1_prm_1 + label: organization-defined personnel or roles + - id: pe-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection policy is to be disseminated is/are defined; + - id: pe-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the physical and environmental + protection procedures are to be disseminated is/are defined; + - id: pe-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pe-01_odp.04 + label: official + guidelines: + - prose: an official to manage the physical and environmental protection + policy and procedures is defined; + - id: pe-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current physical and environmental + protection policy is reviewed and updated is defined; + - id: pe-01_odp.06 + label: events + guidelines: + - prose: events that would require the current physical and environmental + protection policy to be reviewed and updated are defined; + - id: pe-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current physical and environmental + protection procedures are reviewed and updated is defined; + - id: pe-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the physical and environmental + protection procedures to be reviewed and updated are defined; + props: + - name: label + value: PE-1 + - name: label + value: PE-01 + class: sp800-53a + - name: sort-id + value: pe-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pe-1_smt + name: statement + parts: + - id: pe-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pe-1_prm_1 }}:" + parts: + - id: pe-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pe-01_odp.03 }} physical and environmental\ + \ protection policy that:" + parts: + - id: pe-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pe-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pe-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the physical + and environmental protection policy and the associated physical + and environmental protection controls; + - id: pe-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pe-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures; and" + - id: pe-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current physical and environmental\ + \ protection:" + parts: + - id: pe-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pe-01_odp.05 }} and following\ + \ {{ insert: param, pe-01_odp.06 }} ; and" + - id: pe-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pe-01_odp.07 }} and following\ + \ {{ insert: param, pe-01_odp.08 }}." + - id: pe-1_gdn + name: guidance + prose: Physical and environmental protection policy and procedures address + the controls in the PE family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of physical and environmental protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + physical and environmental protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: pe-1_obj + name: assessment-objective + props: + - name: label + value: PE-01 + class: sp800-53a + parts: + - id: pe-1_obj.a + name: assessment-objective + props: + - name: label + value: PE-01a. + class: sp800-53a + parts: + - id: pe-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.[01] + class: sp800-53a + prose: a physical and environmental protection policy is developed + and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.[02] + class: sp800-53a + prose: "the physical and environmental protection policy is\ + \ disseminated to {{ insert: param, pe-01_odp.01 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.[03] + class: sp800-53a + prose: physical and environmental protection procedures to facilitate + the implementation of the physical and environmental protection + policy and associated physical and environmental protection + controls are developed and documented; + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.[04] + class: sp800-53a + prose: "the physical and environmental protection procedures\ + \ are disseminated to {{ insert: param, pe-01_odp.02 }};" + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-01a.01 + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PE-01a.01(a) + class: sp800-53a + parts: + - id: pe-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses purpose;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses scope;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses roles;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses responsibilities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses management\ + \ commitment;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PE-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical\ + \ and environmental protection policy addresses compliance;" + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1.a" + rel: assessment-for + - id: pe-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PE-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.03 }} physical and\ + \ environmental protection policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#pe-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pe-1_smt.a.1" + rel: assessment-for + links: + - href: "#pe-1_smt.a" + rel: assessment-for + - id: pe-1_obj.b + name: assessment-objective + props: + - name: label + value: PE-01b. + class: sp800-53a + prose: "the {{ insert: param, pe-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the physical\ + \ and environmental protection policy and procedures;" + links: + - href: "#pe-1_smt.b" + rel: assessment-for + - id: pe-1_obj.c + name: assessment-objective + props: + - name: label + value: PE-01c. + class: sp800-53a + parts: + - id: pe-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PE-01c.01 + class: sp800-53a + parts: + - id: pe-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PE-01c.01[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated {{ insert: param, pe-01_odp.05\ + \ }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PE-01c.01[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, pe-01_odp.06 }};" + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + links: + - href: "#pe-1_smt.c.1" + rel: assessment-for + - id: pe-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PE-01c.02 + class: sp800-53a + parts: + - id: pe-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PE-01c.02[01] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ pe-01_odp.07 }};" + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + - id: pe-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PE-01c.02[02] + class: sp800-53a + prose: "the current physical and environmental protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, pe-01_odp.08 }}." + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c.2" + rel: assessment-for + links: + - href: "#pe-1_smt.c" + rel: assessment-for + links: + - href: "#pe-1_smt" + rel: assessment-for + - id: pe-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy and procedures + + system security plan + + privacy plan + + organizational risk management strategy + + other relevant documents or records + - id: pe-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical and environmental + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-2 + class: SP800-53 + title: Physical Access Authorizations + params: + - id: pe-02_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to review the access list detailing authorized + facility access by individuals is defined; + props: + - name: label + value: PE-2 + - name: label + value: PE-02 + class: sp800-53a + - name: sort-id + value: pe-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-9" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + parts: + - id: pe-2_smt + name: statement + parts: + - id: pe-2_smt.a + name: item + props: + - name: label + value: a. + prose: Develop, approve, and maintain a list of individuals with + authorized access to the facility where the system resides; + - id: pe-2_smt.b + name: item + props: + - name: label + value: b. + prose: Issue authorization credentials for facility access; + - id: pe-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the access list detailing authorized facility access\ + \ by individuals {{ insert: param, pe-02_odp }} ; and" + - id: pe-2_smt.d + name: item + props: + - name: label + value: d. + prose: Remove individuals from the facility access list when access + is no longer required. + - id: pe-2_gdn + name: guidance + prose: Physical access authorizations apply to employees and visitors. + Individuals with permanent physical access authorization credentials + are not considered visitors. Authorization credentials include ID + badges, identification cards, and smart cards. Organizations determine + the strength of authorization credentials needed consistent with applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Physical access authorizations may not be necessary + to access certain areas within facilities that are designated as publicly + accessible. + - id: pe-2_obj + name: assessment-objective + props: + - name: label + value: PE-02 + class: sp800-53a + parts: + - id: pe-2_obj.a + name: assessment-objective + props: + - name: label + value: PE-02a. + class: sp800-53a + parts: + - id: pe-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-02a.[01] + class: sp800-53a + prose: a list of individuals with authorized access to the facility + where the system resides has been developed; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-02a.[02] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been approved; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-02a.[03] + class: sp800-53a + prose: the list of individuals with authorized access to the + facility where the system resides has been maintained; + links: + - href: "#pe-2_smt.a" + rel: assessment-for + links: + - href: "#pe-2_smt.a" + rel: assessment-for + - id: pe-2_obj.b + name: assessment-objective + props: + - name: label + value: PE-02b. + class: sp800-53a + prose: authorization credentials are issued for facility access; + links: + - href: "#pe-2_smt.b" + rel: assessment-for + - id: pe-2_obj.c + name: assessment-objective + props: + - name: label + value: PE-02c. + class: sp800-53a + prose: "the access list detailing authorized facility access by\ + \ individuals is reviewed {{ insert: param, pe-02_odp }};" + links: + - href: "#pe-2_smt.c" + rel: assessment-for + - id: pe-2_obj.d + name: assessment-objective + props: + - name: label + value: PE-02d. + class: sp800-53a + prose: individuals are removed from the facility access list when + access is no longer required. + links: + - href: "#pe-2_smt.d" + rel: assessment-for + links: + - href: "#pe-2_smt" + rel: assessment-for + - id: pe-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access authorizations + + + authorized personnel access list + + + authorization credentials + + + physical access list reviews + + + physical access termination records and associated documentation + + + system security plan + + + other relevant documents or records + - id: pe-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access authorization + responsibilities + + + organizational personnel with physical access to system facility + + + organizational personnel with information security responsibilities + - id: pe-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access authorizations + + + mechanisms supporting and/or implementing physical access authorizations + - id: pe-3 + class: SP800-53 + title: Physical Access Control + params: + - id: pe-3_prm_9 + label: organization-defined frequency + constraints: + - description: at least annually or earlier as required by a security + relevant event. + - id: pe-03_odp.01 + label: entry and exit points + guidelines: + - prose: entry and exit points to the facility in which the system + resides are defined; + - id: pe-03_odp.02 + constraints: + - description: CSP defined physical access control systems/devices + AND guards + select: + how-many: one-or-more + choice: + - " {{ insert: param, pe-03_odp.03 }} " + - guards + - id: pe-03_odp.03 + label: systems or devices + guidelines: + - prose: physical access control systems or devices used to control + ingress and egress to the facility are defined (if selected); + - id: pe-03_odp.04 + label: entry or exit points + guidelines: + - prose: entry or exit points for which physical access logs are maintained + are defined; + - id: pe-03_odp.05 + label: physical access controls + guidelines: + - prose: physical access controls to control access to areas within + the facility designated as publicly accessible are defined; + - id: pe-03_odp.06 + label: circumstances + constraints: + - description: in all circumstances within restricted access area + where the information system resides + guidelines: + - prose: circumstances requiring visitor escorts and control of visitor + activity are defined; + - id: pe-03_odp.07 + label: physical access devices + guidelines: + - prose: physical access devices to be inventoried are defined; + - id: pe-03_odp.08 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency at which to inventory physical access devices is + defined; + - id: pe-03_odp.09 + label: frequency + guidelines: + - prose: frequency at which to change combinations is defined; + - id: pe-03_odp.10 + label: frequency + guidelines: + - prose: frequency at which to change keys is defined; + props: + - name: label + value: PE-3 + - name: label + value: PE-03 + class: sp800-53a + - name: sort-id + value: pe-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#2100332a-16a5-4598-bacf-7261baea9711" + rel: reference + - href: "#at-3" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-13" + rel: related + - href: "#cp-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#sc-28" + rel: related + - href: "#si-4" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: pe-3_smt + name: statement + parts: + - id: pe-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Enforce physical access authorizations at {{ insert: param,\ + \ pe-03_odp.01 }} by:" + parts: + - id: pe-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Verifying individual access authorizations before granting + access to the facility; and + - id: pe-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: "Controlling ingress and egress to the facility using\ + \ {{ insert: param, pe-03_odp.02 }};" + - id: pe-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Maintain physical access audit logs for {{ insert: param,\ + \ pe-03_odp.04 }};" + - id: pe-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Control access to areas within the facility designated as\ + \ publicly accessible by implementing the following controls:\ + \ {{ insert: param, pe-03_odp.05 }};" + - id: pe-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Escort visitors and control visitor activity {{ insert:\ + \ param, pe-03_odp.06 }};" + - id: pe-3_smt.e + name: item + props: + - name: label + value: e. + prose: Secure keys, combinations, and other physical access devices; + - id: pe-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert:\ + \ param, pe-03_odp.08 }} ; and" + - id: pe-3_smt.g + name: item + props: + - name: label + value: g. + prose: "Change combinations and keys {{ insert: param, pe-3_prm_9\ + \ }} and/or when keys are lost, combinations are compromised,\ + \ or when individuals possessing the keys or combinations are\ + \ transferred or terminated." + - id: pe-3_gdn + name: guidance + prose: Physical access control applies to employees and visitors. Individuals + with permanent physical access authorizations are not considered visitors. + Physical access controls for publicly accessible areas may include + physical access control logs/records, guards, or physical access devices + and barriers to prevent movement from publicly accessible areas to + non-public areas. Organizations determine the types of guards needed, + including professional security staff, system users, or administrative + staff. Physical access devices include keys, locks, combinations, + biometric readers, and card readers. Physical access control systems + comply with applicable laws, executive orders, directives, policies, + regulations, standards, and guidelines. Organizations have flexibility + in the types of audit logs employed. Audit logs can be procedural, + automated, or some combination thereof. Physical access points can + include facility access points, interior access points to systems + that require supplemental access controls, or both. Components of + systems may be in areas designated as publicly accessible with organizations + controlling access to the components. + - id: pe-3_obj + name: assessment-objective + props: + - name: label + value: PE-03 + class: sp800-53a + parts: + - id: pe-3_obj.a + name: assessment-objective + props: + - name: label + value: PE-03a. + class: sp800-53a + parts: + - id: pe-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: PE-03a.01 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by verifying individual access authorizations\ + \ before granting access to the facility;" + links: + - href: "#pe-3_smt.a.1" + rel: assessment-for + - id: pe-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: PE-03a.02 + class: sp800-53a + prose: "physical access authorizations are enforced at {{ insert:\ + \ param, pe-03_odp.01 }} by controlling ingress and egress\ + \ to the facility using {{ insert: param, pe-03_odp.02 }};" + links: + - href: "#pe-3_smt.a.2" + rel: assessment-for + links: + - href: "#pe-3_smt.a" + rel: assessment-for + - id: pe-3_obj.b + name: assessment-objective + props: + - name: label + value: PE-03b. + class: sp800-53a + prose: "physical access audit logs are maintained for {{ insert:\ + \ param, pe-03_odp.04 }};" + links: + - href: "#pe-3_smt.b" + rel: assessment-for + - id: pe-3_obj.c + name: assessment-objective + props: + - name: label + value: PE-03c. + class: sp800-53a + prose: "access to areas within the facility designated as publicly\ + \ accessible are maintained by implementing {{ insert: param,\ + \ pe-03_odp.05 }};" + links: + - href: "#pe-3_smt.c" + rel: assessment-for + - id: pe-3_obj.d + name: assessment-objective + props: + - name: label + value: PE-03d. + class: sp800-53a + parts: + - id: pe-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: PE-03d.[01] + class: sp800-53a + prose: visitors are escorted; + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: PE-03d.[02] + class: sp800-53a + prose: "visitor activity is controlled {{ insert: param, pe-03_odp.06\ + \ }};" + links: + - href: "#pe-3_smt.d" + rel: assessment-for + links: + - href: "#pe-3_smt.d" + rel: assessment-for + - id: pe-3_obj.e + name: assessment-objective + props: + - name: label + value: PE-03e. + class: sp800-53a + parts: + - id: pe-3_obj.e-1 + name: assessment-objective + props: + - name: label + value: PE-03e.[01] + class: sp800-53a + prose: keys are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-2 + name: assessment-objective + props: + - name: label + value: PE-03e.[02] + class: sp800-53a + prose: combinations are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.e-3 + name: assessment-objective + props: + - name: label + value: PE-03e.[03] + class: sp800-53a + prose: other physical access devices are secured; + links: + - href: "#pe-3_smt.e" + rel: assessment-for + links: + - href: "#pe-3_smt.e" + rel: assessment-for + - id: pe-3_obj.f + name: assessment-objective + props: + - name: label + value: PE-03f. + class: sp800-53a + prose: " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert:\ + \ param, pe-03_odp.08 }};" + links: + - href: "#pe-3_smt.f" + rel: assessment-for + - id: pe-3_obj.g + name: assessment-objective + props: + - name: label + value: PE-03g. + class: sp800-53a + parts: + - id: pe-3_obj.g-1 + name: assessment-objective + props: + - name: label + value: PE-03g.[01] + class: sp800-53a + prose: "combinations are changed {{ insert: param, pe-03_odp.09\ + \ }} , when combinations are compromised, or when individuals\ + \ possessing the combinations are transferred or terminated;" + links: + - href: "#pe-3_smt.g" + rel: assessment-for + - id: pe-3_obj.g-2 + name: assessment-objective + props: + - name: label + value: PE-03g.[02] + class: sp800-53a + prose: "keys are changed {{ insert: param, pe-03_odp.10 }} ,\ + \ when keys are lost, or when individuals possessing the keys\ + \ are transferred or terminated." + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt.g" + rel: assessment-for + links: + - href: "#pe-3_smt" + rel: assessment-for + - id: pe-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing physical access control + + + physical access control logs or records + + + inventory records of physical access control devices + + + system entry and exit points + + + records of key and lock combination changes + + + storage locations for physical access control devices + + + physical access control devices + + + list of security safeguards controlling access to designated publicly + accessible areas within facility + + + system security plan + + + other relevant documents or records + - id: pe-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for physical access control + + + mechanisms supporting and/or implementing physical access control + + + physical access control devices + - id: pe-4 + class: SP800-53 + title: Access Control for Transmission + params: + - id: pe-04_odp.01 + label: system distribution and transmission lines + guidelines: + - prose: system distribution and transmission lines requiring physical + access controls are defined; + - id: pe-04_odp.02 + label: security controls + guidelines: + - prose: security controls to be implemented to control physical access + to system distribution and transmission lines within the organizational + facility are defined; + props: + - name: label + value: PE-4 + - name: label + value: PE-04 + class: sp800-53a + - name: sort-id + value: pe-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#ia-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-5" + rel: related + - href: "#pe-9" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-8" + rel: related + parts: + - id: pe-4_smt + name: statement + prose: "Control physical access to {{ insert: param, pe-04_odp.01 }}\ + \ within organizational facilities using {{ insert: param, pe-04_odp.02\ + \ }}." + - id: pe-4_gdn + name: guidance + prose: Security controls applied to system distribution and transmission + lines prevent accidental damage, disruption, and physical tampering. + Such controls may also be necessary to prevent eavesdropping or modification + of unencrypted transmissions. Security controls used to control physical + access to system distribution and transmission lines include disconnected + or locked spare jacks, locked wiring closets, protection of cabling + by conduit or cable trays, and wiretapping sensors. + - id: pe-4_obj + name: assessment-objective + props: + - name: label + value: PE-04 + class: sp800-53a + prose: "physical access to {{ insert: param, pe-04_odp.01 }} within\ + \ organizational facilities is controlled using {{ insert: param,\ + \ pe-04_odp.02 }}." + links: + - href: "#pe-4_smt" + rel: assessment-for + - id: pe-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing access control for transmission mediums + + + system design documentation + + + facility communications and wiring diagrams + + + list of physical security safeguards applied to system distribution + and transmission lines + + + system security plan + + + other relevant documents or records + - id: pe-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for access control to distribution + and transmission lines + + + mechanisms/security safeguards supporting and/or implementing + access control to distribution and transmission lines + - id: pe-5 + class: SP800-53 + title: Access Control for Output Devices + params: + - id: pe-05_odp + label: output devices + guidelines: + - prose: output devices that require physical access control to output + are defined; + props: + - name: label + value: PE-5 + - name: label + value: PE-05 + class: sp800-53a + - name: sort-id + value: pe-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-4" + rel: related + - href: "#pe-18" + rel: related + parts: + - id: pe-5_smt + name: statement + prose: "Control physical access to output from {{ insert: param, pe-05_odp\ + \ }} to prevent unauthorized individuals from obtaining the output." + - id: pe-5_gdn + name: guidance + prose: Controlling physical access to output devices includes placing + output devices in locked rooms or other secured areas with keypad + or card reader access controls and allowing access to authorized individuals + only, placing output devices in locations that can be monitored by + personnel, installing monitor or screen filters, and using headphones. + Examples of output devices include monitors, printers, scanners, audio + devices, facsimile machines, and copiers. + - id: pe-5_obj + name: assessment-objective + props: + - name: label + value: PE-05 + class: sp800-53a + prose: "physical access to output from {{ insert: param, pe-05_odp }}\ + \ is controlled to prevent unauthorized individuals from obtaining\ + \ the output." + links: + - href: "#pe-5_smt" + rel: assessment-for + - id: pe-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing access control for display medium + + + facility layout of system components + + + actual displays from system components + + + list of output devices and associated outputs requiring physical + access controls + + + physical access control logs or records for areas containing output + devices and related outputs + + + system security plan + + + other relevant documents or records + - id: pe-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access control + responsibilities + + + organizational personnel with information security responsibilities + - id: pe-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for access control to output + devices + + + mechanisms supporting and/or implementing access control to output + devices + - id: pe-6 + class: SP800-53 + title: Monitoring Physical Access + params: + - id: pe-06_odp.01 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review physical access logs is + defined; + - id: pe-06_odp.02 + label: events + guidelines: + - prose: events or potential indication of events requiring physical + access logs to be reviewed are defined; + props: + - name: label + value: PE-6 + - name: label + value: PE-06 + class: sp800-53a + - name: sort-id + value: pe-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#ca-7" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: pe-6_smt + name: statement + parts: + - id: pe-6_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor physical access to the facility where the system + resides to detect and respond to physical security incidents; + - id: pe-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review physical access logs {{ insert: param, pe-06_odp.01\ + \ }} and upon occurrence of {{ insert: param, pe-06_odp.02 }}\ + \ ; and" + - id: pe-6_smt.c + name: item + props: + - name: label + value: c. + prose: Coordinate results of reviews and investigations with the + organizational incident response capability. + - id: pe-6_gdn + name: guidance + prose: Physical access monitoring includes publicly accessible areas + within organizational facilities. Examples of physical access monitoring + include the employment of guards, video surveillance equipment (i.e., + cameras), and sensor devices. Reviewing physical access logs can help + identify suspicious activity, anomalous events, or potential threats. + The reviews can be supported by audit logging controls, such as [AU-2](#au-2) + , if the access logs are part of an automated system. Organizational + incident response capabilities include investigations of physical + security incidents and responses to the incidents. Incidents include + security violations or suspicious physical access activities. Suspicious + physical access activities include accesses outside of normal work + hours, repeated accesses to areas not normally accessed, accesses + for unusual lengths of time, and out-of-sequence accesses. + - id: pe-6_obj + name: assessment-objective + props: + - name: label + value: PE-06 + class: sp800-53a + parts: + - id: pe-6_obj.a + name: assessment-objective + props: + - name: label + value: PE-06a. + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored to detect and respond to physical security incidents; + links: + - href: "#pe-6_smt.a" + rel: assessment-for + - id: pe-6_obj.b + name: assessment-objective + props: + - name: label + value: PE-06b. + class: sp800-53a + parts: + - id: pe-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: PE-06b.[01] + class: sp800-53a + prose: "physical access logs are reviewed {{ insert: param,\ + \ pe-06_odp.01 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: PE-06b.[02] + class: sp800-53a + prose: "physical access logs are reviewed upon occurrence of\ + \ {{ insert: param, pe-06_odp.02 }};" + links: + - href: "#pe-6_smt.b" + rel: assessment-for + links: + - href: "#pe-6_smt.b" + rel: assessment-for + - id: pe-6_obj.c + name: assessment-objective + props: + - name: label + value: PE-06c. + class: sp800-53a + parts: + - id: pe-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: PE-06c.[01] + class: sp800-53a + prose: results of reviews are coordinated with organizational + incident response capabilities; + links: + - href: "#pe-6_smt.c" + rel: assessment-for + - id: pe-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: PE-06c.[02] + class: sp800-53a + prose: results of investigations are coordinated with organizational + incident response capabilities. + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt.c" + rel: assessment-for + links: + - href: "#pe-6_smt" + rel: assessment-for + - id: pe-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + other relevant documents or records + - id: pe-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security responsibilities + - id: pe-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical access + + + mechanisms supporting and/or implementing physical access monitoring + + + mechanisms supporting and/or implementing the review of physical + access logs + controls: + - id: pe-6.1 + class: SP800-53-enhancement + title: Intrusion Alarms and Surveillance Equipment + props: + - name: label + value: PE-6(1) + - name: label + value: PE-06(01) + class: sp800-53a + - name: sort-id + value: pe-06.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-6" + rel: required + parts: + - id: pe-6.1_smt + name: statement + prose: Monitor physical access to the facility where the system + resides using physical intrusion alarms and surveillance equipment. + - id: pe-6.1_gdn + name: guidance + prose: Physical intrusion alarms can be employed to alert security + personnel when unauthorized access to the facility is attempted. + Alarm systems work in conjunction with physical barriers, physical + access control systems, and security guards by triggering a response + when these other forms of security have been compromised or breached. + Physical intrusion alarms can include different types of sensor + devices, such as motion sensors, contact sensors, and broken glass + sensors. Surveillance equipment includes video cameras installed + at strategic locations throughout the facility. + - id: pe-6.1_obj + name: assessment-objective + props: + - name: label + value: PE-06(01) + class: sp800-53a + parts: + - id: pe-6.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-06(01)[01] + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored using physical intrusion alarms; + links: + - href: "#pe-6.1_smt" + rel: assessment-for + - id: pe-6.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-06(01)[02] + class: sp800-53a + prose: physical access to the facility where the system resides + is monitored using physical surveillance equipment. + links: + - href: "#pe-6.1_smt" + rel: assessment-for + links: + - href: "#pe-6.1_smt" + rel: assessment-for + - id: pe-6.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-06(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing physical access monitoring + + physical access logs or records + + physical access monitoring records + + physical access log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-6.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-06(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with physical access monitoring + responsibilities + + + organizational personnel with incident response responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-6.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-06(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring physical + intrusion alarms and surveillance equipment + + + mechanisms supporting and/or implementing physical access + monitoring + + + mechanisms supporting and/or implementing physical intrusion + alarms and surveillance equipment + - id: pe-8 + class: SP800-53 + title: Visitor Access Records + params: + - id: pe-08_odp.01 + label: time period + constraints: + - description: for a minimum of one (1) year + guidelines: + - prose: time period for which to maintain visitor access records + for the facility where the system resides is defined; + - id: pe-08_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to review visitor access records is + defined; + - id: pe-08_odp.03 + label: personnel + guidelines: + - prose: personnel to whom visitor access records anomalies are reported + to is/are defined; + props: + - name: label + value: PE-8 + - name: label + value: PE-08 + class: sp800-53a + - name: sort-id + value: pe-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: pe-8_smt + name: statement + parts: + - id: pe-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain visitor access records to the facility where the\ + \ system resides for {{ insert: param, pe-08_odp.01 }};" + - id: pe-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review visitor access records {{ insert: param, pe-08_odp.02\ + \ }} ; and" + - id: pe-8_smt.c + name: item + props: + - name: label + value: c. + prose: "Report anomalies in visitor access records to {{ insert:\ + \ param, pe-08_odp.03 }}." + - id: pe-8_gdn + name: guidance + prose: Visitor access records include the names and organizations of + individuals visiting, visitor signatures, forms of identification, + dates of access, entry and departure times, purpose of visits, and + the names and organizations of individuals visited. Access record + reviews determine if access authorizations are current and are still + required to support organizational mission and business functions. + Access records are not required for publicly accessible areas. + - id: pe-8_obj + name: assessment-objective + props: + - name: label + value: PE-08 + class: sp800-53a + parts: + - id: pe-8_obj.a + name: assessment-objective + props: + - name: label + value: PE-08a. + class: sp800-53a + prose: "visitor access records for the facility where the system\ + \ resides are maintained for {{ insert: param, pe-08_odp.01 }};" + links: + - href: "#pe-8_smt.a" + rel: assessment-for + - id: pe-8_obj.b + name: assessment-objective + props: + - name: label + value: PE-08b. + class: sp800-53a + prose: "visitor access records are reviewed {{ insert: param, pe-08_odp.02\ + \ }};" + links: + - href: "#pe-8_smt.b" + rel: assessment-for + - id: pe-8_obj.c + name: assessment-objective + props: + - name: label + value: PE-08c. + class: sp800-53a + prose: "visitor access records anomalies are reported to {{ insert:\ + \ param, pe-08_odp.03 }}." + links: + - href: "#pe-8_smt.c" + rel: assessment-for + links: + - href: "#pe-8_smt" + rel: assessment-for + - id: pe-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing visitor access records + + visitor access control logs or records + + visitor access record or log reviews + + system security plan + + privacy plan + + privacy impact assessment + + privacy risk assessment documentation + + other relevant documents or records + - id: pe-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with visitor access record + responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pe-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for maintaining and reviewing + visitor access records + + + mechanisms supporting and/or implementing the maintenance and + review of visitor access records + - id: pe-9 + class: SP800-53 + title: Power Equipment and Cabling + props: + - name: label + value: PE-9 + - name: label + value: PE-09 + class: sp800-53a + - name: sort-id + value: pe-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-4" + rel: related + parts: + - id: pe-9_smt + name: statement + prose: Protect power equipment and power cabling for the system from + damage and destruction. + - id: pe-9_gdn + name: guidance + prose: Organizations determine the types of protection necessary for + the power equipment and cabling employed at different locations that + are both internal and external to organizational facilities and environments + of operation. Types of power equipment and cabling include internal + cabling and uninterruptable power sources in offices or data centers, + generators and power cabling outside of buildings, and power sources + for self-contained components such as satellites, vehicles, and other + deployable systems. + - id: pe-9_obj + name: assessment-objective + props: + - name: label + value: PE-09 + class: sp800-53a + parts: + - id: pe-9_obj-1 + name: assessment-objective + props: + - name: label + value: PE-09[01] + class: sp800-53a + prose: power equipment for the system is protected from damage and + destruction; + links: + - href: "#pe-9_smt" + rel: assessment-for + - id: pe-9_obj-2 + name: assessment-objective + props: + - name: label + value: PE-09[02] + class: sp800-53a + prose: power cabling for the system is protected from damage and + destruction. + links: + - href: "#pe-9_smt" + rel: assessment-for + links: + - href: "#pe-9_smt" + rel: assessment-for + - id: pe-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing power equipment/cabling protection + + facilities housing power equipment/cabling + + system security plan + + other relevant documents or records + - id: pe-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility to protect + power equipment/cabling + + + organizational personnel with information security responsibilities + - id: pe-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the protection + of power equipment/cabling + - id: pe-10 + class: SP800-53 + title: Emergency Shutoff + params: + - id: pe-10_odp.01 + label: system or individual system components + guidelines: + - prose: system or individual system components that require the capability + to shut off power in emergency situations is/are defined; + - id: pe-10_odp.02 + label: location + constraints: + - description: near more than one egress point of the IT area and + ensures it is labeled and protected by a cover to prevent accidental + shut-off + guidelines: + - prose: location of emergency shutoff switches or devices by system + or system component is defined; + props: + - name: label + value: PE-10 + - name: label + value: PE-10 + class: sp800-53a + - name: sort-id + value: pe-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-15" + rel: related + parts: + - id: pe-10_smt + name: statement + parts: + - id: pe-10_smt.a + name: item + props: + - name: label + value: a. + prose: "Provide the capability of shutting off power to {{ insert:\ + \ param, pe-10_odp.01 }} in emergency situations;" + - id: pe-10_smt.b + name: item + props: + - name: label + value: b. + prose: "Place emergency shutoff switches or devices in {{ insert:\ + \ param, pe-10_odp.02 }} to facilitate access for authorized personnel;\ + \ and" + - id: pe-10_smt.c + name: item + props: + - name: label + value: c. + prose: Protect emergency power shutoff capability from unauthorized + activation. + - id: pe-10_gdn + name: guidance + prose: Emergency power shutoff primarily applies to organizational facilities + that contain concentrations of system resources, including data centers, + mainframe computer rooms, server rooms, and areas with computer-controlled + machinery. + - id: pe-10_obj + name: assessment-objective + props: + - name: label + value: PE-10 + class: sp800-53a + parts: + - id: pe-10_obj.a + name: assessment-objective + props: + - name: label + value: PE-10a. + class: sp800-53a + prose: "the capability to shut off power to {{ insert: param, pe-10_odp.01\ + \ }} in emergency situations is provided;" + links: + - href: "#pe-10_smt.a" + rel: assessment-for + - id: pe-10_obj.b + name: assessment-objective + props: + - name: label + value: PE-10b. + class: sp800-53a + prose: "emergency shutoff switches or devices are placed in {{ insert:\ + \ param, pe-10_odp.02 }} to facilitate access for authorized personnel;" + links: + - href: "#pe-10_smt.b" + rel: assessment-for + - id: pe-10_obj.c + name: assessment-objective + props: + - name: label + value: PE-10c. + class: sp800-53a + prose: the emergency power shutoff capability is protected from + unauthorized activation. + links: + - href: "#pe-10_smt.c" + rel: assessment-for + links: + - href: "#pe-10_smt" + rel: assessment-for + - id: pe-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing power source emergency shutoff + + + emergency shutoff controls or switches + + + locations housing emergency shutoff switches and devices + + + security safeguards protecting the emergency power shutoff capability + from unauthorized activation + + + system security plan + + + other relevant documents or records + - id: pe-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for the + emergency power shutoff capability (both implementing and + using the capability) + + + organizational personnel with information security responsibilities + - id: pe-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing emergency power + shutoff + - id: pe-11 + class: SP800-53 + title: Emergency Power + params: + - id: pe-11_odp + select: + choice: + - an orderly shutdown of the system + - transition of the system to long-term alternate power + props: + - name: label + value: PE-11 + - name: label + value: PE-11 + class: sp800-53a + - name: sort-id + value: pe-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-11_smt + name: statement + prose: "Provide an uninterruptible power supply to facilitate {{ insert:\ + \ param, pe-11_odp }} in the event of a primary power source loss." + - id: pe-11_gdn + name: guidance + prose: An uninterruptible power supply (UPS) is an electrical system + or mechanism that provides emergency power when there is a failure + of the main power source. A UPS is typically used to protect computers, + data centers, telecommunication equipment, or other electrical equipment + where an unexpected power disruption could cause injuries, fatalities, + serious mission or business disruption, or loss of data or information. + A UPS differs from an emergency power system or backup generator in + that the UPS provides near-instantaneous protection from unanticipated + power interruptions from the main power source by providing energy + stored in batteries, supercapacitors, or flywheels. The battery duration + of a UPS is relatively short but provides sufficient time to start + a standby power source, such as a backup generator, or properly shut + down the system. + - id: pe-11_obj + name: assessment-objective + props: + - name: label + value: PE-11 + class: sp800-53a + prose: "an uninterruptible power supply is provided to facilitate {{\ + \ insert: param, pe-11_odp }} in the event of a primary power source\ + \ loss." + links: + - href: "#pe-11_smt" + rel: assessment-for + - id: pe-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency power + + uninterruptible power supply + + uninterruptible power supply documentation + + uninterruptible power supply test records + + system security plan + + other relevant documents or records + - id: pe-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency power and/or planning + + + organizational personnel with information security responsibilities + - id: pe-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing an uninterruptible + power supply + + + the uninterruptable power supply + - id: pe-12 + class: SP800-53 + title: Emergency Lighting + props: + - name: label + value: PE-12 + - name: label + value: PE-12 + class: sp800-53a + - name: sort-id + value: pe-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cp-2" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-12_smt + name: statement + prose: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that + covers emergency exits and evacuation routes within the facility. + - id: pe-12_gdn + name: guidance + prose: The provision of emergency lighting applies primarily to organizational + facilities that contain concentrations of system resources, including + data centers, server rooms, and mainframe computer rooms. Emergency + lighting provisions for the system are described in the contingency + plan for the organization. If emergency lighting for the system fails + or cannot be provided, organizations consider alternate processing + sites for power-related contingencies. + - id: pe-12_obj + name: assessment-objective + props: + - name: label + value: PE-12 + class: sp800-53a + parts: + - id: pe-12_obj-1 + name: assessment-objective + props: + - name: label + value: PE-12[01] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is employed for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-2 + name: assessment-objective + props: + - name: label + value: PE-12[02] + class: sp800-53a + prose: automatic emergency lighting that activates in the event + of a power outage or disruption is maintained for the system; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-3 + name: assessment-objective + props: + - name: label + value: PE-12[03] + class: sp800-53a + prose: automatic emergency lighting for the system covers emergency + exits within the facility; + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_obj-4 + name: assessment-objective + props: + - name: label + value: PE-12[04] + class: sp800-53a + prose: automatic emergency lighting for the system covers evacuation + routes within the facility. + links: + - href: "#pe-12_smt" + rel: assessment-for + links: + - href: "#pe-12_smt" + rel: assessment-for + - id: pe-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing emergency lighting + + emergency lighting documentation + + emergency lighting test records + + emergency exits and evacuation routes + + system security plan + + other relevant documents or records + - id: pe-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with the responsibility for + emergency lighting and/or planning + + + organizational personnel with information security responsibilities + - id: pe-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing an emergency lighting + capability + - id: pe-13 + class: SP800-53 + title: Fire Protection + props: + - name: label + value: PE-13 + - name: label + value: PE-13 + class: sp800-53a + - name: sort-id + value: pe-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + parts: + - id: pe-13_smt + name: statement + prose: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - id: pe-13_gdn + name: guidance + prose: The provision of fire detection and suppression systems applies + primarily to organizational facilities that contain concentrations + of system resources, including data centers, server rooms, and mainframe + computer rooms. Fire detection and suppression systems that may require + an independent energy source include sprinkler systems and smoke detectors. + An independent energy source is an energy source, such as a microgrid, + that is separate, or can be separated, from the energy sources providing + power for the other parts of the facility. + - id: pe-13_obj + name: assessment-objective + props: + - name: label + value: PE-13 + class: sp800-53a + parts: + - id: pe-13_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13[01] + class: sp800-53a + prose: fire detection systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13[02] + class: sp800-53a + prose: employed fire detection systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13[03] + class: sp800-53a + prose: employed fire detection systems are maintained; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-4 + name: assessment-objective + props: + - name: label + value: PE-13[04] + class: sp800-53a + prose: fire suppression systems are employed; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-5 + name: assessment-objective + props: + - name: label + value: PE-13[05] + class: sp800-53a + prose: employed fire suppression systems are supported by an independent + energy source; + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_obj-6 + name: assessment-objective + props: + - name: label + value: PE-13[06] + class: sp800-53a + prose: employed fire suppression systems are maintained. + links: + - href: "#pe-13_smt" + rel: assessment-for + links: + - href: "#pe-13_smt" + rel: assessment-for + - id: pe-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with information security responsibilities + - id: pe-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing fire suppression/detection + devices/systems + controls: + - id: pe-13.1 + class: SP800-53-enhancement + title: Detection Systems — Automatic Activation and Notification + params: + - id: pe-13.01_odp.01 + label: personnel or roles + constraints: + - description: service provider building maintenance/physical + security personnel + guidelines: + - prose: personnel or roles to be notified in the event of a fire + is/are defined; + - id: pe-13.01_odp.02 + label: emergency responders + constraints: + - description: service provider emergency responders with incident + response responsibilities + guidelines: + - prose: emergency responders to be notified in the event of a + fire are defined; + props: + - name: label + value: PE-13(1) + - name: label + value: PE-13(01) + class: sp800-53a + - name: sort-id + value: pe-13.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-13" + rel: required + parts: + - id: pe-13.1_smt + name: statement + prose: "Employ fire detection systems that activate automatically\ + \ and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert:\ + \ param, pe-13.01_odp.02 }} in the event of a fire." + - id: pe-13.1_gdn + name: guidance + prose: Organizations can identify personnel, roles, and emergency + responders if individuals on the notification list need to have + access authorizations or clearances (e.g., to enter to facilities + where access is restricted due to the classification or impact + level of information within the facility). Notification mechanisms + may require independent energy sources to ensure that the notification + capability is not adversely affected by the fire. + - id: pe-13.1_obj + name: assessment-objective + props: + - name: label + value: PE-13(01) + class: sp800-53a + parts: + - id: pe-13.1_obj-1 + name: assessment-objective + props: + - name: label + value: PE-13(01)[01] + class: sp800-53a + prose: fire detection systems that activate automatically are + employed in the event of a fire; + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_obj-2 + name: assessment-objective + props: + - name: label + value: PE-13(01)[02] + class: sp800-53a + prose: "fire detection systems that notify {{ insert: param,\ + \ pe-13.01_odp.01 }} automatically are employed in the event\ + \ of a fire;" + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_obj-3 + name: assessment-objective + props: + - name: label + value: PE-13(01)[03] + class: sp800-53a + prose: "fire detection systems that notify {{ insert: param,\ + \ pe-13.01_odp.02 }} automatically are employed in the event\ + \ of a fire." + links: + - href: "#pe-13.1_smt" + rel: assessment-for + links: + - href: "#pe-13.1_smt" + rel: assessment-for + - id: pe-13.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + facility housing the information system + + + alarm service-level agreements + + + test records of fire suppression and detection devices/systems + + + fire suppression and detection devices/systems documentation + + + alerts/notifications of fire events + + + system security plan + + + other relevant documents or records + - id: pe-13.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with responsibilities for notifying + appropriate personnel, roles, and emergency responders of + fires + + + organizational personnel with information security responsibilities + - id: pe-13.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing fire detection + devices/systems + + + activation of fire detection devices/systems (simulated) + + + automated notifications + - id: pe-13.2 + class: SP800-53-enhancement + title: Suppression Systems — Automatic Activation and Notification + params: + - id: pe-13.02_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to be notified in the event of a fire + is/are defined; + - id: pe-13.02_odp.02 + label: emergency responders + guidelines: + - prose: emergency responders to be notified in the event of a + fire are defined; + props: + - name: label + value: PE-13(2) + - name: label + value: PE-13(02) + class: sp800-53a + - name: sort-id + value: pe-13.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pe-13" + rel: required + parts: + - id: pe-13.2_smt + name: statement + parts: + - id: pe-13.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "Employ fire suppression systems that activate automatically\ + \ and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert:\ + \ param, pe-13.02_odp.02 }} ; and" + - id: pe-13.2_smt.b + name: item + props: + - name: label + value: (b) + prose: Employ an automatic fire suppression capability when + the facility is not staffed on a continuous basis. + - id: pe-13.2_gdn + name: guidance + prose: Organizations can identify specific personnel, roles, and + emergency responders if individuals on the notification list need + to have appropriate access authorizations and/or clearances (e.g., + to enter to facilities where access is restricted due to the impact + level or classification of information within the facility). Notification + mechanisms may require independent energy sources to ensure that + the notification capability is not adversely affected by the fire. + - id: pe-13.2_obj + name: assessment-objective + props: + - name: label + value: PE-13(02) + class: sp800-53a + parts: + - id: pe-13.2_obj.a + name: assessment-objective + props: + - name: label + value: PE-13(02)(a) + class: sp800-53a + parts: + - id: pe-13.2_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[01] + class: sp800-53a + prose: fire suppression systems that activate automatically + are employed; + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[02] + class: sp800-53a + prose: "fire suppression systems that notify {{ insert:\ + \ param, pe-13.02_odp.01 }} automatically are employed;" + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-13(02)(a)[03] + class: sp800-53a + prose: "fire suppression systems that notify {{ insert:\ + \ param, pe-13.02_odp.02 }} automatically are employed;" + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + links: + - href: "#pe-13.2_smt.a" + rel: assessment-for + - id: pe-13.2_obj.b + name: assessment-objective + props: + - name: label + value: PE-13(02)(b) + class: sp800-53a + prose: an automatic fire suppression capability is employed + when the facility is not staffed on a continuous basis. + links: + - href: "#pe-13.2_smt.b" + rel: assessment-for + links: + - href: "#pe-13.2_smt" + rel: assessment-for + - id: pe-13.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-13(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing fire protection + + + fire suppression and detection devices/systems documentation + + + facility housing the system + + + alarm service-level agreements + + + test records of fire suppression and detection devices/systems + + + system security plan + + + other relevant documents or records + - id: pe-13.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-13(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for fire + detection and suppression devices/systems + + + organizational personnel with responsibilities for providing + automatic notifications of any activation of fire suppression + devices/systems to appropriate personnel, roles, and emergency + responders + + + organizational personnel with information security responsibilities + - id: pe-13.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-13(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Automated mechanisms supporting and/or implementing fire + suppression devices/systems + + + activation of fire suppression devices/systems (simulated) + + + automated notifications + - id: pe-14 + class: SP800-53 + title: Environmental Controls + params: + - id: pe-14_odp.01 + constraints: + - description: consistent with American Society of Heating, Refrigerating + and Air-conditioning Engineers (ASHRAE) document entitled Thermal + Guidelines for Data Processing Environments + select: + how-many: one-or-more + choice: + - temperature + - humidity + - pressure + - radiation + - " {{ insert: param, pe-14_odp.02 }} " + - id: pe-14_odp.02 + label: environmental control + guidelines: + - prose: environmental control(s) for which to maintain a specified + level in the facility where the system resides are defined (if + selected); + - id: pe-14_odp.03 + label: acceptable levels + guidelines: + - prose: acceptable levels for environmental controls are defined; + - id: pe-14_odp.04 + label: frequency + constraints: + - description: continuously + guidelines: + - prose: frequency at which to monitor environmental control levels + is defined; + props: + - name: label + value: PE-14 + - name: label + value: PE-14 + class: sp800-53a + - name: sort-id + value: pe-14 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#cp-2" + rel: related + parts: + - id: pe-14_smt + name: statement + parts: + - id: pe-14_smt.a + name: item + props: + - name: label + value: a. + prose: "Maintain {{ insert: param, pe-14_odp.01 }} levels within\ + \ the facility where the system resides at {{ insert: param, pe-14_odp.03\ + \ }} ; and" + - id: pe-14_smt.b + name: item + props: + - name: label + value: b. + prose: "Monitor environmental control levels {{ insert: param, pe-14_odp.04\ + \ }}." + - id: pe-14_fr + name: item + title: PE-14 Additional FedRAMP Requirements and Guidance + parts: + - id: pe-14_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: The service provider measures temperature at server inlets + and humidity levels by dew point. + - id: pe-14_gdn + name: guidance + prose: The provision of environmental controls applies primarily to + organizational facilities that contain concentrations of system resources + (e.g., data centers, mainframe computer rooms, and server rooms). + Insufficient environmental controls, especially in very harsh environments, + can have a significant adverse impact on the availability of systems + and system components that are needed to support organizational mission + and business functions. + - id: pe-14_obj + name: assessment-objective + props: + - name: label + value: PE-14 + class: sp800-53a + parts: + - id: pe-14_obj.a + name: assessment-objective + props: + - name: label + value: PE-14a. + class: sp800-53a + prose: " {{ insert: param, pe-14_odp.01 }} levels are maintained\ + \ at {{ insert: param, pe-14_odp.03 }} within the facility where\ + \ the system resides;" + links: + - href: "#pe-14_smt.a" + rel: assessment-for + - id: pe-14_obj.b + name: assessment-objective + props: + - name: label + value: PE-14b. + class: sp800-53a + prose: "environmental control levels are monitored {{ insert: param,\ + \ pe-14_odp.04 }}." + links: + - href: "#pe-14_smt.b" + rel: assessment-for + links: + - href: "#pe-14_smt" + rel: assessment-for + - id: pe-14_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-14-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Physical and environmental protection policy + + procedures addressing temperature and humidity control + + temperature and humidity controls + + facility housing the system + + temperature and humidity controls documentation + + temperature and humidity records + + system security plan + + other relevant documents or records + - id: pe-14_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-14-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-14_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-14-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the maintenance + and monitoring of temperature and humidity levels + - id: pe-15 + class: SP800-53 + title: Water Damage Protection + props: + - name: label + value: PE-15 + - name: label + value: PE-15 + class: sp800-53a + - name: sort-id + value: pe-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#at-3" + rel: related + - href: "#pe-10" + rel: related + parts: + - id: pe-15_smt + name: statement + prose: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, + working properly, and known to key personnel. + - id: pe-15_gdn + name: guidance + prose: The provision of water damage protection primarily applies to + organizational facilities that contain concentrations of system resources, + including data centers, server rooms, and mainframe computer rooms. + Isolation valves can be employed in addition to or in lieu of master + shutoff valves to shut off water supplies in specific areas of concern + without affecting entire organizations. + - id: pe-15_obj + name: assessment-objective + props: + - name: label + value: PE-15 + class: sp800-53a + parts: + - id: pe-15_obj-1 + name: assessment-objective + props: + - name: label + value: PE-15[01] + class: sp800-53a + prose: the system is protected from damage resulting from water + leakage by providing master shutoff or isolation valves; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-2 + name: assessment-objective + props: + - name: label + value: PE-15[02] + class: sp800-53a + prose: the master shutoff or isolation valves are accessible; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-3 + name: assessment-objective + props: + - name: label + value: PE-15[03] + class: sp800-53a + prose: the master shutoff or isolation valves are working properly; + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_obj-4 + name: assessment-objective + props: + - name: label + value: PE-15[04] + class: sp800-53a + prose: the master shutoff or isolation valves are known to key personnel. + links: + - href: "#pe-15_smt" + rel: assessment-for + links: + - href: "#pe-15_smt" + rel: assessment-for + - id: pe-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing water damage protection + + + facility housing the system + + + master shutoff valves + + + list of key personnel with knowledge of location and activation + procedures for master shutoff valves for the plumbing system + + + master shutoff valve documentation + + + system security plan + + + other relevant documents or records + - id: pe-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for system + environmental controls + + + organizational personnel with information security responsibilities + - id: pe-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Master water-shutoff valves + + organizational process for activating master water shutoff + - id: pe-16 + class: SP800-53 + title: Delivery and Removal + params: + - id: pe-16_prm_1 + label: organization-defined types of system components + constraints: + - description: all information system components + - id: pe-16_odp.01 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when entering the facility are defined; + - id: pe-16_odp.02 + label: types of system components + guidelines: + - prose: types of system components to be authorized and controlled + when exiting the facility are defined; + props: + - name: label + value: PE-16 + - name: label + value: PE-16 + class: sp800-53a + - name: sort-id + value: pe-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-3" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-20" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: pe-16_smt + name: statement + parts: + - id: pe-16_smt.a + name: item + props: + - name: label + value: a. + prose: "Authorize and control {{ insert: param, pe-16_prm_1 }} entering\ + \ and exiting the facility; and" + - id: pe-16_smt.b + name: item + props: + - name: label + value: b. + prose: Maintain records of the system components. + - id: pe-16_gdn + name: guidance + prose: Enforcing authorizations for entry and exit of system components + may require restricting access to delivery areas and isolating the + areas from the system and media libraries. + - id: pe-16_obj + name: assessment-objective + props: + - name: label + value: PE-16 + class: sp800-53a + parts: + - id: pe-16_obj.a + name: assessment-objective + props: + - name: label + value: PE-16a. + class: sp800-53a + parts: + - id: pe-16_obj.a-1 + name: assessment-objective + props: + - name: label + value: PE-16a.[01] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are authorized when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-2 + name: assessment-objective + props: + - name: label + value: PE-16a.[02] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.01 }} are controlled when\ + \ entering the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-3 + name: assessment-objective + props: + - name: label + value: PE-16a.[03] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are authorized when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.a-4 + name: assessment-objective + props: + - name: label + value: PE-16a.[04] + class: sp800-53a + prose: " {{ insert: param, pe-16_odp.02 }} are controlled when\ + \ exiting the facility;" + links: + - href: "#pe-16_smt.a" + rel: assessment-for + links: + - href: "#pe-16_smt.a" + rel: assessment-for + - id: pe-16_obj.b + name: assessment-objective + props: + - name: label + value: PE-16b. + class: sp800-53a + prose: records of the system components are maintained. + links: + - href: "#pe-16_smt.b" + rel: assessment-for + links: + - href: "#pe-16_smt" + rel: assessment-for + - id: pe-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing the delivery and removal of system components + from the facility + + + facility housing the system + + + records of items entering and exiting the facility + + + system security plan + + + other relevant documents or records + - id: pe-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibilities for + controlling system components entering and exiting the + facility + + + organizational personnel with information security responsibilities + - id: pe-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling system-related items entering and exiting the + facility + + + mechanisms supporting and/or implementing, authorizing, monitoring, + and controlling system-related items entering and exiting the + facility + - id: pe-17 + class: SP800-53 + title: Alternate Work Site + params: + - id: pe-17_odp.01 + label: alternate work sites + guidelines: + - prose: alternate work sites allowed for use by employees are defined; + - id: pe-17_odp.02 + label: controls + guidelines: + - prose: controls to be employed at alternate work sites are defined; + props: + - name: label + value: PE-17 + - name: label + value: PE-17 + class: sp800-53a + - name: sort-id + value: pe-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#83b9d63b-66b1-467c-9f3b-3a0b108771e9" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#cp-7" + rel: related + parts: + - id: pe-17_smt + name: statement + parts: + - id: pe-17_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine and document the {{ insert: param, pe-17_odp.01\ + \ }} allowed for use by employees;" + - id: pe-17_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls at alternate work sites: {{\ + \ insert: param, pe-17_odp.02 }};" + - id: pe-17_smt.c + name: item + props: + - name: label + value: c. + prose: Assess the effectiveness of controls at alternate work sites; + and + - id: pe-17_smt.d + name: item + props: + - name: label + value: d. + prose: Provide a means for employees to communicate with information + security and privacy personnel in case of incidents. + - id: pe-17_gdn + name: guidance + prose: Alternate work sites include government facilities or the private + residences of employees. While distinct from alternative processing + sites, alternate work sites can provide readily available alternate + locations during contingency operations. Organizations can define + different sets of controls for specific alternate work sites or types + of sites depending on the work-related activities conducted at the + sites. Implementing and assessing the effectiveness of organization-defined + controls and providing a means to communicate incidents at alternate + work sites supports the contingency planning activities of organizations. + - id: pe-17_obj + name: assessment-objective + props: + - name: label + value: PE-17 + class: sp800-53a + parts: + - id: pe-17_obj.a + name: assessment-objective + props: + - name: label + value: PE-17a. + class: sp800-53a + prose: " {{ insert: param, pe-17_odp.01 }} are determined and documented;" + links: + - href: "#pe-17_smt.a" + rel: assessment-for + - id: pe-17_obj.b + name: assessment-objective + props: + - name: label + value: PE-17b. + class: sp800-53a + prose: " {{ insert: param, pe-17_odp.02 }} are employed at alternate\ + \ work sites;" + links: + - href: "#pe-17_smt.b" + rel: assessment-for + - id: pe-17_obj.c + name: assessment-objective + props: + - name: label + value: PE-17c. + class: sp800-53a + prose: the effectiveness of controls at alternate work sites is + assessed; + links: + - href: "#pe-17_smt.c" + rel: assessment-for + - id: pe-17_obj.d + name: assessment-objective + props: + - name: label + value: PE-17d. + class: sp800-53a + prose: a means for employees to communicate with information security + and privacy personnel in case of incidents is provided. + links: + - href: "#pe-17_smt.d" + rel: assessment-for + links: + - href: "#pe-17_smt" + rel: assessment-for + - id: pe-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PE-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Physical and environmental protection policy + + + procedures addressing alternate work sites for organizational + personnel + + + list of security controls required for alternate work sites + + + assessments of security controls at alternate work sites + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pe-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PE-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel approving the use of alternate work + sites + + + organizational personnel using alternate work sites + + + organizational personnel assessing controls at alternate work + sites + + + organizational personnel with information security and privacy + responsibilities + - id: pe-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PE-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy at + alternate work sites + + + mechanisms supporting alternate work sites + + + security and privacy controls employed at alternate work sites + + + means of communication between personnel at alternate work sites + and security and privacy personnel + - id: pl + class: family + title: Planning + controls: + - id: pl-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: pl-1_prm_1 + label: organization-defined personnel or roles + - id: pl-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning policy is to be disseminated + is/are defined; + - id: pl-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the planning procedures are to + be disseminated is/are defined; + - id: pl-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: pl-01_odp.04 + label: official + guidelines: + - prose: an official to manage the planning policy and procedures + is defined; + - id: pl-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency with which the current planning policy is reviewed + and updated is defined; + - id: pl-01_odp.06 + label: events + guidelines: + - prose: events that would require the current planning policy to + be reviewed and updated are defined; + - id: pl-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency with which the current planning procedures + are reviewed and updated is defined; + - id: pl-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require procedures to be reviewed and updated + are defined; + props: + - name: label + value: PL-1 + - name: label + value: PL-01 + class: sp800-53a + - name: sort-id + value: pl-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-1_smt + name: statement + parts: + - id: pl-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ pl-1_prm_1 }}:" + parts: + - id: pl-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, pl-01_odp.03 }} planning policy that:" + parts: + - id: pl-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: pl-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: pl-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the planning + policy and the associated planning controls; + - id: pl-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, pl-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures; and" + - id: pl-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current planning:" + parts: + - id: pl-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, pl-01_odp.05 }} and following\ + \ {{ insert: param, pl-01_odp.06 }} ; and" + - id: pl-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, pl-01_odp.07 }} and following\ + \ {{ insert: param, pl-01_odp.08 }}." + - id: pl-1_gdn + name: guidance + prose: Planning policy and procedures for the controls in the PL family + implemented within systems and organizations. The risk management + strategy is an important factor in establishing such policies and + procedures. Policies and procedures contribute to security and privacy + assurance. Therefore, it is important that security and privacy programs + collaborate on their development. Security and privacy program policies + and procedures at the organization level are preferable, in general, + and may obviate the need for mission level or system-specific policies + and procedures. The policy can be included as part of the general + security and privacy policy or be represented by multiple policies + that reflect the complex nature of organizations. Procedures can be + established for security and privacy programs, for mission/business + processes, and for systems, if needed. Procedures describe how the + policies or controls are implemented and can be directed at the individual + or role that is the object of the procedure. Procedures can be documented + in system security and privacy plans or in one or more separate documents. + Events that may precipitate an update to planning policy and procedures + include, but are not limited to, assessment or audit findings, security + incidents or breaches, or changes in laws, executive orders, directives, + regulations, policies, standards, and guidelines. Simply restating + controls does not constitute an organizational policy or procedure. + - id: pl-1_obj + name: assessment-objective + props: + - name: label + value: PL-01 + class: sp800-53a + parts: + - id: pl-1_obj.a + name: assessment-objective + props: + - name: label + value: PL-01a. + class: sp800-53a + parts: + - id: pl-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.[01] + class: sp800-53a + prose: a planning policy is developed and documented. + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.[02] + class: sp800-53a + prose: "the planning policy is disseminated to {{ insert: param,\ + \ pl-01_odp.01 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.[03] + class: sp800-53a + prose: planning procedures to facilitate the implementation + of the planning policy and associated planning controls are + developed and documented; + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.[04] + class: sp800-53a + prose: "the planning procedures are disseminated to {{ insert:\ + \ param, pl-01_odp.02 }};" + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-01a.01 + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PL-01a.01(a) + class: sp800-53a + parts: + - id: pl-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses purpose;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses scope;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses roles;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses responsibilities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses management commitment;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PL-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning\ + \ policy addresses compliance;" + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1.a" + rel: assessment-for + - id: pl-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PL-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.03 }} planning policy\ + \ is consistent with applicable laws, Executive Orders,\ + \ directives, regulations, policies, standards, and guidelines;" + links: + - href: "#pl-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#pl-1_smt.a.1" + rel: assessment-for + links: + - href: "#pl-1_smt.a" + rel: assessment-for + - id: pl-1_obj.b + name: assessment-objective + props: + - name: label + value: PL-01b. + class: sp800-53a + prose: "the {{ insert: param, pl-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the planning\ + \ policy and procedures;" + links: + - href: "#pl-1_smt.b" + rel: assessment-for + - id: pl-1_obj.c + name: assessment-objective + props: + - name: label + value: PL-01c. + class: sp800-53a + parts: + - id: pl-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PL-01c.01 + class: sp800-53a + parts: + - id: pl-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PL-01c.01[01] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ {{ insert: param, pl-01_odp.05 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PL-01c.01[02] + class: sp800-53a + prose: "the current planning policy is reviewed and updated\ + \ following {{ insert: param, pl-01_odp.06 }};" + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + links: + - href: "#pl-1_smt.c.1" + rel: assessment-for + - id: pl-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PL-01c.02 + class: sp800-53a + parts: + - id: pl-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PL-01c.02[01] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated {{ insert: param, pl-01_odp.07 }};" + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + - id: pl-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PL-01c.02[02] + class: sp800-53a + prose: "the current planning procedures are reviewed and\ + \ updated following {{ insert: param, pl-01_odp.08 }}." + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c.2" + rel: assessment-for + links: + - href: "#pl-1_smt.c" + rel: assessment-for + links: + - href: "#pl-1_smt" + rel: assessment-for + - id: pl-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Planning policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: pl-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with planning responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2 + class: SP800-53 + title: System Security and Privacy Plans + params: + - id: pl-02_odp.01 + label: individuals or groups + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + guidelines: + - prose: individuals or groups with whom security and privacy-related + activities affecting the system that require planning and coordination + is/are assigned; + - id: pl-02_odp.02 + label: personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + guidelines: + - prose: personnel or roles to receive distributed copies of the system + security and privacy plans is/are assigned; + - id: pl-02_odp.03 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: frequency to review system security and privacy plans is + defined; + props: + - name: label + value: PL-2 + - name: label + value: PL-02 + class: sp800-53a + - name: sort-id + value: pl-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-14" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-20" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-8" + rel: related + - href: "#ma-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-7" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-10" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: pl-2_smt + name: statement + parts: + - id: pl-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy plans for the system that:" + parts: + - id: pl-2_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Are consistent with the organization’s enterprise architecture; + - id: pl-2_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Explicitly define the constituent system components; + - id: pl-2_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe the operational context of the system in terms + of mission and business processes; + - id: pl-2_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Identify the individuals that fulfill system roles and + responsibilities; + - id: pl-2_smt.a.5 + name: item + props: + - name: label + value: "5." + prose: Identify the information types processed, stored, and + transmitted by the system; + - id: pl-2_smt.a.6 + name: item + props: + - name: label + value: "6." + prose: Provide the security categorization of the system, including + supporting rationale; + - id: pl-2_smt.a.7 + name: item + props: + - name: label + value: "7." + prose: Describe any specific threats to the system that are + of concern to the organization; + - id: pl-2_smt.a.8 + name: item + props: + - name: label + value: "8." + prose: Provide the results of a privacy risk assessment for + systems processing personally identifiable information; + - id: pl-2_smt.a.9 + name: item + props: + - name: label + value: "9." + prose: Describe the operational environment for the system and + any dependencies on or connections to other systems or system + components; + - id: pl-2_smt.a.10 + name: item + props: + - name: label + value: "10." + prose: Provide an overview of the security and privacy requirements + for the system; + - id: pl-2_smt.a.11 + name: item + props: + - name: label + value: "11." + prose: Identify any relevant control baselines or overlays, + if applicable; + - id: pl-2_smt.a.12 + name: item + props: + - name: label + value: "12." + prose: Describe the controls in place or planned for meeting + the security and privacy requirements, including a rationale + for any tailoring decisions; + - id: pl-2_smt.a.13 + name: item + props: + - name: label + value: "13." + prose: Include risk determinations for security and privacy + architecture and design decisions; + - id: pl-2_smt.a.14 + name: item + props: + - name: label + value: "14." + prose: "Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with {{\ + \ insert: param, pl-02_odp.01 }} ; and" + - id: pl-2_smt.a.15 + name: item + props: + - name: label + value: "15." + prose: Are reviewed and approved by the authorizing official + or designated representative prior to plan implementation. + - id: pl-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to {{ insert: param, pl-02_odp.02 }};" + - id: pl-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review the plans {{ insert: param, pl-02_odp.03 }};" + - id: pl-2_smt.d + name: item + props: + - name: label + value: d. + prose: Update the plans to address changes to the system and environment + of operation or problems identified during plan implementation + or control assessments; and + - id: pl-2_smt.e + name: item + props: + - name: label + value: e. + prose: Protect the plans from unauthorized disclosure and modification. + - id: pl-2_gdn + name: guidance + prose: >- + System security and privacy plans are scoped to the system and + system components within the defined authorization boundary and + contain an overview of the security and privacy requirements for + the system and the controls selected to satisfy the + requirements. The plans describe the intended application of + each selected control in the context of the system with a + sufficient level of detail to correctly implement the control + and to subsequently assess the effectiveness of the control. The + control documentation describes how system-specific and hybrid + controls are implemented and the plans and expectations + regarding the functionality of the system. System security and + privacy plans can also be used in the design and development of + systems in support of life cycle-based security and privacy + engineering processes. System security and privacy plans are + living documents that are updated and adapted throughout the + system development life cycle (e.g., during capability + determination, analysis of alternatives, requests for proposal, + and design reviews). [Section + 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the + different types of requirements that are relevant to + organizations during the system development life cycle and the + relationship between requirements and controls. + + + Organizations may develop a single, integrated security and privacy + plan or maintain separate plans. Security and privacy plans relate + security and privacy requirements to a set of controls and control + enhancements. The plans describe how the controls and control enhancements + meet the security and privacy requirements but do not provide detailed, + technical descriptions of the design or implementation of the controls + and control enhancements. Security and privacy plans contain sufficient + information (including specifications of control parameter values + for selection and assignment operations explicitly or by reference) + to enable a design and implementation that is unambiguously compliant + with the intent of the plans and subsequent determinations of risk + to organizational operations and assets, individuals, other organizations, + and the Nation if the plan is implemented. + + + Security and privacy plans need not be single documents. The plans + can be a collection of various documents, including documents that + already exist. Effective security and privacy plans make extensive + use of references to policies, procedures, and additional documents, + including design and implementation specifications where more detailed + information can be obtained. The use of references helps reduce the + documentation associated with security and privacy programs and maintains + the security- and privacy-related information in other established + management and operational areas, including enterprise architecture, + system development life cycle, systems engineering, and acquisition. + Security and privacy plans need not contain detailed contingency plan + or incident response plan information but can instead provide—explicitly + or by reference—sufficient information to define what needs to be + accomplished by those plans. + + + Security- and privacy-related activities that may require coordination + and planning with other individuals or groups within the organization + include assessments, audits, inspections, hardware and software maintenance, + acquisition and supply chain risk management, patch management, and + contingency plan testing. Planning and coordination include emergency + and nonemergency (i.e., planned or non-urgent unplanned) situations. + The process defined by organizations to plan and coordinate security- + and privacy-related activities can also be included in other documents, + as appropriate. + - id: pl-2_obj + name: assessment-objective + props: + - name: label + value: PL-02 + class: sp800-53a + parts: + - id: pl-2_obj.a + name: assessment-objective + props: + - name: label + value: PL-02a. + class: sp800-53a + parts: + - id: pl-2_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-02a.01 + class: sp800-53a + parts: + - id: pl-2_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: PL-02a.01[01] + class: sp800-53a + prose: a security plan for the system is developed that + is consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: PL-02a.01[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + consistent with the organization’s enterprise architecture; + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + links: + - href: "#pl-2_smt.a.1" + rel: assessment-for + - id: pl-2_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-02a.02 + class: sp800-53a + parts: + - id: pl-2_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: PL-02a.02[01] + class: sp800-53a + prose: a security plan for the system is developed that + explicitly defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: PL-02a.02[02] + class: sp800-53a + prose: a privacy plan for the system is developed that explicitly + defines the constituent system components; + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + links: + - href: "#pl-2_smt.a.2" + rel: assessment-for + - id: pl-2_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-02a.03 + class: sp800-53a + parts: + - id: pl-2_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-02a.03[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational context of the system in terms + of mission and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-02a.03[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational context of the system in terms of mission + and business processes; + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + links: + - href: "#pl-2_smt.a.3" + rel: assessment-for + - id: pl-2_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-02a.04 + class: sp800-53a + parts: + - id: pl-2_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-02a.04[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the individuals that fulfill system roles and + responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-02a.04[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the individuals that fulfill system roles and responsibilities; + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + links: + - href: "#pl-2_smt.a.4" + rel: assessment-for + - id: pl-2_obj.a.5 + name: assessment-objective + props: + - name: label + value: PL-02a.05 + class: sp800-53a + parts: + - id: pl-2_obj.a.5-1 + name: assessment-objective + props: + - name: label + value: PL-02a.05[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies the information types processed, stored, and + transmitted by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.5-2 + name: assessment-objective + props: + - name: label + value: PL-02a.05[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + the information types processed, stored, and transmitted + by the system; + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + links: + - href: "#pl-2_smt.a.5" + rel: assessment-for + - id: pl-2_obj.a.6 + name: assessment-objective + props: + - name: label + value: PL-02a.06 + class: sp800-53a + parts: + - id: pl-2_obj.a.6-1 + name: assessment-objective + props: + - name: label + value: PL-02a.06[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the security categorization of the system, including + supporting rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.6-2 + name: assessment-objective + props: + - name: label + value: PL-02a.06[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the security categorization of the system, including supporting + rationale; + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + links: + - href: "#pl-2_smt.a.6" + rel: assessment-for + - id: pl-2_obj.a.7 + name: assessment-objective + props: + - name: label + value: PL-02a.07 + class: sp800-53a + parts: + - id: pl-2_obj.a.7-1 + name: assessment-objective + props: + - name: label + value: PL-02a.07[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes any specific threats to the system that are + of concern to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.7-2 + name: assessment-objective + props: + - name: label + value: PL-02a.07[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + any specific threats to the system that are of concern + to the organization; + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + links: + - href: "#pl-2_smt.a.7" + rel: assessment-for + - id: pl-2_obj.a.8 + name: assessment-objective + props: + - name: label + value: PL-02a.08 + class: sp800-53a + parts: + - id: pl-2_obj.a.8-1 + name: assessment-objective + props: + - name: label + value: PL-02a.08[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides the results of a privacy risk assessment for + systems processing personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.8-2 + name: assessment-objective + props: + - name: label + value: PL-02a.08[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + the results of a privacy risk assessment for systems processing + personally identifiable information; + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + links: + - href: "#pl-2_smt.a.8" + rel: assessment-for + - id: pl-2_obj.a.9 + name: assessment-objective + props: + - name: label + value: PL-02a.09 + class: sp800-53a + parts: + - id: pl-2_obj.a.9-1 + name: assessment-objective + props: + - name: label + value: PL-02a.09[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the operational environment for the system and + any dependencies on or connections to other systems or + system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.9-2 + name: assessment-objective + props: + - name: label + value: PL-02a.09[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the operational environment for the system and any dependencies + on or connections to other systems or system components; + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + links: + - href: "#pl-2_smt.a.9" + rel: assessment-for + - id: pl-2_obj.a.10 + name: assessment-objective + props: + - name: label + value: PL-02a.10 + class: sp800-53a + parts: + - id: pl-2_obj.a.10-1 + name: assessment-objective + props: + - name: label + value: PL-02a.10[01] + class: sp800-53a + prose: a security plan for the system is developed that + provides an overview of the security requirements for + the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.10-2 + name: assessment-objective + props: + - name: label + value: PL-02a.10[02] + class: sp800-53a + prose: a privacy plan for the system is developed that provides + an overview of the privacy requirements for the system; + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + links: + - href: "#pl-2_smt.a.10" + rel: assessment-for + - id: pl-2_obj.a.11 + name: assessment-objective + props: + - name: label + value: PL-02a.11 + class: sp800-53a + parts: + - id: pl-2_obj.a.11-1 + name: assessment-objective + props: + - name: label + value: PL-02a.11[01] + class: sp800-53a + prose: a security plan for the system is developed that + identifies any relevant control baselines or overlays, + if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.11-2 + name: assessment-objective + props: + - name: label + value: PL-02a.11[02] + class: sp800-53a + prose: a privacy plan for the system is developed that identifies + any relevant control baselines or overlays, if applicable; + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + links: + - href: "#pl-2_smt.a.11" + rel: assessment-for + - id: pl-2_obj.a.12 + name: assessment-objective + props: + - name: label + value: PL-02a.12 + class: sp800-53a + parts: + - id: pl-2_obj.a.12-1 + name: assessment-objective + props: + - name: label + value: PL-02a.12[01] + class: sp800-53a + prose: a security plan for the system is developed that + describes the controls in place or planned for meeting + the security requirements, including rationale for any + tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.12-2 + name: assessment-objective + props: + - name: label + value: PL-02a.12[02] + class: sp800-53a + prose: a privacy plan for the system is developed that describes + the controls in place or planned for meeting the privacy + requirements, including rationale for any tailoring decisions; + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + links: + - href: "#pl-2_smt.a.12" + rel: assessment-for + - id: pl-2_obj.a.13 + name: assessment-objective + props: + - name: label + value: PL-02a.13 + class: sp800-53a + parts: + - id: pl-2_obj.a.13-1 + name: assessment-objective + props: + - name: label + value: PL-02a.13[01] + class: sp800-53a + prose: a security plan for the system is developed that + includes risk determinations for security architecture + and design decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.13-2 + name: assessment-objective + props: + - name: label + value: PL-02a.13[02] + class: sp800-53a + prose: a privacy plan for the system is developed that includes + risk determinations for privacy architecture and design + decisions; + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + links: + - href: "#pl-2_smt.a.13" + rel: assessment-for + - id: pl-2_obj.a.14 + name: assessment-objective + props: + - name: label + value: PL-02a.14 + class: sp800-53a + parts: + - id: pl-2_obj.a.14-1 + name: assessment-objective + props: + - name: label + value: PL-02a.14[01] + class: sp800-53a + prose: "a security plan for the system is developed that\ + \ includes security-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.14-2 + name: assessment-objective + props: + - name: label + value: PL-02a.14[02] + class: sp800-53a + prose: "a privacy plan for the system is developed that\ + \ includes privacy-related activities affecting the system\ + \ that require planning and coordination with {{ insert:\ + \ param, pl-02_odp.01 }};" + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + links: + - href: "#pl-2_smt.a.14" + rel: assessment-for + - id: pl-2_obj.a.15 + name: assessment-objective + props: + - name: label + value: PL-02a.15 + class: sp800-53a + parts: + - id: pl-2_obj.a.15-1 + name: assessment-objective + props: + - name: label + value: PL-02a.15[01] + class: sp800-53a + prose: a security plan for the system is developed that + is reviewed and approved by the authorizing official or + designated representative prior to plan implementation; + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + - id: pl-2_obj.a.15-2 + name: assessment-objective + props: + - name: label + value: PL-02a.15[02] + class: sp800-53a + prose: a privacy plan for the system is developed that is + reviewed and approved by the authorizing official or designated + representative prior to plan implementation. + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a.15" + rel: assessment-for + links: + - href: "#pl-2_smt.a" + rel: assessment-for + - id: pl-2_obj.b + name: assessment-objective + props: + - name: label + value: PL-02b. + class: sp800-53a + parts: + - id: pl-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: PL-02b.[01] + class: sp800-53a + prose: "copies of the plans are distributed to {{ insert: param,\ + \ pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: PL-02b.[02] + class: sp800-53a + prose: "subsequent changes to the plans are communicated to\ + \ {{ insert: param, pl-02_odp.02 }};" + links: + - href: "#pl-2_smt.b" + rel: assessment-for + links: + - href: "#pl-2_smt.b" + rel: assessment-for + - id: pl-2_obj.c + name: assessment-objective + props: + - name: label + value: PL-02c. + class: sp800-53a + prose: "plans are reviewed {{ insert: param, pl-02_odp.03 }};" + links: + - href: "#pl-2_smt.c" + rel: assessment-for + - id: pl-2_obj.d + name: assessment-objective + props: + - name: label + value: PL-02d. + class: sp800-53a + parts: + - id: pl-2_obj.d-1 + name: assessment-objective + props: + - name: label + value: PL-02d.[01] + class: sp800-53a + prose: plans are updated to address changes to the system and + environment of operations; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-2 + name: assessment-objective + props: + - name: label + value: PL-02d.[02] + class: sp800-53a + prose: plans are updated to address problems identified during + the plan implementation; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.d-3 + name: assessment-objective + props: + - name: label + value: PL-02d.[03] + class: sp800-53a + prose: plans are updated to address problems identified during + control assessments; + links: + - href: "#pl-2_smt.d" + rel: assessment-for + links: + - href: "#pl-2_smt.d" + rel: assessment-for + - id: pl-2_obj.e + name: assessment-objective + props: + - name: label + value: PL-02e. + class: sp800-53a + parts: + - id: pl-2_obj.e-1 + name: assessment-objective + props: + - name: label + value: PL-02e.[01] + class: sp800-53a + prose: plans are protected from unauthorized disclosure; + links: + - href: "#pl-2_smt.e" + rel: assessment-for + - id: pl-2_obj.e-2 + name: assessment-objective + props: + - name: label + value: PL-02e.[02] + class: sp800-53a + prose: plans are protected from unauthorized modification. + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt.e" + rel: assessment-for + links: + - href: "#pl-2_smt" + rel: assessment-for + - id: pl-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing security and privacy plan reviews and updates + + + enterprise architecture documentation + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + security and privacy architecture and design documentation + + + risk assessments + + + risk assessment results + + + control assessment documentation + + + other relevant documents or records + - id: pl-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system security and privacy + planning and plan implementation responsibilities + + + system developers + + + organizational personnel with information security and privacy + responsibilities + - id: pl-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system security and privacy + plan development, review, update, and approval + + + mechanisms supporting the system security and privacy plan + - id: pl-4 + class: SP800-53 + title: Rules of Behavior + params: + - id: pl-04_odp.01 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: frequency for reviewing and updating the rules of behavior + is defined; + - id: pl-04_odp.02 + constraints: + - description: at least annually and when the rules are revised or + changed + select: + how-many: one-or-more + choice: + - " {{ insert: param, pl-04_odp.03 }} " + - when the rules are revised or updated + - id: pl-04_odp.03 + label: frequency + guidelines: + - prose: frequency for individuals to read and re-acknowledge the + rules of behavior is defined (if selected); + props: + - name: label + value: PL-4 + - name: label + value: PL-04 + class: sp800-53a + - name: sort-id + value: pl-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#30eb758a-2707-4bca-90ad-949a74d4eb16" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-9" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ia-5" + rel: related + - href: "#mp-7" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-5" + rel: related + - href: "#si-12" + rel: related + parts: + - id: pl-4_smt + name: statement + parts: + - id: pl-4_smt.a + name: item + props: + - name: label + value: a. + prose: Establish and provide to individuals requiring access to + the system, the rules that describe their responsibilities and + expected behavior for information and system usage, security, + and privacy; + - id: pl-4_smt.b + name: item + props: + - name: label + value: b. + prose: Receive a documented acknowledgment from such individuals, + indicating that they have read, understand, and agree to abide + by the rules of behavior, before authorizing access to information + and the system; + - id: pl-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the rules of behavior {{ insert: param,\ + \ pl-04_odp.01 }} ; and" + - id: pl-4_smt.d + name: item + props: + - name: label + value: d. + prose: "Require individuals who have acknowledged a previous version\ + \ of the rules of behavior to read and re-acknowledge {{ insert:\ + \ param, pl-04_odp.02 }}." + - id: pl-4_gdn + name: guidance + prose: Rules of behavior represent a type of access agreement for organizational + users. Other types of access agreements include nondisclosure agreements, + conflict-of-interest agreements, and acceptable use agreements (see + [PS-6](#ps-6) ). Organizations consider rules of behavior based on + individual user roles and responsibilities and differentiate between + rules that apply to privileged users and rules that apply to general + users. Establishing rules of behavior for some types of non-organizational + users, including individuals who receive information from federal + systems, is often not feasible given the large number of such users + and the limited nature of their interactions with the systems. Rules + of behavior for organizational and non-organizational users can also + be established in [AC-8](#ac-8) . The related controls section provides + a list of controls that are relevant to organizational rules of behavior. + [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the + control, may be satisfied by the literacy training and awareness and + role-based training programs conducted by organizations if such training + includes rules of behavior. Documented acknowledgements for rules + of behavior include electronic or physical signatures and electronic + agreement check boxes or radio buttons. + - id: pl-4_obj + name: assessment-objective + props: + - name: label + value: PL-04 + class: sp800-53a + parts: + - id: pl-4_obj.a + name: assessment-objective + props: + - name: label + value: PL-04a. + class: sp800-53a + parts: + - id: pl-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: PL-04a.[01] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + established for individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: PL-04a.[02] + class: sp800-53a + prose: rules that describe responsibilities and expected behavior + for information and system usage, security, and privacy are + provided to individuals requiring access to the system; + links: + - href: "#pl-4_smt.a" + rel: assessment-for + links: + - href: "#pl-4_smt.a" + rel: assessment-for + - id: pl-4_obj.b + name: assessment-objective + props: + - name: label + value: PL-04b. + class: sp800-53a + prose: before authorizing access to information and the system, + a documented acknowledgement from such individuals indicating + that they have read, understand, and agree to abide by the rules + of behavior is received; + links: + - href: "#pl-4_smt.b" + rel: assessment-for + - id: pl-4_obj.c + name: assessment-objective + props: + - name: label + value: PL-04c. + class: sp800-53a + prose: "rules of behavior are reviewed and updated {{ insert: param,\ + \ pl-04_odp.01 }};" + links: + - href: "#pl-4_smt.c" + rel: assessment-for + - id: pl-4_obj.d + name: assessment-objective + props: + - name: label + value: PL-04d. + class: sp800-53a + prose: "individuals who have acknowledged a previous version of\ + \ the rules of behavior are required to read and reacknowledge\ + \ {{ insert: param, pl-04_odp.02 }}." + links: + - href: "#pl-4_smt.d" + rel: assessment-for + links: + - href: "#pl-4_smt" + rel: assessment-for + - id: pl-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + signed acknowledgements + + records for rules of behavior reviews and updates + + other relevant documents or records + - id: pl-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy training + and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed and resigned rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing, reviewing, + disseminating, and updating rules of behavior + + + mechanisms supporting and/or implementing the establishment, review, + dissemination, and update of rules of behavior + controls: + - id: pl-4.1 + class: SP800-53-enhancement + title: Social Media and External Site/Application Usage Restrictions + props: + - name: label + value: PL-4(1) + - name: label + value: PL-04(01) + class: sp800-53a + - name: sort-id + value: pl-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-4" + rel: required + - href: "#ac-22" + rel: related + - href: "#au-13" + rel: related + parts: + - id: pl-4.1_smt + name: statement + prose: "Include in the rules of behavior, restrictions on:" + parts: + - id: pl-4.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Use of social media, social networking sites, and external + sites/applications; + - id: pl-4.1_smt.b + name: item + props: + - name: label + value: (b) + prose: Posting organizational information on public websites; + and + - id: pl-4.1_smt.c + name: item + props: + - name: label + value: (c) + prose: Use of organization-provided identifiers (e.g., email + addresses) and authentication secrets (e.g., passwords) for + creating accounts on external sites/applications. + - id: pl-4.1_gdn + name: guidance + prose: Social media, social networking, and external site/application + usage restrictions address rules of behavior related to the use + of social media, social networking, and external sites when organizational + personnel are using such sites for official duties or in the conduct + of official business, when organizational information is involved + in social media and social networking transactions, and when personnel + access social media and networking sites from organizational systems. + Organizations also address specific rules that prevent unauthorized + entities from obtaining non-public organizational information + from social media and networking sites either directly or through + inference. Non-public information includes personally identifiable + information and system account information. + - id: pl-4.1_obj + name: assessment-objective + props: + - name: label + value: PL-04(01) + class: sp800-53a + parts: + - id: pl-4.1_obj.a + name: assessment-objective + props: + - name: label + value: PL-04(01)(a) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of social media, social networking sites, and external sites/applications; + links: + - href: "#pl-4.1_smt.a" + rel: assessment-for + - id: pl-4.1_obj.b + name: assessment-objective + props: + - name: label + value: PL-04(01)(b) + class: sp800-53a + prose: the rules of behavior include restrictions on posting + organizational information on public websites; + links: + - href: "#pl-4.1_smt.b" + rel: assessment-for + - id: pl-4.1_obj.c + name: assessment-objective + props: + - name: label + value: PL-04(01)(c) + class: sp800-53a + prose: the rules of behavior include restrictions on the use + of organization-provided identifiers (e.g., email addresses) + and authentication secrets (e.g., passwords) for creating + accounts on external sites/applications. + links: + - href: "#pl-4.1_smt.c" + rel: assessment-for + links: + - href: "#pl-4.1_smt" + rel: assessment-for + - id: pl-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Security and privacy planning policy + + procedures addressing rules of behavior for system users + + rules of behavior + + training policy + + other relevant documents or records + - id: pl-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with responsibility for + establishing, reviewing, and updating rules of behavior + + + organizational personnel with responsibility for literacy + training and awareness and role-based training + + + organizational personnel who are authorized users of the system + and have signed rules of behavior + + + organizational personnel with information security and privacy + responsibilities + - id: pl-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing rules of + behavior + + + mechanisms supporting and/or implementing the establishment + of rules of behavior + - id: pl-8 + class: SP800-53 + title: Security and Privacy Architectures + params: + - id: pl-08_odp + label: frequency + constraints: + - description: at least annually and when a significant change occurs + guidelines: + - prose: frequency for review and update to reflect changes in the + enterprise architecture; + props: + - name: label + value: PL-8 + - name: label + value: PL-08 + class: sp800-53a + - name: sort-id + value: pl-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-7" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-5" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-7" + rel: related + parts: + - id: pl-8_smt + name: statement + parts: + - id: pl-8_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop security and privacy architectures for the system\ + \ that:" + parts: + - id: pl-8_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Describe the requirements and approach to be taken for + protecting the confidentiality, integrity, and availability + of organizational information; + - id: pl-8_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Describe the requirements and approach to be taken for + processing personally identifiable information to minimize + privacy risk to individuals; + - id: pl-8_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Describe how the architectures are integrated into and + support the enterprise architecture; and + - id: pl-8_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Describe any assumptions about, and dependencies on, + external systems and services; + - id: pl-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the architectures {{ insert: param, pl-08_odp\ + \ }} to reflect changes in the enterprise architecture; and" + - id: pl-8_smt.c + name: item + props: + - name: label + value: c. + prose: Reflect planned architecture changes in security and privacy + plans, Concept of Operations (CONOPS), criticality analysis, organizational + procedures, and procurements and acquisitions. + - id: pl-8_fr + name: item + title: PL-8 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: pl-8_gdn + name: guidance + prose: >- + The security and privacy architectures at the system level are + consistent with the organization-wide security and privacy + architectures described in [PM-7](#pm-7) , which are integral to + and developed as part of the enterprise architecture. The + architectures include an architectural description, the + allocation of security and privacy functionality (including + controls), security- and privacy-related information for + external interfaces, information being exchanged across the + interfaces, and the protection mechanisms associated with each + interface. The architectures can also include other information, + such as user roles and the access privileges assigned to each + role; security and privacy requirements; types of information + processed, stored, and transmitted by the system; supply chain + risk management requirements; restoration priorities of + information and system services; and other protection needs. + + [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance + on the use of security architectures as part of the system development + life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) + requires the use of the systems security engineering concepts described + in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high + value assets. Security and privacy architectures are reviewed and + updated throughout the system development life cycle, from analysis + of alternatives through review of the proposed architecture in the + RFP responses to the design reviews before and during implementation + (e.g., during preliminary design reviews and critical design reviews). + + In today’s modern computing architectures, it is becoming less common + for organizations to control all information resources. There may + be key dependencies on external information services and service providers. + Describing such dependencies in the security and privacy architectures + is necessary for developing a comprehensive mission and business protection + strategy. Establishing, developing, documenting, and maintaining under + configuration control a baseline configuration for organizational + systems is critical to implementing and maintaining effective architectures. + The development of the architectures is coordinated with the senior + agency information security officer and the senior agency official + for privacy to ensure that the controls needed to support security + and privacy requirements are identified and effectively implemented. + In many circumstances, there may be no distinction between the security + and privacy architecture for a system. In other circumstances, security + objectives may be adequately satisfied, but privacy objectives may + only be partially satisfied by the security requirements. In these + cases, consideration of the privacy requirements needed to achieve + satisfaction will result in a distinct privacy architecture. The documentation, + however, may simply reflect the combined architectures. + + [PL-8](#pl-8) is primarily directed at organizations to ensure that + architectures are developed for the system and, moreover, that the + architectures are integrated with or tightly coupled to the enterprise + architecture. In contrast, [SA-17](#sa-17) is primarily directed at + the external information technology product and system developers + and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) + , is selected when organizations outsource the development of systems + or components to external entities and when there is a need to demonstrate + consistency with the organization’s enterprise architecture and security + and privacy architectures. + - id: pl-8_obj + name: assessment-objective + props: + - name: label + value: PL-08 + class: sp800-53a + parts: + - id: pl-8_obj.a + name: assessment-objective + props: + - name: label + value: PL-08a. + class: sp800-53a + parts: + - id: pl-8_obj.a.1 + name: assessment-objective + props: + - name: label + value: PL-08a.01 + class: sp800-53a + prose: a security architecture for the system describes the + requirements and approach to be taken for protecting the confidentiality, + integrity, and availability of organizational information; + links: + - href: "#pl-8_smt.a.1" + rel: assessment-for + - id: pl-8_obj.a.2 + name: assessment-objective + props: + - name: label + value: PL-08a.02 + class: sp800-53a + prose: a privacy architecture describes the requirements and + approach to be taken for processing personally identifiable + information to minimize privacy risk to individuals; + links: + - href: "#pl-8_smt.a.2" + rel: assessment-for + - id: pl-8_obj.a.3 + name: assessment-objective + props: + - name: label + value: PL-08a.03 + class: sp800-53a + parts: + - id: pl-8_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: PL-08a.03[01] + class: sp800-53a + prose: a security architecture for the system describes + how the architecture is integrated into and supports the + enterprise architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: PL-08a.03[02] + class: sp800-53a + prose: a privacy architecture for the system describes how + the architecture is integrated into and supports the enterprise + architecture; + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + links: + - href: "#pl-8_smt.a.3" + rel: assessment-for + - id: pl-8_obj.a.4 + name: assessment-objective + props: + - name: label + value: PL-08a.04 + class: sp800-53a + parts: + - id: pl-8_obj.a.4-1 + name: assessment-objective + props: + - name: label + value: PL-08a.04[01] + class: sp800-53a + prose: a security architecture for the system describes + any assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + - id: pl-8_obj.a.4-2 + name: assessment-objective + props: + - name: label + value: PL-08a.04[02] + class: sp800-53a + prose: a privacy architecture for the system describes any + assumptions about and dependencies on external systems + and services; + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a.4" + rel: assessment-for + links: + - href: "#pl-8_smt.a" + rel: assessment-for + - id: pl-8_obj.b + name: assessment-objective + props: + - name: label + value: PL-08b. + class: sp800-53a + prose: "changes in the enterprise architecture are reviewed and\ + \ updated {{ insert: param, pl-08_odp }} to reflect changes in\ + \ the enterprise architecture;" + links: + - href: "#pl-8_smt.b" + rel: assessment-for + - id: pl-8_obj.c + name: assessment-objective + props: + - name: label + value: PL-08c. + class: sp800-53a + parts: + - id: pl-8_obj.c-1 + name: assessment-objective + props: + - name: label + value: PL-08c.[01] + class: sp800-53a + prose: planned architecture changes are reflected in the security + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-2 + name: assessment-objective + props: + - name: label + value: PL-08c.[02] + class: sp800-53a + prose: planned architecture changes are reflected in the privacy + plan; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-3 + name: assessment-objective + props: + - name: label + value: PL-08c.[03] + class: sp800-53a + prose: planned architecture changes are reflected in the Concept + of Operations (CONOPS); + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-4 + name: assessment-objective + props: + - name: label + value: PL-08c.[04] + class: sp800-53a + prose: planned architecture changes are reflected in criticality + analysis; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-5 + name: assessment-objective + props: + - name: label + value: PL-08c.[05] + class: sp800-53a + prose: planned architecture changes are reflected in organizational + procedures; + links: + - href: "#pl-8_smt.c" + rel: assessment-for + - id: pl-8_obj.c-6 + name: assessment-objective + props: + - name: label + value: PL-08c.[06] + class: sp800-53a + prose: planned architecture changes are reflected in procurements + and acquisitions. + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt.c" + rel: assessment-for + links: + - href: "#pl-8_smt" + rel: assessment-for + - id: pl-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing information security and privacy architecture + development + + + procedures addressing information security and privacy architecture + reviews and updates + + + enterprise architecture documentation + + + information security and privacy architecture documentation + + + system security plan + + + privacy plan + + + security and privacy CONOPS for the system + + + records of information security and privacy architecture reviews + and updates + + + other relevant documents or records + - id: pl-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + architecture development responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: pl-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PL-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for developing, reviewing, and + updating the information security and privacy architecture + + + mechanisms supporting and/or implementing the development, review, + and update of the information security and privacy architecture + - id: pl-10 + class: SP800-53 + title: Baseline Selection + props: + - name: label + value: PL-10 + - name: label + value: PL-10 + class: sp800-53a + - name: sort-id + value: pl-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-2" + rel: related + - href: "#pl-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-10_smt + name: statement + prose: Select a control baseline for the system. + parts: + - id: pl-10_fr + name: item + title: PL-10 Additional FedRAMP Requirements and Guidance + parts: + - id: pl-10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Select the appropriate FedRAMP Baseline + - id: pl-10_gdn + name: guidance + prose: Control baselines are predefined sets of controls specifically + assembled to address the protection needs of a group, organization, + or community of interest. Controls are chosen for baselines to either + satisfy mandates imposed by laws, executive orders, directives, regulations, + policies, standards, and guidelines or address threats common to all + users of the baseline under the assumptions specific to the baseline. + Baselines represent a starting point for the protection of individuals’ + privacy, information, and information systems with subsequent tailoring + actions to manage risk in accordance with mission, business, or other + constraints (see [PL-11](#pl-11) ). Federal control baselines are + provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . + The selection of a control baseline is determined by the needs of + stakeholders. Stakeholder needs consider mission and business requirements + as well as mandates imposed by applicable laws, executive orders, + directives, policies, regulations, standards, and guidelines. For + example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) + and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, + along with the NIST standards and guidelines implementing the legislation, + direct organizations to select one of the control baselines after + the reviewing the information types and the information that is processed, + stored, and transmitted on the system; analyzing the potential adverse + impact of the loss or compromise of the information or system on the + organization’s operations and assets, individuals, other organizations, + or the Nation; and considering the results from system and organizational + risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) + provides guidance on control baselines for national security systems. + - id: pl-10_obj + name: assessment-objective + props: + - name: label + value: PL-10 + class: sp800-53a + prose: a control baseline for the system is selected. + links: + - href: "#pl-10_smt" + rel: assessment-for + - id: pl-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + procedures addressing system security and privacy plan reviews + and updates + + + system design documentation + + + system architecture and configuration documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: pl-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with responsibility for organizational + risk management activities + - id: pl-11 + class: SP800-53 + title: Baseline Tailoring + props: + - name: label + value: PL-11 + - name: label + value: PL-11 + class: sp800-53a + - name: sort-id + value: pl-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#46d9e201-840e-440e-987c-2c773333c752" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#pl-10" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: pl-11_smt + name: statement + prose: Tailor the selected control baseline by applying specified tailoring + actions. + - id: pl-11_gdn + name: guidance + prose: The concept of tailoring allows organizations to specialize or + customize a set of baseline controls by applying a defined set of + tailoring actions. Tailoring actions facilitate such specialization + and customization by allowing organizations to develop security and + privacy plans that reflect their specific mission and business functions, + the environments where their systems operate, the threats and vulnerabilities + that can affect their systems, and any other conditions or situations + that can impact their mission or business success. Tailoring guidance + is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + . Tailoring a control baseline is accomplished by identifying and + designating common controls, applying scoping considerations, selecting + compensating controls, assigning values to control parameters, supplementing + the control baseline with additional controls as needed, and providing + information for control implementation. The general tailoring actions + in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented + with additional actions based on the needs of organizations. Tailoring + actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), + [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) + . Alternatively, other communities of interest adopting different + control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) + to specialize or customize the controls that represent the specific + needs and concerns of those entities. + - id: pl-11_obj + name: assessment-objective + props: + - name: label + value: PL-11 + class: sp800-53a + prose: the selected control baseline is tailored by applying specified + tailoring actions. + links: + - href: "#pl-11_smt" + rel: assessment-for + - id: pl-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PL-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Security and privacy planning policy + + + procedures addressing system security and privacy plan development + and implementation + + + system design documentation + + + system categorization decision + + + information types stored, transmitted, and processed by the system + + + system element/component information + + + stakeholder needs analysis + + + list of security and privacy requirements allocated to the system, + system elements, and environment of operation + + + list of contractual requirements allocated to external providers + of the system or system element + + + business impact analysis or criticality analysis + + + risk assessments + + + risk management strategy + + + organizational security and privacy policy + + + federal or organization-approved or mandated baselines or overlays + + + baseline tailoring rationale + + + system security plan + + + privacy plan + + + records of system security and privacy plan reviews and updates + + + other relevant documents or records + - id: pl-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PL-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy planning + and plan implementation responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: ps + class: family + title: Personnel Security + controls: + - id: ps-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ps-1_prm_1 + label: organization-defined personnel or roles + - id: ps-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security policy + is to be disseminated is/are defined; + - id: ps-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the personnel security procedures + are to be disseminated is/are defined; + - id: ps-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ps-01_odp.04 + label: official + guidelines: + - prose: an official to manage the personnel security policy and procedures + is defined; + - id: ps-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current personnel security policy + is reviewed and updated is defined; + - id: ps-01_odp.06 + label: events + guidelines: + - prose: events that would require the current personnel security + policy to be reviewed and updated are defined; + - id: ps-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current personnel security procedures + are reviewed and updated is defined; + - id: ps-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the personnel security procedures + to be reviewed and updated are defined; + props: + - name: label + value: PS-1 + - name: label + value: PS-01 + class: sp800-53a + - name: sort-id + value: ps-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-1_smt + name: statement + parts: + - id: ps-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ps-1_prm_1 }}:" + parts: + - id: ps-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ps-01_odp.03 }} personnel security\ + \ policy that:" + parts: + - id: ps-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ps-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ps-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the personnel + security policy and the associated personnel security controls; + - id: ps-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ps-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures; and" + - id: ps-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current personnel security:" + parts: + - id: ps-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ps-01_odp.05 }} and following\ + \ {{ insert: param, ps-01_odp.06 }} ; and" + - id: ps-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ps-01_odp.07 }} and following\ + \ {{ insert: param, ps-01_odp.08 }}." + - id: ps-1_gdn + name: guidance + prose: Personnel security policy and procedures for the controls in + the PS family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on their development. Security and + privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission level + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies reflecting the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission/business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + personnel security policy and procedures include, but are not limited + to, assessment or audit findings, security incidents or breaches, + or changes in applicable laws, executive orders, directives, regulations, + policies, standards, and guidelines. Simply restating controls does + not constitute an organizational policy or procedure. + - id: ps-1_obj + name: assessment-objective + props: + - name: label + value: PS-01 + class: sp800-53a + parts: + - id: ps-1_obj.a + name: assessment-objective + props: + - name: label + value: PS-01a. + class: sp800-53a + parts: + - id: ps-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.[01] + class: sp800-53a + prose: a personnel security policy is developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.[02] + class: sp800-53a + prose: "the personnel security policy is disseminated to {{\ + \ insert: param, ps-01_odp.01 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.[03] + class: sp800-53a + prose: personnel security procedures to facilitate the implementation + of the personnel security policy and associated personnel + security controls are developed and documented; + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.[04] + class: sp800-53a + prose: "the personnel security procedures are disseminated to\ + \ {{ insert: param, ps-01_odp.02 }};" + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: PS-01a.01 + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: PS-01a.01(a) + class: sp800-53a + parts: + - id: ps-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses purpose;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses scope;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses roles;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses responsibilities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses management commitment;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: PS-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy addresses compliance;" + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1.a" + rel: assessment-for + - id: ps-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: PS-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.03 }} personnel\ + \ security policy is consistent with applicable laws,\ + \ Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#ps-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ps-1_smt.a.1" + rel: assessment-for + links: + - href: "#ps-1_smt.a" + rel: assessment-for + - id: ps-1_obj.b + name: assessment-objective + props: + - name: label + value: PS-01b. + class: sp800-53a + prose: "the {{ insert: param, ps-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the personnel\ + \ security policy and procedures;" + links: + - href: "#ps-1_smt.b" + rel: assessment-for + - id: ps-1_obj.c + name: assessment-objective + props: + - name: label + value: PS-01c. + class: sp800-53a + parts: + - id: ps-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-01c.01 + class: sp800-53a + parts: + - id: ps-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: PS-01c.01[01] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated {{ insert: param, ps-01_odp.05 }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: PS-01c.01[02] + class: sp800-53a + prose: "the current personnel security policy is reviewed\ + \ and updated following {{ insert: param, ps-01_odp.06\ + \ }};" + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + links: + - href: "#ps-1_smt.c.1" + rel: assessment-for + - id: ps-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-01c.02 + class: sp800-53a + parts: + - id: ps-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: PS-01c.02[01] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated {{ insert: param, ps-01_odp.07 }};" + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + - id: ps-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: PS-01c.02[02] + class: sp800-53a + prose: "the current personnel security procedures are reviewed\ + \ and updated following {{ insert: param, ps-01_odp.08\ + \ }}." + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c.2" + rel: assessment-for + links: + - href: "#ps-1_smt.c" + rel: assessment-for + links: + - href: "#ps-1_smt" + rel: assessment-for + - id: ps-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: ps-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2 + class: SP800-53 + title: Position Risk Designation + params: + - id: ps-02_odp + label: frequency + constraints: + - description: at least every three years + guidelines: + - prose: the frequency at which to review and update position risk + designations is defined; + props: + - name: label + value: PS-2 + - name: label + value: PS-02 + class: sp800-53a + - name: sort-id + value: ps-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#a5ef5e56-5c1a-4911-b419-37dddc1b3581" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#ac-5" + rel: related + - href: "#at-3" + rel: related + - href: "#pe-2" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-2_smt + name: statement + parts: + - id: ps-2_smt.a + name: item + props: + - name: label + value: a. + prose: Assign a risk designation to all organizational positions; + - id: ps-2_smt.b + name: item + props: + - name: label + value: b. + prose: Establish screening criteria for individuals filling those + positions; and + - id: ps-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update position risk designations {{ insert:\ + \ param, ps-02_odp }}." + - id: ps-2_gdn + name: guidance + prose: Position risk designations reflect Office of Personnel Management + (OPM) policy and guidance. Proper position designation is the foundation + of an effective and consistent suitability and personnel security + program. The Position Designation System (PDS) assesses the duties + and responsibilities of a position to determine the degree of potential + damage to the efficiency or integrity of the service due to misconduct + of an incumbent of a position and establishes the risk level of that + position. The PDS assessment also determines if the duties and responsibilities + of the position present the potential for position incumbents to bring + about a material adverse effect on national security and the degree + of that potential effect, which establishes the sensitivity level + of a position. The results of the assessment determine what level + of investigation is conducted for a position. Risk designations can + guide and inform the types of authorizations that individuals receive + when accessing organizational information and information systems. + Position screening criteria include explicit information security + role appointment requirements. Parts 1400 and 731 of Title 5, Code + of Federal Regulations, establish the requirements for organizations + to evaluate relevant covered positions for a position sensitivity + and position risk designation commensurate with the duties and responsibilities + of those positions. + - id: ps-2_obj + name: assessment-objective + props: + - name: label + value: PS-02 + class: sp800-53a + parts: + - id: ps-2_obj.a + name: assessment-objective + props: + - name: label + value: PS-02a. + class: sp800-53a + prose: a risk designation is assigned to all organizational positions; + links: + - href: "#ps-2_smt.a" + rel: assessment-for + - id: ps-2_obj.b + name: assessment-objective + props: + - name: label + value: PS-02b. + class: sp800-53a + prose: screening criteria are established for individuals filling + organizational positions; + links: + - href: "#ps-2_smt.b" + rel: assessment-for + - id: ps-2_obj.c + name: assessment-objective + props: + - name: label + value: PS-02c. + class: sp800-53a + prose: "position risk designations are reviewed and updated {{ insert:\ + \ param, ps-02_odp }}." + links: + - href: "#ps-2_smt.c" + rel: assessment-for + links: + - href: "#ps-2_smt" + rel: assessment-for + - id: ps-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing position categorization + + appropriate codes of federal regulations + + list of risk designations for organizational positions + + records of position risk designation reviews and updates + + system security plan + + other relevant documents or records + - id: ps-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assigning, reviewing, and + updating position risk designations + + + organizational processes for establishing screening criteria + - id: ps-3 + class: SP800-53 + title: Personnel Screening + params: + - id: ps-3_prm_1 + label: organization-defined conditions requiring rescreening and, where + rescreening is so indicated, the frequency of rescreening + constraints: + - description: >- + for national security clearances; a reinvestigation is + required during the fifth (5th) year for top secret security + clearance, the tenth (10th) year for secret security + clearance, and fifteenth (15th) year for confidential + security clearance. + + + For moderate risk law enforcement and high impact public trust + level, a reinvestigation is required during the fifth (5th) year. + There is no reinvestigation for other moderate risk positions + or any low risk positions + - id: ps-03_odp.01 + label: conditions requiring rescreening + guidelines: + - prose: conditions requiring rescreening of individuals are defined; + - id: ps-03_odp.02 + label: frequency + guidelines: + - prose: the frequency of rescreening individuals where it is so indicated + is defined; + props: + - name: label + value: PS-3 + - name: label + value: PS-03 + class: sp800-53a + - name: sort-id + value: ps-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#55b0c93a-5e48-457a-baa6-5ce81c239c49" + rel: reference + - href: "#0af071a6-cf8e-48ee-8c82-fe91efa20f94" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a" + rel: reference + - href: "#828856bd-d7c4-427b-8b51-815517ec382d" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-3_smt + name: statement + parts: + - id: ps-3_smt.a + name: item + props: + - name: label + value: a. + prose: Screen individuals prior to authorizing access to the system; + and + - id: ps-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Rescreen individuals in accordance with {{ insert: param,\ + \ ps-3_prm_1 }}." + - id: ps-3_gdn + name: guidance + prose: Personnel screening and rescreening activities reflect applicable + laws, executive orders, directives, regulations, policies, standards, + guidelines, and specific criteria established for the risk designations + of assigned positions. Examples of personnel screening include background + investigations and agency checks. Organizations may define different + rescreening conditions and frequencies for personnel accessing systems + based on types of information processed, stored, or transmitted by + the systems. + - id: ps-3_obj + name: assessment-objective + props: + - name: label + value: PS-03 + class: sp800-53a + parts: + - id: ps-3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03a. + class: sp800-53a + prose: individuals are screened prior to authorizing access to the + system; + links: + - href: "#ps-3_smt.a" + rel: assessment-for + - id: ps-3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03b. + class: sp800-53a + parts: + - id: ps-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: PS-03b.[01] + class: sp800-53a + prose: "individuals are rescreened in accordance with {{ insert:\ + \ param, ps-03_odp.01 }};" + links: + - href: "#ps-3_smt.b" + rel: assessment-for + - id: ps-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: PS-03b.[02] + class: sp800-53a + prose: "where rescreening is so indicated, individuals are rescreened\ + \ {{ insert: param, ps-03_odp.02 }}." + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt.b" + rel: assessment-for + links: + - href: "#ps-3_smt" + rel: assessment-for + - id: ps-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel screening + + records of screened personnel + + system security plan + + other relevant documents or records + - id: ps-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for personnel screening + controls: + - id: ps-3.3 + class: SP800-53-enhancement + title: Information Requiring Special Protective Measures + params: + - id: ps-03.03_odp + label: additional personnel screening criteria + constraints: + - description: personnel screening criteria – as required by specific + information + guidelines: + - prose: additional personnel screening criteria to be satisfied + for individuals accessing a system processing, storing, or + transmitting information requiring special protection are + defined; + props: + - name: label + value: PS-3(3) + - name: label + value: PS-03(03) + class: sp800-53a + - name: sort-id + value: ps-03.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ps-3" + rel: required + parts: + - id: ps-3.3_smt + name: statement + prose: "Verify that individuals accessing a system processing, storing,\ + \ or transmitting information requiring special protection:" + parts: + - id: ps-3.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Have valid access authorizations that are demonstrated + by assigned official government duties; and + - id: ps-3.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Satisfy {{ insert: param, ps-03.03_odp }}." + - id: ps-3.3_gdn + name: guidance + prose: Organizational information that requires special protection + includes controlled unclassified information. Personnel security + criteria include position sensitivity background screening requirements. + - id: ps-3.3_obj + name: assessment-objective + props: + - name: label + value: PS-03(03) + class: sp800-53a + parts: + - id: ps-3.3_obj.a + name: assessment-objective + props: + - name: label + value: PS-03(03)(a) + class: sp800-53a + prose: individuals accessing a system processing, storing, or + transmitting information requiring special protection have + valid access authorizations that are demonstrated by assigned + official government duties; + links: + - href: "#ps-3.3_smt.a" + rel: assessment-for + - id: ps-3.3_obj.b + name: assessment-objective + props: + - name: label + value: PS-03(03)(b) + class: sp800-53a + prose: "individuals accessing a system processing, storing,\ + \ or transmitting information requiring special protection\ + \ satisfy {{ insert: param, ps-03.03_odp }}." + links: + - href: "#ps-3.3_smt.b" + rel: assessment-for + links: + - href: "#ps-3.3_smt" + rel: assessment-for + - id: ps-3.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-03(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + access control policy, procedures addressing personnel screening + + + records of screened personnel + + + screening criteria + + + records of access authorizations + + + system security plan + + + other relevant documents or records + - id: ps-3.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-03(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security responsibilities + - id: ps-3.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-03(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for ensuring valid access + authorizations for information requiring special + protection + + + organizational process for additional personnel screening + for information requiring special protection + - id: ps-4 + class: SP800-53 + title: Personnel Termination + params: + - id: ps-04_odp.01 + label: time period + constraints: + - description: four (4) hours + guidelines: + - prose: a time period within which to disable system access is defined; + - id: ps-04_odp.02 + label: information security topics + guidelines: + - prose: information security topics to be discussed when conducting + exit interviews are defined; + props: + - name: label + value: PS-4 + - name: label + value: PS-04 + class: sp800-53a + - name: sort-id + value: ps-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-4_smt + name: statement + prose: "Upon termination of individual employment:" + parts: + - id: ps-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Disable system access within {{ insert: param, ps-04_odp.01\ + \ }};" + - id: ps-4_smt.b + name: item + props: + - name: label + value: b. + prose: Terminate or revoke any authenticators and credentials associated + with the individual; + - id: ps-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Conduct exit interviews that include a discussion of {{\ + \ insert: param, ps-04_odp.02 }};" + - id: ps-4_smt.d + name: item + props: + - name: label + value: d. + prose: Retrieve all security-related organizational system-related + property; and + - id: ps-4_smt.e + name: item + props: + - name: label + value: e. + prose: Retain access to organizational information and systems formerly + controlled by terminated individual. + - id: ps-4_gdn + name: guidance + prose: System property includes hardware authentication tokens, system + administration technical manuals, keys, identification cards, and + building passes. Exit interviews ensure that terminated individuals + understand the security constraints imposed by being former employees + and that proper accountability is achieved for system-related property. + Security topics at exit interviews include reminding individuals of + nondisclosure agreements and potential limitations on future employment. + Exit interviews may not always be possible for some individuals, including + in cases related to the unavailability of supervisors, illnesses, + or job abandonment. Exit interviews are important for individuals + with security clearances. The timely execution of termination actions + is essential for individuals who have been terminated for cause. In + certain situations, organizations consider disabling the system accounts + of individuals who are being terminated prior to the individuals being + notified. + - id: ps-4_obj + name: assessment-objective + props: + - name: label + value: PS-04 + class: sp800-53a + parts: + - id: ps-4_obj.a + name: assessment-objective + props: + - name: label + value: PS-04a. + class: sp800-53a + prose: "upon termination of individual employment, system access\ + \ is disabled within {{ insert: param, ps-04_odp.01 }};" + links: + - href: "#ps-4_smt.a" + rel: assessment-for + - id: ps-4_obj.b + name: assessment-objective + props: + - name: label + value: PS-04b. + class: sp800-53a + prose: upon termination of individual employment, any authenticators + and credentials are terminated or revoked; + links: + - href: "#ps-4_smt.b" + rel: assessment-for + - id: ps-4_obj.c + name: assessment-objective + props: + - name: label + value: PS-04c. + class: sp800-53a + prose: "upon termination of individual employment, exit interviews\ + \ that include a discussion of {{ insert: param, ps-04_odp.02\ + \ }} are conducted;" + links: + - href: "#ps-4_smt.c" + rel: assessment-for + - id: ps-4_obj.d + name: assessment-objective + props: + - name: label + value: PS-04d. + class: sp800-53a + prose: upon termination of individual employment, all security-related + organizational system-related property is retrieved; + links: + - href: "#ps-4_smt.d" + rel: assessment-for + - id: ps-4_obj.e + name: assessment-objective + props: + - name: label + value: PS-04e. + class: sp800-53a + prose: upon termination of individual employment, access to organizational + information and systems formerly controlled by the terminated + individual are retained. + links: + - href: "#ps-4_smt.e" + rel: assessment-for + links: + - href: "#ps-4_smt" + rel: assessment-for + - id: ps-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel termination + + records of personnel termination actions + + list of system accounts + + records of terminated or revoked authenticators/credentials + + records of exit interviews + + system security plan + + other relevant documents or records + - id: ps-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel termination + + + mechanisms supporting and/or implementing personnel termination + notifications + + + mechanisms for disabling system access/revoking authenticators + - id: ps-5 + class: SP800-53 + title: Personnel Transfer + params: + - id: ps-05_odp.01 + label: transfer or reassignment actions + guidelines: + - prose: transfer or reassignment actions to be initiated following + transfer or reassignment are defined; + - id: ps-05_odp.02 + label: time period following the formal transfer action + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: the time period within which transfer or reassignment actions + must occur following transfer or reassignment is defined; + - id: ps-05_odp.03 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system + guidelines: + - prose: personnel or roles to be notified when individuals are reassigned + or transferred to other positions within the organization is/are + defined; + - id: ps-05_odp.04 + label: time period + constraints: + - description: twenty-four (24) hours + guidelines: + - prose: time period within which to notify organization-defined personnel + or roles when individuals are reassigned or transferred to other + positions within the organization is defined; + props: + - name: label + value: PS-5 + - name: label + value: PS-05 + class: sp800-53a + - name: sort-id + value: ps-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#ac-2" + rel: related + - href: "#ia-4" + rel: related + - href: "#pe-2" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-7" + rel: related + parts: + - id: ps-5_smt + name: statement + parts: + - id: ps-5_smt.a + name: item + props: + - name: label + value: a. + prose: Review and confirm ongoing operational need for current logical + and physical access authorizations to systems and facilities when + individuals are reassigned or transferred to other positions within + the organization; + - id: ps-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert:\ + \ param, ps-05_odp.02 }};" + - id: ps-5_smt.c + name: item + props: + - name: label + value: c. + prose: Modify access authorization as needed to correspond with + any changes in operational need due to reassignment or transfer; + and + - id: ps-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert:\ + \ param, ps-05_odp.04 }}." + - id: ps-5_gdn + name: guidance + prose: Personnel transfer applies when reassignments or transfers of + individuals are permanent or of such extended duration as to make + the actions warranted. Organizations define actions appropriate for + the types of reassignments or transfers, whether permanent or extended. + Actions that may be required for personnel transfers or reassignments + to other positions within organizations include returning old and + issuing new keys, identification cards, and building passes; closing + system accounts and establishing new accounts; changing system access + authorizations (i.e., privileges); and providing for access to official + records to which individuals had access at previous work locations + and in previous system accounts. + - id: ps-5_obj + name: assessment-objective + props: + - name: label + value: PS-05 + class: sp800-53a + parts: + - id: ps-5_obj.a + name: assessment-objective + props: + - name: label + value: PS-05a. + class: sp800-53a + prose: the ongoing operational need for current logical and physical + access authorizations to systems and facilities are reviewed and + confirmed when individuals are reassigned or transferred to other + positions within the organization; + links: + - href: "#ps-5_smt.a" + rel: assessment-for + - id: ps-5_obj.b + name: assessment-objective + props: + - name: label + value: PS-05b. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.01 }} are initiated within\ + \ {{ insert: param, ps-05_odp.02 }};" + links: + - href: "#ps-5_smt.b" + rel: assessment-for + - id: ps-5_obj.c + name: assessment-objective + props: + - name: label + value: PS-05c. + class: sp800-53a + prose: access authorization is modified as needed to correspond + with any changes in operational need due to reassignment or transfer; + links: + - href: "#ps-5_smt.c" + rel: assessment-for + - id: ps-5_obj.d + name: assessment-objective + props: + - name: label + value: PS-05d. + class: sp800-53a + prose: " {{ insert: param, ps-05_odp.03 }} are notified within {{\ + \ insert: param, ps-05_odp.04 }}." + links: + - href: "#ps-5_smt.d" + rel: assessment-for + links: + - href: "#ps-5_smt" + rel: assessment-for + - id: ps-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing personnel transfer + + records of personnel transfer actions + + list of system and facility access authorizations + + system security plan + + other relevant documents or records + - id: ps-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with account management responsibilities + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: ps-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for personnel transfer + + + mechanisms supporting and/or implementing personnel transfer notifications + + + mechanisms for disabling system access/revoking authenticators + - id: ps-6 + class: SP800-53 + title: Access Agreements + params: + - id: ps-06_odp.01 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update access agreements + is defined; + - id: ps-06_odp.02 + label: frequency + constraints: + - description: at least annually and any time there is a change to + the user's level of access + guidelines: + - prose: the frequency at which to re-sign access agreements to maintain + access to organizational information is defined; + props: + - name: label + value: PS-6 + - name: label + value: PS-06 + class: sp800-53a + - name: sort-id + value: ps-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-17" + rel: related + - href: "#pe-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-6" + rel: related + - href: "#ps-7" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-21" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ps-6_smt + name: statement + parts: + - id: ps-6_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and document access agreements for organizational + systems; + - id: ps-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the access agreements {{ insert: param,\ + \ ps-06_odp.01 }} ; and" + - id: ps-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Verify that individuals requiring access to organizational\ + \ information and systems:" + parts: + - id: ps-6_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Sign appropriate access agreements prior to being granted + access; and + - id: ps-6_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Re-sign access agreements to maintain access to organizational\ + \ systems when access agreements have been updated or {{ insert:\ + \ param, ps-06_odp.02 }}." + - id: ps-6_gdn + name: guidance + prose: Access agreements include nondisclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements. + Signed access agreements include an acknowledgement that individuals + have read, understand, and agree to abide by the constraints associated + with organizational systems to which access is authorized. Organizations + can use electronic signatures to acknowledge access agreements unless + specifically prohibited by organizational policy. + - id: ps-6_obj + name: assessment-objective + props: + - name: label + value: PS-06 + class: sp800-53a + parts: + - id: ps-6_obj.a + name: assessment-objective + props: + - name: label + value: PS-06a. + class: sp800-53a + prose: access agreements are developed and documented for organizational + systems; + links: + - href: "#ps-6_smt.a" + rel: assessment-for + - id: ps-6_obj.b + name: assessment-objective + props: + - name: label + value: PS-06b. + class: sp800-53a + prose: "the access agreements are reviewed and updated {{ insert:\ + \ param, ps-06_odp.01 }};" + links: + - href: "#ps-6_smt.b" + rel: assessment-for + - id: ps-6_obj.c + name: assessment-objective + props: + - name: label + value: PS-06c. + class: sp800-53a + parts: + - id: ps-6_obj.c.1 + name: assessment-objective + props: + - name: label + value: PS-06c.01 + class: sp800-53a + prose: individuals requiring access to organizational information + and systems sign appropriate access agreements prior to being + granted access; + links: + - href: "#ps-6_smt.c.1" + rel: assessment-for + - id: ps-6_obj.c.2 + name: assessment-objective + props: + - name: label + value: PS-06c.02 + class: sp800-53a + prose: "individuals requiring access to organizational information\ + \ and systems re-sign access agreements to maintain access\ + \ to organizational systems when access agreements have been\ + \ updated or {{ insert: param, ps-06_odp.02 }}." + links: + - href: "#ps-6_smt.c.2" + rel: assessment-for + links: + - href: "#ps-6_smt.c" + rel: assessment-for + links: + - href: "#ps-6_smt" + rel: assessment-for + - id: ps-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing access agreements for organizational information + and systems + + + access control policy + + + access control procedures + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + documentation of access agreement reviews, updates, and re-signing + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ps-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel who have signed/resigned access agreements + + + organizational personnel with information security and privacy + responsibilities + - id: ps-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for reviewing, updating, and + re-signing access agreements + + + mechanisms supporting the reviewing, updating, and re-signing + of access agreements + - id: ps-7 + class: SP800-53 + title: External Personnel Security + params: + - id: ps-07_odp.01 + label: personnel or roles + constraints: + - description: including access control personnel responsible for + the system and/or facilities, as appropriate + guidelines: + - prose: personnel or roles to be notified of any personnel transfers + or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is/are + defined; + - id: ps-07_odp.02 + label: time period + constraints: + - description: within twenty-four (24) hours + guidelines: + - prose: time period within which third-party providers are required + to notify organization-defined personnel or roles of any personnel + transfers or terminations of external personnel who possess organizational + credentials and/or badges or who have system privileges is defined; + props: + - name: label + value: PS-7 + - name: label + value: PS-07 + class: sp800-53a + - name: sort-id + value: ps-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#at-2" + rel: related + - href: "#at-3" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-3" + rel: related + - href: "#ps-4" + rel: related + - href: "#ps-5" + rel: related + - href: "#ps-6" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-21" + rel: related + parts: + - id: ps-7_smt + name: statement + parts: + - id: ps-7_smt.a + name: item + props: + - name: label + value: a. + prose: Establish personnel security requirements, including security + roles and responsibilities for external providers; + - id: ps-7_smt.b + name: item + props: + - name: label + value: b. + prose: Require external providers to comply with personnel security + policies and procedures established by the organization; + - id: ps-7_smt.c + name: item + props: + - name: label + value: c. + prose: Document personnel security requirements; + - id: ps-7_smt.d + name: item + props: + - name: label + value: d. + prose: "Require external providers to notify {{ insert: param, ps-07_odp.01\ + \ }} of any personnel transfers or terminations of external personnel\ + \ who possess organizational credentials and/or badges, or who\ + \ have system privileges within {{ insert: param, ps-07_odp.02\ + \ }} ; and" + - id: ps-7_smt.e + name: item + props: + - name: label + value: e. + prose: Monitor provider compliance with personnel security requirements. + - id: ps-7_gdn + name: guidance + prose: External provider refers to organizations other than the organization + operating or acquiring the system. External providers include service + bureaus, contractors, and other organizations that provide system + development, information technology services, testing or assessment + services, outsourced applications, and network/security management. + Organizations explicitly include personnel security requirements in + acquisition-related documents. External providers may have personnel + working at organizational facilities with credentials, badges, or + system privileges issued by organizations. Notifications of external + personnel changes ensure the appropriate termination of privileges + and credentials. Organizations define the transfers and terminations + deemed reportable by security-related characteristics that include + functions, roles, and the nature of credentials or privileges associated + with transferred or terminated individuals. + - id: ps-7_obj + name: assessment-objective + props: + - name: label + value: PS-07 + class: sp800-53a + parts: + - id: ps-7_obj.a + name: assessment-objective + props: + - name: label + value: PS-07a. + class: sp800-53a + prose: personnel security requirements are established, including + security roles and responsibilities for external providers; + links: + - href: "#ps-7_smt.a" + rel: assessment-for + - id: ps-7_obj.b + name: assessment-objective + props: + - name: label + value: PS-07b. + class: sp800-53a + prose: external providers are required to comply with personnel + security policies and procedures established by the organization; + links: + - href: "#ps-7_smt.b" + rel: assessment-for + - id: ps-7_obj.c + name: assessment-objective + props: + - name: label + value: PS-07c. + class: sp800-53a + prose: personnel security requirements are documented; + links: + - href: "#ps-7_smt.c" + rel: assessment-for + - id: ps-7_obj.d + name: assessment-objective + props: + - name: label + value: PS-07d. + class: sp800-53a + prose: "external providers are required to notify {{ insert: param,\ + \ ps-07_odp.01 }} of any personnel transfers or terminations of\ + \ external personnel who possess organizational credentials and/or\ + \ badges or who have system privileges within {{ insert: param,\ + \ ps-07_odp.02 }};" + links: + - href: "#ps-7_smt.d" + rel: assessment-for + - id: ps-7_obj.e + name: assessment-objective + props: + - name: label + value: PS-07e. + class: sp800-53a + prose: provider compliance with personnel security requirements + is monitored. + links: + - href: "#ps-7_smt.e" + rel: assessment-for + links: + - href: "#ps-7_smt" + rel: assessment-for + - id: ps-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + procedures addressing external personnel security + + list of personnel security requirements + + acquisition documents + + service-level agreements + + compliance monitoring process + + system security plan + + other relevant documents or records + - id: ps-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + external providers + + + system/network administrators + + + organizational personnel with account management responsibilities + + + organizational personnel with information security responsibilities + - id: ps-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing and monitoring + external personnel security + + + mechanisms supporting and/or implementing the monitoring of provider + compliance + - id: ps-8 + class: SP800-53 + title: Personnel Sanctions + params: + - id: ps-08_odp.01 + label: personnel or roles + constraints: + - description: to include the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to be notified when a formal employee + sanctions process is initiated is/are defined; + - id: ps-08_odp.02 + label: time period + constraints: + - description: 24 hours + guidelines: + - prose: the time period within which organization-defined personnel + or roles must be notified when a formal employee sanctions process + is initiated is defined; + props: + - name: label + value: PS-8 + - name: label + value: PS-08 + class: sp800-53a + - name: sort-id + value: ps-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#pl-4" + rel: related + - href: "#pm-12" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-1" + rel: related + parts: + - id: ps-8_smt + name: statement + parts: + - id: ps-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ a formal sanctions process for individuals failing + to comply with established information security and privacy policies + and procedures; and + - id: ps-8_smt.b + name: item + props: + - name: label + value: b. + prose: "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert:\ + \ param, ps-08_odp.02 }} when a formal employee sanctions process\ + \ is initiated, identifying the individual sanctioned and the\ + \ reason for the sanction." + - id: ps-8_gdn + name: guidance + prose: Organizational sanctions reflect applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines. Sanctions + processes are described in access agreements and can be included as + part of general personnel policies for organizations and/or specified + in security and privacy policies. Organizations consult with the Office + of the General Counsel regarding matters of employee sanctions. + - id: ps-8_obj + name: assessment-objective + props: + - name: label + value: PS-08 + class: sp800-53a + parts: + - id: ps-8_obj.a + name: assessment-objective + props: + - name: label + value: PS-08a. + class: sp800-53a + prose: a formal sanctions process is employed for individuals failing + to comply with established information security and privacy policies + and procedures; + links: + - href: "#ps-8_smt.a" + rel: assessment-for + - id: ps-8_obj.b + name: assessment-objective + props: + - name: label + value: PS-08b. + class: sp800-53a + prose: " {{ insert: param, ps-08_odp.01 }} is/are notified within\ + \ {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions\ + \ process is initiated, identifying the individual sanctioned\ + \ and the reason for the sanction." + links: + - href: "#ps-8_smt.b" + rel: assessment-for + links: + - href: "#ps-8_smt" + rel: assessment-for + - id: ps-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Personnel security policy + + + personnel security procedures + + + procedures addressing personnel sanctions + + + access agreements (including non-disclosure agreements, acceptable + use agreements, rules of behavior, and conflict-of-interest agreements) + + + list of personnel or roles to be notified of formal employee sanctions + + + records or notifications of formal employee sanctions + + + system security plan + + + privacy plan + + + personally identifiable information processing policy + + + other relevant documents or records + - id: ps-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + legal counsel + + + organizational personnel with information security and privacy + responsibilities + - id: ps-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for managing formal employee + sanctions + + + mechanisms supporting and/or implementing formal employee sanctions + notifications + - id: ps-9 + class: SP800-53 + title: Position Descriptions + props: + - name: label + value: PS-9 + - name: label + value: PS-09 + class: sp800-53a + - name: sort-id + value: ps-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + parts: + - id: ps-9_smt + name: statement + prose: Incorporate security and privacy roles and responsibilities into + organizational position descriptions. + - id: ps-9_gdn + name: guidance + prose: Specification of security and privacy roles in individual organizational + position descriptions facilitates clarity in understanding the security + or privacy responsibilities associated with the roles and the role-based + security and privacy training requirements for the roles. + - id: ps-9_obj + name: assessment-objective + props: + - name: label + value: PS-09 + class: sp800-53a + parts: + - id: ps-9_obj-1 + name: assessment-objective + props: + - name: label + value: PS-09[01] + class: sp800-53a + prose: security roles and responsibilities are incorporated into + organizational position descriptions; + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_obj-2 + name: assessment-objective + props: + - name: label + value: PS-09[02] + class: sp800-53a + prose: privacy roles and responsibilities are incorporated into + organizational position descriptions. + links: + - href: "#ps-9_smt" + rel: assessment-for + links: + - href: "#ps-9_smt" + rel: assessment-for + - id: ps-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: PS-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Personnel security policy + + personnel security procedures + + procedures addressing position descriptions + + security and privacy position descriptions + + system security plan + + privacy plan + + privacy program plan + + other relevant documents or records + - id: ps-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: PS-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with personnel security + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with human capital management responsibilities + - id: ps-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: PS-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for managing position descriptions + - id: ra + class: family + title: Risk Assessment + controls: + - id: ra-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: ra-1_prm_1 + label: organization-defined personnel or roles + - id: ra-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment policy is + to be disseminated is/are defined; + - id: ra-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the risk assessment procedures + are to be disseminated is/are defined; + - id: ra-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: ra-01_odp.04 + label: official + guidelines: + - prose: an official to manage the risk assessment policy and procedures + is defined; + - id: ra-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current risk assessment policy + is reviewed and updated is defined; + - id: ra-01_odp.06 + label: events + guidelines: + - prose: events that would require the current risk assessment policy + to be reviewed and updated are defined; + - id: ra-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current risk assessment procedures + are reviewed and updated is defined; + - id: ra-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require risk assessment procedures to be + reviewed and updated are defined; + props: + - name: label + value: RA-1 + - name: label + value: RA-01 + class: sp800-53a + - name: sort-id + value: ra-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-1_smt + name: statement + parts: + - id: ra-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ ra-1_prm_1 }}:" + parts: + - id: ra-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, ra-01_odp.03 }} risk assessment policy\ + \ that:" + parts: + - id: ra-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: ra-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: ra-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the risk + assessment policy and the associated risk assessment controls; + - id: ra-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, ra-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures; and" + - id: ra-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current risk assessment:" + parts: + - id: ra-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, ra-01_odp.05 }} and following\ + \ {{ insert: param, ra-01_odp.06 }} ; and" + - id: ra-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, ra-01_odp.07 }} and following\ + \ {{ insert: param, ra-01_odp.08 }}." + - id: ra-1_gdn + name: guidance + prose: Risk assessment policy and procedures address the controls in + the RA family that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of risk assessment + policy and procedures. Security and privacy program policies and procedures + at the organization level are preferable, in general, and may obviate + the need for mission- or system-specific policies and procedures. + The policy can be included as part of the general security and privacy + policy or be represented by multiple policies reflecting the complex + nature of organizations. Procedures can be established for security + and privacy programs, for mission or business processes, and for systems, + if needed. Procedures describe how the policies or controls are implemented + and can be directed at the individual or role that is the object of + the procedure. Procedures can be documented in system security and + privacy plans or in one or more separate documents. Events that may + precipitate an update to risk assessment policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: ra-1_obj + name: assessment-objective + props: + - name: label + value: RA-01 + class: sp800-53a + parts: + - id: ra-1_obj.a + name: assessment-objective + props: + - name: label + value: RA-01a. + class: sp800-53a + parts: + - id: ra-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.[01] + class: sp800-53a + prose: a risk assessment policy is developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.[02] + class: sp800-53a + prose: "the risk assessment policy is disseminated to {{ insert:\ + \ param, ra-01_odp.01 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.[03] + class: sp800-53a + prose: risk assessment procedures to facilitate the implementation + of the risk assessment policy and associated risk assessment + controls are developed and documented; + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.[04] + class: sp800-53a + prose: "the risk assessment procedures are disseminated to {{\ + \ insert: param, ra-01_odp.02 }};" + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-01a.01 + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: RA-01a.01(a) + class: sp800-53a + parts: + - id: ra-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses purpose;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses scope;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses roles;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses responsibilities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses management commitment;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses coordination among organizational\ + \ entities;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: RA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy addresses compliance;" + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1.a" + rel: assessment-for + - id: ra-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: RA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.03 }} risk assessment\ + \ policy is consistent with applicable laws, executive\ + \ orders, directives, regulations, policies, standards,\ + \ and guidelines;" + links: + - href: "#ra-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#ra-1_smt.a.1" + rel: assessment-for + links: + - href: "#ra-1_smt.a" + rel: assessment-for + - id: ra-1_obj.b + name: assessment-objective + props: + - name: label + value: RA-01b. + class: sp800-53a + prose: "the {{ insert: param, ra-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the risk\ + \ assessment policy and procedures;" + links: + - href: "#ra-1_smt.b" + rel: assessment-for + - id: ra-1_obj.c + name: assessment-objective + props: + - name: label + value: RA-01c. + class: sp800-53a + parts: + - id: ra-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: RA-01c.01 + class: sp800-53a + parts: + - id: ra-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: RA-01c.01[01] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated {{ insert: param, ra-01_odp.05 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: RA-01c.01[02] + class: sp800-53a + prose: "the current risk assessment policy is reviewed and\ + \ updated following {{ insert: param, ra-01_odp.06 }};" + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + links: + - href: "#ra-1_smt.c.1" + rel: assessment-for + - id: ra-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: RA-01c.02 + class: sp800-53a + parts: + - id: ra-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: RA-01c.02[01] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated {{ insert: param, ra-01_odp.07 }};" + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + - id: ra-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: RA-01c.02[02] + class: sp800-53a + prose: "the current risk assessment procedures are reviewed\ + \ and updated following {{ insert: param, ra-01_odp.08\ + \ }}." + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c.2" + rel: assessment-for + links: + - href: "#ra-1_smt.c" + rel: assessment-for + links: + - href: "#ra-1_smt" + rel: assessment-for + - id: ra-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy and procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2 + class: SP800-53 + title: Security Categorization + props: + - name: label + value: RA-2 + - name: label + value: RA-02 + class: sp800-53a + - name: sort-id + value: ra-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#4e4fbc93-333d-45e6-a875-de36b878b6b9" + rel: reference + - href: "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94" + rel: reference + - href: "#cm-8" + rel: related + - href: "#mp-4" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#ra-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-2_smt + name: statement + parts: + - id: ra-2_smt.a + name: item + props: + - name: label + value: a. + prose: Categorize the system and information it processes, stores, + and transmits; + - id: ra-2_smt.b + name: item + props: + - name: label + value: b. + prose: Document the security categorization results, including supporting + rationale, in the security plan for the system; and + - id: ra-2_smt.c + name: item + props: + - name: label + value: c. + prose: Verify that the authorizing official or authorizing official + designated representative reviews and approves the security categorization + decision. + - id: ra-2_gdn + name: guidance + prose: >- + Security categories describe the potential adverse impacts or + negative consequences to organizational operations, + organizational assets, and individuals if organizational + information and systems are compromised through a loss of + confidentiality, integrity, or availability. Security + categorization is also a type of asset loss characterization in + systems security engineering processes that is carried out + throughout the system development life cycle. Organizations can + use privacy risk assessments or privacy impact assessments to + better understand the potential adverse effects on individuals. + [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides + additional guidance on categorization for national security + systems. + + + Organizations conduct the security categorization process as an organization-wide + activity with the direct involvement of chief information officers, + senior agency information security officers, senior agency officials + for privacy, system owners, mission and business owners, and information + owners or stewards. Organizations consider the potential adverse impacts + to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) + and Homeland Security Presidential Directives, potential national-level + adverse impacts. + + + Security categorization processes facilitate the development of inventories + of information assets and, along with [CM-8](#cm-8) , mappings to + specific system components where information is processed, stored, + or transmitted. The security categorization process is revisited throughout + the system development life cycle to ensure that the security categories + remain accurate and relevant. + - id: ra-2_obj + name: assessment-objective + props: + - name: label + value: RA-02 + class: sp800-53a + parts: + - id: ra-2_obj.a + name: assessment-objective + props: + - name: label + value: RA-02a. + class: sp800-53a + prose: the system and the information it processes, stores, and + transmits are categorized; + links: + - href: "#ra-2_smt.a" + rel: assessment-for + - id: ra-2_obj.b + name: assessment-objective + props: + - name: label + value: RA-02b. + class: sp800-53a + prose: the security categorization results, including supporting + rationale, are documented in the security plan for the system; + links: + - href: "#ra-2_smt.b" + rel: assessment-for + - id: ra-2_obj.c + name: assessment-objective + props: + - name: label + value: RA-02c. + class: sp800-53a + prose: the authorizing official or authorizing official designated + representative reviews and approves the security categorization + decision. + links: + - href: "#ra-2_smt.c" + rel: assessment-for + links: + - href: "#ra-2_smt" + rel: assessment-for + - id: ra-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + security planning policy and procedures + + + procedures addressing security categorization of organizational + information and systems + + + security categorization documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: ra-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security categorization and + risk assessment responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for security categorization + - id: ra-3 + class: SP800-53 + title: Risk Assessment + params: + - id: ra-03_odp.01 + constraints: + - description: security assessment report + select: + choice: + - security and privacy plans + - risk assessment report + - " {{ insert: param, ra-03_odp.02 }} " + - id: ra-03_odp.02 + label: document + guidelines: + - prose: a document in which risk assessment results are to be documented + (if not documented in the security and privacy plans or risk assessment + report) is defined (if selected); + - id: ra-03_odp.03 + label: frequency + constraints: + - description: at least every three (3) years and when a significant + change occurs + guidelines: + - prose: the frequency to review risk assessment results is defined; + - id: ra-03_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom risk assessment results are to + be disseminated is/are defined; + - id: ra-03_odp.05 + label: frequency + constraints: + - description: at least every three (3) years + guidelines: + - prose: the frequency to update the risk assessment is defined; + props: + - name: label + value: RA-3 + - name: label + value: RA-03 + class: sp800-53a + - name: sort-id + value: ra-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-3" + rel: related + - href: "#ca-6" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-13" + rel: related + - href: "#cp-6" + rel: related + - href: "#cp-7" + rel: related + - href: "#ia-8" + rel: related + - href: "#ma-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-8" + rel: related + - href: "#pe-18" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-28" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-12" + rel: related + parts: + - id: ra-3_smt + name: statement + parts: + - id: ra-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Conduct a risk assessment, including:" + parts: + - id: ra-3_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Identifying threats to and vulnerabilities in the system; + - id: ra-3_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Determining the likelihood and magnitude of harm from + unauthorized access, use, disclosure, disruption, modification, + or destruction of the system, the information it processes, + stores, or transmits, and any related information; and + - id: ra-3_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Determining the likelihood and impact of adverse effects + on individuals arising from the processing of personally identifiable + information; + - id: ra-3_smt.b + name: item + props: + - name: label + value: b. + prose: Integrate risk assessment results and risk management decisions + from the organization and mission or business process perspectives + with system-level risk assessments; + - id: ra-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document risk assessment results in {{ insert: param, ra-03_odp.01\ + \ }};" + - id: ra-3_smt.d + name: item + props: + - name: label + value: d. + prose: "Review risk assessment results {{ insert: param, ra-03_odp.03\ + \ }};" + - id: ra-3_smt.e + name: item + props: + - name: label + value: e. + prose: "Disseminate risk assessment results to {{ insert: param,\ + \ ra-03_odp.04 }} ; and" + - id: ra-3_smt.f + name: item + props: + - name: label + value: f. + prose: "Update the risk assessment {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + - id: ra-3_fr + name: item + title: RA-3 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-3_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Significant change is defined in NIST Special Publication + 800-37 Revision 2, Appendix F. + - id: ra-3_fr_smt.1 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: Include all Authorizing Officials; for JAB authorizations + to include FedRAMP. + - id: ra-3_gdn + name: guidance + prose: >- + Risk assessments consider threats, vulnerabilities, likelihood, + and impact to organizational operations and assets, individuals, + other organizations, and the Nation. Risk assessments also + consider risk from external parties, including contractors who + operate systems on behalf of the organization, individuals who + access organizational systems, service providers, and + outsourcing entities. + + + Organizations can conduct risk assessments at all three levels in + the risk management hierarchy (i.e., organization level, mission/business + process level, or information system level) and at any stage in the + system development life cycle. Risk assessments can also be conducted + at various steps in the Risk Management Framework, including preparation, + categorization, control selection, control implementation, control + assessment, authorization, and control monitoring. Risk assessment + is an ongoing activity carried out throughout the system development + life cycle. + + + Risk assessments can also address information related to the system, + including system design, the intended use of the system, testing results, + and supply chain-related information or artifacts. Risk assessments + can play an important role in control selection processes, particularly + during the application of tailoring guidance and in the earliest phases + of capability determination. + - id: ra-3_obj + name: assessment-objective + props: + - name: label + value: RA-03 + class: sp800-53a + parts: + - id: ra-3_obj.a + name: assessment-objective + props: + - name: label + value: RA-03a. + class: sp800-53a + parts: + - id: ra-3_obj.a.1 + name: assessment-objective + props: + - name: label + value: RA-03a.01 + class: sp800-53a + prose: a risk assessment is conducted to identify threats to + and vulnerabilities in the system; + links: + - href: "#ra-3_smt.a.1" + rel: assessment-for + - id: ra-3_obj.a.2 + name: assessment-objective + props: + - name: label + value: RA-03a.02 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and magnitude of harm from unauthorized access, use, disclosure, + disruption, modification, or destruction of the system; the + information it processes, stores, or transmits; and any related + information; + links: + - href: "#ra-3_smt.a.2" + rel: assessment-for + - id: ra-3_obj.a.3 + name: assessment-objective + props: + - name: label + value: RA-03a.03 + class: sp800-53a + prose: a risk assessment is conducted to determine the likelihood + and impact of adverse effects on individuals arising from + the processing of personally identifiable information; + links: + - href: "#ra-3_smt.a.3" + rel: assessment-for + links: + - href: "#ra-3_smt.a" + rel: assessment-for + - id: ra-3_obj.b + name: assessment-objective + props: + - name: label + value: RA-03b. + class: sp800-53a + prose: risk assessment results and risk management decisions from + the organization and mission or business process perspectives + are integrated with system-level risk assessments; + links: + - href: "#ra-3_smt.b" + rel: assessment-for + - id: ra-3_obj.c + name: assessment-objective + props: + - name: label + value: RA-03c. + class: sp800-53a + prose: "risk assessment results are documented in {{ insert: param,\ + \ ra-03_odp.01 }};" + links: + - href: "#ra-3_smt.c" + rel: assessment-for + - id: ra-3_obj.d + name: assessment-objective + props: + - name: label + value: RA-03d. + class: sp800-53a + prose: "risk assessment results are reviewed {{ insert: param, ra-03_odp.03\ + \ }};" + links: + - href: "#ra-3_smt.d" + rel: assessment-for + - id: ra-3_obj.e + name: assessment-objective + props: + - name: label + value: RA-03e. + class: sp800-53a + prose: "risk assessment results are disseminated to {{ insert: param,\ + \ ra-03_odp.04 }};" + links: + - href: "#ra-3_smt.e" + rel: assessment-for + - id: ra-3_obj.f + name: assessment-objective + props: + - name: label + value: RA-03f. + class: sp800-53a + prose: "the risk assessment is updated {{ insert: param, ra-03_odp.05\ + \ }} or when there are significant changes to the system, its\ + \ environment of operation, or other conditions that may impact\ + \ the security or privacy state of the system." + links: + - href: "#ra-3_smt.f" + rel: assessment-for + links: + - href: "#ra-3_smt" + rel: assessment-for + - id: ra-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + risk assessment procedures + + security and privacy planning policy and procedures + + procedures addressing organizational assessments of risk + + risk assessment + + risk assessment results + + risk assessment reviews + + risk assessment updates + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security and privacy responsibilities + - id: ra-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the risk assessment + controls: + - id: ra-3.1 + class: SP800-53-enhancement + title: Supply Chain Risk Assessment + params: + - id: ra-03.01_odp.01 + label: systems, system components, and system services + guidelines: + - prose: systems, system components, and system services to assess + supply chain risks are defined; + - id: ra-03.01_odp.02 + label: frequency + guidelines: + - prose: the frequency at which to update the supply chain risk + assessment is defined; + props: + - name: label + value: RA-3(1) + - name: label + value: RA-03(01) + class: sp800-53a + - name: sort-id + value: ra-03.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-3" + rel: required + - href: "#ra-2" + rel: related + - href: "#ra-9" + rel: related + - href: "#pm-17" + rel: related + - href: "#pm-30" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-3.1_smt + name: statement + parts: + - id: ra-3.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Assess supply chain risks associated with {{ insert:\ + \ param, ra-03.01_odp.01 }} ; and" + - id: ra-3.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Update the supply chain risk assessment {{ insert: param,\ + \ ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + - id: ra-3.1_gdn + name: guidance + prose: Supply chain-related events include disruption, use of defective + components, insertion of counterfeits, theft, malicious development + practices, improper delivery practices, and insertion of malicious + code. These events can have a significant impact on the confidentiality, + integrity, or availability of a system and its information and, + therefore, can also adversely impact organizational operations + (including mission, functions, image, or reputation), organizational + assets, individuals, other organizations, and the Nation. The + supply chain-related events may be unintentional or malicious + and can occur at any point during the system life cycle. An analysis + of supply chain risk can help an organization identify systems + or components for which additional supply chain risk mitigations + are required. + - id: ra-3.1_obj + name: assessment-objective + props: + - name: label + value: RA-03(01) + class: sp800-53a + parts: + - id: ra-3.1_obj.a + name: assessment-objective + props: + - name: label + value: RA-03(01)(a) + class: sp800-53a + prose: "supply chain risks associated with {{ insert: param,\ + \ ra-03.01_odp.01 }} are assessed;" + links: + - href: "#ra-3.1_smt.a" + rel: assessment-for + - id: ra-3.1_obj.b + name: assessment-objective + props: + - name: label + value: RA-03(01)(b) + class: sp800-53a + prose: "the supply chain risk assessment is updated {{ insert:\ + \ param, ra-03.01_odp.02 }} , when there are significant changes\ + \ to the relevant supply chain, or when changes to the system,\ + \ environments of operation, or other conditions may necessitate\ + \ a change in the supply chain." + links: + - href: "#ra-3.1_smt.b" + rel: assessment-for + links: + - href: "#ra-3.1_smt" + rel: assessment-for + - id: ra-3.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-03(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + inventory of critical systems, system components, and system + services + + + risk assessment policy + + + security planning policy and procedures + + + procedures addressing organizational assessments of supply + chain risk + + + risk assessment + + + risk assessment results + + + risk assessment reviews + + + risk assessment updates + + + acquisition policy + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: ra-3.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-03(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment + responsibilities + + + organizational personnel with security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: ra-3.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-03(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for risk assessment + + + mechanisms supporting and/or conducting, documenting, reviewing, + disseminating, and updating the supply chain risk assessment + - id: ra-5 + class: SP800-53 + title: Vulnerability Monitoring and Scanning + params: + - id: ra-5_prm_1 + label: organization-defined frequency and/or randomly in accordance + with organization-defined process + constraints: + - description: monthly operating system/infrastructure; monthly web + applications (including APIs) and databases + - id: ra-05_odp.01 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for monitoring systems and hosted applications + for vulnerabilities is defined; + - id: ra-05_odp.02 + label: frequency and/or randomly in accordance with organization-defined + process + guidelines: + - prose: frequency for scanning systems and hosted applications for + vulnerabilities is defined; + - id: ra-05_odp.03 + label: response times + constraints: + - description: high-risk vulnerabilities mitigated within thirty (30) + days from date of discovery; moderate-risk vulnerabilities mitigated + within ninety (90) days from date of discovery; low risk vulnerabilities + mitigated within one hundred and eighty (180) days from date of + discovery + guidelines: + - prose: response times to remediate legitimate vulnerabilities in + accordance with an organizational assessment of risk are defined; + - id: ra-05_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles with whom information obtained from the + vulnerability scanning process and control assessments is to be + shared; + props: + - name: label + value: RA-5 + - name: label + value: RA-05 + class: sp800-53a + - name: sort-id + value: ra-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#8df72805-2e5c-4731-a73e-81db0f0318d0" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#122177fa-c4ed-485d-8345-3082c0fb9a06" + rel: reference + - href: "#8016d2ed-d30f-4416-9c45-0f42c7aa3232" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-8" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-2" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: ra-5_smt + name: statement + parts: + - id: ra-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor and scan for vulnerabilities in the system and hosted\ + \ applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + - id: ra-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ vulnerability monitoring tools and techniques that\ + \ facilitate interoperability among tools and automate parts of\ + \ the vulnerability management process by using standards for:" + parts: + - id: ra-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: Enumerating platforms, software flaws, and improper configurations; + - id: ra-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Formatting checklists and test procedures; and + - id: ra-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: Measuring vulnerability impact; + - id: ra-5_smt.c + name: item + props: + - name: label + value: c. + prose: Analyze vulnerability scan reports and results from vulnerability + monitoring; + - id: ra-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03\ + \ }} in accordance with an organizational assessment of risk;" + - id: ra-5_smt.e + name: item + props: + - name: label + value: e. + prose: "Share information obtained from the vulnerability monitoring\ + \ process and control assessments with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;\ + \ and" + - id: ra-5_smt.f + name: item + props: + - name: label + value: f. + prose: Employ vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned. + - id: ra-5_fr + name: item + title: RA-5 Additional FedRAMP Requirements and Guidance + parts: + - id: ra-5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See the FedRAMP Documents page> Vulnerability Scanning + Requirements https://www.FedRAMP.gov/documents/ + - id: ra-5_fr_smt.1 + name: item + props: + - name: label + value: "(a) Requirement:" + prose: an accredited independent assessor scans operating systems/infrastructure, + web applications, and databases once annually. + - id: ra-5_fr_smt.2 + name: item + props: + - name: label + value: "(d) Requirement:" + prose: If a vulnerability is listed among the CISA Known Exploited + Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) + the KEV remediation date supersedes the FedRAMP parameter + requirement. + - id: ra-5_fr_smt.3 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: to include all Authorizing Officials; for JAB authorizations + to include FedRAMP + - id: ra-5_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Informational findings from a scanner are detailed as a + returned result that holds no vulnerability risk or + severity and for FedRAMP does not require an entry onto + the POA&M or entry onto the RET during any assessment + phase. + + + Warning findings, on the other hand, are given a risk rating + (low, moderate, high or critical) by the scanning solution + and should be treated like any other finding with a risk or + severity rating for tracking purposes onto either the POA&M + or RET depending on when the findings originated (during assessments + or during monthly continuous monitoring). If a warning is + received during scanning, but further validation turns up + no actual issue then this item should be categorized as a + false positive. If this situation presents itself during an + assessment phase (initial assessment, annual assessment or + any SCR), follow guidance on how to report false positives + in the Security Assessment Report (SAR). If this situation + happens during monthly continuous monitoring, a deviation + request will need to be submitted per the FedRAMP Vulnerability + Deviation Request Form. + + + Warnings are commonly associated with scanning solutions that + also perform compliance scans, and if the scanner reports + a “warning” as part of the compliance scanning of a CSO, follow + guidance surrounding the tracking of compliance findings during + either the assessment phases (initial assessment, annual assessment + or any SCR) or monthly continuous monitoring as it applies. + Guidance on compliance scan findings can be found by searching + on “Tracking of Compliance Scans” in FAQs. + - id: ra-5_gdn + name: guidance + prose: >- + Security categorization of information and systems guides the + frequency and comprehensiveness of vulnerability monitoring + (including scans). Organizations determine the required + vulnerability monitoring for system components, ensuring that + the potential sources of vulnerabilities—such as infrastructure + components (e.g., switches, routers, guards, sensors), networked + printers, scanners, and copiers—are not overlooked. The + capability to readily update vulnerability monitoring tools as + new vulnerabilities are discovered and announced and as new + scanning methods are developed helps to ensure that new + vulnerabilities are not missed by employed vulnerability + monitoring tools. The vulnerability monitoring tool update + process helps to ensure that potential vulnerabilities in the + system are identified and addressed as quickly as possible. + Vulnerability monitoring and analyses for custom software may + require additional approaches, such as static analysis, dynamic + analysis, binary analysis, or a hybrid of the three approaches. + Organizations can use these analysis approaches in source code + reviews and in a variety of tools, including web-based + application scanners, static analysis tools, and binary + analyzers. + + + Vulnerability monitoring includes scanning for patch levels; scanning + for functions, ports, protocols, and services that should not be accessible + to users or devices; and scanning for flow control mechanisms that + are improperly configured or operating incorrectly. Vulnerability + monitoring may also include continuous vulnerability monitoring tools + that use instrumentation to continuously analyze components. Instrumentation-based + tools may improve accuracy and may be run throughout an organization + without scanning. Vulnerability monitoring tools that facilitate interoperability + include tools that are Security Content Automated Protocol (SCAP)-validated. + Thus, organizations consider using scanning tools that express vulnerabilities + in the Common Vulnerabilities and Exposures (CVE) naming convention + and that employ the Open Vulnerability Assessment Language (OVAL) + to determine the presence of vulnerabilities. Sources for vulnerability + information include the Common Weakness Enumeration (CWE) listing + and the National Vulnerability Database (NVD). Control assessments, + such as red team exercises, provide additional sources of potential + vulnerabilities for which to scan. Organizations also consider using + scanning tools that express vulnerability impact by the Common Vulnerability + Scoring System (CVSS). + + + Vulnerability monitoring includes a channel and process for receiving + reports of security vulnerabilities from the public at-large. Vulnerability + disclosure programs can be as simple as publishing a monitored email + address or web form that can receive reports, including notification + authorizing good-faith research and disclosure of security vulnerabilities. + Organizations generally expect that such research is happening with + or without their authorization and can use public vulnerability disclosure + channels to increase the likelihood that discovered vulnerabilities + are reported directly to the organization for remediation. + + + Organizations may also employ the use of financial incentives (also + known as "bug bounties" ) to further encourage external security researchers + to report discovered vulnerabilities. Bug bounty programs can be tailored + to the organization’s needs. Bounties can be operated indefinitely + or over a defined period of time and can be offered to the general + public or to a curated group. Organizations may run public and private + bounties simultaneously and could choose to offer partially credentialed + access to certain participants in order to evaluate security vulnerabilities + from privileged vantage points. + - id: ra-5_obj + name: assessment-objective + props: + - name: label + value: RA-05 + class: sp800-53a + parts: + - id: ra-5_obj.a + name: assessment-objective + props: + - name: label + value: RA-05a. + class: sp800-53a + parts: + - id: ra-5_obj.a-1 + name: assessment-objective + props: + - name: label + value: RA-05a.[01] + class: sp800-53a + prose: "systems and hosted applications are monitored for vulnerabilities\ + \ {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.a-2 + name: assessment-objective + props: + - name: label + value: RA-05a.[02] + class: sp800-53a + prose: "systems and hosted applications are scanned for vulnerabilities\ + \ {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities\ + \ potentially affecting the system are identified and reported;" + links: + - href: "#ra-5_smt.a" + rel: assessment-for + links: + - href: "#ra-5_smt.a" + rel: assessment-for + - id: ra-5_obj.b + name: assessment-objective + props: + - name: label + value: RA-05b. + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools; + parts: + - id: ra-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: RA-05b.01 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to automate parts of the vulnerability management process + by using standards for enumerating platforms, software flaws, + and improper configurations; + links: + - href: "#ra-5_smt.b.1" + rel: assessment-for + - id: ra-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: RA-05b.02 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for formatting checklists and test procedures; + links: + - href: "#ra-5_smt.b.2" + rel: assessment-for + - id: ra-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: RA-05b.03 + class: sp800-53a + prose: vulnerability monitoring tools and techniques are employed + to facilitate interoperability among tools and to automate + parts of the vulnerability management process by using standards + for measuring vulnerability impact; + links: + - href: "#ra-5_smt.b.3" + rel: assessment-for + links: + - href: "#ra-5_smt.b" + rel: assessment-for + - id: ra-5_obj.c + name: assessment-objective + props: + - name: label + value: RA-05c. + class: sp800-53a + prose: vulnerability scan reports and results from vulnerability + monitoring are analyzed; + links: + - href: "#ra-5_smt.c" + rel: assessment-for + - id: ra-5_obj.d + name: assessment-objective + props: + - name: label + value: RA-05d. + class: sp800-53a + prose: "legitimate vulnerabilities are remediated {{ insert: param,\ + \ ra-05_odp.03 }} in accordance with an organizational assessment\ + \ of risk;" + links: + - href: "#ra-5_smt.d" + rel: assessment-for + - id: ra-5_obj.e + name: assessment-objective + props: + - name: label + value: RA-05e. + class: sp800-53a + prose: "information obtained from the vulnerability monitoring process\ + \ and control assessments is shared with {{ insert: param, ra-05_odp.04\ + \ }} to help eliminate similar vulnerabilities in other systems;" + links: + - href: "#ra-5_smt.e" + rel: assessment-for + - id: ra-5_obj.f + name: assessment-objective + props: + - name: label + value: RA-05f. + class: sp800-53a + prose: vulnerability monitoring tools that include the capability + to readily update the vulnerabilities to be scanned are employed. + links: + - href: "#ra-5_smt.f" + rel: assessment-for + links: + - href: "#ra-5_smt" + rel: assessment-for + - id: ra-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + assessment report + + + vulnerability scanning tools and associated configuration documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with risk assessment, control + assessment, and vulnerability scanning responsibilities + + + organizational personnel with vulnerability scan analysis responsibilities + + + organizational personnel with vulnerability remediation responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning, + analysis, remediation, and information sharing + + + mechanisms supporting and/or implementing vulnerability scanning, + analysis, remediation, and information sharing + controls: + - id: ra-5.2 + class: SP800-53-enhancement + title: Update Vulnerabilities to Be Scanned + params: + - id: ra-05.02_odp.01 + constraints: + - description: within 24 hours prior to running scans + select: + how-many: one-or-more + choice: + - " {{ insert: param, ra-05.02_odp.02 }} " + - prior to a new scan + - when new vulnerabilities are identified and reported + - id: ra-05.02_odp.02 + label: frequency + guidelines: + - prose: the frequency for updating the system vulnerabilities + to be scanned is defined (if selected); + props: + - name: label + value: RA-5(2) + - name: label + value: RA-05(02) + class: sp800-53a + - name: sort-id + value: ra-05.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + - href: "#si-5" + rel: related + parts: + - id: ra-5.2_smt + name: statement + prose: "Update the system vulnerabilities to be scanned {{ insert:\ + \ param, ra-05.02_odp.01 }}." + - id: ra-5.2_gdn + name: guidance + prose: Due to the complexity of modern software, systems, and other + factors, new vulnerabilities are discovered on a regular basis. + It is important that newly discovered vulnerabilities are added + to the list of vulnerabilities to be scanned to ensure that the + organization can take steps to mitigate those vulnerabilities + in a timely manner. + - id: ra-5.2_obj + name: assessment-objective + props: + - name: label + value: RA-05(02) + class: sp800-53a + prose: "the system vulnerabilities to be scanned are updated {{\ + \ insert: param, ra-05.02_odp.01 }}." + links: + - href: "#ra-5.2_smt" + rel: assessment-for + - id: ra-5.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + + + system/network administrators + - id: ra-5.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.3 + class: SP800-53-enhancement + title: Breadth and Depth of Coverage + props: + - name: label + value: RA-5(3) + - name: label + value: RA-05(03) + class: sp800-53a + - name: sort-id + value: ra-05.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.3_smt + name: statement + prose: Define the breadth and depth of vulnerability scanning coverage. + - id: ra-5.3_gdn + name: guidance + prose: The breadth of vulnerability scanning coverage can be expressed + as a percentage of components within the system, by the particular + types of systems, by the criticality of systems, or by the number + of vulnerabilities to be checked. Conversely, the depth of vulnerability + scanning coverage can be expressed as the level of the system + design that the organization intends to monitor (e.g., component, + module, subsystem, element). Organizations can determine the sufficiency + of vulnerability scanning coverage with regard to its risk tolerance + and other factors. Scanning tools and how the tools are configured + may affect the depth and coverage. Multiple scanning tools may + be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) + provides additional information on the breadth and depth of coverage. + - id: ra-5.3_obj + name: assessment-objective + props: + - name: label + value: RA-05(03) + class: sp800-53a + prose: the breadth and depth of vulnerability scanning coverage + are defined. + links: + - href: "#ra-5.3_smt" + rel: assessment-for + - id: ra-5.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Procedures addressing vulnerability scanning + + + assessment report + + + vulnerability scanning tools and associated configuration + documentation + + + vulnerability scanning results + + + patch and vulnerability management records + + + system security plan + + + other relevant documents or records + - id: ra-5.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.5 + class: SP800-53-enhancement + title: Privileged Access + params: + - id: ra-05.05_odp.01 + label: system components + constraints: + - description: all components that support authentication + guidelines: + - prose: system components to which privileged access is authorized + for selected vulnerability scanning activities are defined; + - id: ra-05.05_odp.02 + label: vulnerability scanning activities + constraints: + - description: all scans + guidelines: + - prose: vulnerability scanning activities selected for privileged + access authorization to system components are defined; + props: + - name: label + value: RA-5(5) + - name: label + value: RA-05(05) + class: sp800-53a + - name: sort-id + value: ra-05.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.5_smt + name: statement + prose: "Implement privileged access authorization to {{ insert:\ + \ param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02\ + \ }}." + - id: ra-5.5_gdn + name: guidance + prose: In certain situations, the nature of the vulnerability scanning + may be more intrusive, or the system component that is the subject + of the scanning may contain classified or controlled unclassified + information, such as personally identifiable information. Privileged + access authorization to selected system components facilitates + more thorough vulnerability scanning and protects the sensitive + nature of such scanning. + - id: ra-5.5_obj + name: assessment-objective + props: + - name: label + value: RA-05(05) + class: sp800-53a + prose: "privileged access authorization is implemented to {{ insert:\ + \ param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02\ + \ }}." + links: + - href: "#ra-5.5_smt" + rel: assessment-for + - id: ra-5.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + system design documentation + + + system configuration settings and associated documentation + + + list of system components for vulnerability scanning + + + personnel access authorization list + + + authorization credentials + + + access authorization records + + + system security plan + + + other relevant documents or records + - id: ra-5.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + system/network administrators + + + organizational personnel responsible for access control to + the system + + + organizational personnel responsible for configuration management + of the system + + + system developers + + + organizational personnel with security responsibilities + - id: ra-5.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + organizational processes for access control + + + mechanisms supporting and/or implementing access control + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + - id: ra-5.11 + class: SP800-53-enhancement + title: Public Disclosure Program + props: + - name: label + value: RA-5(11) + - name: label + value: RA-05(11) + class: sp800-53a + - name: sort-id + value: ra-05.11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ra-5" + rel: required + parts: + - id: ra-5.11_smt + name: statement + prose: Establish a public reporting channel for receiving reports + of vulnerabilities in organizational systems and system components. + - id: ra-5.11_gdn + name: guidance + prose: The reporting channel is publicly discoverable and contains + clear language authorizing good-faith research and the disclosure + of vulnerabilities to the organization. The organization does + not condition its authorization on an expectation of indefinite + non-disclosure to the public by the reporting entity but may request + a specific time period to properly remediate the vulnerability. + - id: ra-5.11_obj + name: assessment-objective + props: + - name: label + value: RA-05(11) + class: sp800-53a + prose: a public reporting channel is established for receiving reports + of vulnerabilities in organizational systems and system components. + links: + - href: "#ra-5.11_smt" + rel: assessment-for + - id: ra-5.11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-05(11)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + procedures addressing vulnerability scanning + + + risk assessment + + + vulnerability scanning tools and techniques documentation + + + vulnerability scanning results + + + vulnerability management records + + + audit records + + + public reporting channel + + + system security plan + + + other relevant documents or records + - id: ra-5.11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-05(11)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with vulnerability scanning + responsibilities + + + organizational personnel with vulnerability scan analysis + responsibilities + + + organizational personnel with security responsibilities + - id: ra-5.11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-05(11)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for vulnerability scanning + + + mechanisms/tools supporting and/or implementing vulnerability + scanning + + + mechanisms implementing the public reporting of vulnerabilities + - id: ra-7 + class: SP800-53 + title: Risk Response + props: + - name: label + value: RA-7 + - name: label + value: RA-07 + class: sp800-53a + - name: sort-id + value: ra-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-5" + rel: related + - href: "#ir-9" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-28" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: ra-7_smt + name: statement + prose: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - id: ra-7_gdn + name: guidance + prose: Organizations have many options for responding to risk including + mitigating risk by implementing new controls or strengthening existing + controls, accepting risk with appropriate justification or rationale, + sharing or transferring risk, or avoiding risk. The risk tolerance + of the organization influences risk response decisions and actions. + Risk response addresses the need to determine an appropriate response + to risk before generating a plan of action and milestones entry. For + example, the response may be to accept risk or reject risk, or it + may be possible to mitigate the risk immediately so that a plan of + action and milestones entry is not needed. However, if the risk response + is to mitigate the risk, and the mitigation cannot be completed immediately, + a plan of action and milestones entry is generated. + - id: ra-7_obj + name: assessment-objective + props: + - name: label + value: RA-07 + class: sp800-53a + parts: + - id: ra-7_obj-1 + name: assessment-objective + props: + - name: label + value: RA-07[01] + class: sp800-53a + prose: findings from security assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-2 + name: assessment-objective + props: + - name: label + value: RA-07[02] + class: sp800-53a + prose: findings from privacy assessments are responded to in accordance + with organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-3 + name: assessment-objective + props: + - name: label + value: RA-07[03] + class: sp800-53a + prose: findings from monitoring are responded to in accordance with + organizational risk tolerance; + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_obj-4 + name: assessment-objective + props: + - name: label + value: RA-07[04] + class: sp800-53a + prose: findings from audits are responded to in accordance with + organizational risk tolerance. + links: + - href: "#ra-7_smt" + rel: assessment-for + links: + - href: "#ra-7_smt" + rel: assessment-for + - id: ra-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Risk assessment policy + + assessment reports + + audit records/event logs + + system security plan + + privacy plan + + other relevant documents or records + - id: ra-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + system/network administrators + + + organizational personnel with security and privacy responsibilities + - id: ra-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: ra-9 + class: SP800-53 + title: Criticality Analysis + params: + - id: ra-09_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services to be analyzed + for criticality are defined; + - id: ra-09_odp.02 + label: decision points in the system development life cycle + guidelines: + - prose: decision points in the system development life cycle when + a criticality analysis is to be performed are defined; + props: + - name: label + value: RA-9 + - name: label + value: RA-09 + class: sp800-53a + - name: sort-id + value: ra-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#cp-2" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-8" + rel: related + - href: "#pl-11" + rel: related + - href: "#pm-1" + rel: related + - href: "#pm-11" + rel: related + - href: "#ra-2" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-20" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: ra-9_smt + name: statement + prose: "Identify critical system components and functions by performing\ + \ a criticality analysis for {{ insert: param, ra-09_odp.01 }} at\ + \ {{ insert: param, ra-09_odp.02 }}." + - id: ra-9_gdn + name: guidance + prose: >- + Not all system components, functions, or services necessarily + require significant protections. For example, criticality + analysis is a key tenet of supply chain risk management and + informs the prioritization of protection activities. The + identification of critical system components and functions + considers applicable laws, executive orders, regulations, + directives, policies, standards, system functionality + requirements, system and component interfaces, and system and + component dependencies. Systems engineers conduct a functional + decomposition of a system to identify mission-critical functions + and components. The functional decomposition includes the + identification of organizational missions supported by the + system, decomposition into the specific functions to perform + those missions, and traceability to the hardware, software, and + firmware components that implement those functions, including + when the functions are shared by many components within and + external to the system. + + + The operational environment of a system or a system component may + impact the criticality, including the connections to and dependencies + on cyber-physical systems, devices, system-of-systems, and outsourced + IT services. System components that allow unmediated access to critical + system components or functions are considered critical due to the + inherent vulnerabilities that such components create. Component and + function criticality are assessed in terms of the impact of a component + or function failure on the organizational missions that are supported + by the system that contains the components and functions. + + + Criticality analysis is performed when an architecture or design is + being developed, modified, or upgraded. If such analysis is performed + early in the system development life cycle, organizations may be able + to modify the system design to reduce the critical nature of these + components and functions, such as by adding redundancy or alternate + paths into the system design. Criticality analysis can also influence + the protection measures required by development contractors. In addition + to criticality analysis for systems, system components, and system + services, criticality analysis of information is an important consideration. + Such analysis is conducted as part of security categorization in [RA-2](#ra-2). + - id: ra-9_obj + name: assessment-objective + props: + - name: label + value: RA-09 + class: sp800-53a + prose: "critical system components and functions are identified by performing\ + \ a criticality analysis for {{ insert: param, ra-09_odp.01 }} at\ + \ {{ insert: param, ra-09_odp.02 }}." + links: + - href: "#ra-9_smt" + rel: assessment-for + - id: ra-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: RA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Risk assessment policy + + + assessment reports + + + criticality analysis/finalized criticality for each component/subcomponent + + + audit records/event logs + + + analysis reports + + + system security plan + + + other relevant documents or records + - id: ra-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: RA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with assessment and auditing + responsibilities + + + organizational personnel with criticality analysis responsibilities + + + system/network administrators + + + organizational personnel with security responsibilities + - id: ra-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: RA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for assessments and audits + + + mechanisms/tools supporting and/or implementing assessments and + auditing + - id: sa + class: family + title: System and Services Acquisition + controls: + - id: sa-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sa-1_prm_1 + label: organization-defined personnel or roles + - id: sa-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + policy is to be disseminated is/are defined; + - id: sa-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and services acquisition + procedures are to be disseminated is/are defined; + - id: sa-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sa-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and services acquisition + policy and procedures is defined; + - id: sa-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and services acquisition + policy is reviewed and updated is defined; + - id: sa-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and services + acquisition policy to be reviewed and updated are defined; + - id: sa-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and services acquisition + procedures are reviewed and updated is defined; + - id: sa-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and services acquisition + procedures to be reviewed and updated are defined; + props: + - name: label + value: SA-1 + - name: label + value: SA-01 + class: sp800-53a + - name: sort-id + value: sa-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sa-1_smt + name: statement + parts: + - id: sa-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sa-1_prm_1 }}:" + parts: + - id: sa-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sa-01_odp.03 }} system and services\ + \ acquisition policy that:" + parts: + - id: sa-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sa-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sa-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and services acquisition policy and the associated system + and services acquisition controls; + - id: sa-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sa-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures; and" + - id: sa-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and services acquisition:" + parts: + - id: sa-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sa-01_odp.05 }} and following\ + \ {{ insert: param, sa-01_odp.06 }} ; and" + - id: sa-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sa-01_odp.07 }} and following\ + \ {{ insert: param, sa-01_odp.08 }}." + - id: sa-1_gdn + name: guidance + prose: System and services acquisition policy and procedures address + the controls in the SA family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and services acquisition policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and services acquisition policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in laws, + executive orders, directives, regulations, policies, standards, and + guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sa-1_obj + name: assessment-objective + props: + - name: label + value: SA-01 + class: sp800-53a + parts: + - id: sa-1_obj.a + name: assessment-objective + props: + - name: label + value: SA-01a. + class: sp800-53a + parts: + - id: sa-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.[01] + class: sp800-53a + prose: a system and services acquisition policy is developed + and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.[02] + class: sp800-53a + prose: "the system and services acquisition policy is disseminated\ + \ to {{ insert: param, sa-01_odp.01 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.[03] + class: sp800-53a + prose: system and services acquisition procedures to facilitate + the implementation of the system and services acquisition + policy and associated system and services acquisition controls + are developed and documented; + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.[04] + class: sp800-53a + prose: "the system and services acquisition procedures are disseminated\ + \ to {{ insert: param, sa-01_odp.02 }};" + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-01a.01 + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SA-01a.01(a) + class: sp800-53a + parts: + - id: sa-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses purpose;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses scope;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses roles;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses responsibilities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses management\ + \ commitment;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SA-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system\ + \ and services acquisition policy addresses compliance;" + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1.a" + rel: assessment-for + - id: sa-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SA-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.03 }} system and\ + \ services acquisition policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sa-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sa-1_smt.a.1" + rel: assessment-for + links: + - href: "#sa-1_smt.a" + rel: assessment-for + - id: sa-1_obj.b + name: assessment-objective + props: + - name: label + value: SA-01b. + class: sp800-53a + prose: "the {{ insert: param, sa-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and services acquisition policy and procedures;" + links: + - href: "#sa-1_smt.b" + rel: assessment-for + - id: sa-1_obj.c + name: assessment-objective + props: + - name: label + value: SA-01c. + class: sp800-53a + parts: + - id: sa-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SA-01c.01 + class: sp800-53a + parts: + - id: sa-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SA-01c.01[01] + class: sp800-53a + prose: "the system and services acquisition policy is reviewed\ + \ and updated {{ insert: param, sa-01_odp.05 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SA-01c.01[02] + class: sp800-53a + prose: "the current system and services acquisition policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sa-01_odp.06 }};" + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + links: + - href: "#sa-1_smt.c.1" + rel: assessment-for + - id: sa-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SA-01c.02 + class: sp800-53a + parts: + - id: sa-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SA-01c.02[01] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated {{ insert: param, sa-01_odp.07\ + \ }};" + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + - id: sa-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SA-01c.02[02] + class: sp800-53a + prose: "the current system and services acquisition procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sa-01_odp.08 }}." + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c.2" + rel: assessment-for + links: + - href: "#sa-1_smt.c" + rel: assessment-for + links: + - href: "#sa-1_smt" + rel: assessment-for + - id: sa-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and services acquisition policy + + system and services acquisition procedures + + supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management plan + + system security plan + + privacy plan + + other relevant documents or records + - id: sa-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2 + class: SP800-53 + title: Allocation of Resources + props: + - name: label + value: SA-2 + - name: label + value: SA-02 + class: sp800-53a + - name: sort-id + value: sa-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#pl-7" + rel: related + - href: "#pm-3" + rel: related + - href: "#pm-11" + rel: related + - href: "#sa-9" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-2_smt + name: statement + parts: + - id: sa-2_smt.a + name: item + props: + - name: label + value: a. + prose: Determine the high-level information security and privacy + requirements for the system or system service in mission and business + process planning; + - id: sa-2_smt.b + name: item + props: + - name: label + value: b. + prose: Determine, document, and allocate the resources required + to protect the system or system service as part of the organizational + capital planning and investment control process; and + - id: sa-2_smt.c + name: item + props: + - name: label + value: c. + prose: Establish a discrete line item for information security and + privacy in organizational programming and budgeting documentation. + - id: sa-2_gdn + name: guidance + prose: Resource allocation for information security and privacy includes + funding for system and services acquisition, sustainment, and supply + chain-related risks throughout the system development life cycle. + - id: sa-2_obj + name: assessment-objective + props: + - name: label + value: SA-02 + class: sp800-53a + parts: + - id: sa-2_obj.a + name: assessment-objective + props: + - name: label + value: SA-02a. + class: sp800-53a + parts: + - id: sa-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-02a.[01] + class: sp800-53a + prose: the high-level information security requirements for + the system or system service are determined in mission and + business process planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-02a.[02] + class: sp800-53a + prose: the high-level privacy requirements for the system or + system service are determined in mission and business process + planning; + links: + - href: "#sa-2_smt.a" + rel: assessment-for + links: + - href: "#sa-2_smt.a" + rel: assessment-for + - id: sa-2_obj.b + name: assessment-objective + props: + - name: label + value: SA-02b. + class: sp800-53a + parts: + - id: sa-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-02b.[01] + class: sp800-53a + prose: the resources required to protect the system or system + service are determined and documented as part of the organizational + capital planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-02b.[02] + class: sp800-53a + prose: the resources required to protect the system or system + service are allocated as part of the organizational capital + planning and investment control process; + links: + - href: "#sa-2_smt.b" + rel: assessment-for + links: + - href: "#sa-2_smt.b" + rel: assessment-for + - id: sa-2_obj.c + name: assessment-objective + props: + - name: label + value: SA-02c. + class: sp800-53a + parts: + - id: sa-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-02c.[01] + class: sp800-53a + prose: a discrete line item for information security is established + in organizational programming and budgeting documentation; + links: + - href: "#sa-2_smt.c" + rel: assessment-for + - id: sa-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-02c.[02] + class: sp800-53a + prose: a discrete line item for privacy is established in organizational + programming and budgeting documentation. + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt.c" + rel: assessment-for + links: + - href: "#sa-2_smt" + rel: assessment-for + - id: sa-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + system and services acquisition strategy and plans + + + procedures addressing the allocation of resources to information + security and privacy requirements + + + procedures addressing capital planning and investment control + + + organizational programming and budgeting documentation + + + system security plan + + + privacy plan + + + supply chain risk management policy + + + other relevant documents or records + - id: sa-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with capital planning, investment + control, organizational programming, and budgeting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining information + security and privacy requirements + + + organizational processes for capital planning, programming, and + budgeting + + + mechanisms supporting and/or implementing organizational capital + planning, programming, and budgeting + - id: sa-3 + class: SP800-53 + title: System Development Life Cycle + params: + - id: sa-03_odp + label: system-development life cycle + guidelines: + - prose: system development life cycle is defined; + props: + - name: label + value: SA-3 + - name: label + value: SA-03 + class: sp800-53a + - name: sort-id + value: sa-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e" + rel: reference + - href: "#at-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-22" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-3_smt + name: statement + parts: + - id: sa-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Acquire, develop, and manage the system using {{ insert:\ + \ param, sa-03_odp }} that incorporates information security and\ + \ privacy considerations;" + - id: sa-3_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document information security and privacy roles + and responsibilities throughout the system development life cycle; + - id: sa-3_smt.c + name: item + props: + - name: label + value: c. + prose: Identify individuals having information security and privacy + roles and responsibilities; and + - id: sa-3_smt.d + name: item + props: + - name: label + value: d. + prose: Integrate the organizational information security and privacy + risk management process into system development life cycle activities. + - id: sa-3_gdn + name: guidance + prose: >- + A system development life cycle process provides the foundation + for the successful development, implementation, and operation of + organizational systems. The integration of security and privacy + considerations early in the system development life cycle is a + foundational principle of systems security engineering and + privacy engineering. To apply the required controls within the + system development life cycle requires a basic understanding of + information security and privacy, threats, vulnerabilities, + adverse impacts, and risk to critical mission and business + functions. The security engineering principles in [SA-8](#sa-8) + help individuals properly design, code, and test systems and + system components. Organizations include qualified personnel + (e.g., senior agency information security officers, senior + agency officials for privacy, security and privacy architects, + and security and privacy engineers) in system development life + cycle processes to ensure that established security and privacy + requirements are incorporated into organizational systems. + Role-based security and privacy training programs can ensure + that individuals with key security and privacy roles and + responsibilities have the experience, skills, and expertise to + conduct assigned system development life cycle activities. + + + The effective integration of security and privacy requirements into + enterprise architecture also helps to ensure that important security + and privacy considerations are addressed throughout the system life + cycle and that those considerations are directly related to organizational + mission and business processes. This process also facilitates the + integration of the information security and privacy architectures + into the enterprise architecture, consistent with the risk management + strategy of the organization. Because the system development life + cycle involves multiple organizations, (e.g., external suppliers, + developers, integrators, service providers), acquisition and supply + chain risk management functions and controls play significant roles + in the effective management of the system during the life cycle. + - id: sa-3_obj + name: assessment-objective + props: + - name: label + value: SA-03 + class: sp800-53a + parts: + - id: sa-3_obj.a + name: assessment-objective + props: + - name: label + value: SA-03a. + class: sp800-53a + parts: + - id: sa-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-03a.[01] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates information\ + \ security considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-03a.[02] + class: sp800-53a + prose: "the system is acquired, developed, and managed using\ + \ {{ insert: param, sa-03_odp }} that incorporates privacy\ + \ considerations;" + links: + - href: "#sa-3_smt.a" + rel: assessment-for + links: + - href: "#sa-3_smt.a" + rel: assessment-for + - id: sa-3_obj.b + name: assessment-objective + props: + - name: label + value: SA-03b. + class: sp800-53a + parts: + - id: sa-3_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-03b.[01] + class: sp800-53a + prose: information security roles and responsibilities are defined + and documented throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-03b.[02] + class: sp800-53a + prose: privacy roles and responsibilities are defined and documented + throughout the system development life cycle; + links: + - href: "#sa-3_smt.b" + rel: assessment-for + links: + - href: "#sa-3_smt.b" + rel: assessment-for + - id: sa-3_obj.c + name: assessment-objective + props: + - name: label + value: SA-03c. + class: sp800-53a + parts: + - id: sa-3_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-03c.[01] + class: sp800-53a + prose: individuals with information security roles and responsibilities + are identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-03c.[02] + class: sp800-53a + prose: individuals with privacy roles and responsibilities are + identified; + links: + - href: "#sa-3_smt.c" + rel: assessment-for + links: + - href: "#sa-3_smt.c" + rel: assessment-for + - id: sa-3_obj.d + name: assessment-objective + props: + - name: label + value: SA-03d. + class: sp800-53a + parts: + - id: sa-3_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-03d.[01] + class: sp800-53a + prose: organizational information security risk management processes + are integrated into system development life cycle activities; + links: + - href: "#sa-3_smt.d" + rel: assessment-for + - id: sa-3_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-03d.[02] + class: sp800-53a + prose: organizational privacy risk management processes are + integrated into system development life cycle activities. + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt.d" + rel: assessment-for + links: + - href: "#sa-3_smt" + rel: assessment-for + - id: sa-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the system development + life cycle process + + + system development life cycle documentation + + + organizational risk management strategy + + + information security and privacy risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy program plan + + + enterprise architecture documentation + + + role-based security and privacy training program documentation + + + data mapping documentation + + + other relevant documents or records + - id: sa-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security and + privacy responsibilities + + + organizational personnel with system life cycle development responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle + + + organizational processes for identifying system development life + cycle roles and responsibilities + + + organizational processes for integrating information security + and privacy and supply chain risk management into the system development + life cycle + + + mechanisms supporting and/or implementing the system development + life cycle + - id: sa-4 + class: SP800-53 + title: Acquisition Process + params: + - id: sa-04_odp.01 + select: + how-many: one-or-more + choice: + - standardized contract language + - " {{ insert: param, sa-04_odp.02 }} " + - id: sa-04_odp.02 + label: contract language + guidelines: + - prose: contract language is defined (if selected); + props: + - name: label + value: SA-4 + - name: label + value: SA-04 + class: sp800-53a + - name: sort-id + value: sa-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73" + rel: reference + - href: "#87087451-2af5-43d4-88c1-d66ad850f614" + rel: reference + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#06ce9216-bd54-4054-a422-94f358b50a5d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7ba1d91c-3934-4d5a-8532-b32f864ad34c" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#858705be-3c1f-48aa-a328-0ce398d95ef0" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#4b38e961-1125-4a5b-aa35-1d6c02846dad" + rel: reference + - href: "#604774da-9e1d-48eb-9c62-4e959dc80737" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#795aff72-3e6c-4b6b-a80a-b14d84b7f544" + rel: reference + - href: "#3d575737-98cb-459d-b41c-d7e82b73ad78" + rel: reference + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-21" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-4_smt + name: statement + prose: "Include the following requirements, descriptions, and criteria,\ + \ explicitly or by reference, using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service:" + parts: + - id: sa-4_smt.a + name: item + props: + - name: label + value: a. + prose: Security and privacy functional requirements; + - id: sa-4_smt.b + name: item + props: + - name: label + value: b. + prose: Strength of mechanism requirements; + - id: sa-4_smt.c + name: item + props: + - name: label + value: c. + prose: Security and privacy assurance requirements; + - id: sa-4_smt.d + name: item + props: + - name: label + value: d. + prose: Controls needed to satisfy the security and privacy requirements. + - id: sa-4_smt.e + name: item + props: + - name: label + value: e. + prose: Security and privacy documentation requirements; + - id: sa-4_smt.f + name: item + props: + - name: label + value: f. + prose: Requirements for protecting security and privacy documentation; + - id: sa-4_smt.g + name: item + props: + - name: label + value: g. + prose: Description of the system development environment and environment + in which the system is intended to operate; + - id: sa-4_smt.h + name: item + props: + - name: label + value: h. + prose: Allocation of responsibility or identification of parties + responsible for information security, privacy, and supply chain + risk management; and + - id: sa-4_smt.i + name: item + props: + - name: label + value: i. + prose: Acceptance criteria. + - id: sa-4_fr + name: item + title: SA-4 Additional FedRAMP Requirements and Guidance + parts: + - id: sa-4_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider must comply with Federal Acquisition + Regulation (FAR) Subpart 7.103, and Section 889 of the John + S. McCain National Defense Authorization Act (NDAA) for Fiscal + Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements + Section 889 (as well as any added updates related to FISMA + to address security concerns in the system acquisitions process). + - id: sa-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + The use of Common Criteria (ISO/IEC 15408) evaluated + products is strongly preferred. + + + See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/. + - id: sa-4_gdn + name: guidance + prose: >- + Security and privacy functional requirements are typically + derived from the high-level security and privacy requirements + described in [SA-2](#sa-2) . The derived requirements include + security and privacy capabilities, functions, and mechanisms. + Strength requirements associated with such capabilities, + functions, and mechanisms include degree of correctness, + completeness, resistance to tampering or bypass, and resistance + to direct attack. Assurance requirements include development + processes, procedures, and methodologies as well as the evidence + from development and assessment activities that provide grounds + for confidence that the required functionality is implemented + and possesses the required strength of mechanism. [SP + 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the + process of requirements engineering as part of the system + development life cycle. + + + Controls can be viewed as descriptions of the safeguards and protection + capabilities appropriate for achieving the particular security and + privacy objectives of the organization and for reflecting the security + and privacy requirements of stakeholders. Controls are selected and + implemented in order to satisfy system requirements and include developer + and organizational responsibilities. Controls can include technical, + administrative, and physical aspects. In some cases, the selection + and implementation of a control may necessitate additional specification + by the organization in the form of derived requirements or instantiated + control parameter values. The derived requirements and control parameter + values may be necessary to provide the appropriate level of implementation + detail for controls within the system development life cycle. + + + Security and privacy documentation requirements address all stages + of the system development life cycle. Documentation provides user + and administrator guidance for the implementation and operation of + controls. The level of detail required in such documentation is based + on the security categorization or classification level of the system + and the degree to which organizations depend on the capabilities, + functions, or mechanisms to meet risk response expectations. Requirements + can include mandated configuration settings that specify allowed functions, + ports, protocols, and services. Acceptance criteria for systems, system + components, and system services are defined in the same manner as + the criteria for any organizational acquisition or procurement. + - id: sa-4_obj + name: assessment-objective + props: + - name: label + value: SA-04 + class: sp800-53a + parts: + - id: sa-4_obj.a + name: assessment-objective + props: + - name: label + value: SA-04a. + class: sp800-53a + parts: + - id: sa-4_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-04a.[01] + class: sp800-53a + prose: "security functional requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-04a.[02] + class: sp800-53a + prose: "privacy functional requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.a" + rel: assessment-for + links: + - href: "#sa-4_smt.a" + rel: assessment-for + - id: sa-4_obj.b + name: assessment-objective + props: + - name: label + value: SA-04b. + class: sp800-53a + prose: "strength of mechanism requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert: param,\ + \ sa-04_odp.01 }} in the acquisition contract for the system,\ + \ system component, or system service;" + links: + - href: "#sa-4_smt.b" + rel: assessment-for + - id: sa-4_obj.c + name: assessment-objective + props: + - name: label + value: SA-04c. + class: sp800-53a + parts: + - id: sa-4_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-04c.[01] + class: sp800-53a + prose: "security assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-04c.[02] + class: sp800-53a + prose: "privacy assurance requirements, descriptions, and criteria\ + \ are included explicitly or by reference using {{ insert:\ + \ param, sa-04_odp.01 }} in the acquisition contract for the\ + \ system, system component, or system service;" + links: + - href: "#sa-4_smt.c" + rel: assessment-for + links: + - href: "#sa-4_smt.c" + rel: assessment-for + - id: sa-4_obj.d + name: assessment-objective + props: + - name: label + value: SA-04d. + class: sp800-53a + parts: + - id: sa-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-04d.[01] + class: sp800-53a + prose: "controls needed to satisfy the security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-04d.[02] + class: sp800-53a + prose: "controls needed to satisfy the privacy requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.d" + rel: assessment-for + links: + - href: "#sa-4_smt.d" + rel: assessment-for + - id: sa-4_obj.e + name: assessment-objective + props: + - name: label + value: SA-04e. + class: sp800-53a + parts: + - id: sa-4_obj.e-1 + name: assessment-objective + props: + - name: label + value: SA-04e.[01] + class: sp800-53a + prose: "security documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.e-2 + name: assessment-objective + props: + - name: label + value: SA-04e.[02] + class: sp800-53a + prose: "privacy documentation requirements, descriptions, and\ + \ criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.e" + rel: assessment-for + links: + - href: "#sa-4_smt.e" + rel: assessment-for + - id: sa-4_obj.f + name: assessment-objective + props: + - name: label + value: SA-04f. + class: sp800-53a + parts: + - id: sa-4_obj.f-1 + name: assessment-objective + props: + - name: label + value: SA-04f.[01] + class: sp800-53a + prose: "requirements for protecting security documentation,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.f-2 + name: assessment-objective + props: + - name: label + value: SA-04f.[02] + class: sp800-53a + prose: "requirements for protecting privacy documentation, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }} in the acquisition contract\ + \ for the system, system component, or system service;" + links: + - href: "#sa-4_smt.f" + rel: assessment-for + links: + - href: "#sa-4_smt.f" + rel: assessment-for + - id: sa-4_obj.g + name: assessment-objective + props: + - name: label + value: SA-04g. + class: sp800-53a + prose: "the description of the system development environment and\ + \ environment in which the system is intended to operate, requirements,\ + \ and criteria are included explicitly or by reference using {{\ + \ insert: param, sa-04_odp.01 }} in the acquisition contract for\ + \ the system, system component, or system service;" + links: + - href: "#sa-4_smt.g" + rel: assessment-for + - id: sa-4_obj.h + name: assessment-objective + props: + - name: label + value: SA-04h. + class: sp800-53a + parts: + - id: sa-4_obj.h-1 + name: assessment-objective + props: + - name: label + value: SA-04h.[01] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for information security requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }} in the\ + \ acquisition contract for the system, system component, or\ + \ system service;" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-2 + name: assessment-objective + props: + - name: label + value: SA-04h.[02] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for privacy requirements, descriptions,\ + \ and criteria are included explicitly or by reference using\ + \ {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.h-3 + name: assessment-objective + props: + - name: label + value: SA-04h.[03] + class: sp800-53a + prose: "the allocation of responsibility or identification of\ + \ parties responsible for supply chain risk management requirements,\ + \ descriptions, and criteria are included explicitly or by\ + \ reference using {{ insert: param, sa-04_odp.01 }};" + links: + - href: "#sa-4_smt.h" + rel: assessment-for + links: + - href: "#sa-4_smt.h" + rel: assessment-for + - id: sa-4_obj.i + name: assessment-objective + props: + - name: label + value: SA-04i. + class: sp800-53a + prose: "acceptance criteria requirements and descriptions are included\ + \ explicitly or by reference using {{ insert: param, sa-04_odp.01\ + \ }} in the acquisition contract for the system, system component,\ + \ or system service." + links: + - href: "#sa-4_smt.i" + rel: assessment-for + links: + - href: "#sa-4_smt" + rel: assessment-for + - id: sa-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy and supply chain risk management into the acquisition + process + + + configuration management plan + + + acquisition contracts for the system, system component, or system + service + + + system design documentation + + + system security plan + + + supply chain risk management plan + + + privacy plan + + + other relevant documents or records + - id: sa-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + + + organizational personnel with supply chain risk management responsibilities + - id: sa-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining system security and + privacy functional, strength, and assurance requirements + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing acquisitions and the + inclusion of security and privacy requirements in contracts + controls: + - id: sa-4.1 + class: SP800-53-enhancement + title: Functional Properties of Controls + props: + - name: label + value: SA-4(1) + - name: label + value: SA-04(01) + class: sp800-53a + - name: sort-id + value: sa-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + parts: + - id: sa-4.1_smt + name: statement + prose: Require the developer of the system, system component, or + system service to provide a description of the functional properties + of the controls to be implemented. + - id: sa-4.1_gdn + name: guidance + prose: Functional properties of security and privacy controls describe + the functionality (i.e., security or privacy capability, functions, + or mechanisms) visible at the interfaces of the controls and specifically + exclude functionality and data structures internal to the operation + of the controls. + - id: sa-4.1_obj + name: assessment-objective + props: + - name: label + value: SA-04(01) + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to provide a description of the functional + properties of the controls to be implemented. + links: + - href: "#sa-4.1_smt" + rel: assessment-for + - id: sa-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of security and privacy + requirements, descriptions, and criteria into the acquisition + process + + + solicitation documents + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system services + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sa-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developers + - id: sa-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining system security + functional requirements + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing acquisitions and + the inclusion of security and privacy requirements in contracts + - id: sa-4.2 + class: SP800-53-enhancement + title: Design and Implementation Information for Controls + params: + - id: sa-04.02_odp.01 + constraints: + - description: at a minimum to include security-relevant external + system interfaces; high-level design; low-level design; source + code or network and data flow diagram; + select: + how-many: one-or-more + choice: + - security-relevant external system interfaces + - high-level design + - low-level design + - source code or hardware schematics + - " {{ insert: param, sa-04.02_odp.02 }} " + - id: sa-04.02_odp.02 + label: design and implementation information + guidelines: + - prose: design and implementation information is defined (if + selected); + - id: sa-04.02_odp.03 + label: level of detail + guidelines: + - prose: level of detail is defined; + props: + - name: label + value: SA-4(2) + - name: label + value: SA-04(02) + class: sp800-53a + - name: sort-id + value: sa-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + parts: + - id: sa-4.2_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to provide design and implementation information\ + \ for the controls that includes: {{ insert: param, sa-04.02_odp.01\ + \ }} at {{ insert: param, sa-04.02_odp.03 }}." + - id: sa-4.2_gdn + name: guidance + prose: Organizations may require different levels of detail in the + documentation for the design and implementation of controls in + organizational systems, system components, or system services + based on mission and business requirements, requirements for resiliency + and trustworthiness, and requirements for analysis and testing. + Systems can be partitioned into multiple subsystems. Each subsystem + within the system can contain one or more modules. The high-level + design for the system is expressed in terms of subsystems and + the interfaces between subsystems providing security-relevant + functionality. The low-level design for the system is expressed + in terms of modules and the interfaces between modules providing + security-relevant functionality. Design and implementation documentation + can include manufacturer, version, serial number, verification + hash signature, software libraries used, date of purchase or download, + and the vendor or download source. Source code and hardware schematics + are referred to as the implementation representation of the system. + - id: sa-4.2_obj + name: assessment-objective + props: + - name: label + value: SA-04(02) + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to provide design and implementation information\ + \ for the controls that includes using {{ insert: param, sa-04.02_odp.01\ + \ }} at {{ insert: param, sa-04.02_odp.03 }}." + links: + - href: "#sa-4.2_smt" + rel: assessment-for + - id: sa-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documents + + + acquisition documentation + + + acquisition contracts for the system, system components, or + system services + + + design and implementation information for controls employed + in the system, system component, or system service + + + system security plan + + + other relevant documents or records + - id: sa-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility to determine + system security requirements + + + system developers or service provider + + + organizational personnel with information security responsibilities + - id: sa-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for determining the level of + detail for system design and controls + + + organizational processes for developing acquisition contracts + + + mechanisms supporting and/or implementing the development + of system design details + - id: sa-4.9 + class: SP800-53-enhancement + title: Functions, Ports, Protocols, and Services in Use + props: + - name: label + value: SA-4(9) + - name: label + value: SA-04(09) + class: sp800-53a + - name: sort-id + value: sa-04.09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + - href: "#cm-7" + rel: related + - href: "#sa-9" + rel: related + parts: + - id: sa-4.9_smt + name: statement + prose: Require the developer of the system, system component, or + system service to identify the functions, ports, protocols, and + services intended for organizational use. + - id: sa-4.9_gdn + name: guidance + prose: The identification of functions, ports, protocols, and services + early in the system development life cycle (e.g., during the initial + requirements definition and design stages) allows organizations + to influence the design of the system, system component, or system + service. This early involvement in the system development life + cycle helps organizations avoid or minimize the use of functions, + ports, protocols, or services that pose unnecessarily high risks + and understand the trade-offs involved in blocking specific ports, + protocols, or services or requiring system service providers to + do so. Early identification of functions, ports, protocols, and + services avoids costly retrofitting of controls after the system, + component, or system service has been implemented. [SA-9](#sa-9) + describes the requirements for external system services. Organizations + identify which functions, ports, protocols, and services are provided + from external sources. + - id: sa-4.9_obj + name: assessment-objective + props: + - name: label + value: SA-04(09) + class: sp800-53a + parts: + - id: sa-4.9_obj-1 + name: assessment-objective + props: + - name: label + value: SA-04(09)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the functions intended for + organizational use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-2 + name: assessment-objective + props: + - name: label + value: SA-04(09)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the ports intended for organizational + use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-3 + name: assessment-objective + props: + - name: label + value: SA-04(09)[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the protocols intended for + organizational use; + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_obj-4 + name: assessment-objective + props: + - name: label + value: SA-04(09)[04] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to identify the services intended for + organizational use. + links: + - href: "#sa-4.9_smt" + rel: assessment-for + links: + - href: "#sa-4.9_smt" + rel: assessment-for + - id: sa-4.9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(09)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + system design documentation + + + system documentation, including functions, ports, protocols, + and services intended for organizational use + + + acquisition contracts for systems or services + + + acquisition documentation + + + solicitation documentation + + + service level agreements + + + organizational security requirements, descriptions, and criteria + for developers of systems, system components, and system services + + + system security plan + + + other relevant documents or records + - id: sa-4.9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(09)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility for determining + system security requirements + + + system/network administrators + + + organizational personnel operating, using, and/or maintaining + the system + + + system developers + + + organizational personnel with information security responsibilities + - id: sa-4.10 + class: SP800-53-enhancement + title: Use of Approved PIV Products + props: + - name: label + value: SA-4(10) + - name: label + value: SA-04(10) + class: sp800-53a + - name: sort-id + value: sa-04.10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-4" + rel: required + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + - href: "#pm-9" + rel: related + parts: + - id: sa-4.10_smt + name: statement + prose: Employ only information technology products on the FIPS 201-approved + products list for Personal Identity Verification (PIV) capability + implemented within organizational systems. + - id: sa-4.10_gdn + name: guidance + prose: Products on the FIPS 201-approved products list meet NIST + requirements for Personal Identity Verification (PIV) of Federal + Employees and Contractors. PIV cards are used for multi-factor + authentication in systems and organizations. + - id: sa-4.10_obj + name: assessment-objective + props: + - name: label + value: SA-04(10) + class: sp800-53a + prose: only information technology products on the FIPS 201-approved + products list for the Personal Identity Verification (PIV) capability + implemented within organizational systems are employed. + links: + - href: "#sa-4.10_smt" + rel: assessment-for + - id: sa-4.10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-04(10)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing the integration of security requirements, + descriptions, and criteria into the acquisition process + + + solicitation documentation + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + service level agreements + + + FIPS 201 approved products list + + + system security plan + + + other relevant documents or records + - id: sa-4.10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-04(10)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with the responsibility for determining + system security requirements + + + organizational personnel with the responsibility for ensuring + that only FIPS 201- approved products are implemented + + + organizational personnel with information security responsibilities + - id: sa-4.10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-04(10)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for selecting and employing + FIPS 201-approved products + - id: sa-5 + class: SP800-53 + title: System Documentation + params: + - id: sa-05_odp.01 + label: actions + guidelines: + - prose: actions to take when system, system component, or system + service documentation is either unavailable or nonexistent are + defined; + - id: sa-05_odp.02 + label: personnel or roles + constraints: + - description: at a minimum, the ISSO (or similar role within the + organization) + guidelines: + - prose: personnel or roles to distribute system documentation to + is/are defined; + props: + - name: label + value: SA-5 + - name: label + value: SA-05 + class: sp800-53a + - name: sort-id + value: sa-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pl-8" + rel: related + - href: "#ps-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-16" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-12" + rel: related + - href: "#sr-3" + rel: related + parts: + - id: sa-5_smt + name: statement + parts: + - id: sa-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Obtain or develop administrator documentation for the system,\ + \ system component, or system service that describes:" + parts: + - id: sa-5_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Secure configuration, installation, and operation of + the system, component, or service; + - id: sa-5_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Effective use and maintenance of security and privacy + functions and mechanisms; and + - id: sa-5_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Known vulnerabilities regarding configuration and use + of administrative or privileged functions; + - id: sa-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Obtain or develop user documentation for the system, system\ + \ component, or system service that describes:" + parts: + - id: sa-5_smt.b.1 + name: item + props: + - name: label + value: "1." + prose: User-accessible security and privacy functions and mechanisms + and how to effectively use those functions and mechanisms; + - id: sa-5_smt.b.2 + name: item + props: + - name: label + value: "2." + prose: Methods for user interaction, which enables individuals + to use the system, component, or service in a more secure + manner and protect individual privacy; and + - id: sa-5_smt.b.3 + name: item + props: + - name: label + value: "3." + prose: User responsibilities in maintaining the security of + the system, component, or service and privacy of individuals; + - id: sa-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Document attempts to obtain system, system component, or\ + \ system service documentation when such documentation is either\ + \ unavailable or nonexistent and take {{ insert: param, sa-05_odp.01\ + \ }} in response; and" + - id: sa-5_smt.d + name: item + props: + - name: label + value: d. + prose: "Distribute documentation to {{ insert: param, sa-05_odp.02\ + \ }}." + - id: sa-5_gdn + name: guidance + prose: System documentation helps personnel understand the implementation + and operation of controls. Organizations consider establishing specific + measures to determine the quality and completeness of the content + provided. System documentation may be used to support the management + of supply chain risk, incident response, and other functions. Personnel + or roles that require documentation include system owners, system + security officers, and system administrators. Attempts to obtain documentation + include contacting manufacturers or suppliers and conducting web-based + searches. The inability to obtain documentation may occur due to the + age of the system or component or the lack of support from developers + and contractors. When documentation cannot be obtained, organizations + may need to recreate the documentation if it is essential to the implementation + or operation of the controls. The protection provided for the documentation + is commensurate with the security category or classification of the + system. Documentation that addresses system vulnerabilities may require + an increased level of protection. Secure operation of the system includes + initially starting the system and resuming secure system operation + after a lapse in system operation. + - id: sa-5_obj + name: assessment-objective + props: + - name: label + value: SA-05 + class: sp800-53a + parts: + - id: sa-5_obj.a + name: assessment-objective + props: + - name: label + value: SA-05a. + class: sp800-53a + parts: + - id: sa-5_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-05a.01 + class: sp800-53a + parts: + - id: sa-5_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: SA-05a.01[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + configuration of the system, component, or service is + obtained or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: SA-05a.01[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + installation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.1-3 + name: assessment-objective + props: + - name: label + value: SA-05a.01[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the secure + operation of the system, component, or service is obtained + or developed; + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + links: + - href: "#sa-5_smt.a.1" + rel: assessment-for + - id: sa-5_obj.a.2 + name: assessment-objective + props: + - name: label + value: SA-05a.02 + class: sp800-53a + parts: + - id: sa-5_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SA-05a.02[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of security functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SA-05a.02[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of security functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SA-05a.02[03] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + use of privacy functions and mechanisms is obtained or + developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.2-4 + name: assessment-objective + props: + - name: label + value: SA-05a.02[04] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes the effective + maintenance of privacy functions and mechanisms is obtained + or developed; + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + links: + - href: "#sa-5_smt.a.2" + rel: assessment-for + - id: sa-5_obj.a.3 + name: assessment-objective + props: + - name: label + value: SA-05a.03 + class: sp800-53a + parts: + - id: sa-5_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: SA-05a.03[01] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the configuration of administrative or privileged + functions is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + - id: sa-5_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: SA-05a.03[02] + class: sp800-53a + prose: administrator documentation for the system, system + component, or system service that describes known vulnerabilities + regarding the use of administrative or privileged functions + is obtained or developed; + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a.3" + rel: assessment-for + links: + - href: "#sa-5_smt.a" + rel: assessment-for + - id: sa-5_obj.b + name: assessment-objective + props: + - name: label + value: SA-05b. + class: sp800-53a + parts: + - id: sa-5_obj.b.1 + name: assessment-objective + props: + - name: label + value: SA-05b.01 + class: sp800-53a + parts: + - id: sa-5_obj.b.1-1 + name: assessment-objective + props: + - name: label + value: SA-05b.01[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible security + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-2 + name: assessment-objective + props: + - name: label + value: SA-05b.01[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible security) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-3 + name: assessment-objective + props: + - name: label + value: SA-05b.01[03] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user-accessible privacy + functions and mechanisms is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.1-4 + name: assessment-objective + props: + - name: label + value: SA-05b.01[04] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes how to effectively use + those (user-accessible privacy) functions and mechanisms + is obtained or developed; + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + links: + - href: "#sa-5_smt.b.1" + rel: assessment-for + - id: sa-5_obj.b.2 + name: assessment-objective + props: + - name: label + value: SA-05b.02 + class: sp800-53a + parts: + - id: sa-5_obj.b.2-1 + name: assessment-objective + props: + - name: label + value: SA-05b.02[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service in a more secure manner is obtained or developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.2-2 + name: assessment-objective + props: + - name: label + value: SA-05b.02[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes methods for user interaction, + which enable individuals to use the system, component, + or service to protect individual privacy is obtained or + developed; + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + links: + - href: "#sa-5_smt.b.2" + rel: assessment-for + - id: sa-5_obj.b.3 + name: assessment-objective + props: + - name: label + value: SA-05b.03 + class: sp800-53a + parts: + - id: sa-5_obj.b.3-1 + name: assessment-objective + props: + - name: label + value: SA-05b.03[01] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the security of the system, component, + or service is obtained or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + - id: sa-5_obj.b.3-2 + name: assessment-objective + props: + - name: label + value: SA-05b.03[02] + class: sp800-53a + prose: user documentation for the system, system component, + or system service that describes user responsibilities + for maintaining the privacy of individuals is obtained + or developed; + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b.3" + rel: assessment-for + links: + - href: "#sa-5_smt.b" + rel: assessment-for + - id: sa-5_obj.c + name: assessment-objective + props: + - name: label + value: SA-05c. + class: sp800-53a + parts: + - id: sa-5_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-05c.[01] + class: sp800-53a + prose: attempts to obtain system, system component, or system + service documentation when such documentation is either unavailable + or nonexistent is documented; + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-05c.[02] + class: sp800-53a + prose: "after attempts to obtain system, system component, or\ + \ system service documentation when such documentation is\ + \ either unavailable or nonexistent, {{ insert: param, sa-05_odp.01\ + \ }} are taken in response;" + links: + - href: "#sa-5_smt.c" + rel: assessment-for + links: + - href: "#sa-5_smt.c" + rel: assessment-for + - id: sa-5_obj.d + name: assessment-objective + props: + - name: label + value: SA-05d. + class: sp800-53a + prose: "documentation is distributed to {{ insert: param, sa-05_odp.02\ + \ }}." + links: + - href: "#sa-5_smt.d" + rel: assessment-for + links: + - href: "#sa-5_smt" + rel: assessment-for + - id: sa-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system documentation + + + system documentation, including administrator and user guides + + + system design documentation + + + records documenting attempts to obtain unavailable or nonexistent + system documentation + + + list of actions to be taken in response to documented attempts + to obtain system, system component, or system service documentation + + + risk management strategy documentation + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system administrators + + + organizational personnel responsible for operating, using, and/or + maintaining the system + + + system developers + - id: sa-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for obtaining, protecting, and distributing + system administrator and user documentation + - id: sa-8 + class: SP800-53 + title: Security and Privacy Engineering Principles + params: + - id: sa-8_prm_1 + label: organization-defined systems security and privacy engineering + principles + - id: sa-08_odp.01 + label: systems security engineering principles + guidelines: + - prose: systems security engineering principles are defined; + - id: sa-08_odp.02 + label: privacy engineering principles + guidelines: + - prose: privacy engineering principles are defined; + props: + - name: label + value: SA-8 + - name: label + value: SA-08 + class: sp800-53a + - name: sort-id + value: sa-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#18e71fec-c6fd-475a-925a-5d8495cf8455" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#599fb53d-5041-444e-a7fe-640d6d30ad05" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a" + rel: reference + - href: "#9be5d661-421f-41ad-854e-86f98b811891" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#98d415ca-7281-4064-9931-0c366637e324" + rel: reference + - href: "#pl-8" + rel: related + - href: "#pm-7" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-9" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#sa-20" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + - href: "#sr-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-8_smt + name: statement + prose: "Apply the following systems security and privacy engineering\ + \ principles in the specification, design, development, implementation,\ + \ and modification of the system and system components: {{ insert:\ + \ param, sa-8_prm_1 }}." + - id: sa-8_gdn + name: guidance + prose: >- + Systems security and privacy engineering principles are closely + related to and implemented throughout the system development + life cycle (see [SA-3](#sa-3) ). Organizations can apply systems + security and privacy engineering principles to new systems under + development or to systems undergoing upgrades. For existing + systems, organizations apply systems security and privacy + engineering principles to system upgrades and modifications to + the extent feasible, given the current state of hardware, + software, and firmware components within those systems. + + + The application of systems security and privacy engineering principles + helps organizations develop trustworthy, secure, and resilient systems + and reduces the susceptibility to disruptions, hazards, threats, and + the creation of privacy problems for individuals. Examples of system + security engineering principles include: developing layered protections; + establishing security and privacy policies, architecture, and controls + as the foundation for design and development; incorporating security + and privacy requirements into the system development life cycle; delineating + physical and logical security boundaries; ensuring that developers + are trained on how to build secure software; tailoring controls to + meet organizational needs; and performing threat modeling to identify + use cases, threat agents, attack vectors and patterns, design patterns, + and compensating controls needed to mitigate risk. + + + Organizations that apply systems security and privacy engineering + concepts and principles can facilitate the development of trustworthy, + secure systems, system components, and system services; reduce risk + to acceptable levels; and make informed risk management decisions. + System security engineering principles can also be used to protect + against certain supply chain risks, including incorporating tamper-resistant + hardware into a design. + - id: sa-8_obj + name: assessment-objective + props: + - name: label + value: SA-08 + class: sp800-53a + parts: + - id: sa-8_obj-1 + name: assessment-objective + props: + - name: label + value: SA-08[01] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-2 + name: assessment-objective + props: + - name: label + value: SA-08[02] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-3 + name: assessment-objective + props: + - name: label + value: SA-08[03] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-4 + name: assessment-objective + props: + - name: label + value: SA-08[04] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-5 + name: assessment-objective + props: + - name: label + value: SA-08[05] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.01 }} are applied in the modification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-6 + name: assessment-objective + props: + - name: label + value: SA-08[06] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the specification\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-7 + name: assessment-objective + props: + - name: label + value: SA-08[07] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the design\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-8 + name: assessment-objective + props: + - name: label + value: SA-08[08] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the development\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-9 + name: assessment-objective + props: + - name: label + value: SA-08[09] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the implementation\ + \ of the system and system components;" + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_obj-10 + name: assessment-objective + props: + - name: label + value: SA-08[10] + class: sp800-53a + prose: " {{ insert: param, sa-08_odp.02 }} are applied in the modification\ + \ of the system and system components." + links: + - href: "#sa-8_smt" + rel: assessment-for + links: + - href: "#sa-8_smt" + rel: assessment-for + - id: sa-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + assessment and authorization procedures + + + procedures addressing security and privacy engineering principles + used in the specification, design, development, implementation, + and modification of the system + + + system design documentation + + + security and privacy requirements and specifications for the system + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition/contracting + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with system specification, design, development, + implementation, and modification responsibilities + + + system developers + - id: sa-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for applying security and privacy + engineering principles in system specification, design, + development, implementation, and modification + + + mechanisms supporting the application of security and privacy + engineering principles in system specification, design, development, + implementation, and modification + - id: sa-9 + class: SP800-53 + title: External System Services + params: + - id: sa-09_odp.01 + label: controls + constraints: + - description: Appropriate FedRAMP Security Controls Baseline (s) + if Federal information is processed or stored within the external + system + guidelines: + - prose: controls to be employed by external system service providers + are defined; + - id: sa-09_odp.02 + label: processes, methods, and techniques + constraints: + - description: Federal/FedRAMP Continuous Monitoring requirements + must be met for external systems where Federal information is + processed or stored + guidelines: + - prose: processes, methods, and techniques employed to monitor control + compliance by external service providers are defined; + props: + - name: label + value: SA-9 + - name: label + value: SA-09 + class: sp800-53a + - name: sort-id + value: sa-09 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#77faf0bc-c394-44ad-9154-bbac3b79c8ad" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849" + rel: reference + - href: "#ac-20" + rel: related + - href: "#ca-3" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-7" + rel: related + - href: "#pl-10" + rel: related + - href: "#pl-11" + rel: related + - href: "#ps-7" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-4" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sa-9_smt + name: statement + parts: + - id: sa-9_smt.a + name: item + props: + - name: label + value: a. + prose: "Require that providers of external system services comply\ + \ with organizational security and privacy requirements and employ\ + \ the following controls: {{ insert: param, sa-09_odp.01 }};" + - id: sa-9_smt.b + name: item + props: + - name: label + value: b. + prose: Define and document organizational oversight and user roles + and responsibilities with regard to external system services; + and + - id: sa-9_smt.c + name: item + props: + - name: label + value: c. + prose: "Employ the following processes, methods, and techniques\ + \ to monitor control compliance by external service providers\ + \ on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." + - id: sa-9_gdn + name: guidance + prose: External system services are provided by an external provider, + and the organization has no direct control over the implementation + of the required controls or the assessment of control effectiveness. + Organizations establish relationships with external service providers + in a variety of ways, including through business partnerships, contracts, + interagency agreements, lines of business arrangements, licensing + agreements, joint ventures, and supply chain exchanges. The responsibility + for managing risks from the use of external system services remains + with authorizing officials. For services external to organizations, + a chain of trust requires that organizations establish and retain + a certain level of confidence that each provider in the consumer-provider + relationship provides adequate protection for the services rendered. + The extent and nature of this chain of trust vary based on relationships + between organizations and the external providers. Organizations document + the basis for the trust relationships so that the relationships can + be monitored. External system services documentation includes government, + service providers, end user security roles and responsibilities, and + service-level agreements. Service-level agreements define the expectations + of performance for implemented controls, describe measurable outcomes, + and identify remedies and response requirements for identified instances + of noncompliance. + - id: sa-9_obj + name: assessment-objective + props: + - name: label + value: SA-09 + class: sp800-53a + parts: + - id: sa-9_obj.a + name: assessment-objective + props: + - name: label + value: SA-09a. + class: sp800-53a + parts: + - id: sa-9_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-09a.[01] + class: sp800-53a + prose: providers of external system services comply with organizational + security requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-09a.[02] + class: sp800-53a + prose: providers of external system services comply with organizational + privacy requirements; + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-09a.[03] + class: sp800-53a + prose: "providers of external system services employ {{ insert:\ + \ param, sa-09_odp.01 }};" + links: + - href: "#sa-9_smt.a" + rel: assessment-for + links: + - href: "#sa-9_smt.a" + rel: assessment-for + - id: sa-9_obj.b + name: assessment-objective + props: + - name: label + value: SA-09b. + class: sp800-53a + parts: + - id: sa-9_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-09b.[01] + class: sp800-53a + prose: organizational oversight with regard to external system + services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-09b.[02] + class: sp800-53a + prose: user roles and responsibilities with regard to external + system services are defined and documented; + links: + - href: "#sa-9_smt.b" + rel: assessment-for + links: + - href: "#sa-9_smt.b" + rel: assessment-for + - id: sa-9_obj.c + name: assessment-objective + props: + - name: label + value: SA-09c. + class: sp800-53a + prose: " {{ insert: param, sa-09_odp.02 }} are employed to monitor\ + \ control compliance by external service providers on an ongoing\ + \ basis." + links: + - href: "#sa-9_smt.c" + rel: assessment-for + links: + - href: "#sa-9_smt" + rel: assessment-for + - id: sa-9_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing methods and techniques for monitoring control + compliance by external service providers of system services + + + acquisition documentation + + + contracts + + + service level agreements + + + interagency agreements + + + licensing agreements + + + list of organizational security and privacy requirements for external + provider services + + + control assessment results or reports from external providers + of system services + + + system security plan + + + privacy plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + external providers of system services + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sa-9_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring security and privacy + control compliance by external service providers on an + ongoing basis + + + mechanisms for monitoring security and privacy control compliance + by external service providers on an ongoing basis + controls: + - id: sa-9.1 + class: SP800-53-enhancement + title: Risk Assessments and Organizational Approvals + params: + - id: sa-09.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles that approve the acquisition or outsourcing + of dedicated information security services is/are defined; + props: + - name: label + value: SA-9(1) + - name: label + value: SA-09(01) + class: sp800-53a + - name: sort-id + value: sa-09.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#ca-6" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-8" + rel: related + parts: + - id: sa-9.1_smt + name: statement + parts: + - id: sa-9.1_smt.a + name: item + props: + - name: label + value: (a) + prose: Conduct an organizational assessment of risk prior to + the acquisition or outsourcing of information security services; + and + - id: sa-9.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Verify that the acquisition or outsourcing of dedicated\ + \ information security services is approved by {{ insert:\ + \ param, sa-09.01_odp }}." + - id: sa-9.1_gdn + name: guidance + prose: Information security services include the operation of security + devices, such as firewalls or key management services as well + as incident monitoring, analysis, and response. Risks assessed + can include system, mission or business, security, privacy, or + supply chain risks. + - id: sa-9.1_obj + name: assessment-objective + props: + - name: label + value: SA-09(01) + class: sp800-53a + parts: + - id: sa-9.1_obj.a + name: assessment-objective + props: + - name: label + value: SA-09(01)(a) + class: sp800-53a + prose: an organizational assessment of risk is conducted prior + to the acquisition or outsourcing of information security + services; + links: + - href: "#sa-9.1_smt.a" + rel: assessment-for + - id: sa-9.1_obj.b + name: assessment-objective + props: + - name: label + value: SA-09(01)(b) + class: sp800-53a + prose: " {{ insert: param, sa-09.01_odp }} approve the acquisition\ + \ or outsourcing of dedicated information security services." + links: + - href: "#sa-9.1_smt.b" + rel: assessment-for + links: + - href: "#sa-9.1_smt" + rel: assessment-for + - id: sa-9.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + supply chain risk management policy and procedures + + + procedures addressing external system services + + + acquisition documentation + + + acquisition contracts for the system, system component, or + system service + + + risk assessment reports + + + approval records for the acquisition or outsourcing of dedicated + security services + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with system security responsibilities + + + external providers of system services + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-9.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for conducting a risk + assessment prior to acquiring or outsourcing dedicated + security services + + + organizational processes for approving the outsourcing of + dedicated security services + + + mechanisms supporting and/or implementing risk assessment + + + mechanisms supporting and/or implementing approval processes + - id: sa-9.2 + class: SP800-53-enhancement + title: Identification of Functions, Ports, Protocols, and Services + params: + - id: sa-09.02_odp + label: external system services + constraints: + - description: all external systems where Federal information + is processed or stored + guidelines: + - prose: external system services that require the identification + of functions, ports, protocols, and other services are defined; + props: + - name: label + value: SA-9(2) + - name: label + value: SA-09(02) + class: sp800-53a + - name: sort-id + value: sa-09.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#cm-6" + rel: related + - href: "#cm-7" + rel: related + parts: + - id: sa-9.2_smt + name: statement + prose: "Require providers of the following external system services\ + \ to identify the functions, ports, protocols, and other services\ + \ required for the use of such services: {{ insert: param, sa-09.02_odp\ + \ }}." + - id: sa-9.2_gdn + name: guidance + prose: Information from external service providers regarding the + specific functions, ports, protocols, and services used in the + provision of such services can be useful when the need arises + to understand the trade-offs involved in restricting certain functions + and services or blocking certain ports and protocols. + - id: sa-9.2_obj + name: assessment-objective + props: + - name: label + value: SA-09(02) + class: sp800-53a + prose: "providers of {{ insert: param, sa-09.02_odp }} are required\ + \ to identify the functions, ports, protocols, and other services\ + \ required for the use of such services." + links: + - href: "#sa-9.2_smt" + rel: assessment-for + - id: sa-9.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + supply chain risk management policy and procedures + + + procedures addressing external system services + + + acquisition contracts for the system, system component, or + system service + + + acquisition documentation + + + solicitation documentation + + + service level agreements + + + organizational security requirements and security specifications + for external service providers + + + list of required functions, ports, protocols, and other services + + + system security plan + + + other relevant documents or records + - id: sa-9.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + system/network administrators + + + external providers of system services + - id: sa-9.5 + class: SP800-53-enhancement + title: Processing, Storage, and Service Location + params: + - id: sa-09.05_odp.01 + constraints: + - description: information processing, information or data, AND + system services + select: + how-many: one-or-more + choice: + - information processing + - information or data + - system services + - id: sa-09.05_odp.02 + label: locations + guidelines: + - prose: "locations where {{ insert: param, sa-09.05_odp.01 }}\ + \ is/are to be restricted are defined;" + - id: sa-09.05_odp.03 + label: requirements + guidelines: + - prose: "requirements or conditions for restricting the location\ + \ of {{ insert: param, sa-09.05_odp.01 }} are defined;" + props: + - name: label + value: SA-9(5) + - name: label + value: SA-09(05) + class: sp800-53a + - name: sort-id + value: sa-09.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-9" + rel: required + - href: "#sa-5" + rel: related + - href: "#sr-4" + rel: related + parts: + - id: sa-9.5_smt + name: statement + prose: "Restrict the location of {{ insert: param, sa-09.05_odp.01\ + \ }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert:\ + \ param, sa-09.05_odp.03 }}." + - id: sa-9.5_gdn + name: guidance + prose: The location of information processing, information and data + storage, or system services can have a direct impact on the ability + of organizations to successfully execute their mission and business + functions. The impact occurs when external providers control the + location of processing, storage, or services. The criteria that + external providers use for the selection of processing, storage, + or service locations may be different from the criteria that organizations + use. For example, organizations may desire that data or information + storage locations be restricted to certain locations to help facilitate + incident response activities in case of information security incidents + or breaches. Incident response activities, including forensic + analyses and after-the-fact investigations, may be adversely affected + by the governing laws, policies, or protocols in the locations + where processing and storage occur and/or the locations from which + system services emanate. + - id: sa-9.5_obj + name: assessment-objective + props: + - name: label + value: SA-09(05) + class: sp800-53a + prose: "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert:\ + \ param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param,\ + \ sa-09.05_odp.02 }}." + links: + - href: "#sa-9.5_smt" + rel: assessment-for + - id: sa-9.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-09(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing external system services + + + acquisition contracts for the system, system component, or + system service + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + restricted locations for information processing + + + information/data and/or system services + + + information processing, information/data, and/or system services + to be maintained in restricted locations + + + organizational security requirements or conditions for external + providers + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-9.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-09(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + external providers of system services + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-9.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-09(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining the requirements + to restrict locations of information processing, + information/data, or information services + + + organizational processes for ensuring the location is restricted + in accordance with requirements or conditions + - id: sa-10 + class: SP800-53 + title: Developer Configuration Management + params: + - id: sa-10_odp.01 + constraints: + - description: development, implementation, AND operation + select: + how-many: one-or-more + choice: + - design + - development + - implementation + - operation + - disposal + - id: sa-10_odp.02 + label: configuration items + guidelines: + - prose: configuration items under configuration management are defined; + - id: sa-10_odp.03 + label: personnel + guidelines: + - prose: personnel to whom security flaws and flaw resolutions within + the system, component, or service are reported is/are defined; + props: + - name: label + value: SA-10 + - name: label + value: SA-10 + class: sp800-53a + - name: sort-id + value: sa-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#cm-2" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-9" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + parts: + - id: sa-10_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service to:" + parts: + - id: sa-10_smt.a + name: item + props: + - name: label + value: a. + prose: "Perform configuration management during system, component,\ + \ or service {{ insert: param, sa-10_odp.01 }};" + - id: sa-10_smt.b + name: item + props: + - name: label + value: b. + prose: "Document, manage, and control the integrity of changes to\ + \ {{ insert: param, sa-10_odp.02 }};" + - id: sa-10_smt.c + name: item + props: + - name: label + value: c. + prose: Implement only organization-approved changes to the system, + component, or service; + - id: sa-10_smt.d + name: item + props: + - name: label + value: d. + prose: Document approved changes to the system, component, or service + and the potential security and privacy impacts of such changes; + and + - id: sa-10_smt.e + name: item + props: + - name: label + value: e. + prose: "Track security flaws and flaw resolution within the system,\ + \ component, or service and report findings to {{ insert: param,\ + \ sa-10_odp.03 }}." + - id: sa-10_fr + name: item + title: SA-10 Additional FedRAMP Requirements and Guidance + parts: + - id: sa-10_fr_smt.1 + name: item + props: + - name: label + value: "(e) Requirement:" + prose: track security flaws and flaw resolution within the system, + component, or service and report findings to organization-defined + personnel, to include FedRAMP. + - id: sa-10_gdn + name: guidance + prose: >- + Organizations consider the quality and completeness of + configuration management activities conducted by developers as + direct evidence of applying effective security controls. + Controls include protecting the master copies of material used + to generate security-relevant portions of the system hardware, + software, and firmware from unauthorized modification or + destruction. Maintaining the integrity of changes to the system, + system component, or system service requires strict + configuration control throughout the system development life + cycle to track authorized changes and prevent unauthorized + changes. + + + The configuration items that are placed under configuration management + include the formal model; the functional, high-level, and low-level + design specifications; other design data; implementation documentation; + source code and hardware schematics; the current running version of + the object code; tools for comparing new versions of security-relevant + hardware descriptions and source code with previous versions; and + test fixtures and documentation. Depending on the mission and business + needs of organizations and the nature of the contractual relationships + in place, developers may provide configuration management support + during the operations and maintenance stage of the system development + life cycle. + - id: sa-10_obj + name: assessment-objective + props: + - name: label + value: SA-10 + class: sp800-53a + parts: + - id: sa-10_obj.a + name: assessment-objective + props: + - name: label + value: SA-10a. + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to perform configuration management during\ + \ system, component, or service {{ insert: param, sa-10_odp.01\ + \ }};" + links: + - href: "#sa-10_smt.a" + rel: assessment-for + - id: sa-10_obj.b + name: assessment-objective + props: + - name: label + value: SA-10b. + class: sp800-53a + parts: + - id: sa-10_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-10b.[01] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to document the integrity of changes\ + \ to {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-10b.[02] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to manage the integrity of changes to\ + \ {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.b-3 + name: assessment-objective + props: + - name: label + value: SA-10b.[03] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to control the integrity of changes\ + \ to {{ insert: param, sa-10_odp.02 }};" + links: + - href: "#sa-10_smt.b" + rel: assessment-for + links: + - href: "#sa-10_smt.b" + rel: assessment-for + - id: sa-10_obj.c + name: assessment-objective + props: + - name: label + value: SA-10c. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to implement only organization-approved changes + to the system, component, or service; + links: + - href: "#sa-10_smt.c" + rel: assessment-for + - id: sa-10_obj.d + name: assessment-objective + props: + - name: label + value: SA-10d. + class: sp800-53a + parts: + - id: sa-10_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-10d.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document approved changes to the system, + component, or service; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-10d.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document the potential security impacts + of approved changes; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.d-3 + name: assessment-objective + props: + - name: label + value: SA-10d.[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to document the potential privacy impacts + of approved changes; + links: + - href: "#sa-10_smt.d" + rel: assessment-for + links: + - href: "#sa-10_smt.d" + rel: assessment-for + - id: sa-10_obj.e + name: assessment-objective + props: + - name: label + value: SA-10e. + class: sp800-53a + parts: + - id: sa-10_obj.e-1 + name: assessment-objective + props: + - name: label + value: SA-10e.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to track security flaws within the system, + component, or service; + links: + - href: "#sa-10_smt.e" + rel: assessment-for + - id: sa-10_obj.e-2 + name: assessment-objective + props: + - name: label + value: SA-10e.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to track security flaw resolutions within + the system, component, or service; + links: + - href: "#sa-10_smt.e" + rel: assessment-for + - id: sa-10_obj.e-3 + name: assessment-objective + props: + - name: label + value: SA-10e.[03] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to report findings to {{ insert: param,\ + \ sa-10_odp.03 }}." + links: + - href: "#sa-10_smt.e" + rel: assessment-for + links: + - href: "#sa-10_smt.e" + rel: assessment-for + links: + - href: "#sa-10_smt" + rel: assessment-for + - id: sa-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing system developer configuration management + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system developer configuration management plan + + + security flaw and flaw resolution tracking records + + + system change authorization records + + + change control records + + + configuration management records + + + system security plan + + + other relevant documents or records + - id: sa-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with configuration management responsibilities + + + system developers + - id: sa-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + configuration management + + + mechanisms supporting and/or implementing the monitoring of developer + configuration management + - id: sa-11 + class: SP800-53 + title: Developer Testing and Evaluation + params: + - id: sa-11_odp.01 + select: + how-many: one-or-more + choice: + - unit + - integration + - system + - regression + - id: sa-11_odp.02 + label: frequency to conduct + guidelines: + - prose: "frequency at which to conduct {{ insert: param, sa-11_odp.01\ + \ }} testing/evaluation is defined;" + - id: sa-11_odp.03 + label: depth and coverage + guidelines: + - prose: "depth and coverage of {{ insert: param, sa-11_odp.01 }}\ + \ testing/evaluation is defined;" + props: + - name: label + value: SA-11 + - name: label + value: SA-11 + class: sp800-53a + - name: sort-id + value: sa-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d" + rel: reference + - href: "#708b94e1-3d5e-4b22-ab43-1c69f3a97e37" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-4" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-15" + rel: related + - href: "#sa-17" + rel: related + - href: "#si-2" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-7" + rel: related + parts: + - id: sa-11_smt + name: statement + prose: "Require the developer of the system, system component, or system\ + \ service, at all post-design stages of the system development life\ + \ cycle, to:" + parts: + - id: sa-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement a plan for ongoing security and privacy + control assessments; + - id: sa-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation\ + \ {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03\ + \ }};" + - id: sa-11_smt.c + name: item + props: + - name: label + value: c. + prose: Produce evidence of the execution of the assessment plan + and the results of the testing and evaluation; + - id: sa-11_smt.d + name: item + props: + - name: label + value: d. + prose: Implement a verifiable flaw remediation process; and + - id: sa-11_smt.e + name: item + props: + - name: label + value: e. + prose: Correct flaws identified during testing and evaluation. + - id: sa-11_gdn + name: guidance + prose: >- + Developmental testing and evaluation confirms that the required + controls are implemented correctly, operating as intended, + enforcing the desired security and privacy policies, and meeting + established security and privacy requirements. Security + properties of systems and the privacy of individuals may be + affected by the interconnection of system components or changes + to those components. The interconnections or changes—including + upgrading or replacing applications, operating systems, and + firmware—may adversely affect previously implemented controls. + Ongoing assessment during development allows for additional + types of testing and evaluation that developers can conduct to + reduce or eliminate potential flaws. Testing custom software + applications may require approaches such as manual code review, + security architecture review, and penetration testing, as well + as and static analysis, dynamic analysis, binary analysis, or a + hybrid of the three analysis approaches. + + + Developers can use the analysis approaches, along with security instrumentation + and fuzzing, in a variety of tools and in source code reviews. The + security and privacy assessment plans include the specific activities + that developers plan to carry out, including the types of analyses, + testing, evaluation, and reviews of software and firmware components; + the degree of rigor to be applied; the frequency of the ongoing testing + and evaluation; and the types of artifacts produced during those processes. + The depth of testing and evaluation refers to the rigor and level + of detail associated with the assessment process. The coverage of + testing and evaluation refers to the scope (i.e., number and type) + of the artifacts included in the assessment process. Contracts specify + the acceptance criteria for security and privacy assessment plans, + flaw remediation processes, and the evidence that the plans and processes + have been diligently applied. Methods for reviewing and protecting + assessment plans, evidence, and documentation are commensurate with + the security category or classification level of the system. Contracts + may specify protection requirements for documentation. + - id: sa-11_obj + name: assessment-objective + props: + - name: label + value: SA-11 + class: sp800-53a + parts: + - id: sa-11_obj.a + name: assessment-objective + props: + - name: label + value: SA-11a. + class: sp800-53a + parts: + - id: sa-11_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-11a.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to develop a plan for ongoing security + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-11a.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to implement a plan for ongoing security + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-11a.[03] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to develop a plan for privacy assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-11a.[04] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to implement a plan for ongoing privacy + assessments; + links: + - href: "#sa-11_smt.a" + rel: assessment-for + links: + - href: "#sa-11_smt.a" + rel: assessment-for + - id: sa-11_obj.b + name: assessment-objective + props: + - name: label + value: SA-11b. + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required at all post-design stages of the system\ + \ development life cycle to perform {{ insert: param, sa-11_odp.01\ + \ }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{\ + \ insert: param, sa-11_odp.03 }};" + links: + - href: "#sa-11_smt.b" + rel: assessment-for + - id: sa-11_obj.c + name: assessment-objective + props: + - name: label + value: SA-11c. + class: sp800-53a + parts: + - id: sa-11_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-11c.[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to produce evidence of the execution + of the assessment plan; + links: + - href: "#sa-11_smt.c" + rel: assessment-for + - id: sa-11_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-11c.[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system + development life cycle to produce the results of the testing + and evaluation; + links: + - href: "#sa-11_smt.c" + rel: assessment-for + links: + - href: "#sa-11_smt.c" + rel: assessment-for + - id: sa-11_obj.d + name: assessment-objective + props: + - name: label + value: SA-11d. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system development + life cycle to implement a verifiable flaw remediation process; + links: + - href: "#sa-11_smt.d" + rel: assessment-for + - id: sa-11_obj.e + name: assessment-objective + props: + - name: label + value: SA-11e. + class: sp800-53a + prose: the developer of the system, system component, or system + service is required at all post-design stages of the system development + life cycle to correct flaws identified during testing and evaluation. + links: + - href: "#sa-11_smt.e" + rel: assessment-for + links: + - href: "#sa-11_smt" + rel: assessment-for + - id: sa-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system developer security and privacy testing + + + procedures addressing flaw remediation + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + security and privacy architecture + + + system design documentation + + + system developer security and privacy assessment plans + + + results of developer security and privacy assessments for the + system, system component, or system service + + + security and privacy flaw and remediation tracking records + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with developer security and privacy testing + responsibilities + + + system developers + - id: sa-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer security + testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of developer + security and privacy testing and evaluation + controls: + - id: sa-11.1 + class: SP800-53-enhancement + title: Static Code Analysis + props: + - name: label + value: SA-11(1) + - name: label + value: SA-11(01) + class: sp800-53a + - name: sort-id + value: sa-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-11" + rel: required + parts: + - id: sa-11.1_smt + name: statement + prose: Require the developer of the system, system component, or + system service to employ static code analysis tools to identify + common flaws and document the results of the analysis. + parts: + - id: sa-11.1_fr + name: item + title: SA-11(1) Additional FedRAMP Requirements + parts: + - id: sa-11.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: >- + The service provider must document its methodology + for reviewing newly developed code for the Service + in its Continuous Monitoring Plan. + + + If Static code analysis cannot be performed (for example, + when the source code is not available), then dynamic code + analysis must be performed (see SA-11 (8)) + - id: sa-11.1_gdn + name: guidance + prose: Static code analysis provides a technology and methodology + for security reviews and includes checking for weaknesses in the + code as well as for the incorporation of libraries or other included + code with known vulnerabilities or that are out-of-date and not + supported. Static code analysis can be used to identify vulnerabilities + and enforce secure coding practices. It is most effective when + used early in the development process, when each code change can + automatically be scanned for potential weaknesses. Static code + analysis can provide clear remediation guidance and identify defects + for developers to fix. Evidence of the correct implementation + of static analysis can include aggregate defect density for critical + defect types, evidence that defects were inspected by developers + or security professionals, and evidence that defects were remediated. + A high density of ignored findings, commonly referred to as false + positives, indicates a potential problem with the analysis process + or the analysis tool. In such cases, organizations weigh the validity + of the evidence against evidence from other sources. + - id: sa-11.1_obj + name: assessment-objective + props: + - name: label + value: SA-11(01) + class: sp800-53a + parts: + - id: sa-11.1_obj-1 + name: assessment-objective + props: + - name: label + value: SA-11(01)[01] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to employ static code analysis tools to + identify common flaws; + links: + - href: "#sa-11.1_smt" + rel: assessment-for + - id: sa-11.1_obj-2 + name: assessment-objective + props: + - name: label + value: SA-11(01)[02] + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to employ static code analysis tools to + document the results of the analysis. + links: + - href: "#sa-11.1_smt" + rel: assessment-for + links: + - href: "#sa-11.1_smt" + rel: assessment-for + - id: sa-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing system developer security testing + + + procedures addressing flaw remediation + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + security and privacy architecture + + + system design documentation + + + system developer security and privacy assessment plans + + + results of system developer security and privacy assessments + + + security flaw and remediation tracking records + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with developer security and privacy + testing responsibilities + + + organizational personnel with configuration management responsibilities + + + system developers + - id: sa-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + security testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of + developer security testing and evaluation + + + static code analysis tools + - id: sa-11.2 + class: SP800-53-enhancement + title: Threat Modeling and Vulnerability Analyses + params: + - id: sa-11.2_prm_3 + label: organization-defined breadth and depth of modeling and analyses + - id: sa-11.2_prm_4 + label: organization-defined acceptance criteria + - id: sa-11.02_odp.01 + label: information + guidelines: + - prose: information concerning impact, environment of operations, + known or assumed threats, and acceptable risk levels to be + used as contextual information for threat modeling and vulnerability + analyses is defined; + - id: sa-11.02_odp.02 + label: tools and methods + guidelines: + - prose: the tools and methods to be employed for threat modeling + and vulnerability analyses are defined; + - id: sa-11.02_odp.03 + label: breadth and depth + guidelines: + - prose: the breadth and depth of threat modeling to be conducted + is defined; + - id: sa-11.02_odp.04 + label: breadth and depth + guidelines: + - prose: the breadth and depth of vulnerability analyses to be + conducted is defined; + - id: sa-11.02_odp.05 + label: acceptance criteria + guidelines: + - prose: acceptance criteria to be met by produced evidence for + threat modeling are defined; + - id: sa-11.02_odp.06 + label: acceptance criteria + guidelines: + - prose: acceptance criteria to be met by produced evidence for + vulnerability analyses are defined; + props: + - name: label + value: SA-11(2) + - name: label + value: SA-11(02) + class: sp800-53a + - name: sort-id + value: sa-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-11" + rel: required + - href: "#pm-15" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-5" + rel: related + parts: + - id: sa-11.2_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to perform threat modeling and vulnerability\ + \ analyses during development and the subsequent testing and evaluation\ + \ of the system, component, or service that:" + parts: + - id: sa-11.2_smt.a + name: item + props: + - name: label + value: (a) + prose: "Uses the following contextual information: {{ insert:\ + \ param, sa-11.02_odp.01 }};" + - id: sa-11.2_smt.b + name: item + props: + - name: label + value: (b) + prose: "Employs the following tools and methods: {{ insert:\ + \ param, sa-11.02_odp.02 }};" + - id: sa-11.2_smt.c + name: item + props: + - name: label + value: (c) + prose: "Conducts the modeling and analyses at the following\ + \ level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and" + - id: sa-11.2_smt.d + name: item + props: + - name: label + value: (d) + prose: "Produces evidence that meets the following acceptance\ + \ criteria: {{ insert: param, sa-11.2_prm_4 }}." + - id: sa-11.2_gdn + name: guidance + prose: Systems, system components, and system services may deviate + significantly from the functional and design specifications created + during the requirements and design stages of the system development + life cycle. Therefore, updates to threat modeling and vulnerability + analyses of those systems, system components, and system services + during development and prior to delivery are critical to the effective + operation of those systems, components, and services. Threat modeling + and vulnerability analyses at this stage of the system development + life cycle ensure that design and implementation changes have + been accounted for and that vulnerabilities created because of + those changes have been reviewed and mitigated. + - id: sa-11.2_obj + name: assessment-objective + props: + - name: label + value: SA-11(02) + class: sp800-53a + parts: + - id: sa-11.2_obj.a + name: assessment-objective + props: + - name: label + value: SA-11(02)(a) + class: sp800-53a + parts: + - id: sa-11.2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that uses {{ insert: param, sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that uses {{ insert: param, sa-11.02_odp.01\ + \ }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that uses {{ insert: param,\ + \ sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.a-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(a)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that uses {{ insert:\ + \ param, sa-11.02_odp.01 }};" + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + links: + - href: "#sa-11.2_smt.a" + rel: assessment-for + - id: sa-11.2_obj.b + name: assessment-objective + props: + - name: label + value: SA-11(02)(b) + class: sp800-53a + parts: + - id: sa-11.2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that employs {{ insert: param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that employs {{ insert:\ + \ param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that employs {{ insert: param, sa-11.02_odp.02\ + \ }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(b)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that employs {{\ + \ insert: param, sa-11.02_odp.02 }};" + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + links: + - href: "#sa-11.2_smt.b" + rel: assessment-for + - id: sa-11.2_obj.c + name: assessment-objective + props: + - name: label + value: SA-11(02)(c) + class: sp800-53a + parts: + - id: sa-11.2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(c)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ at {{ insert: param, sa-11.02_odp.03 }} during development\ + \ of the system, component, or service;" + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + - id: sa-11.2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(c)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that conducts modeling\ + \ and analyses at {{ insert: param, sa-11.02_odp.04 }};" + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + links: + - href: "#sa-11.2_smt.c" + rel: assessment-for + - id: sa-11.2_obj.d + name: assessment-objective + props: + - name: label + value: SA-11(02)(d) + class: sp800-53a + parts: + - id: sa-11.2_obj.d-1 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during development of the system, component, or service\ + \ that produces evidence that meets {{ insert: param,\ + \ sa-11.02_odp.05 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-2 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform threat modeling\ + \ during the subsequent testing and evaluation of the\ + \ system, component, or service that produces evidence\ + \ that meets {{ insert: param, sa-11.02_odp.05 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-3 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[03] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during development of the system, component,\ + \ or service that produces evidence that meets {{ insert:\ + \ param, sa-11.02_odp.06 }};" + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + - id: sa-11.2_obj.d-4 + name: assessment-objective + props: + - name: label + value: SA-11(02)(d)[04] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform vulnerability\ + \ analyses during the subsequent testing and evaluation\ + \ of the system, component, or service that produces evidence\ + \ that meets {{ insert: param, sa-11.02_odp.06 }}." + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + links: + - href: "#sa-11.2_smt.d" + rel: assessment-for + links: + - href: "#sa-11.2_smt" + rel: assessment-for + - id: sa-11.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-11(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing system developer security testing + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + system developer security test plans + + + records of developer security testing results for the system, + system component, or system service + + + vulnerability scanning results + + + system risk assessment reports + + + threat and vulnerability analysis reports + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-11.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-11(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with developer security testing responsibilities + + + system developers + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-11.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-11(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for monitoring developer + security testing and evaluation + + + mechanisms supporting and/or implementing the monitoring of + developer security testing and evaluation + - id: sa-15 + class: SP800-53 + title: Development Process, Standards, and Tools + params: + - id: sa-15_prm_2 + label: organization-defined security and privacy requirements + - id: sa-15_odp.01 + label: frequency + constraints: + - description: frequency at least annually + guidelines: + - prose: frequency at which to review the development process, standards, + tools, tool options, and tool configurations is defined; + - id: sa-15_odp.02 + label: security requirements + constraints: + - description: FedRAMP Security Authorization requirements + guidelines: + - prose: security requirements to be satisfied by the process, standards, + tools, tool options, and tool configurations are defined; + - id: sa-15_odp.03 + label: privacy requirements + guidelines: + - prose: privacy requirements to be satisfied by the process, standards, + tools, tool options, and tool configurations are defined; + props: + - name: label + value: SA-15 + - name: label + value: SA-15 + class: sp800-53a + - name: sort-id + value: sa-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#d4296805-2dca-4c63-a95f-eeccaa826aec" + rel: reference + - href: "#ma-6" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + parts: + - id: sa-15_smt + name: statement + parts: + - id: sa-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Require the developer of the system, system component, or\ + \ system service to follow a documented development process that:" + parts: + - id: sa-15_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: Explicitly addresses security and privacy requirements; + - id: sa-15_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Identifies the standards and tools used in the development + process; + - id: sa-15_smt.a.3 + name: item + props: + - name: label + value: "3." + prose: Documents the specific tool options and tool configurations + used in the development process; and + - id: sa-15_smt.a.4 + name: item + props: + - name: label + value: "4." + prose: Documents, manages, and ensures the integrity of changes + to the process and/or tools used in development; and + - id: sa-15_smt.b + name: item + props: + - name: label + value: b. + prose: "Review the development process, standards, tools, tool options,\ + \ and tool configurations {{ insert: param, sa-15_odp.01 }} to\ + \ determine if the process, standards, tools, tool options and\ + \ tool configurations selected and employed can satisfy the following\ + \ security and privacy requirements: {{ insert: param, sa-15_prm_2\ + \ }}." + - id: sa-15_gdn + name: guidance + prose: Development tools include programming languages and computer-aided + design systems. Reviews of development processes include the use of + maturity models to determine the potential effectiveness of such processes. + Maintaining the integrity of changes to tools and processes facilitates + effective supply chain risk assessment and mitigation. Such integrity + requires configuration control throughout the system development life + cycle to track authorized changes and prevent unauthorized changes. + - id: sa-15_obj + name: assessment-objective + props: + - name: label + value: SA-15 + class: sp800-53a + parts: + - id: sa-15_obj.a + name: assessment-objective + props: + - name: label + value: SA-15a. + class: sp800-53a + parts: + - id: sa-15_obj.a.1 + name: assessment-objective + props: + - name: label + value: SA-15a.01 + class: sp800-53a + parts: + - id: sa-15_obj.a.1-1 + name: assessment-objective + props: + - name: label + value: SA-15a.01[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that explicitly addresses security requirements; + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + - id: sa-15_obj.a.1-2 + name: assessment-objective + props: + - name: label + value: SA-15a.01[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that explicitly addresses privacy requirements; + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + links: + - href: "#sa-15_smt.a.1" + rel: assessment-for + - id: sa-15_obj.a.2 + name: assessment-objective + props: + - name: label + value: SA-15a.02 + class: sp800-53a + parts: + - id: sa-15_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SA-15a.02[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that identifies the standards used in the development + process; + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + - id: sa-15_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SA-15a.02[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that identifies the tools used in the development + process; + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + links: + - href: "#sa-15_smt.a.2" + rel: assessment-for + - id: sa-15_obj.a.3 + name: assessment-objective + props: + - name: label + value: SA-15a.03 + class: sp800-53a + parts: + - id: sa-15_obj.a.3-1 + name: assessment-objective + props: + - name: label + value: SA-15a.03[01] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that documents the specific tool used in the development + process; + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + - id: sa-15_obj.a.3-2 + name: assessment-objective + props: + - name: label + value: SA-15a.03[02] + class: sp800-53a + prose: the developer of the system, system component, or + system service is required to follow a documented development + process that documents the specific tool configurations + used in the development process; + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + links: + - href: "#sa-15_smt.a.3" + rel: assessment-for + - id: sa-15_obj.a.4 + name: assessment-objective + props: + - name: label + value: SA-15a.04 + class: sp800-53a + prose: the developer of the system, system component, or system + service is required to follow a documented development process + that documents, manages, and ensures the integrity of changes + to the process and/or tools used in development; + links: + - href: "#sa-15_smt.a.4" + rel: assessment-for + links: + - href: "#sa-15_smt.a" + rel: assessment-for + - id: sa-15_obj.b + name: assessment-objective + props: + - name: label + value: SA-15b. + class: sp800-53a + parts: + - id: sa-15_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-15b.[01] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to follow a documented development process\ + \ in which the development process, standards, tools, tool\ + \ options, and tool configurations are reviewed {{ insert:\ + \ param, sa-15_odp.01 }} to determine that the process, standards,\ + \ tools, tool options, and tool configurations selected and\ + \ employed satisfy {{ insert: param, sa-15_odp.02 }};" + links: + - href: "#sa-15_smt.b" + rel: assessment-for + - id: sa-15_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-15b.[02] + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to follow a documented development process\ + \ in which the development process, standards, tools, tool\ + \ options, and tool configurations are reviewed {{ insert:\ + \ param, sa-15_odp.01 }} to determine that the process, standards,\ + \ tools, tool options, and tool configurations selected and\ + \ employed satisfy {{ insert: param, sa-15_odp.03 }}." + links: + - href: "#sa-15_smt.b" + rel: assessment-for + links: + - href: "#sa-15_smt.b" + rel: assessment-for + links: + - href: "#sa-15_smt" + rel: assessment-for + - id: sa-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing development process, standards, and tools + + + procedures addressing the integration of security and privacy + requirements during the development process + + + solicitation documentation + + + acquisition documentation + + + critical component inventory documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + system developer documentation listing tool options/configuration + guides + + + configuration management policy + + + configuration management records + + + documentation of development process reviews using maturity models + + + change control records + + + configuration control records + + + documented reviews of the development process, standards, tools, + and tool options/configurations + + + system security plan + + + privacy plan + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: sa-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + system developer + controls: + - id: sa-15.3 + class: SP800-53-enhancement + title: Criticality Analysis + params: + - id: sa-15.3_prm_2 + label: organization-defined breadth and depth of criticality analysis + - id: sa-15.03_odp.01 + label: decision points + guidelines: + - prose: decision points in the system development life cycle + are defined; + - id: sa-15.03_odp.02 + label: breadth + guidelines: + - prose: the breadth of criticality analysis is defined; + - id: sa-15.03_odp.03 + label: depth + guidelines: + - prose: the depth of criticality analysis is defined; + props: + - name: label + value: SA-15(3) + - name: label + value: SA-15(03) + class: sp800-53a + - name: sort-id + value: sa-15.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sa-15" + rel: required + - href: "#ra-9" + rel: related + parts: + - id: sa-15.3_smt + name: statement + prose: "Require the developer of the system, system component, or\ + \ system service to perform a criticality analysis:" + parts: + - id: sa-15.3_smt.a + name: item + props: + - name: label + value: (a) + prose: "At the following decision points in the system development\ + \ life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and" + - id: sa-15.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "At the following level of rigor: {{ insert: param, sa-15.3_prm_2\ + \ }}." + - id: sa-15.3_gdn + name: guidance + prose: Criticality analysis performed by the developer provides + input to the criticality analysis performed by organizations. + Developer input is essential to organizational criticality analysis + because organizations may not have access to detailed design documentation + for system components that are developed as commercial off-the-shelf + products. Such design documentation includes functional specifications, + high-level designs, low-level designs, source code, and hardware + schematics. Criticality analysis is important for organizational + systems that are designated as high value assets. High value assets + can be moderate- or high-impact systems due to heightened adversarial + interest or potential adverse effects on the federal enterprise. + Developer input is especially important when organizations conduct + supply chain criticality analyses. + - id: sa-15.3_obj + name: assessment-objective + props: + - name: label + value: SA-15(03) + class: sp800-53a + parts: + - id: sa-15.3_obj.a + name: assessment-objective + props: + - name: label + value: SA-15(03)(a) + class: sp800-53a + prose: "the developer of the system, system component, or system\ + \ service is required to perform a criticality analysis at\ + \ {{ insert: param, sa-15.03_odp.01 }} in the system development\ + \ life cycle;" + links: + - href: "#sa-15.3_smt.a" + rel: assessment-for + - id: sa-15.3_obj.b + name: assessment-objective + props: + - name: label + value: SA-15(03)(b) + class: sp800-53a + parts: + - id: sa-15.3_obj.b-1 + name: assessment-objective + props: + - name: label + value: SA-15(03)(b)[01] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform a criticality\ + \ analysis at the following rigor level: {{ insert: param,\ + \ sa-15.03_odp.02 }};" + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + - id: sa-15.3_obj.b-2 + name: assessment-objective + props: + - name: label + value: SA-15(03)(b)[02] + class: sp800-53a + prose: "the developer of the system, system component, or\ + \ system service is required to perform a criticality\ + \ analysis at the following rigor level: {{ insert: param,\ + \ sa-15.03_odp.03 }} ." + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + links: + - href: "#sa-15.3_smt.b" + rel: assessment-for + links: + - href: "#sa-15.3_smt" + rel: assessment-for + - id: sa-15.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-15(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing development process, standards, and + tools + + + procedures addressing criticality analysis requirements for + the system, system component, or system service + + + solicitation documentation + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or + system service + + + criticality analysis documentation + + + business impact analysis documentation + + + software development life cycle documentation + + + system security plan + + + other relevant documents or records + - id: sa-15.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-15(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel responsible for performing criticality + analysis + + + system developer + + + organizational personnel with supply chain risk management + responsibilities + - id: sa-15.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-15(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for performing criticality + analysis + + + mechanisms supporting and/or implementing criticality analysis + - id: sa-22 + class: SP800-53 + title: Unsupported System Components + params: + - id: sa-22_odp.01 + select: + how-many: one-or-more + choice: + - in-house support + - " {{ insert: param, sa-22_odp.02 }} " + - id: sa-22_odp.02 + label: support from external providers + guidelines: + - prose: support from external providers is defined (if selected); + props: + - name: label + value: SA-22 + - name: label + value: SA-22 + class: sp800-53a + - name: sort-id + value: sa-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#pl-2" + rel: related + - href: "#sa-3" + rel: related + parts: + - id: sa-22_smt + name: statement + parts: + - id: sa-22_smt.a + name: item + props: + - name: label + value: a. + prose: Replace system components when support for the components + is no longer available from the developer, vendor, or manufacturer; + or + - id: sa-22_smt.b + name: item + props: + - name: label + value: b. + prose: "Provide the following options for alternative sources for\ + \ continued support for unsupported components {{ insert: param,\ + \ sa-22_odp.01 }}." + - id: sa-22_gdn + name: guidance + prose: >- + Support for system components includes software patches, + firmware updates, replacement parts, and maintenance contracts. + An example of unsupported components includes when vendors no + longer provide critical software patches or product updates, + which can result in an opportunity for adversaries to exploit + weaknesses in the installed components. Exceptions to replacing + unsupported system components include systems that provide + critical mission or business capabilities where newer + technologies are not available or where the systems are so + isolated that installing replacement components is not an + option. + + + Alternative sources for support address the need to provide continued + support for system components that are no longer supported by the + original manufacturers, developers, or vendors when such components + remain essential to organizational mission and business functions. + If necessary, organizations can establish in-house support by developing + customized patches for critical software components or, alternatively, + obtain the services of external providers who provide ongoing support + for the designated unsupported components through contractual relationships. + Such contractual relationships can include open-source software value-added + vendors. The increased risk of using unsupported system components + can be mitigated, for example, by prohibiting the connection of such + components to public or uncontrolled networks, or implementing other + forms of isolation. + - id: sa-22_obj + name: assessment-objective + props: + - name: label + value: SA-22 + class: sp800-53a + parts: + - id: sa-22_obj.a + name: assessment-objective + props: + - name: label + value: SA-22a. + class: sp800-53a + prose: system components are replaced when support for the components + is no longer available from the developer, vendor, or manufacturer; + links: + - href: "#sa-22_smt.a" + rel: assessment-for + - id: sa-22_obj.b + name: assessment-objective + props: + - name: label + value: SA-22b. + class: sp800-53a + prose: " {{ insert: param, sa-22_odp.01 }} provide options for alternative\ + \ sources for continued support for unsupported components." + links: + - href: "#sa-22_smt.b" + rel: assessment-for + links: + - href: "#sa-22_smt" + rel: assessment-for + - id: sa-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SA-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and services acquisition policy + + + procedures addressing the replacement or continued use of unsupported + system components + + + documented evidence of replacing unsupported system components + + + documented approvals (including justification) for the continued + use of unsupported system components + + + system security plan + + + supply chain risk management plan + + + other relevant documents or records + - id: sa-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SA-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with the responsibility for the system + development life cycle + + + organizational personnel responsible for component replacement + - id: sa-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SA-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for replacing unsupported system + components + + + mechanisms supporting and/or implementing the replacement of unsupported + system components + - id: sc + class: family + title: System and Communications Protection + controls: + - id: sc-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sc-1_prm_1 + label: organization-defined personnel or roles + - id: sc-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection policy is to be disseminated is/are defined; + - id: sc-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and communications + protection procedures are to be disseminated is/are defined; + - id: sc-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business-process-level + - system-level + - id: sc-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and communications protection + policy and procedures is defined; + - id: sc-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and communications + protection policy is reviewed and updated is defined; + - id: sc-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and communications + protection policy to be reviewed and updated are defined; + - id: sc-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and communications + protection procedures are reviewed and updated is defined; + - id: sc-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and communications protection + procedures to be reviewed and updated are defined; + props: + - name: label + value: SC-1 + - name: label + value: SC-01 + class: sp800-53a + - name: sort-id + value: sc-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sc-1_smt + name: statement + parts: + - id: sc-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sc-1_prm_1 }}:" + parts: + - id: sc-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sc-01_odp.03 }} system and communications\ + \ protection policy that:" + parts: + - id: sc-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sc-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sc-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and communications protection policy and the associated system + and communications protection controls; + - id: sc-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sc-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures; and" + - id: sc-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and communications\ + \ protection:" + parts: + - id: sc-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sc-01_odp.05 }} and following\ + \ {{ insert: param, sc-01_odp.06 }} ; and" + - id: sc-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sc-01_odp.07 }} and following\ + \ {{ insert: param, sc-01_odp.08 }}." + - id: sc-1_gdn + name: guidance + prose: System and communications protection policy and procedures address + the controls in the SC family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and communications protection policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and communications protection policy and procedures include + assessment or audit findings, security incidents or breaches, or changes + in applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines. Simply restating controls does not constitute + an organizational policy or procedure. + - id: sc-1_obj + name: assessment-objective + props: + - name: label + value: SC-01 + class: sp800-53a + parts: + - id: sc-1_obj.a + name: assessment-objective + props: + - name: label + value: SC-01a. + class: sp800-53a + parts: + - id: sc-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.[01] + class: sp800-53a + prose: a system and communications protection policy is developed + and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.[02] + class: sp800-53a + prose: "the system and communications protection policy is disseminated\ + \ to {{ insert: param, sc-01_odp.01 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.[03] + class: sp800-53a + prose: system and communications protection procedures to facilitate + the implementation of the system and communications protection + policy and associated system and communications protection + controls are developed and documented; + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.[04] + class: sp800-53a + prose: "the system and communications protection procedures\ + \ are disseminated to {{ insert: param, sc-01_odp.02 }};" + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SC-01a.01 + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SC-01a.01(a) + class: sp800-53a + parts: + - id: sc-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses purpose;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses scope;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses roles;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses responsibilities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses management\ + \ commitment;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SC-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system\ + \ and communications protection policy addresses compliance;" + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1.a" + rel: assessment-for + - id: sc-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SC-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.03 }} system and\ + \ communications protection policy is consistent with\ + \ applicable laws, Executive Orders, directives, regulations,\ + \ policies, standards, and guidelines;" + links: + - href: "#sc-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sc-1_smt.a.1" + rel: assessment-for + links: + - href: "#sc-1_smt.a" + rel: assessment-for + - id: sc-1_obj.b + name: assessment-objective + props: + - name: label + value: SC-01b. + class: sp800-53a + prose: "the {{ insert: param, sc-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and communications protection policy and procedures;" + links: + - href: "#sc-1_smt.b" + rel: assessment-for + - id: sc-1_obj.c + name: assessment-objective + props: + - name: label + value: SC-01c. + class: sp800-53a + parts: + - id: sc-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SC-01c.01 + class: sp800-53a + parts: + - id: sc-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SC-01c.01[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated {{ insert: param, sc-01_odp.05\ + \ }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SC-01c.01[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ policy is reviewed and updated following {{ insert:\ + \ param, sc-01_odp.06 }};" + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + links: + - href: "#sc-1_smt.c.1" + rel: assessment-for + - id: sc-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SC-01c.02 + class: sp800-53a + parts: + - id: sc-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SC-01c.02[01] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated {{ insert: param,\ + \ sc-01_odp.07 }};" + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + - id: sc-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SC-01c.02[02] + class: sp800-53a + prose: "the current system and communications protection\ + \ procedures are reviewed and updated following {{ insert:\ + \ param, sc-01_odp.08 }}." + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c.2" + rel: assessment-for + links: + - href: "#sc-1_smt.c" + rel: assessment-for + links: + - href: "#sc-1_smt" + rel: assessment-for + - id: sc-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + system and communications protection procedures + + system security plan + + privacy plan + + risk management strategy documentation + + audit findings + + other relevant documents or records + - id: sc-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and communications + protection responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: sc-2 + class: SP800-53 + title: Separation of System and User Functionality + props: + - name: label + value: SC-2 + - name: label + value: SC-02 + class: sp800-53a + - name: sort-id + value: sc-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-6" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-3" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-22" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-39" + rel: related + parts: + - id: sc-2_smt + name: statement + prose: Separate user functionality, including user interface services, + from system management functionality. + - id: sc-2_gdn + name: guidance + prose: System management functionality includes functions that are necessary + to administer databases, network components, workstations, or servers. + These functions typically require privileged user access. The separation + of user functions from system management functions is physical or + logical. Organizations may separate system management functions from + user functions by using different computers, instances of operating + systems, central processing units, or network addresses; by employing + virtualization techniques; or some combination of these or other methods. + Separation of system management functions from user functions includes + web administrative interfaces that employ separate authentication + methods for users of any other system resources. Separation of system + and user functions may include isolating administrative interfaces + on different domains and with additional access controls. The separation + of system and user functionality can be achieved by applying the systems + security engineering design principles in [SA-8](#sa-8) , including + [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), + [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , + and [SA-8(18)](#sa-8.18). + - id: sc-2_obj + name: assessment-objective + props: + - name: label + value: SC-02 + class: sp800-53a + prose: user functionality, including user interface services, is separated + from system management functionality. + links: + - href: "#sc-2_smt" + rel: assessment-for + - id: sc-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing application partitioning + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Separation of user functionality from system management functionality + - id: sc-4 + class: SP800-53 + title: Information in Shared System Resources + props: + - name: label + value: SC-4 + - name: label + value: SC-04 + class: sp800-53a + - name: sort-id + value: sc-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#sa-8" + rel: related + parts: + - id: sc-4_smt + name: statement + prose: Prevent unauthorized and unintended information transfer via + shared system resources. + - id: sc-4_gdn + name: guidance + prose: Preventing unauthorized and unintended information transfer via + shared system resources stops information produced by the actions + of prior users or roles (or the actions of processes acting on behalf + of prior users or roles) from being available to current users or + roles (or current processes acting on behalf of current users or roles) + that obtain access to shared system resources after those resources + have been released back to the system. Information in shared system + resources also applies to encrypted representations of information. + In other contexts, control of information in shared system resources + is referred to as object reuse and residual information protection. + Information in shared system resources does not address information + remanence, which refers to the residual representation of data that + has been nominally deleted; covert channels (including storage and + timing channels), where shared system resources are manipulated to + violate information flow restrictions; or components within systems + for which there are only single users or roles. + - id: sc-4_obj + name: assessment-objective + props: + - name: label + value: SC-04 + class: sp800-53a + parts: + - id: sc-4_obj-1 + name: assessment-objective + props: + - name: label + value: SC-04[01] + class: sp800-53a + prose: unauthorized information transfer via shared system resources + is prevented; + links: + - href: "#sc-4_smt" + rel: assessment-for + - id: sc-4_obj-2 + name: assessment-objective + props: + - name: label + value: SC-04[02] + class: sp800-53a + prose: unintended information transfer via shared system resources + is prevented. + links: + - href: "#sc-4_smt" + rel: assessment-for + links: + - href: "#sc-4_smt" + rel: assessment-for + - id: sc-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing information protection in shared system + resources + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms preventing the unauthorized and unintended transfer + of information via shared system resources + - id: sc-5 + class: SP800-53 + title: Denial-of-service Protection + params: + - id: sc-05_odp.01 + label: types of denial-of-service events + constraints: + - description: "at a minimum: ICMP (ping) flood, SYN flood, slowloris,\ + \ buffer overflow attack, and volume attack" + guidelines: + - prose: types of denial-of-service events to be protected against + or limited are defined; + - id: sc-05_odp.02 + constraints: + - description: Protect against + select: + choice: + - protect against + - limit + - id: sc-05_odp.03 + label: controls by type of denial-of-service event + guidelines: + - prose: controls to achieve the denial-of-service objective by type + of denial-of-service event are defined; + props: + - name: label + value: SC-5 + - name: label + value: SC-05 + class: sp800-53a + - name: sort-id + value: sc-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#cp-2" + rel: related + - href: "#ir-4" + rel: related + - href: "#sc-6" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-40" + rel: related + parts: + - id: sc-5_smt + name: statement + parts: + - id: sc-5_smt.a + name: item + props: + - name: label + value: a. + prose: " {{ insert: param, sc-05_odp.02 }} the effects of the following\ + \ types of denial-of-service events: {{ insert: param, sc-05_odp.01\ + \ }} ; and" + - id: sc-5_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to achieve the denial-of-service\ + \ objective: {{ insert: param, sc-05_odp.03 }}." + - id: sc-5_gdn + name: guidance + prose: Denial-of-service events may occur due to a variety of internal + and external causes, such as an attack by an adversary or a lack of + planning to support organizational needs with respect to capacity + and bandwidth. Such attacks can occur across a wide range of network + protocols (e.g., IPv4, IPv6). A variety of technologies are available + to limit or eliminate the origination and effects of denial-of-service + events. For example, boundary protection devices can filter certain + types of packets to protect system components on internal networks + from being directly affected by or the source of denial-of-service + attacks. Employing increased network capacity and bandwidth combined + with service redundancy also reduces the susceptibility to denial-of-service + events. + - id: sc-5_obj + name: assessment-objective + props: + - name: label + value: SC-05 + class: sp800-53a + parts: + - id: sc-5_obj.a + name: assessment-objective + props: + - name: label + value: SC-05a. + class: sp800-53a + prose: "the effects of {{ insert: param, sc-05_odp.01 }} are {{\ + \ insert: param, sc-05_odp.02 }};" + links: + - href: "#sc-5_smt.a" + rel: assessment-for + - id: sc-5_obj.b + name: assessment-objective + props: + - name: label + value: SC-05b. + class: sp800-53a + prose: " {{ insert: param, sc-05_odp.03 }} are employed to achieve\ + \ the denial-of-service protection objective." + links: + - href: "#sc-5_smt.b" + rel: assessment-for + links: + - href: "#sc-5_smt" + rel: assessment-for + - id: sc-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing denial-of-service protection + + + system design documentation + + + list of denial-of-service attacks requiring employment of security + safeguards to protect against or limit effects of such attacks + + + list of security safeguards protecting against or limiting the + effects of denial-of-service attacks + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + + + system developer + - id: sc-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms protecting against or limiting the effects of + denial-of-service attacks + - id: sc-7 + class: SP800-53 + title: Boundary Protection + params: + - id: sc-07_odp + select: + choice: + - physically + - logically + props: + - name: label + value: SC-7 + - name: label + value: SC-07 + class: sp800-53a + - name: sort-id + value: sc-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#628d22a1-6a11-4784-bc59-5cd9497b5445" + rel: reference + - href: "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8" + rel: reference + - href: "#a7f0e897-29a3-45c4-bd88-40dfef0e034a" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#ac-20" + rel: related + - href: "#au-13" + rel: related + - href: "#ca-3" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-10" + rel: related + - href: "#cp-8" + rel: related + - href: "#cp-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-3" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-12" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-17" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-32" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-43" + rel: related + parts: + - id: sc-7_smt + name: statement + parts: + - id: sc-7_smt.a + name: item + props: + - name: label + value: a. + prose: Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces + within the system; + - id: sc-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement subnetworks for publicly accessible system components\ + \ that are {{ insert: param, sc-07_odp }} separated from internal\ + \ organizational networks; and" + - id: sc-7_smt.c + name: item + props: + - name: label + value: c. + prose: Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + - id: sc-7_fr + name: item + title: SC-7 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-7_fr_gdn.1 + name: guidance + props: + - name: label + value: "(b) Guidance:" + prose: SC-7 (b) should be met by subnet isolation. A subnetwork + (subnet) is a physically or logically segmented section of + a larger network defined at TCP/IP Layer 3, to both minimize + traffic and, important for a FedRAMP Authorization, add a + crucial layer of network isolation. Subnets are distinct from + VLANs (Layer 2), security groups, and VPCs and are specifically + required to satisfy SC-7 part b and other controls. See the + FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) + for additional information. + - id: sc-7_gdn + name: guidance + prose: Managed interfaces include gateways, routers, firewalls, guards, + network-based malicious code analysis, virtualization systems, or + encrypted tunnels implemented within a security architecture. Subnetworks + that are physically or logically separated from internal networks + are referred to as demilitarized zones or DMZs. Restricting or prohibiting + interfaces within organizational systems includes restricting external + web traffic to designated web servers within managed interfaces, prohibiting + external traffic that appears to be spoofing internal addresses, and + prohibiting internal traffic that appears to be spoofing external + addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides + additional information on source address validation techniques to + prevent ingress and egress of traffic with spoofed addresses. Commercial + telecommunications services are provided by network components and + consolidated management systems shared by customers. These services + may also include third party-provided access lines and other service + elements. Such services may represent sources of increased risk despite + contract security provisions. Boundary protection may be implemented + as a common control for all or part of an organizational network such + that the boundary to be protected is greater than a system-specific + boundary (i.e., an authorization boundary). + - id: sc-7_obj + name: assessment-objective + props: + - name: label + value: SC-07 + class: sp800-53a + parts: + - id: sc-7_obj.a + name: assessment-objective + props: + - name: label + value: SC-07a. + class: sp800-53a + parts: + - id: sc-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-07a.[01] + class: sp800-53a + prose: communications at external managed interfaces to the + system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-07a.[02] + class: sp800-53a + prose: communications at external managed interfaces to the + system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-07a.[03] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are monitored; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-07a.[04] + class: sp800-53a + prose: communications at key internal managed interfaces within + the system are controlled; + links: + - href: "#sc-7_smt.a" + rel: assessment-for + links: + - href: "#sc-7_smt.a" + rel: assessment-for + - id: sc-7_obj.b + name: assessment-objective + props: + - name: label + value: SC-07b. + class: sp800-53a + prose: "subnetworks for publicly accessible system components are\ + \ {{ insert: param, sc-07_odp }} separated from internal organizational\ + \ networks;" + links: + - href: "#sc-7_smt.b" + rel: assessment-for + - id: sc-7_obj.c + name: assessment-objective + props: + - name: label + value: SC-07c. + class: sp800-53a + prose: external networks or systems are only connected to through + managed interfaces consisting of boundary protection devices arranged + in accordance with an organizational security and privacy architecture. + links: + - href: "#sc-7_smt.c" + rel: assessment-for + links: + - href: "#sc-7_smt" + rel: assessment-for + - id: sc-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing boundary protection + + list of key internal boundaries of the system + + system design documentation + + boundary protection hardware and software + + system configuration settings and associated documentation + + enterprise security architecture documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing boundary protection capabilities + controls: + - id: sc-7.3 + class: SP800-53-enhancement + title: Access Points + props: + - name: label + value: SC-7(3) + - name: label + value: SC-07(03) + class: sp800-53a + - name: sort-id + value: sc-07.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.3_smt + name: statement + prose: Limit the number of external network connections to the system. + - id: sc-7.3_gdn + name: guidance + prose: Limiting the number of external network connections facilitates + monitoring of inbound and outbound communications traffic. The + Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) + initiative is an example of a federal guideline that requires + limits on the number of external network connections. Limiting + the number of external network connections to the system is important + during transition periods from older to newer technologies (e.g., + transitioning from IPv4 to IPv6 network protocols). Such transitions + may require implementing the older and newer technologies simultaneously + during the transition period and thus increase the number of access + points to the system. + - id: sc-7.3_obj + name: assessment-objective + props: + - name: label + value: SC-07(03) + class: sp800-53a + prose: the number of external network connections to the system + is limited. + links: + - href: "#sc-7.3_smt" + rel: assessment-for + - id: sc-7.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + boundary protection hardware and software + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + communications and network traffic monitoring logs + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms implementing boundary protection capabilities + + + mechanisms limiting the number of external network connections + to the system + - id: sc-7.4 + class: SP800-53-enhancement + title: External Telecommunications Services + params: + - id: sc-07.04_odp + label: frequency + constraints: + - description: at least every 180 days or whenever there is a + change in the threat environment that warrants a review of + the exceptions + guidelines: + - prose: the frequency at which to review exceptions to traffic + flow policy is defined; + props: + - name: label + value: SC-7(4) + - name: label + value: SC-07(04) + class: sp800-53a + - name: sort-id + value: sc-07.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#sc-7" + rel: required + - href: "#ac-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-7.4_smt + name: statement + parts: + - id: sc-7.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Implement a managed interface for each external telecommunication + service; + - id: sc-7.4_smt.b + name: item + props: + - name: label + value: (b) + prose: Establish a traffic flow policy for each managed interface; + - id: sc-7.4_smt.c + name: item + props: + - name: label + value: (c) + prose: Protect the confidentiality and integrity of the information + being transmitted across each interface; + - id: sc-7.4_smt.d + name: item + props: + - name: label + value: (d) + prose: Document each exception to the traffic flow policy with + a supporting mission or business need and duration of that + need; + - id: sc-7.4_smt.e + name: item + props: + - name: label + value: (e) + prose: "Review exceptions to the traffic flow policy {{ insert:\ + \ param, sc-07.04_odp }} and remove exceptions that are no\ + \ longer supported by an explicit mission or business need;" + - id: sc-7.4_smt.f + name: item + props: + - name: label + value: (f) + prose: Prevent unauthorized exchange of control plane traffic + with external networks; + - id: sc-7.4_smt.g + name: item + props: + - name: label + value: (g) + prose: Publish information to enable remote networks to detect + unauthorized control plane traffic from internal networks; + and + - id: sc-7.4_smt.h + name: item + props: + - name: label + value: (h) + prose: Filter unauthorized control plane traffic from external + networks. + - id: sc-7.4_gdn + name: guidance + prose: External telecommunications services can provide data and/or + voice communications services. Examples of control plane traffic + include Border Gateway Protocol (BGP) routing, Domain Name System + (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) + for additional information on the use of the resource public key + infrastructure (RPKI) to protect BGP routes and detect unauthorized + BGP announcements. + - id: sc-7.4_obj + name: assessment-objective + props: + - name: label + value: SC-07(04) + class: sp800-53a + parts: + - id: sc-7.4_obj.a + name: assessment-objective + props: + - name: label + value: SC-07(04)(a) + class: sp800-53a + prose: a managed interface is implemented for each external + telecommunication service; + links: + - href: "#sc-7.4_smt.a" + rel: assessment-for + - id: sc-7.4_obj.b + name: assessment-objective + props: + - name: label + value: SC-07(04)(b) + class: sp800-53a + prose: a traffic flow policy is established for each managed + interface; + links: + - href: "#sc-7.4_smt.b" + rel: assessment-for + - id: sc-7.4_obj.c + name: assessment-objective + props: + - name: label + value: SC-07(04)(c) + class: sp800-53a + parts: + - id: sc-7.4_obj.c-1 + name: assessment-objective + props: + - name: label + value: SC-07(04)(c)[01] + class: sp800-53a + prose: the confidentiality of the information being transmitted + across each interface is protected; + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + - id: sc-7.4_obj.c-2 + name: assessment-objective + props: + - name: label + value: SC-07(04)(c)[02] + class: sp800-53a + prose: the integrity of the information being transmitted + across each interface is protected; + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + links: + - href: "#sc-7.4_smt.c" + rel: assessment-for + - id: sc-7.4_obj.d + name: assessment-objective + props: + - name: label + value: SC-07(04)(d) + class: sp800-53a + prose: each exception to the traffic flow policy is documented + with a supporting mission or business need and duration of + that need; + links: + - href: "#sc-7.4_smt.d" + rel: assessment-for + - id: sc-7.4_obj.e + name: assessment-objective + props: + - name: label + value: SC-07(04)(e) + class: sp800-53a + parts: + - id: sc-7.4_obj.e-1 + name: assessment-objective + props: + - name: label + value: SC-07(04)(e)[01] + class: sp800-53a + prose: "exceptions to the traffic flow policy are reviewed\ + \ {{ insert: param, sc-07.04_odp }};" + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + - id: sc-7.4_obj.e-2 + name: assessment-objective + props: + - name: label + value: SC-07(04)(e)[02] + class: sp800-53a + prose: exceptions to the traffic flow policy that are no + longer supported by an explicit mission or business need + are removed; + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + links: + - href: "#sc-7.4_smt.e" + rel: assessment-for + - id: sc-7.4_obj.f + name: assessment-objective + props: + - name: label + value: SC-07(04)(f) + class: sp800-53a + prose: unauthorized exchanges of control plan traffic with external + networks are prevented; + links: + - href: "#sc-7.4_smt.f" + rel: assessment-for + - id: sc-7.4_obj.g + name: assessment-objective + props: + - name: label + value: SC-07(04)(g) + class: sp800-53a + prose: information is published to enable remote networks to + detect unauthorized control plane traffic from internal networks; + links: + - href: "#sc-7.4_smt.g" + rel: assessment-for + - id: sc-7.4_obj.h + name: assessment-objective + props: + - name: label + value: SC-07(04)(h) + class: sp800-53a + prose: unauthorized control plane traffic is filtered from external + networks. + links: + - href: "#sc-7.4_smt.h" + rel: assessment-for + links: + - href: "#sc-7.4_smt" + rel: assessment-for + - id: sc-7.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + traffic flow policy + + + information flow control policy + + + procedures addressing boundary protection + + + system security architecture + + + system design documentation + + + boundary protection hardware and software + + + system architecture and configuration documentation + + + system configuration settings and associated documentation + + + records of traffic flow policy exceptions + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + - id: sc-7.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for documenting and reviewing + exceptions to the traffic flow policy + + + organizational processes for removing exceptions to the traffic + flow policy + + + mechanisms implementing boundary protection capabilities + + + managed interfaces implementing traffic flow policy + - id: sc-7.5 + class: SP800-53-enhancement + title: Deny by Default — Allow by Exception + params: + - id: sc-07.05_odp.01 + constraints: + - description: any systems + select: + how-many: one-or-more + choice: + - at managed interfaces + - "for {{ insert: param, sc-07.05_odp.02 }} " + - id: sc-07.05_odp.02 + label: systems + guidelines: + - prose: systems for which network communications traffic is denied + by default and network communications traffic is allowed by + exception are defined (if selected). + props: + - name: label + value: SC-7(5) + - name: label + value: SC-07(05) + class: sp800-53a + - name: sort-id + value: sc-07.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.5_smt + name: statement + prose: "Deny network communications traffic by default and allow\ + \ network communications traffic by exception {{ insert: param,\ + \ sc-07.05_odp.01 }}." + parts: + - id: sc-7.5_fr + name: item + title: SC-7 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-7.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: For JAB Authorization, CSPs shall include details + of this control in their Architecture Briefing + - id: sc-7.5_gdn + name: guidance + prose: Denying by default and allowing by exception applies to inbound + and outbound network communications traffic. A deny-all, permit-by-exception + network communications traffic policy ensures that only those + system connections that are essential and approved are allowed. + Deny by default, allow by exception also applies to a system that + is connected to an external system. + - id: sc-7.5_obj + name: assessment-objective + props: + - name: label + value: SC-07(05) + class: sp800-53a + parts: + - id: sc-7.5_obj-1 + name: assessment-objective + props: + - name: label + value: SC-07(05)[01] + class: sp800-53a + prose: "network communications traffic is denied by default\ + \ {{ insert: param, sc-07.05_odp.01 }};" + links: + - href: "#sc-7.5_smt" + rel: assessment-for + - id: sc-7.5_obj-2 + name: assessment-objective + props: + - name: label + value: SC-07(05)[02] + class: sp800-53a + prose: "network communications traffic is allowed by exception\ + \ {{ insert: param, sc-07.05_odp.01 }}." + links: + - href: "#sc-7.5_smt" + rel: assessment-for + links: + - href: "#sc-7.5_smt" + rel: assessment-for + - id: sc-7.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing traffic management at managed + interfaces + - id: sc-7.7 + class: SP800-53-enhancement + title: Split Tunneling for Remote Devices + params: + - id: sc-07.07_odp + label: safeguards + guidelines: + - prose: safeguards to securely provision split tunneling are + defined; + props: + - name: label + value: SC-7(7) + - name: label + value: SC-07(07) + class: sp800-53a + - name: sort-id + value: sc-07.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.7_smt + name: statement + prose: "Prevent split tunneling for remote devices connecting to\ + \ organizational systems unless the split tunnel is securely provisioned\ + \ using {{ insert: param, sc-07.07_odp }}." + - id: sc-7.7_gdn + name: guidance + prose: Split tunneling is the process of allowing a remote user + or device to establish a non-remote connection with a system and + simultaneously communicate via some other connection to a resource + in an external network. This method of network access enables + a user to access remote devices and simultaneously, access uncontrolled + networks. Split tunneling might be desirable by remote users to + communicate with local system resources, such as printers or file + servers. However, split tunneling can facilitate unauthorized + external connections, making the system vulnerable to attack and + to exfiltration of organizational information. Split tunneling + can be prevented by disabling configuration settings that allow + such capability in remote devices and by preventing those configuration + settings from being configurable by users. Prevention can also + be achieved by the detection of split tunneling (or of configuration + settings that allow split tunneling) in the remote device, and + by prohibiting the connection if the remote device is using split + tunneling. A virtual private network (VPN) can be used to securely + provision a split tunnel. A securely provisioned VPN includes + locking connectivity to exclusive, managed, and named environments, + or to a specific set of pre-approved addresses, without user control. + - id: sc-7.7_obj + name: assessment-objective + props: + - name: label + value: SC-07(07) + class: sp800-53a + prose: "split tunneling is prevented for remote devices connecting\ + \ to organizational systems unless the split tunnel is securely\ + \ provisioned using {{ insert: param, sc-07.07_odp }}." + links: + - href: "#sc-7.7_smt" + rel: assessment-for + - id: sc-7.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Mechanisms implementing boundary protection capabilities + + mechanisms supporting/restricting non-remote connections + - id: sc-7.8 + class: SP800-53-enhancement + title: Route Traffic to Authenticated Proxy Servers + params: + - id: sc-07.08_odp.01 + label: internal communications traffic + guidelines: + - prose: internal communications traffic to be routed to external + networks is defined; + - id: sc-07.08_odp.02 + label: external networks + constraints: + - description: any network outside of organizational control and + any network outside the authorization boundary + guidelines: + - prose: external networks to which internal communications traffic + is to be routed are defined; + props: + - name: label + value: SC-7(8) + - name: label + value: SC-07(08) + class: sp800-53a + - name: sort-id + value: sc-07.08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + - href: "#ac-3" + rel: related + parts: + - id: sc-7.8_smt + name: statement + prose: "Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert:\ + \ param, sc-07.08_odp.02 }} through authenticated proxy servers\ + \ at managed interfaces." + - id: sc-7.8_gdn + name: guidance + prose: External networks are networks outside of organizational + control. A proxy server is a server (i.e., system or application) + that acts as an intermediary for clients requesting system resources + from non-organizational or other organizational servers. System + resources that may be requested include files, connections, web + pages, or services. Client requests established through a connection + to a proxy server are assessed to manage complexity and provide + additional protection by limiting direct connectivity. Web content + filtering devices are one of the most common proxy servers that + provide access to the Internet. Proxy servers can support the + logging of Transmission Control Protocol sessions and the blocking + of specific Uniform Resource Locators, Internet Protocol addresses, + and domain names. Web proxies can be configured with organization-defined + lists of authorized and unauthorized websites. Note that proxy + servers may inhibit the use of virtual private networks (VPNs) + and create the potential for "man-in-the-middle" attacks (depending + on the implementation). + - id: sc-7.8_obj + name: assessment-objective + props: + - name: label + value: SC-07(08) + class: sp800-53a + prose: " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert:\ + \ param, sc-07.08_odp.02 }} through authenticated proxy servers\ + \ at managed interfaces." + links: + - href: "#sc-7.8_smt" + rel: assessment-for + - id: sc-7.8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(08)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system hardware and software + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(08)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(08)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing traffic management through authenticated + proxy servers at managed interfaces + - id: sc-7.12 + class: SP800-53-enhancement + title: Host-based Protection + params: + - id: sc-07.12_odp.01 + label: host-based boundary protection mechanisms + constraints: + - description: Host Intrusion Prevention System (HIPS), Host Intrusion + Detection System (HIDS), or minimally a host-based firewall + guidelines: + - prose: host-based boundary protection mechanisms to be implemented + are defined; + - id: sc-07.12_odp.02 + label: system components + guidelines: + - prose: system components where host-based boundary protection + mechanisms are to be implemented are defined; + props: + - name: label + value: SC-7(12) + - name: label + value: SC-07(12) + class: sp800-53a + - name: sort-id + value: sc-07.12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-7" + rel: required + parts: + - id: sc-7.12_smt + name: statement + prose: "Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert:\ + \ param, sc-07.12_odp.02 }}." + - id: sc-7.12_gdn + name: guidance + prose: Host-based boundary protection mechanisms include host-based + firewalls. System components that employ host-based boundary protection + mechanisms include servers, workstations, notebook computers, + and mobile devices. + - id: sc-7.12_obj + name: assessment-objective + props: + - name: label + value: SC-07(12) + class: sp800-53a + prose: " {{ insert: param, sc-07.12_odp.01 }} are implemented at\ + \ {{ insert: param, sc-07.12_odp.02 }}." + links: + - href: "#sc-7.12_smt" + rel: assessment-for + - id: sc-7.12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(12)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + boundary protection hardware and software + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(12)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with boundary protection responsibilities + + + system users + - id: sc-7.12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(12)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms implementing host-based boundary protection + capabilities + - id: sc-7.18 + class: SP800-53-enhancement + title: Fail Secure + props: + - name: label + value: SC-7(18) + - name: label + value: SC-07(18) + class: sp800-53a + - name: sort-id + value: sc-07.18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sc-7" + rel: required + - href: "#cp-2" + rel: related + - href: "#cp-12" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-7.18_smt + name: statement + prose: Prevent systems from entering unsecure states in the event + of an operational failure of a boundary protection device. + - id: sc-7.18_gdn + name: guidance + prose: Fail secure is a condition achieved by employing mechanisms + to ensure that in the event of operational failures of boundary + protection devices at managed interfaces, systems do not enter + into unsecure states where intended security properties no longer + hold. Managed interfaces include routers, firewalls, and application + gateways that reside on protected subnetworks (commonly referred + to as demilitarized zones). Failures of boundary protection devices + cannot lead to or cause information external to the devices to + enter the devices nor can failures permit unauthorized information + releases. + - id: sc-7.18_obj + name: assessment-objective + props: + - name: label + value: SC-07(18) + class: sp800-53a + prose: systems are prevented from entering unsecure states in the + event of an operational failure of a boundary protection device. + links: + - href: "#sc-7.18_smt" + rel: assessment-for + - id: sc-7.18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-07(18)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing boundary protection + + + system design documentation + + + system architecture + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-7.18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-07(18)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with boundary protection responsibilities + - id: sc-7.18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-07(18)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing secure failure + - id: sc-8 + class: SP800-53 + title: Transmission Confidentiality and Integrity + params: + - id: sc-08_odp + constraints: + - description: confidentiality AND integrity + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + props: + - name: label + value: SC-8 + - name: label + value: SC-08 + class: sp800-53a + - name: sort-id + value: sc-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#736d6310-e403-4b57-a79d-9967970c66d7" + rel: reference + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#4c501da5-9d79-4cb6-ba80-97260e1ce327" + rel: reference + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#au-10" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-8" + rel: related + - href: "#ia-9" + rel: related + - href: "#ma-4" + rel: related + - href: "#pe-4" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-16" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + parts: + - id: sc-8_smt + name: statement + prose: "Protect the {{ insert: param, sc-08_odp }} of transmitted information." + parts: + - id: sc-8_fr + name: item + title: SC-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For each instance of data in transit, confidentiality + AND integrity should be through cryptography as + specified in SC-8 (1), physical means as specified in + SC-8 (5), or in combination. + + + + + For clarity, this control applies to all data in transit. + Examples include the following data flows: + + + * Crossing the system boundary + + * Between compute instances - including containers + + * From a compute instance to storage + + * Replication between availability zones + + * Transmission of backups to storage + + * From a load balancer to a compute instance + + * Flows from management tools required for their work – e.g. + log collection, scanning, etc. + + + + + + The following applies only when choosing SC-8 (5) in lieu + of SC-8 (1). + + + FedRAMP-Defined Assignment / Selection Parameters + + + SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution + System (PDS) when outside of Controlled Access Area (CAA)] + + + SC-8 (5)-2 [prevent unauthorized disclosure of information + AND detect changes to information] + - id: sc-8_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + SC-8 (5) applies when physical protection has been + selected as the method to protect confidentiality and + integrity. For physical protection, data in transit must + be in either a Controlled Access Area (CAA), or a + Hardened or alarmed PDS. + + + + + Hardened or alarmed PDS: Shall be as defined in SECTION X + - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled + PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 + Section VIII, PDS must originate and terminate in a Controlled + Access Area (CAA). + + + + + Controlled Access Area (CAA): Data will be considered physically + protected, and in a CAA if it meets Section 2.3 of the DHS’s + Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies. CSPs can meet + Section 2.3 of the DHS’ recommended practice by satisfactory + implementation of the following controls PE-2 (1), PE-2 (2), + PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3). + + + + + Note: When selecting SC-8 (5), the above SC-8(5), and the + above referenced PE controls must be added to the SSP. + + + + + CNSSI No.7003 can be accessed here: + + + https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf + + + + + DHS Recommended Practice: Improving Industrial Control System + Cybersecurity with Defense-in-Depth Strategies can be accessed + here: + + + https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf + - id: sc-8_gdn + name: guidance + prose: >- + Protecting the confidentiality and integrity of transmitted + information applies to internal and external networks as well as + any system components that can transmit information, including + servers, notebook computers, desktop computers, mobile devices, + printers, copiers, scanners, facsimile machines, and radios. + Unprotected communication paths are exposed to the possibility + of interception and modification. Protecting the confidentiality + and integrity of information can be accomplished by physical or + logical means. Physical protection can be achieved by using + protected distribution systems. A protected distribution system + is a wireline or fiber-optics telecommunications system that + includes terminals and adequate electromagnetic, acoustical, + electrical, and physical controls to permit its use for the + unencrypted transmission of classified information. Logical + protection can be achieved by employing encryption techniques. + + + Organizations that rely on commercial providers who offer transmission + services as commodity services rather than as fully dedicated services + may find it difficult to obtain the necessary assurances regarding + the implementation of needed controls for transmission confidentiality + and integrity. In such situations, organizations determine what types + of confidentiality or integrity services are available in standard, + commercial telecommunications service packages. If it is not feasible + to obtain the necessary controls and assurances of control effectiveness + through appropriate contracting vehicles, organizations can implement + appropriate compensating controls. + - id: sc-8_obj + name: assessment-objective + props: + - name: label + value: SC-08 + class: sp800-53a + prose: "the {{ insert: param, sc-08_odp }} of transmitted information\ + \ is/are protected." + links: + - href: "#sc-8_smt" + rel: assessment-for + - id: sc-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing transmission confidentiality + and/or integrity + controls: + - id: sc-8.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-08.01_odp + constraints: + - description: prevent unauthorized disclosure of information + AND detect changes to information + select: + how-many: one-or-more + choice: + - prevent unauthorized disclosure of information + - detect changes to information + props: + - name: label + value: SC-8(1) + - name: label + value: SC-08(01) + class: sp800-53a + - name: sort-id + value: sc-08.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-8" + rel: required + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-8.1_smt + name: statement + prose: "Implement cryptographic mechanisms to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + parts: + - id: sc-8.1_fr + name: item + title: SC-8 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-8.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Please ensure SSP Section 10.3 Cryptographic Modules + Implemented for Data At Rest (DAR) and Data In Transit + (DIT) is fully populated for reference in this control. + - id: sc-8.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + See M-22-09, including \"Agencies encrypt all DNS + requests and HTTP traffic within their environment\" + + + SC-8 (1) applies when encryption has been selected as + the method to protect confidentiality and integrity. Otherwise + refer to SC-8 (5). SC-8 (1) is strongly encouraged. + - id: sc-8.1_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + which must be compliant with Federal requirements and + utilize FIPS validated or NSA approved cryptography (see + SC-13.) + - id: sc-8.1_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from the underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by\ + \ default, many require encryption to be configured, and\ + \ enabled by the customer. The CSP has the responsibility\ + \ to verify encryption is properly configured." + - id: sc-8.1_gdn + name: guidance + prose: Encryption protects information from unauthorized disclosure + and modification during transmission. Cryptographic mechanisms + that protect the confidentiality and integrity of information + during transmission include TLS and IPSec. Cryptographic mechanisms + used to protect information integrity include cryptographic hash + functions that have applications in digital signatures, checksums, + and message authentication codes. + - id: sc-8.1_obj + name: assessment-objective + props: + - name: label + value: SC-08(01) + class: sp800-53a + prose: "cryptographic mechanisms are implemented to {{ insert: param,\ + \ sc-08.01_odp }} during transmission." + links: + - href: "#sc-8.1_smt" + rel: assessment-for + - id: sc-8.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-08(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing transmission confidentiality and integrity + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-8.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-08(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-8.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-08(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Cryptographic mechanisms supporting and/or implementing + transmission confidentiality and/or integrity + + + mechanisms supporting and/or implementing alternative physical + safeguards + + + organizational processes for defining and implementing alternative + physical safeguards + - id: sc-10 + class: SP800-53 + title: Network Disconnect + params: + - id: sc-10_odp + label: time period + constraints: + - description: no longer than ten (10) minutes for privileged sessions + and no longer than fifteen (15) minutes for user sessions + guidelines: + - prose: a time period of inactivity after which the system terminates + a network connection associated with a communication session is + defined; + props: + - name: label + value: SC-10 + - name: label + value: SC-10 + class: sp800-53a + - name: sort-id + value: sc-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-17" + rel: related + - href: "#sc-23" + rel: related + parts: + - id: sc-10_smt + name: statement + prose: "Terminate the network connection associated with a communications\ + \ session at the end of the session or after {{ insert: param, sc-10_odp\ + \ }} of inactivity." + - id: sc-10_gdn + name: guidance + prose: Network disconnect applies to internal and external networks. + Terminating network connections associated with specific communications + sessions includes de-allocating TCP/IP address or port pairs at the + operating system level and de-allocating the networking assignments + at the application level if multiple application sessions are using + a single operating system-level network connection. Periods of inactivity + may be established by organizations and include time periods by type + of network access or for specific network accesses. + - id: sc-10_obj + name: assessment-objective + props: + - name: label + value: SC-10 + class: sp800-53a + prose: "the network connection associated with a communication session\ + \ is terminated at the end of the session or after {{ insert: param,\ + \ sc-10_odp }} of inactivity." + links: + - href: "#sc-10_smt" + rel: assessment-for + - id: sc-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing network disconnect + + system design documentation + + security plan + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing a network disconnect + capability + - id: sc-12 + class: SP800-53 + title: Cryptographic Key Establishment and Management + params: + - id: sc-12_odp + label: requirements + constraints: + - description: In accordance with Federal requirements + guidelines: + - prose: requirements for key generation, distribution, storage, access, + and destruction are defined; + props: + - name: label + value: SC-12 + - name: label + value: SC-12 + class: sp800-53a + - name: sort-id + value: sc-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#849b2358-683f-4d97-b111-1cc3d522ded5" + rel: reference + - href: "#3915a084-b87b-4f02-83d4-c369e746292f" + rel: reference + - href: "#ac-17" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-3" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-11" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-17" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-12_smt + name: statement + prose: "Establish and manage cryptographic keys when cryptography is\ + \ employed within the system in accordance with the following key\ + \ management requirements: {{ insert: param, sc-12_odp }}." + parts: + - id: sc-12_fr + name: item + title: SC-12 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-12_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See references in NIST 800-53 documentation. + - id: sc-12_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Must meet applicable Federal Cryptographic Requirements. + See References Section of control. + - id: sc-12_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Wildcard certificates may be used internally within the + system, but are not permitted for external customer access + to the system. + - id: sc-12_gdn + name: guidance + prose: Cryptographic key management and establishment can be performed + using manual procedures or automated mechanisms with supporting manual + procedures. Organizations define key management requirements in accordance + with applicable laws, executive orders, directives, regulations, policies, + standards, and guidelines and specify appropriate options, parameters, + and levels. Organizations manage trust stores to ensure that only + approved trust anchors are part of such trust stores. This includes + certificates with visibility external to organizational systems and + certificates related to the internal operations of systems. [NIST + CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) + provide additional information on validated cryptographic modules + and algorithms that can be used in cryptographic key management and + establishment. + - id: sc-12_obj + name: assessment-objective + props: + - name: label + value: SC-12 + class: sp800-53a + parts: + - id: sc-12_obj-1 + name: assessment-objective + props: + - name: label + value: SC-12[01] + class: sp800-53a + prose: "cryptographic keys are established when cryptography is\ + \ employed within the system in accordance with {{ insert: param,\ + \ sc-12_odp }};" + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_obj-2 + name: assessment-objective + props: + - name: label + value: SC-12[02] + class: sp800-53a + prose: "cryptographic keys are managed when cryptography is employed\ + \ within the system in accordance with {{ insert: param, sc-12_odp\ + \ }}." + links: + - href: "#sc-12_smt" + rel: assessment-for + links: + - href: "#sc-12_smt" + rel: assessment-for + - id: sc-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing cryptographic key establishment and management + + + system design documentation + + + cryptographic mechanisms + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for cryptographic + key establishment and/or management + - id: sc-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic key + establishment and management + - id: sc-13 + class: SP800-53 + title: Cryptographic Protection + params: + - id: sc-13_odp.01 + label: cryptographic uses + guidelines: + - prose: cryptographic uses are defined; + - id: sc-13_odp.02 + label: types of cryptography + constraints: + - description: FIPS-validated or NSA-approved cryptography + guidelines: + - prose: types of cryptography for each specified cryptographic use + are defined; + props: + - name: label + value: SC-13 + - name: label + value: SC-13 + class: sp800-53a + - name: sort-id + value: sc-13 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-7" + rel: related + - href: "#ac-17" + rel: related + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + - href: "#au-9" + rel: related + - href: "#au-10" + rel: related + - href: "#cm-11" + rel: related + - href: "#cp-9" + rel: related + - href: "#ia-3" + rel: related + - href: "#ia-5" + rel: related + - href: "#ia-7" + rel: related + - href: "#ia-13" + rel: related + - href: "#ma-4" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-40" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: sc-13_smt + name: statement + parts: + - id: sc-13_smt.a + name: item + props: + - name: label + value: a. + prose: "Determine the {{ insert: param, sc-13_odp.01 }} ; and" + - id: sc-13_smt.b + name: item + props: + - name: label + value: b. + prose: "Implement the following types of cryptography required for\ + \ each specified cryptographic use: {{ insert: param, sc-13_odp.02\ + \ }}." + - id: sc-13_fr + name: item + title: SC-13 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-13_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + This control applies to all use of cryptography. In + addition to encryption, this includes functions such as + hashing, random number generation, and key generation. + Examples include the following: + + + * Encryption of data + + * Decryption of data + + * Generation of one time passwords (OTPs) for MFA + + * Protocols such as TLS, SSH, and HTTPS + + + + + + The requirement for FIPS 140 validation, as well as timelines + for acceptance of FIPS 140-2, and 140-3 can be found at the + NIST Cryptographic Module Validation Program (CMVP). + + + https://csrc.nist.gov/projects/cryptographic-module-validation-program + - id: sc-13_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + For NSA-approved cryptography, the National Information + Assurance Partnership (NIAP) oversees a national program + to evaluate Commercial IT Products for Use in National + Security Systems. The NIAP Product Compliant List can be + found at the following location: + + + https://www.niap-ccevs.org/Product/index.cfm + - id: sc-13_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS provide encryption by default, many\ + \ require encryption to be configured, and enabled by the\ + \ customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-13_fr_gdn.4 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + Moving to non-FIPS CM or product is acceptable when: + + + * FIPS validated version has a known vulnerability + + * Feature with vulnerability is in use + + * Non-FIPS version fixes the vulnerability + + * Non-FIPS version is submitted to NIST for FIPS validation + + * POA&M is added to track approval, and deployment when ready + - id: sc-13_fr_gdn.5 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "At a minimum, this control applies to cryptography in\ + \ use for the following controls: AU-9(3), CP-9(8), IA-2(6),\ + \ IA-5(1), MP-5, SC-8(1), and SC-28(1)." + - id: sc-13_gdn + name: guidance + prose: Cryptography can be employed to support a variety of security + solutions, including the protection of classified information and + controlled unclassified information, the provision and implementation + of digital signatures, and the enforcement of information separation + when authorized individuals have the necessary clearances but lack + the necessary formal access approvals. Cryptography can also be used + to support random number and hash generation. Generally applicable + cryptographic standards include FIPS-validated cryptography and NSA-approved + cryptography. For example, organizations that need to protect classified + information may specify the use of NSA-approved cryptography. Organizations + that need to provision and implement digital signatures may specify + the use of FIPS-validated cryptography. Cryptography is implemented + in accordance with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines. + - id: sc-13_obj + name: assessment-objective + props: + - name: label + value: SC-13 + class: sp800-53a + parts: + - id: sc-13_obj.a + name: assessment-objective + props: + - name: label + value: SC-13a. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.01 }} are identified;" + links: + - href: "#sc-13_smt.a" + rel: assessment-for + - id: sc-13_obj.b + name: assessment-objective + props: + - name: label + value: SC-13b. + class: sp800-53a + prose: " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic\ + \ use (defined in SC-13_ODP[01]) are implemented." + links: + - href: "#sc-13_smt.b" + rel: assessment-for + links: + - href: "#sc-13_smt" + rel: assessment-for + - id: sc-13_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-13-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing cryptographic protection + + system design documentation + + system configuration settings and associated documentation + + cryptographic module validation certificates + + list of FIPS-validated cryptographic modules + + system audit records + + system security plan + + other relevant documents or records + - id: sc-13_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-13-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for cryptographic + protection + - id: sc-13_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-13-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing cryptographic protection + - id: sc-15 + class: SP800-53 + title: Collaborative Computing Devices and Applications + params: + - id: sc-15_odp + label: exceptions where remote activation is to be allowed + constraints: + - description: no exceptions for computing devices + guidelines: + - prose: exceptions where remote activation is to be allowed are defined; + props: + - name: label + value: SC-15 + - name: label + value: SC-15 + class: sp800-53a + - name: sort-id + value: sc-15 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#ac-21" + rel: related + - href: "#sc-42" + rel: related + parts: + - id: sc-15_smt + name: statement + parts: + - id: sc-15_smt.a + name: item + props: + - name: label + value: a. + prose: "Prohibit remote activation of collaborative computing devices\ + \ and applications with the following exceptions: {{ insert: param,\ + \ sc-15_odp }} ; and" + - id: sc-15_smt.b + name: item + props: + - name: label + value: b. + prose: Provide an explicit indication of use to users physically + present at the devices. + - id: sc-15_fr + name: item + title: SC-15 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-15_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The information system provides disablement (instead + of physical disconnect) of collaborative computing devices + in a manner that supports ease of use. + - id: sc-15_gdn + name: guidance + prose: Collaborative computing devices and applications include remote + meeting devices and applications, networked white boards, cameras, + and microphones. The explicit indication of use includes signals to + users when collaborative computing devices and applications are activated. + - id: sc-15_obj + name: assessment-objective + props: + - name: label + value: SC-15 + class: sp800-53a + parts: + - id: sc-15_obj.a + name: assessment-objective + props: + - name: label + value: SC-15a. + class: sp800-53a + prose: "remote activation of collaborative computing devices and\ + \ applications is prohibited except {{ insert: param, sc-15_odp\ + \ }};" + links: + - href: "#sc-15_smt.a" + rel: assessment-for + - id: sc-15_obj.b + name: assessment-objective + props: + - name: label + value: SC-15b. + class: sp800-53a + prose: an explicit indication of use is provided to users physically + present at the devices. + links: + - href: "#sc-15_smt.b" + rel: assessment-for + links: + - href: "#sc-15_smt" + rel: assessment-for + - id: sc-15_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-15-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing collaborative computing + + access control policy and procedures + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-15_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-15-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + + + organizational personnel with responsibilities for managing collaborative + computing devices + - id: sc-15_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-15-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Mechanisms supporting and/or implementing the management of + remote activation of collaborative computing devices + + + mechanisms providing an indication of use of collaborative computing + devices + - id: sc-17 + class: SP800-53 + title: Public Key Infrastructure Certificates + params: + - id: sc-17_odp + label: certificate policy + guidelines: + - prose: a certificate policy for issuing public key certificates + is defined; + props: + - name: label + value: SC-17 + - name: label + value: SC-17 + class: sp800-53a + - name: sort-id + value: sc-17 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#8cb338a4-e493-4177-818f-3af18983ddc5" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#737513fa-6758-403f-831d-5ddab5e23cb3" + rel: reference + - href: "#au-10" + rel: related + - href: "#ia-5" + rel: related + - href: "#sc-12" + rel: related + parts: + - id: sc-17_smt + name: statement + parts: + - id: sc-17_smt.a + name: item + props: + - name: label + value: a. + prose: "Issue public key certificates under an {{ insert: param,\ + \ sc-17_odp }} or obtain public key certificates from an approved\ + \ service provider; and" + - id: sc-17_smt.b + name: item + props: + - name: label + value: b. + prose: Include only approved trust anchors in trust stores or certificate + stores managed by the organization. + - id: sc-17_gdn + name: guidance + prose: Public key infrastructure (PKI) certificates are certificates + with visibility external to organizational systems and certificates + related to the internal operations of systems, such as application-specific + time services. In cryptographic systems with a hierarchical structure, + a trust anchor is an authoritative source (i.e., a certificate authority) + for which trust is assumed and not derived. A root certificate for + a PKI system is an example of a trust anchor. A trust store or certificate + store maintains a list of trusted root certificates. + - id: sc-17_obj + name: assessment-objective + props: + - name: label + value: SC-17 + class: sp800-53a + parts: + - id: sc-17_obj.a + name: assessment-objective + props: + - name: label + value: SC-17a. + class: sp800-53a + prose: "public key certificates are issued under {{ insert: param,\ + \ sc-17_odp }} , or public key certificates are obtained from\ + \ an approved service provider;" + links: + - href: "#sc-17_smt.a" + rel: assessment-for + - id: sc-17_obj.b + name: assessment-objective + props: + - name: label + value: SC-17b. + class: sp800-53a + prose: only approved trust anchors are included in trust stores + or certificate stores managed by the organization. + links: + - href: "#sc-17_smt.b" + rel: assessment-for + links: + - href: "#sc-17_smt" + rel: assessment-for + - id: sc-17_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-17-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing public key infrastructure certificates + + public key certificate policy or policies + + public key issuing process + + system security plan + + other relevant documents or records + - id: sc-17_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-17-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for issuing public + key certificates + + + service providers + - id: sc-17_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-17-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing the management + of public key infrastructure certificates + - id: sc-18 + class: SP800-53 + title: Mobile Code + props: + - name: label + value: SC-18 + - name: label + value: SC-18 + class: sp800-53a + - name: sort-id + value: sc-18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#f641309f-a3ad-48be-8c67-2b318648b2f5" + rel: reference + - href: "#au-2" + rel: related + - href: "#au-12" + rel: related + - href: "#cm-2" + rel: related + - href: "#cm-6" + rel: related + - href: "#si-3" + rel: related + parts: + - id: sc-18_smt + name: statement + parts: + - id: sc-18_smt.a + name: item + props: + - name: label + value: a. + prose: Define acceptable and unacceptable mobile code and mobile + code technologies; and + - id: sc-18_smt.b + name: item + props: + - name: label + value: b. + prose: Authorize, monitor, and control the use of mobile code within + the system. + - id: sc-18_gdn + name: guidance + prose: Mobile code includes any program, application, or content that + can be transmitted across a network (e.g., embedded in an email, document, + or website) and executed on a remote system. Decisions regarding the + use of mobile code within organizational systems are based on the + potential for the code to cause damage to the systems if used maliciously. + Mobile code technologies include Java applets, JavaScript, HTML5, + WebGL, and VBScript. Usage restrictions and implementation guidelines + apply to both the selection and use of mobile code installed on servers + and mobile code downloaded and executed on individual workstations + and devices, including notebook computers and smart phones. Mobile + code policy and procedures address specific actions taken to prevent + the development, acquisition, and introduction of unacceptable mobile + code within organizational systems, including requiring mobile code + to be digitally signed by a trusted source. + - id: sc-18_obj + name: assessment-objective + props: + - name: label + value: SC-18 + class: sp800-53a + parts: + - id: sc-18_obj.a + name: assessment-objective + props: + - name: label + value: SC-18a. + class: sp800-53a + parts: + - id: sc-18_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-18a.[01] + class: sp800-53a + prose: acceptable mobile code is defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-18a.[02] + class: sp800-53a + prose: unacceptable mobile code is defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-3 + name: assessment-objective + props: + - name: label + value: SC-18a.[03] + class: sp800-53a + prose: acceptable mobile code technologies are defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.a-4 + name: assessment-objective + props: + - name: label + value: SC-18a.[04] + class: sp800-53a + prose: unacceptable mobile code technologies are defined; + links: + - href: "#sc-18_smt.a" + rel: assessment-for + links: + - href: "#sc-18_smt.a" + rel: assessment-for + - id: sc-18_obj.b + name: assessment-objective + props: + - name: label + value: SC-18b. + class: sp800-53a + parts: + - id: sc-18_obj.b-1 + name: assessment-objective + props: + - name: label + value: SC-18b.[01] + class: sp800-53a + prose: the use of mobile code is authorized within the system; + links: + - href: "#sc-18_smt.b" + rel: assessment-for + - id: sc-18_obj.b-2 + name: assessment-objective + props: + - name: label + value: SC-18b.[02] + class: sp800-53a + prose: the use of mobile code is monitored within the system; + links: + - href: "#sc-18_smt.b" + rel: assessment-for + - id: sc-18_obj.b-3 + name: assessment-objective + props: + - name: label + value: SC-18b.[03] + class: sp800-53a + prose: the use of mobile code is controlled within the system. + links: + - href: "#sc-18_smt.b" + rel: assessment-for + links: + - href: "#sc-18_smt.b" + rel: assessment-for + links: + - href: "#sc-18_smt" + rel: assessment-for + - id: sc-18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-18-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing mobile code + + mobile code implementation policy and procedures + + list of acceptable mobile code and mobile code technologies + + list of unacceptable mobile code and mobile technologies + + authorization records + + system monitoring records + + system audit records + + system security plan + + other relevant documents or records + - id: sc-18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-18-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing mobile + code + - id: sc-18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-18-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational process for authorizing, monitoring, and + controlling mobile code + + + mechanisms supporting and/or implementing the management of mobile + code + + + mechanisms supporting and/or implementing the monitoring of mobile + code + - id: sc-20 + class: SP800-53 + title: Secure Name/Address Resolution Service (Authoritative Source) + props: + - name: label + value: SC-20 + - name: label + value: SC-20 + class: sp800-53a + - name: sort-id + value: sc-20 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-20_smt + name: statement + parts: + - id: sc-20_smt.a + name: item + props: + - name: label + value: a. + prose: Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution + data the system returns in response to external name/address resolution + queries; and + - id: sc-20_smt.b + name: item + props: + - name: label + value: b. + prose: Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to + enable verification of a chain of trust among parent and child + domains, when operating as part of a distributed, hierarchical + namespace. + - id: sc-20_fr + name: item + title: SC-20 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-20_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Control Description should include how DNSSEC is implemented + on authoritative DNS servers to supply valid responses to + external DNSSEC requests. + - id: sc-20_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: SC-20 applies to use of external authoritative DNS to + access a CSO from outside the boundary. + - id: sc-20_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: External authoritative DNS servers may be located outside + an authorized environment. Positioning these servers inside + an authorized boundary is encouraged. + - id: sc-20_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: CSPs are recommended to self-check DNSSEC configuration + through one of many available analyzers such as Sandia National + Labs (https://dnsviz.net) + - id: sc-20_gdn + name: guidance + prose: Providing authoritative source information enables external clients, + including remote Internet clients, to obtain origin authentication + and integrity verification assurances for the host/service name to + network address resolution information obtained through the service. + Systems that provide name and address resolution services include + domain name system (DNS) servers. Additional artifacts include DNS + Security Extensions (DNSSEC) digital signatures and cryptographic + keys. Authoritative data includes DNS resource records. The means + for indicating the security status of child zones include the use + of delegation signer resource records in the DNS. Systems that use + technologies other than the DNS to map between host and service names + and network addresses provide other means to assure the authenticity + and integrity of response data. + - id: sc-20_obj + name: assessment-objective + props: + - name: label + value: SC-20 + class: sp800-53a + parts: + - id: sc-20_obj.a + name: assessment-objective + props: + - name: label + value: SC-20a. + class: sp800-53a + parts: + - id: sc-20_obj.a-1 + name: assessment-objective + props: + - name: label + value: SC-20a.[01] + class: sp800-53a + prose: additional data origin authentication is provided along + with the authoritative name resolution data that the system + returns in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.a-2 + name: assessment-objective + props: + - name: label + value: SC-20a.[02] + class: sp800-53a + prose: integrity verification artifacts are provided along with + the authoritative name resolution data that the system returns + in response to external name/address resolution queries; + links: + - href: "#sc-20_smt.a" + rel: assessment-for + links: + - href: "#sc-20_smt.a" + rel: assessment-for + - id: sc-20_obj.b + name: assessment-objective + props: + - name: label + value: SC-20b. + class: sp800-53a + parts: + - id: sc-20_obj.b-1 + name: assessment-objective + props: + - name: label + value: SC-20b.[01] + class: sp800-53a + prose: the means to indicate the security status of child zones + (and if the child supports secure resolution services) is + provided when operating as part of a distributed, hierarchical + namespace; + links: + - href: "#sc-20_smt.b" + rel: assessment-for + - id: sc-20_obj.b-2 + name: assessment-objective + props: + - name: label + value: SC-20b.[02] + class: sp800-53a + prose: the means to enable verification of a chain of trust + among parent and child domains when operating as part of a + distributed, hierarchical namespace is provided. + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt.b" + rel: assessment-for + links: + - href: "#sc-20_smt" + rel: assessment-for + - id: sc-20_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-20-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (authoritative source) + + + system design documentation + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: sc-20_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-20-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-20_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-20-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing secure name/address + resolution services + - id: sc-21 + class: SP800-53 + title: Secure Name/Address Resolution Service (Recursive or Caching Resolver) + props: + - name: label + value: SC-21 + - name: label + value: SC-21 + class: sp800-53a + - name: sort-id + value: sc-21 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-20" + rel: related + - href: "#sc-22" + rel: related + parts: + - id: sc-21_smt + name: statement + prose: Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. + parts: + - id: sc-21_fr + name: item + title: SC-21 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-21_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: > + Control description should include how DNSSEC is + implemented on recursive DNS servers to make DNSSEC + requests when resolving DNS requests from internal + components to domains external to the CSO boundary. + + + * If the reply is signed, and fails DNSSEC, do not use the + reply + + * If the reply is unsigned: * CSP chooses the policy to + apply + - id: sc-21_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: Internal recursive DNS servers must be located inside + an authorized environment. It is typically within the boundary, + or leveraged from an underlying IaaS/PaaS. + - id: sc-21_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Accepting an unsigned reply is acceptable + - id: sc-21_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: > + SC-21 applies to use of internal recursive DNS to access + a domain outside the boundary by a component inside the + boundary. + + + * DNSSEC resolution to access a component inside the boundary + is excluded. + - id: sc-21_gdn + name: guidance + prose: Each client of name resolution services either performs this + validation on its own or has authenticated channels to trusted validation + providers. Systems that provide name and address resolution services + for local clients include recursive resolving or caching domain name + system (DNS) servers. DNS client resolvers either perform validation + of DNSSEC signatures, or clients use authenticated channels to recursive + resolvers that perform such validations. Systems that use technologies + other than the DNS to map between host and service names and network + addresses provide some other means to enable clients to verify the + authenticity and integrity of response data. + - id: sc-21_obj + name: assessment-objective + props: + - name: label + value: SC-21 + class: sp800-53a + parts: + - id: sc-21_obj-1 + name: assessment-objective + props: + - name: label + value: SC-21[01] + class: sp800-53a + prose: data origin authentication is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-2 + name: assessment-objective + props: + - name: label + value: SC-21[02] + class: sp800-53a + prose: data origin authentication is performed on the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-3 + name: assessment-objective + props: + - name: label + value: SC-21[03] + class: sp800-53a + prose: data integrity verification is requested for the name/address + resolution responses that the system receives from authoritative + sources; + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_obj-4 + name: assessment-objective + props: + - name: label + value: SC-21[04] + class: sp800-53a + prose: data integrity verification is performed on the name/address + resolution responses that the system receives from authoritative + sources. + links: + - href: "#sc-21_smt" + rel: assessment-for + links: + - href: "#sc-21_smt" + rel: assessment-for + - id: sc-21_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-21-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing secure name/address resolution services + (recursive or caching resolver) + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-21_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-21-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-21_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-21-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing data origin authentication + and data integrity verification for name/address resolution services + - id: sc-22 + class: SP800-53 + title: Architecture and Provisioning for Name/Address Resolution Service + props: + - name: label + value: SC-22 + - name: label + value: SC-22 + class: sp800-53a + - name: sort-id + value: sc-22 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#fe209006-bfd4-4033-a79a-9fee1adaf372" + rel: reference + - href: "#sc-2" + rel: related + - href: "#sc-20" + rel: related + - href: "#sc-21" + rel: related + - href: "#sc-24" + rel: related + parts: + - id: sc-22_smt + name: statement + prose: Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal + and external role separation. + - id: sc-22_gdn + name: guidance + prose: Systems that provide name and address resolution services include + domain name system (DNS) servers. To eliminate single points of failure + in systems and enhance redundancy, organizations employ at least two + authoritative domain name system servers—one configured as the primary + server and the other configured as the secondary server. Additionally, + organizations typically deploy the servers in two geographically separated + network subnetworks (i.e., not located in the same physical facility). + For role separation, DNS servers with internal roles only process + name and address resolution requests from within organizations (i.e., + from internal clients). DNS servers with external roles only process + name and address resolution information requests from clients external + to organizations (i.e., on external networks, including the Internet). + Organizations specify clients that can access authoritative DNS servers + in certain roles (e.g., by address ranges and explicit lists). + - id: sc-22_obj + name: assessment-objective + props: + - name: label + value: SC-22 + class: sp800-53a + parts: + - id: sc-22_obj-1 + name: assessment-objective + props: + - name: label + value: SC-22[01] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization are fault-tolerant; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-2 + name: assessment-objective + props: + - name: label + value: SC-22[02] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement internal role separation; + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_obj-3 + name: assessment-objective + props: + - name: label + value: SC-22[03] + class: sp800-53a + prose: the systems that collectively provide name/address resolution + services for an organization implement external role separation. + links: + - href: "#sc-22_smt" + rel: assessment-for + links: + - href: "#sc-22_smt" + rel: assessment-for + - id: sc-22_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-22-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing architecture and provisioning for name/address + resolution services + + + access control policy and procedures + + + system design documentation + + + assessment results from independent testing organizations + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-22_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-22-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel with responsibilities for managing DNS + - id: sc-22_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-22-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing name/address resolution + services for fault tolerance and role separation + - id: sc-23 + class: SP800-53 + title: Session Authenticity + props: + - name: label + value: SC-23 + - name: label + value: SC-23 + class: sp800-53a + - name: sort-id + value: sc-23 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#7537638e-2837-407d-844b-40fb3fafdd99" + rel: reference + - href: "#d4d7c760-2907-403b-8b2a-767ca5370ecd" + rel: reference + - href: "#a6b9907a-2a14-4bb4-a142-d4c73026a8b4" + rel: reference + - href: "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4" + rel: reference + - href: "#au-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-10" + rel: related + - href: "#sc-11" + rel: related + parts: + - id: sc-23_smt + name: statement + prose: Protect the authenticity of communications sessions. + - id: sc-23_gdn + name: guidance + prose: Protecting session authenticity addresses communications protection + at the session level, not at the packet level. Such protection establishes + grounds for confidence at both ends of communications sessions in + the ongoing identities of other parties and the validity of transmitted + information. Authenticity protection includes protecting against "man-in-the-middle" + attacks, session hijacking, and the insertion of false information + into sessions. + - id: sc-23_obj + name: assessment-objective + props: + - name: label + value: SC-23 + class: sp800-53a + prose: the authenticity of communication sessions is protected. + links: + - href: "#sc-23_smt" + rel: assessment-for + - id: sc-23_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-23-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing session authenticity + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-23_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-23-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + - id: sc-23_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-23-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing session authenticity + - id: sc-28 + class: SP800-53 + title: Protection of Information at Rest + params: + - id: sc-28_odp.01 + constraints: + - description: confidentiality AND integrity + select: + how-many: one-or-more + choice: + - confidentiality + - integrity + - id: sc-28_odp.02 + label: information at rest + guidelines: + - prose: information at rest requiring protection is defined; + props: + - name: label + value: SC-28 + - name: label + value: SC-28 + class: sp800-53a + - name: sort-id + value: sc-28 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e" + rel: reference + - href: "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75" + rel: reference + - href: "#eef62b16-c796-4554-955c-505824135b8a" + rel: reference + - href: "#110e26af-4765-49e1-8740-6750f83fcda1" + rel: reference + - href: "#e7942589-e267-4a5a-a3d9-f39a7aae81f0" + rel: reference + - href: "#8306620b-1920-4d73-8b21-12008528595f" + rel: reference + - href: "#22f2d4f0-4365-4e88-a30d-275c1f5473ea" + rel: reference + - href: "#0f66be67-85e7-4ca6-bd19-39453e9f4394" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-19" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cp-9" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-5" + rel: related + - href: "#pe-3" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-34" + rel: related + - href: "#si-3" + rel: related + - href: "#si-7" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-28_smt + name: statement + prose: "Protect the {{ insert: param, sc-28_odp.01 }} of the following\ + \ information at rest: {{ insert: param, sc-28_odp.02 }}." + parts: + - id: sc-28_fr + name: item + title: SC-28 Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: The organization supports the capability to use cryptographic + mechanisms to protect information at rest. + - id: sc-28_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "When leveraging encryption from underlying IaaS/PaaS:\ + \ While some IaaS/PaaS services provide encryption by default,\ + \ many require encryption to be configured, and enabled by\ + \ the customer. The CSP has the responsibility to verify encryption\ + \ is properly configured." + - id: sc-28_fr_gdn.3 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Note that this enhancement requires the use of cryptography + in accordance with SC-13. + - id: sc-28_gdn + name: guidance + prose: Information at rest refers to the state of information when it + is not in process or in transit and is located on system components. + Such components include internal or external hard disk drives, storage + area network devices, or databases. However, the focus of protecting + information at rest is not on the type of storage device or frequency + of access but rather on the state of the information. Information + at rest addresses the confidentiality and integrity of information + and covers user information and system information. System-related + information that requires protection includes configurations or rule + sets for firewalls, intrusion detection and prevention systems, filtering + routers, and authentication information. Organizations may employ + different mechanisms to achieve confidentiality and integrity protections, + including the use of cryptographic mechanisms and file share scanning. + Integrity protection can be achieved, for example, by implementing + write-once-read-many (WORM) technologies. When adequate protection + of information at rest cannot otherwise be achieved, organizations + may employ other controls, including frequent scanning to identify + malicious code at rest and secure offline storage in lieu of online + storage. + - id: sc-28_obj + name: assessment-objective + props: + - name: label + value: SC-28 + class: sp800-53a + prose: "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02\ + \ }} is/are protected." + links: + - href: "#sc-28_smt" + rel: assessment-for + - id: sc-28_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + list of information at rest requiring confidentiality and integrity + protections + + + system security plan + + + other relevant documents or records + - id: sc-28_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing confidentiality + and integrity protections for information at rest + controls: + - id: sc-28.1 + class: SP800-53-enhancement + title: Cryptographic Protection + params: + - id: sc-28.01_odp.01 + label: information + guidelines: + - prose: information requiring cryptographic protection is defined; + - id: sc-28.01_odp.02 + label: system components or media + constraints: + - description: all information system components storing Federal + data or system data that must be protected at the High or + Moderate impact levels + guidelines: + - prose: system components or media requiring cryptographic protection + is/are defined; + props: + - name: label + value: SC-28(1) + - name: label + value: SC-28(01) + class: sp800-53a + - name: sort-id + value: sc-28.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-28" + rel: required + - href: "#ac-19" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + parts: + - id: sc-28.1_smt + name: statement + prose: "Implement cryptographic mechanisms to prevent unauthorized\ + \ disclosure and modification of the following information at\ + \ rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param,\ + \ sc-28.01_odp.01 }}." + parts: + - id: sc-28.1_fr + name: item + title: SC-28 (1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-28.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + Organizations should select a mode of protection + that is targeted towards the relevant threat + scenarios. + + + Examples: + + + A. Organizations may apply full disk encryption (FDE) + to a mobile device where the primary threat is loss of + the device while storage is locked. + + + B. For a database application housing data for a single + customer, encryption at the file system level would often + provide more protection than FDE against the more likely + threat of an intruder on the operating system accessing + the storage. + + + C. For a database application housing data for multiple + customers, encryption with unique keys for each customer + at the database record level may be more appropriate. + - id: sc-28.1_gdn + name: guidance + prose: The selection of cryptographic mechanisms is based on the + need to protect the confidentiality and integrity of organizational + information. The strength of mechanism is commensurate with the + security category or classification of the information. Organizations + have the flexibility to encrypt information on system components + or media or encrypt data structures, including files, records, + or fields. + - id: sc-28.1_obj + name: assessment-objective + props: + - name: label + value: SC-28(01) + class: sp800-53a + parts: + - id: sc-28.1_obj-1 + name: assessment-objective + props: + - name: label + value: SC-28(01)[01] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized disclosure of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }};" + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_obj-2 + name: assessment-objective + props: + - name: label + value: SC-28(01)[02] + class: sp800-53a + prose: "cryptographic mechanisms are implemented to prevent\ + \ unauthorized modification of {{ insert: param, sc-28.01_odp.01\ + \ }} at rest on {{ insert: param, sc-28.01_odp.02 }}." + links: + - href: "#sc-28.1_smt" + rel: assessment-for + links: + - href: "#sc-28.1_smt" + rel: assessment-for + - id: sc-28.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-28(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing the protection of information at rest + + + system design documentation + + + system configuration settings and associated documentation + + + cryptographic mechanisms and associated configuration documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-28.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-28(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + system developer + - id: sc-28.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-28(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Cryptographic mechanisms implementing confidentiality + and integrity protections for information at rest + - id: sc-39 + class: SP800-53 + title: Process Isolation + props: + - name: label + value: SC-39 + - name: label + value: SC-39 + class: sp800-53a + - name: sort-id + value: sc-39 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-6" + rel: related + - href: "#ac-25" + rel: related + - href: "#sa-8" + rel: related + - href: "#sc-2" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-16" + rel: related + parts: + - id: sc-39_smt + name: statement + prose: Maintain a separate execution domain for each executing system + process. + - id: sc-39_gdn + name: guidance + prose: Systems can maintain separate execution domains for each executing + process by assigning each process a separate address space. Each system + process has a distinct address space so that communication between + processes is performed in a manner controlled through the security + functions, and one process cannot modify the executing code of another + process. Maintaining separate execution domains for executing processes + can be achieved, for example, by implementing separate address spaces. + Process isolation technologies, including sandboxing or virtualization, + logically separate software and firmware from other software, firmware, + and data. Process isolation helps limit the access of potentially + untrusted software to other system resources. The capability to maintain + separate execution domains is available in commercial operating systems + that employ multi-state processor technologies. + - id: sc-39_obj + name: assessment-objective + props: + - name: label + value: SC-39 + class: sp800-53a + prose: a separate execution domain is maintained for each executing + system process. + links: + - href: "#sc-39_smt" + rel: assessment-for + - id: sc-39_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-39-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System design documentation + + system architecture + + independent verification and validation documentation + + testing and evaluation documentation + + other relevant documents or records + - id: sc-39_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-39-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System developers/integrators + + system security architect + - id: sc-39_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-39-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing separate execution + domains for each executing process + - id: sc-45 + class: SP800-53 + title: System Time Synchronization + props: + - name: label + value: SC-45 + - name: label + value: SC-45 + class: sp800-53a + - name: sort-id + value: sc-45 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#e4d37285-1e79-4029-8b6a-42df39cace30" + rel: reference + - href: "#ac-3" + rel: related + - href: "#au-8" + rel: related + - href: "#ia-2" + rel: related + - href: "#ia-8" + rel: related + parts: + - id: sc-45_smt + name: statement + prose: Synchronize system clocks within and between systems and system + components. + - id: sc-45_gdn + name: guidance + prose: Time synchronization of system clocks is essential for the correct + execution of many system services, including identification and authentication + processes that involve certificates and time-of-day restrictions as + part of access control. Denial of service or failure to deny expired + credentials may result without properly synchronized clocks within + and between systems and system components. Time is commonly expressed + in Coordinated Universal Time (UTC), a modern continuation of Greenwich + Mean Time (GMT), or local time with an offset from UTC. The granularity + of time measurements refers to the degree of synchronization between + system clocks and reference clocks, such as clocks synchronizing within + hundreds of milliseconds or tens of milliseconds. Organizations may + define different time granularities for system components. Time service + can be critical to other security capabilities—such as access control + and identification and authentication—depending on the nature of the + mechanisms used to support the capabilities. + - id: sc-45_obj + name: assessment-objective + props: + - name: label + value: SC-45 + class: sp800-53a + prose: system clocks are synchronized within and between systems and + system components. + links: + - href: "#sc-45_smt" + rel: assessment-for + - id: sc-45_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-45-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and communications protection policy + + procedures addressing time synchronization + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: sc-45_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-45-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + - id: sc-45_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-45-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing system time synchronization + controls: + - id: sc-45.1 + class: SP800-53-enhancement + title: Synchronization with Authoritative Time Source + params: + - id: sc-45.01_odp.01 + label: frequency + constraints: + - description: At least hourly + guidelines: + - prose: the frequency at which to compare the internal system + clocks with the authoritative time source is defined; + - id: sc-45.01_odp.02 + label: authoritative time source + constraints: + - description: http://tf.nist.gov/tf-cgi/servers.cgi + guidelines: + - prose: the authoritative time source to which internal system + clocks are to be compared is defined; + - id: sc-45.01_odp.03 + label: time period + constraints: + - description: any difference + guidelines: + - prose: the time period to compare the internal system clocks + with the authoritative time source is defined; + props: + - name: label + value: SC-45(1) + - name: label + value: SC-45(01) + class: sp800-53a + - name: sort-id + value: sc-45.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#sc-45" + rel: required + parts: + - id: sc-45.1_smt + name: statement + parts: + - id: sc-45.1_smt.a + name: item + props: + - name: label + value: (a) + prose: "Compare the internal system clocks {{ insert: param,\ + \ sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02\ + \ }} ; and" + - id: sc-45.1_smt.b + name: item + props: + - name: label + value: (b) + prose: "Synchronize the internal system clocks to the authoritative\ + \ time source when the time difference is greater than {{\ + \ insert: param, sc-45.01_odp.03 }}." + - id: sc-45.1_fr + name: item + title: SC-45(1) Additional FedRAMP Requirements and Guidance + parts: + - id: sc-45.1_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider selects primary and secondary + time servers used by the NIST Internet time service. The + secondary server is selected from a different geographic + region than the primary server. + - id: sc-45.1_fr_smt.2 + name: item + props: + - name: label + value: "Requirement:" + prose: The service provider synchronizes the system clocks + of network computers that run operating systems other + than Windows to the Windows Server Domain Controller emulator + or to the same time source for that server. + - id: sc-45.1_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: Synchronization of system clocks improves the accuracy + of log analysis. + - id: sc-45.1_gdn + name: guidance + prose: Synchronization of internal system clocks with an authoritative + source provides uniformity of time stamps for systems with multiple + system clocks and systems connected over a network. + - id: sc-45.1_obj + name: assessment-objective + props: + - name: label + value: SC-45(01) + class: sp800-53a + parts: + - id: sc-45.1_obj.a + name: assessment-objective + props: + - name: label + value: SC-45(01)(a) + class: sp800-53a + prose: "the internal system clocks are compared {{ insert: param,\ + \ sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02\ + \ }};" + links: + - href: "#sc-45.1_smt.a" + rel: assessment-for + - id: sc-45.1_obj.b + name: assessment-objective + props: + - name: label + value: SC-45(01)(b) + class: sp800-53a + prose: "the internal system clocks are synchronized with the\ + \ authoritative time source when the time difference is greater\ + \ than {{ insert: param, sc-45.01_odp.03 }}." + links: + - href: "#sc-45.1_smt.b" + rel: assessment-for + links: + - href: "#sc-45.1_smt" + rel: assessment-for + - id: sc-45.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SC-45(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and communications protection policy + + + procedures addressing time synchronization + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: sc-45.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SC-45(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + - id: sc-45.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SC-45(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing system time + synchronization + - id: si + class: family + title: System and Information Integrity + controls: + - id: si-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: si-1_prm_1 + label: organization-defined personnel or roles + - id: si-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + policy is to be disseminated is/are defined; + - id: si-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom the system and information integrity + procedures are to be disseminated is/are defined; + - id: si-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: si-01_odp.04 + label: official + guidelines: + - prose: an official to manage the system and information integrity + policy and procedures is defined; + - id: si-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current system and information + integrity policy is reviewed and updated is defined; + - id: si-01_odp.06 + label: events + guidelines: + - prose: events that would require the current system and information + integrity policy to be reviewed and updated are defined; + - id: si-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current system and information + integrity procedures are reviewed and updated is defined; + - id: si-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that would require the system and information integrity + procedures to be reviewed and updated are defined; + props: + - name: label + value: SI-1 + - name: label + value: SI-01 + class: sp800-53a + - name: sort-id + value: si-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#pm-9" + rel: related + - href: "#ps-8" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: si-1_smt + name: statement + parts: + - id: si-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ si-1_prm_1 }}:" + parts: + - id: si-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, si-01_odp.03 }} system and information\ + \ integrity policy that:" + parts: + - id: si-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: si-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: si-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the system + and information integrity policy and the associated system + and information integrity controls; + - id: si-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, si-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures; and" + - id: si-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current system and information integrity:" + parts: + - id: si-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, si-01_odp.05 }} and following\ + \ {{ insert: param, si-01_odp.06 }} ; and" + - id: si-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, si-01_odp.07 }} and following\ + \ {{ insert: param, si-01_odp.08 }}." + - id: si-1_gdn + name: guidance + prose: System and information integrity policy and procedures address + the controls in the SI family that are implemented within systems + and organizations. The risk management strategy is an important factor + in establishing such policies and procedures. Policies and procedures + contribute to security and privacy assurance. Therefore, it is important + that security and privacy programs collaborate on the development + of system and information integrity policy and procedures. Security + and privacy program policies and procedures at the organization level + are preferable, in general, and may obviate the need for mission- + or system-specific policies and procedures. The policy can be included + as part of the general security and privacy policy or be represented + by multiple policies that reflect the complex nature of organizations. + Procedures can be established for security and privacy programs, for + mission or business processes, and for systems, if needed. Procedures + describe how the policies or controls are implemented and can be directed + at the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + system and information integrity policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: si-1_obj + name: assessment-objective + props: + - name: label + value: SI-01 + class: sp800-53a + parts: + - id: si-1_obj.a + name: assessment-objective + props: + - name: label + value: SI-01a. + class: sp800-53a + parts: + - id: si-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.[01] + class: sp800-53a + prose: a system and information integrity policy is developed + and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.[02] + class: sp800-53a + prose: "the system and information integrity policy is disseminated\ + \ to {{ insert: param, si-01_odp.01 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.[03] + class: sp800-53a + prose: system and information integrity procedures to facilitate + the implementation of the system and information integrity + policy and associated system and information integrity controls + are developed and documented; + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.[04] + class: sp800-53a + prose: "the system and information integrity procedures are\ + \ disseminated to {{ insert: param, si-01_odp.02 }};" + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-01a.01 + class: sp800-53a + parts: + - id: si-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SI-01a.01(a) + class: sp800-53a + parts: + - id: si-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses purpose;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses scope;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[03] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses roles;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses responsibilities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses management\ + \ commitment;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SI-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system\ + \ and information integrity policy addresses compliance;" + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#si-1_smt.a.1.a" + rel: assessment-for + - id: si-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SI-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.03 }} system and\ + \ information integrity policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#si-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#si-1_smt.a.1" + rel: assessment-for + links: + - href: "#si-1_smt.a" + rel: assessment-for + - id: si-1_obj.b + name: assessment-objective + props: + - name: label + value: SI-01b. + class: sp800-53a + prose: "the {{ insert: param, si-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the system\ + \ and information integrity policy and procedures;" + links: + - href: "#si-1_smt.b" + rel: assessment-for + - id: si-1_obj.c + name: assessment-objective + props: + - name: label + value: SI-01c. + class: sp800-53a + parts: + - id: si-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-01c.01 + class: sp800-53a + parts: + - id: si-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-01c.01[01] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated {{ insert: param, si-01_odp.05\ + \ }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-01c.01[02] + class: sp800-53a + prose: "the current system and information integrity policy\ + \ is reviewed and updated following {{ insert: param,\ + \ si-01_odp.06 }};" + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + links: + - href: "#si-1_smt.c.1" + rel: assessment-for + - id: si-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-01c.02 + class: sp800-53a + parts: + - id: si-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-01c.02[01] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated {{ insert: param, si-01_odp.07\ + \ }};" + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + - id: si-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-01c.02[02] + class: sp800-53a + prose: "the current system and information integrity procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ si-01_odp.08 }}." + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c.2" + rel: assessment-for + links: + - href: "#si-1_smt.c" + rel: assessment-for + links: + - href: "#si-1_smt" + rel: assessment-for + - id: si-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and information integrity policy + + system and information integrity procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: si-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and information + integrity responsibilities + + + organizational personnel with information security and privacy + responsibilities + - id: si-2 + class: SP800-53 + title: Flaw Remediation + params: + - id: si-02_odp + label: time period + constraints: + - description: within thirty (30) days of release of updates + guidelines: + - prose: time period within which to install security-relevant software + updates after the release of the updates is defined; + props: + - name: label + value: SI-2 + - name: label + value: SI-02 + class: sp800-53a + - name: sort-id + value: si-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#20db4e66-e257-450c-b2e4-2bb9a62a2c88" + rel: reference + - href: "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c" + rel: reference + - href: "#ca-5" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-2" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-11" + rel: related + - href: "#si-3" + rel: related + - href: "#si-5" + rel: related + - href: "#si-7" + rel: related + - href: "#si-11" + rel: related + parts: + - id: si-2_smt + name: statement + parts: + - id: si-2_smt.a + name: item + props: + - name: label + value: a. + prose: Identify, report, and correct system flaws; + - id: si-2_smt.b + name: item + props: + - name: label + value: b. + prose: Test software and firmware updates related to flaw remediation + for effectiveness and potential side effects before installation; + - id: si-2_smt.c + name: item + props: + - name: label + value: c. + prose: "Install security-relevant software and firmware updates\ + \ within {{ insert: param, si-02_odp }} of the release of the\ + \ updates; and" + - id: si-2_smt.d + name: item + props: + - name: label + value: d. + prose: Incorporate flaw remediation into the organizational configuration + management process. + - id: si-2_gdn + name: guidance + prose: >- + The need to remediate system flaws applies to all types of + software and firmware. Organizations identify systems affected + by software flaws, including potential vulnerabilities resulting + from those flaws, and report this information to designated + organizational personnel with information security and privacy + responsibilities. Security-relevant updates include patches, + service packs, and malicious code signatures. Organizations also + address flaws discovered during assessments, continuous + monitoring, incident response activities, and system error + handling. By incorporating flaw remediation into configuration + management processes, required remediation actions can be + tracked and verified. + + + Organization-defined time periods for updating security-relevant software + and firmware may vary based on a variety of risk factors, including + the security category of the system, the criticality of the update + (i.e., severity of the vulnerability related to the discovered flaw), + the organizational risk tolerance, the mission supported by the system, + or the threat environment. Some types of flaw remediation may require + more testing than other types. Organizations determine the type of + testing needed for the specific type of flaw remediation activity + under consideration and the types of changes that are to be configuration-managed. + In some situations, organizations may determine that the testing of + software or firmware updates is not necessary or practical, such as + when implementing simple malicious code signature updates. In testing + decisions, organizations consider whether security-relevant software + or firmware updates are obtained from authorized sources with appropriate + digital signatures. + - id: si-2_obj + name: assessment-objective + props: + - name: label + value: SI-02 + class: sp800-53a + parts: + - id: si-2_obj.a + name: assessment-objective + props: + - name: label + value: SI-02a. + class: sp800-53a + parts: + - id: si-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-02a.[01] + class: sp800-53a + prose: system flaws are identified; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-02a.[02] + class: sp800-53a + prose: system flaws are reported; + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-02a.[03] + class: sp800-53a + prose: system flaws are corrected; + links: + - href: "#si-2_smt.a" + rel: assessment-for + links: + - href: "#si-2_smt.a" + rel: assessment-for + - id: si-2_obj.b + name: assessment-objective + props: + - name: label + value: SI-02b. + class: sp800-53a + parts: + - id: si-2_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-02b.[01] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-02b.[02] + class: sp800-53a + prose: software updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-02b.[03] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for effectiveness before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.b-4 + name: assessment-objective + props: + - name: label + value: SI-02b.[04] + class: sp800-53a + prose: firmware updates related to flaw remediation are tested + for potential side effects before installation; + links: + - href: "#si-2_smt.b" + rel: assessment-for + links: + - href: "#si-2_smt.b" + rel: assessment-for + - id: si-2_obj.c + name: assessment-objective + props: + - name: label + value: SI-02c. + class: sp800-53a + parts: + - id: si-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-02c.[01] + class: sp800-53a + prose: "security-relevant software updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-02c.[02] + class: sp800-53a + prose: "security-relevant firmware updates are installed within\ + \ {{ insert: param, si-02_odp }} of the release of the updates;" + links: + - href: "#si-2_smt.c" + rel: assessment-for + links: + - href: "#si-2_smt.c" + rel: assessment-for + - id: si-2_obj.d + name: assessment-objective + props: + - name: label + value: SI-02d. + class: sp800-53a + prose: flaw remediation is incorporated into the organizational + configuration management process. + links: + - href: "#si-2_smt.d" + rel: assessment-for + links: + - href: "#si-2_smt" + rel: assessment-for + - id: si-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + procedures addressing configuration management + + + list of flaws and vulnerabilities potentially affecting the system + + + list of recent security flaw remediation actions performed on + the system (e.g., list of installed patches, service packs, hot + fixes, and other software updates to correct system flaws) + + + test results from the installation of software and firmware updates + to correct system flaws + + + installation/change control records for security-relevant software + and firmware updates + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel responsible for installing, configuring, + and/or maintaining the system + + + organizational personnel responsible for flaw remediation + + + organizational personnel with configuration management responsibilities + - id: si-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + organizational process for installing software and firmware updates + + + mechanisms supporting and/or implementing the reporting and correcting + of system flaws + + + mechanisms supporting and/or implementing testing software and + firmware updates + controls: + - id: si-2.2 + class: SP800-53-enhancement + title: Automated Flaw Remediation Status + params: + - id: si-02.02_odp.01 + label: automated mechanisms + guidelines: + - prose: automated mechanisms to determine if applicable security-relevant + software and firmware updates are installed on system components + are defined; + - id: si-02.02_odp.02 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: the frequency at which to determine if applicable security-relevant + software and firmware updates are installed on system components + is defined; + props: + - name: label + value: SI-2(2) + - name: label + value: SI-02(02) + class: sp800-53a + - name: sort-id + value: si-02.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#si-2" + rel: required + - href: "#ca-7" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-2.2_smt + name: statement + prose: "Determine if system components have applicable security-relevant\ + \ software and firmware updates installed using {{ insert: param,\ + \ si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}." + - id: si-2.2_gdn + name: guidance + prose: Automated mechanisms can track and determine the status of + known flaws for system components. + - id: si-2.2_obj + name: assessment-objective + props: + - name: label + value: SI-02(02) + class: sp800-53a + prose: "system components have applicable security-relevant software\ + \ and firmware updates installed {{ insert: param, si-02.02_odp.02\ + \ }} using {{ insert: param, si-02.02_odp.01 }}." + links: + - href: "#si-2.2_smt" + rel: assessment-for + - id: si-2.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + automated mechanisms supporting centralized management of + flaw remediation + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-2.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for flaw remediation + - id: si-2.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms used to determine the state of system + components with regard to flaw remediation + - id: si-2.3 + class: SP800-53-enhancement + title: Time to Remediate Flaws and Benchmarks for Corrective Actions + params: + - id: si-02.03_odp + label: benchmarks + guidelines: + - prose: the benchmarks for taking corrective actions are defined; + props: + - name: label + value: SI-2(3) + - name: label + value: SI-02(03) + class: sp800-53a + - name: sort-id + value: si-02.03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#si-2" + rel: required + parts: + - id: si-2.3_smt + name: statement + parts: + - id: si-2.3_smt.a + name: item + props: + - name: label + value: (a) + prose: Measure the time between flaw identification and flaw + remediation; and + - id: si-2.3_smt.b + name: item + props: + - name: label + value: (b) + prose: "Establish the following benchmarks for taking corrective\ + \ actions: {{ insert: param, si-02.03_odp }}." + - id: si-2.3_gdn + name: guidance + prose: Organizations determine the time it takes on average to correct + system flaws after such flaws have been identified and subsequently + establish organizational benchmarks (i.e., time frames) for taking + corrective actions. Benchmarks can be established by the type + of flaw or the severity of the potential vulnerability if the + flaw can be exploited. + - id: si-2.3_obj + name: assessment-objective + props: + - name: label + value: SI-02(03) + class: sp800-53a + parts: + - id: si-2.3_obj.a + name: assessment-objective + props: + - name: label + value: SI-02(03)(a) + class: sp800-53a + prose: the time between flaw identification and flaw remediation + is measured; + links: + - href: "#si-2.3_smt.a" + rel: assessment-for + - id: si-2.3_obj.b + name: assessment-objective + props: + - name: label + value: SI-02(03)(b) + class: sp800-53a + prose: " {{ insert: param, si-02.03_odp }} for taking corrective\ + \ actions have been established." + links: + - href: "#si-2.3_smt.b" + rel: assessment-for + links: + - href: "#si-2.3_smt" + rel: assessment-for + - id: si-2.3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-02(03)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing flaw remediation + + + system design documentation + + + system configuration settings and associated documentation + + + list of benchmarks for taking corrective action on identified + flaws + + + records that provide timestamps of flaw identification and + subsequent flaw remediation activities + + + system security plan + + + other relevant documents or records + - id: si-2.3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-02(03)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for flaw remediation + - id: si-2.3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-02(03)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for identifying, reporting, and + correcting system flaws + + + mechanisms used to measure the time between flaw identification + and flaw remediation + - id: si-3 + class: SP800-53 + title: Malicious Code Protection + params: + - id: si-03_odp.01 + constraints: + - description: signature based and non-signature based + select: + how-many: one-or-more + choice: + - signature-based + - non-signature-based + - id: si-03_odp.02 + label: frequency + constraints: + - description: at least weekly + guidelines: + - prose: the frequency at which malicious code protection mechanisms + perform scans is defined; + - id: si-03_odp.03 + constraints: + - description: to include endpoints and network entry and exit points + select: + how-many: one-or-more + choice: + - endpoint + - network entry and exit points + - id: si-03_odp.04 + constraints: + - description: to include blocking and quarantining malicious code + select: + how-many: one-or-more + choice: + - block malicious code + - quarantine malicious code + - "take {{ insert: param, si-03_odp.05 }} " + - id: si-03_odp.05 + label: action + constraints: + - description: administrator or defined security personnel near-realtime + guidelines: + - prose: action to be taken in response to malicious code detection + are defined (if selected); + - id: si-03_odp.06 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when malicious code is detected + is/are defined; + props: + - name: label + value: SI-3 + - name: label + value: SI-03 + class: sp800-53a + - name: sort-id + value: si-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#88660532-2dcf-442e-845c-03340ce48999" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#ac-4" + rel: related + - href: "#ac-19" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-8" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#ra-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-23" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-44" + rel: related + - href: "#si-2" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#si-8" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-3_smt + name: statement + parts: + - id: si-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Implement {{ insert: param, si-03_odp.01 }} malicious code\ + \ protection mechanisms at system entry and exit points to detect\ + \ and eradicate malicious code;" + - id: si-3_smt.b + name: item + props: + - name: label + value: b. + prose: Automatically update malicious code protection mechanisms + as new releases are available in accordance with organizational + configuration management policy and procedures; + - id: si-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Configure malicious code protection mechanisms to:" + parts: + - id: si-3_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }} and real-time scans of files from external\ + \ sources at {{ insert: param, si-03_odp.03 }} as the files\ + \ are downloaded, opened, or executed in accordance with organizational\ + \ policy; and" + - id: si-3_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: " {{ insert: param, si-03_odp.04 }} ; and send alert\ + \ to {{ insert: param, si-03_odp.06 }} in response to malicious\ + \ code detection; and" + - id: si-3_smt.d + name: item + props: + - name: label + value: d. + prose: Address the receipt of false positives during malicious code + detection and eradication and the resulting potential impact on + the availability of the system. + - id: si-3_gdn + name: guidance + prose: >- + System entry and exit points include firewalls, remote access + servers, workstations, electronic mail servers, web servers, + proxy servers, notebook computers, and mobile devices. Malicious + code includes viruses, worms, Trojan horses, and spyware. + Malicious code can also be encoded in various formats contained + within compressed or hidden files or hidden in files using + techniques such as steganography. Malicious code can be inserted + into systems in a variety of ways, including by electronic mail, + the world-wide web, and portable storage devices. Malicious code + insertions occur through the exploitation of system + vulnerabilities. A variety of technologies and methods exist to + limit or eliminate the effects of malicious code. + + + Malicious code protection mechanisms include both signature- and nonsignature-based + technologies. Nonsignature-based detection mechanisms include artificial + intelligence techniques that use heuristics to detect, analyze, and + describe the characteristics or behavior of malicious code and to + provide controls against such code for which signatures do not yet + exist or for which existing signatures may not be effective. Malicious + code for which active signatures do not yet exist or may be ineffective + includes polymorphic malicious code (i.e., code that changes signatures + when it replicates). Nonsignature-based mechanisms also include reputation-based + technologies. In addition to the above technologies, pervasive configuration + management, comprehensive software integrity controls, and anti-exploitation + software may be effective in preventing the execution of unauthorized + code. Malicious code may be present in commercial off-the-shelf software + as well as custom-built software and could include logic bombs, backdoors, + and other types of attacks that could affect organizational mission + and business functions. + + + In situations where malicious code cannot be detected by detection + methods or technologies, organizations rely on other types of controls, + including secure coding practices, configuration management and control, + trusted procurement processes, and monitoring practices to ensure + that software does not perform functions other than the functions + intended. Organizations may determine that, in response to the detection + of malicious code, different actions may be warranted. For example, + organizations can define actions in response to malicious code detection + during periodic scans, the detection of malicious downloads, or the + detection of maliciousness when attempting to open or execute files. + - id: si-3_obj + name: assessment-objective + props: + - name: label + value: SI-03 + class: sp800-53a + parts: + - id: si-3_obj.a + name: assessment-objective + props: + - name: label + value: SI-03a. + class: sp800-53a + parts: + - id: si-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-03a.[01] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to detect malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-03a.[02] + class: sp800-53a + prose: " {{ insert: param, si-03_odp.01 }} malicious code protection\ + \ mechanisms are implemented at system entry and exit points\ + \ to eradicate malicious code;" + links: + - href: "#si-3_smt.a" + rel: assessment-for + links: + - href: "#si-3_smt.a" + rel: assessment-for + - id: si-3_obj.b + name: assessment-objective + props: + - name: label + value: SI-03b. + class: sp800-53a + prose: malicious code protection mechanisms are updated automatically + as new releases are available in accordance with organizational + configuration management policy and procedures; + links: + - href: "#si-3_smt.b" + rel: assessment-for + - id: si-3_obj.c + name: assessment-objective + props: + - name: label + value: SI-03c. + class: sp800-53a + parts: + - id: si-3_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-03c.01 + class: sp800-53a + parts: + - id: si-3_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SI-03c.01[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform periodic scans of the system {{ insert: param,\ + \ si-03_odp.02 }};" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SI-03c.01[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to perform real-time scans of files from external sources\ + \ at {{ insert: param, si-03_odp.03 }} as the files are\ + \ downloaded, opened, or executed in accordance with organizational\ + \ policy;" + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + links: + - href: "#si-3_smt.c.1" + rel: assessment-for + - id: si-3_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-03c.02 + class: sp800-53a + parts: + - id: si-3_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SI-03c.02[01] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to {{ insert: param, si-03_odp.04 }} in response to\ + \ malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + - id: si-3_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SI-03c.02[02] + class: sp800-53a + prose: "malicious code protection mechanisms are configured\ + \ to send alerts to {{ insert: param, si-03_odp.06 }}\ + \ in response to malicious code detection;" + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c.2" + rel: assessment-for + links: + - href: "#si-3_smt.c" + rel: assessment-for + - id: si-3_obj.d + name: assessment-objective + props: + - name: label + value: SI-03d. + class: sp800-53a + prose: the receipt of false positives during malicious code detection + and eradication and the resulting potential impact on the availability + of the system are addressed. + links: + - href: "#si-3_smt.d" + rel: assessment-for + links: + - href: "#si-3_smt" + rel: assessment-for + - id: si-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + configuration management policy and procedures + + + procedures addressing malicious code protection + + + malicious code protection mechanisms + + + records of malicious code protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + scan results from malicious code protection mechanisms + + + record of actions initiated by malicious code protection mechanisms + in response to malicious code detection + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for malicious code protection + + + organizational personnel with configuration management responsibilities + - id: si-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for employing, updating, and + configuring malicious code protection mechanisms + + + organizational processes for addressing false positives and resulting + potential impacts + + + mechanisms supporting and/or implementing, employing, updating, + and configuring malicious code protection mechanisms + + + mechanisms supporting and/or implementing malicious code scanning + and subsequent actions + - id: si-4 + class: SP800-53 + title: System Monitoring + params: + - id: si-04_odp.01 + label: monitoring objectives + guidelines: + - prose: monitoring objectives to detect attacks and indicators of + potential attacks on the system are defined; + - id: si-04_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods used to identify unauthorized use + of the system are defined; + - id: si-04_odp.03 + label: system monitoring information + guidelines: + - prose: system monitoring information to be provided to personnel + or roles is defined; + - id: si-04_odp.04 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom system monitoring information + is to be provided is/are defined; + - id: si-04_odp.05 + select: + how-many: one-or-more + choice: + - as needed + - " {{ insert: param, si-04_odp.06 }} " + - id: si-04_odp.06 + label: frequency + guidelines: + - prose: a frequency for providing system monitoring to personnel + or roles is defined (if selected); + props: + - name: label + value: SI-4 + - name: label + value: SI-04 + class: sp800-53a + - name: sort-id + value: si-04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb" + rel: reference + - href: "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff" + rel: reference + - href: "#5eee45d8-3313-4fdc-8d54-1742092bbdd6" + rel: reference + - href: "#25e3e57b-dc2f-4934-af9b-050b020c6f0e" + rel: reference + - href: "#067223d8-1ec7-45c5-b21b-c848da6de8fb" + rel: reference + - href: "#ac-2" + rel: related + - href: "#ac-3" + rel: related + - href: "#ac-4" + rel: related + - href: "#ac-8" + rel: related + - href: "#ac-17" + rel: related + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#au-7" + rel: related + - href: "#au-9" + rel: related + - href: "#au-12" + rel: related + - href: "#au-13" + rel: related + - href: "#au-14" + rel: related + - href: "#ca-7" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-6" + rel: related + - href: "#cm-8" + rel: related + - href: "#cm-11" + rel: related + - href: "#ia-10" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#pl-9" + rel: related + - href: "#pm-12" + rel: related + - href: "#ra-5" + rel: related + - href: "#ra-10" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-18" + rel: related + - href: "#sc-26" + rel: related + - href: "#sc-31" + rel: related + - href: "#sc-35" + rel: related + - href: "#sc-36" + rel: related + - href: "#sc-37" + rel: related + - href: "#sc-43" + rel: related + - href: "#si-3" + rel: related + - href: "#si-6" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: si-4_smt + name: statement + parts: + - id: si-4_smt.a + name: item + props: + - name: label + value: a. + prose: "Monitor the system to detect:" + parts: + - id: si-4_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: "Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: {{ insert: param,\ + \ si-04_odp.01 }} ; and" + - id: si-4_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Unauthorized local, network, and remote connections; + - id: si-4_smt.b + name: item + props: + - name: label + value: b. + prose: "Identify unauthorized use of the system through the following\ + \ techniques and methods: {{ insert: param, si-04_odp.02 }};" + - id: si-4_smt.c + name: item + props: + - name: label + value: c. + prose: "Invoke internal monitoring capabilities or deploy monitoring\ + \ devices:" + parts: + - id: si-4_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: Strategically within the system to collect organization-determined + essential information; and + - id: si-4_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: At ad hoc locations within the system to track specific + types of transactions of interest to the organization; + - id: si-4_smt.d + name: item + props: + - name: label + value: d. + prose: Analyze detected events and anomalies; + - id: si-4_smt.e + name: item + props: + - name: label + value: e. + prose: Adjust the level of system monitoring activity when there + is a change in risk to organizational operations and assets, individuals, + other organizations, or the Nation; + - id: si-4_smt.f + name: item + props: + - name: label + value: f. + prose: Obtain legal opinion regarding system monitoring activities; + and + - id: si-4_smt.g + name: item + props: + - name: label + value: g. + prose: "Provide {{ insert: param, si-04_odp.03 }} to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + - id: si-4_fr + name: item + title: SI-4 Additional FedRAMP Requirements and Guidance + parts: + - id: si-4_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: See US-CERT Incident Response Reporting Guidelines. + - id: si-4_gdn + name: guidance + prose: >- + System monitoring includes external and internal monitoring. + External monitoring includes the observation of events occurring + at external interfaces to the system. Internal monitoring + includes the observation of events occurring within the system. + Organizations monitor systems by observing audit activities in + real time or by observing other system aspects such as access + patterns, characteristics of access, and other actions. The + monitoring objectives guide and inform the determination of the + events. System monitoring capabilities are achieved through a + variety of tools and techniques, including intrusion detection + and prevention systems, malicious code protection software, + scanning tools, audit record monitoring software, and network + monitoring software. + + + Depending on the security architecture, the distribution and configuration + of monitoring devices may impact throughput at key internal and external + boundaries as well as at other locations across a network due to the + introduction of network throughput latency. If throughput management + is needed, such devices are strategically located and deployed as + part of an established organization-wide security architecture. Strategic + locations for monitoring devices include selected perimeter locations + and near key servers and server farms that support critical applications. + Monitoring devices are typically employed at the managed interfaces + associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information + collected is a function of the organizational monitoring objectives + and the capability of systems to support such objectives. Specific + types of transactions of interest include Hypertext Transfer Protocol + (HTTP) traffic that bypasses HTTP proxies. System monitoring is an + integral part of organizational continuous monitoring and incident + response programs, and output from system monitoring serves as input + to those programs. System monitoring requirements, including the need + for specific types of system monitoring, may be referenced in other + controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), + [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), + [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), + [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), + [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) + ). Adjustments to levels of system monitoring are based on law enforcement + information, intelligence information, or other sources of information. + The legality of system monitoring activities is based on applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. + - id: si-4_obj + name: assessment-objective + props: + - name: label + value: SI-04 + class: sp800-53a + parts: + - id: si-4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04a. + class: sp800-53a + parts: + - id: si-4_obj.a.1 + name: assessment-objective + props: + - name: label + value: SI-04a.01 + class: sp800-53a + prose: "the system is monitored to detect attacks and indicators\ + \ of potential attacks in accordance with {{ insert: param,\ + \ si-04_odp.01 }};" + links: + - href: "#si-4_smt.a.1" + rel: assessment-for + - id: si-4_obj.a.2 + name: assessment-objective + props: + - name: label + value: SI-04a.02 + class: sp800-53a + parts: + - id: si-4_obj.a.2-1 + name: assessment-objective + props: + - name: label + value: SI-04a.02[01] + class: sp800-53a + prose: the system is monitored to detect unauthorized local + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-2 + name: assessment-objective + props: + - name: label + value: SI-04a.02[02] + class: sp800-53a + prose: the system is monitored to detect unauthorized network + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + - id: si-4_obj.a.2-3 + name: assessment-objective + props: + - name: label + value: SI-04a.02[03] + class: sp800-53a + prose: the system is monitored to detect unauthorized remote + connections; + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a.2" + rel: assessment-for + links: + - href: "#si-4_smt.a" + rel: assessment-for + - id: si-4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04b. + class: sp800-53a + prose: "unauthorized use of the system is identified through {{\ + \ insert: param, si-04_odp.02 }};" + links: + - href: "#si-4_smt.b" + rel: assessment-for + - id: si-4_obj.c + name: assessment-objective + props: + - name: label + value: SI-04c. + class: sp800-53a + parts: + - id: si-4_obj.c.1 + name: assessment-objective + props: + - name: label + value: SI-04c.01 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed strategically within the system to collect + organization-determined essential information; + links: + - href: "#si-4_smt.c.1" + rel: assessment-for + - id: si-4_obj.c.2 + name: assessment-objective + props: + - name: label + value: SI-04c.02 + class: sp800-53a + prose: internal monitoring capabilities are invoked or monitoring + devices are deployed at ad hoc locations within the system + to track specific types of transactions of interest to the + organization; + links: + - href: "#si-4_smt.c.2" + rel: assessment-for + links: + - href: "#si-4_smt.c" + rel: assessment-for + - id: si-4_obj.d + name: assessment-objective + props: + - name: label + value: SI-04d. + class: sp800-53a + parts: + - id: si-4_obj.d-1 + name: assessment-objective + props: + - name: label + value: SI-04d.[01] + class: sp800-53a + prose: detected events are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.d-2 + name: assessment-objective + props: + - name: label + value: SI-04d.[02] + class: sp800-53a + prose: detected anomalies are analyzed; + links: + - href: "#si-4_smt.d" + rel: assessment-for + links: + - href: "#si-4_smt.d" + rel: assessment-for + - id: si-4_obj.e + name: assessment-objective + props: + - name: label + value: SI-04e. + class: sp800-53a + prose: the level of system monitoring activity is adjusted when + there is a change in risk to organizational operations and assets, + individuals, other organizations, or the Nation; + links: + - href: "#si-4_smt.e" + rel: assessment-for + - id: si-4_obj.f + name: assessment-objective + props: + - name: label + value: SI-04f. + class: sp800-53a + prose: a legal opinion regarding system monitoring activities is + obtained; + links: + - href: "#si-4_smt.f" + rel: assessment-for + - id: si-4_obj.g + name: assessment-objective + props: + - name: label + value: SI-04g. + class: sp800-53a + prose: " {{ insert: param, si-04_odp.03 }} is provided to {{ insert:\ + \ param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." + links: + - href: "#si-4_smt.g" + rel: assessment-for + links: + - href: "#si-4_smt" + rel: assessment-for + - id: si-4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + continuous monitoring strategy + + + facility diagram/layout + + + system design documentation + + + system monitoring tools and techniques documentation + + + locations within the system where monitoring devices are deployed + + + system configuration settings and associated documentation + + + system security plan + + + other relevant documents or records + - id: si-4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + - id: si-4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring capabilities + controls: + - id: si-4.1 + class: SP800-53-enhancement + title: System-wide Intrusion Detection System + props: + - name: label + value: SI-4(1) + - name: label + value: SI-04(01) + class: sp800-53a + - name: sort-id + value: si-04.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.1_smt + name: statement + prose: Connect and configure individual intrusion detection tools + into a system-wide intrusion detection system. + - id: si-4.1_gdn + name: guidance + prose: Linking individual intrusion detection tools into a system-wide + intrusion detection system provides additional coverage and effective + detection capabilities. The information contained in one intrusion + detection tool can be shared widely across the organization, making + the system-wide detection capability more robust and powerful. + - id: si-4.1_obj + name: assessment-objective + props: + - name: label + value: SI-04(01) + class: sp800-53a + parts: + - id: si-4.1_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(01)[01] + class: sp800-53a + prose: individual intrusion detection tools are connected to + a system-wide intrusion detection system; + links: + - href: "#si-4.1_smt" + rel: assessment-for + - id: si-4.1_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(01)[02] + class: sp800-53a + prose: individual intrusion detection tools are configured into + a system-wide intrusion detection system. + links: + - href: "#si-4.1_smt" + rel: assessment-for + links: + - href: "#si-4.1_smt" + rel: assessment-for + - id: si-4.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + capabilities + - id: si-4.2 + class: SP800-53-enhancement + title: Automated Tools and Mechanisms for Real-time Analysis + props: + - name: label + value: SI-4(2) + - name: label + value: SI-04(02) + class: sp800-53a + - name: sort-id + value: si-04.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#pm-23" + rel: related + - href: "#pm-25" + rel: related + parts: + - id: si-4.2_smt + name: statement + prose: Employ automated tools and mechanisms to support near real-time + analysis of events. + - id: si-4.2_gdn + name: guidance + prose: Automated tools and mechanisms include host-based, network-based, + transport-based, or storage-based event monitoring tools and mechanisms + or security information and event management (SIEM) technologies + that provide real-time analysis of alerts and notifications generated + by organizational systems. Automated monitoring techniques can + create unintended privacy risks because automated controls may + connect to external or otherwise unrelated systems. The matching + of records between these systems may create linkages with unintended + consequences. Organizations assess and document these risks in + their privacy impact assessment and make determinations that are + in alignment with their privacy program plan. + - id: si-4.2_obj + name: assessment-objective + props: + - name: label + value: SI-04(02) + class: sp800-53a + prose: automated tools and mechanisms are employed to support a + near real-time analysis of events. + links: + - href: "#si-4.2_smt" + rel: assessment-for + - id: si-4.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + privacy plan + + + privacy program plan + + + privacy impact assessment + + + privacy risk management documentation + + + other relevant documents or records + - id: si-4.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for incident response/management + - id: si-4.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for the near real-time analysis + of events + + + organizational processes for system monitoring + + + mechanisms supporting and/or implementing system monitoring + + + mechanisms/tools supporting and/or implementing an analysis + of events + - id: si-4.4 + class: SP800-53-enhancement + title: Inbound and Outbound Communications Traffic + params: + - id: si-4.4_prm_1 + label: organization-defined frequency + constraints: + - description: continuously + - id: si-4.4_prm_2 + label: organization-defined unusual or unauthorized activities or + conditions + - id: si-04.04_odp.01 + label: frequency + guidelines: + - prose: the frequency at which to monitor inbound communications + traffic for unusual or unauthorized activities or conditions + is defined; + - id: si-04.04_odp.02 + label: unusual or unauthorized activities or conditions + guidelines: + - prose: unusual or unauthorized activities or conditions that + are to be monitored in inbound communications traffic are + defined; + - id: si-04.04_odp.03 + label: frequency + guidelines: + - prose: the frequency at which to monitor outbound communications + traffic for unusual or unauthorized activities or conditions + is defined; + - id: si-04.04_odp.04 + label: unusual or unauthorized activities or conditions + guidelines: + - prose: unusual or unauthorized activities or conditions that + are to be monitored in outbound communications traffic are + defined; + props: + - name: label + value: SI-4(4) + - name: label + value: SI-04(04) + class: sp800-53a + - name: sort-id + value: si-04.04 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.4_smt + name: statement + parts: + - id: si-4.4_smt.a + name: item + props: + - name: label + value: (a) + prose: Determine criteria for unusual or unauthorized activities + or conditions for inbound and outbound communications traffic; + - id: si-4.4_smt.b + name: item + props: + - name: label + value: (b) + prose: "Monitor inbound and outbound communications traffic\ + \ {{ insert: param, si-4.4_prm_1 }} for {{ insert: param,\ + \ si-4.4_prm_2 }}." + - id: si-4.4_gdn + name: guidance + prose: Unusual or unauthorized activities or conditions related + to system inbound and outbound communications traffic includes + internal traffic that indicates the presence of malicious code + or unauthorized use of legitimate code or credentials within organizational + systems or propagating among system components, signaling to external + systems, and the unauthorized exporting of information. Evidence + of malicious code or unauthorized use of legitimate code or credentials + is used to identify potentially compromised systems or system + components. + - id: si-4.4_obj + name: assessment-objective + props: + - name: label + value: SI-04(04) + class: sp800-53a + parts: + - id: si-4.4_obj.a + name: assessment-objective + props: + - name: label + value: SI-04(04)(a) + class: sp800-53a + parts: + - id: si-4.4_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-04(04)(a)[01] + class: sp800-53a + prose: criteria for unusual or unauthorized activities or + conditions for inbound communications traffic are defined; + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + - id: si-4.4_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-04(04)(a)[02] + class: sp800-53a + prose: criteria for unusual or unauthorized activities or + conditions for outbound communications traffic are defined; + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + links: + - href: "#si-4.4_smt.a" + rel: assessment-for + - id: si-4.4_obj.b + name: assessment-objective + props: + - name: label + value: SI-04(04)(b) + class: sp800-53a + parts: + - id: si-4.4_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-04(04)(b)[01] + class: sp800-53a + prose: "inbound communications traffic is monitored {{ insert:\ + \ param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02\ + \ }};" + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + - id: si-4.4_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-04(04)(b)[02] + class: sp800-53a + prose: "outbound communications traffic is monitored {{\ + \ insert: param, si-04.04_odp.03 }} for {{ insert: param,\ + \ si-04.04_odp.04 }}." + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + links: + - href: "#si-4.4_smt.b" + rel: assessment-for + links: + - href: "#si-4.4_smt" + rel: assessment-for + - id: si-4.4_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(04)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system protocols + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.4_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(04)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.4_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(04)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the monitoring of + inbound and outbound communications traffic + - id: si-4.5 + class: SP800-53-enhancement + title: System-generated Alerts + params: + - id: si-04.05_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to be alerted when indications of + compromise or potential compromise occur is/are defined; + - id: si-04.05_odp.02 + label: compromise indicators + guidelines: + - prose: compromise indicators are defined; + props: + - name: label + value: SI-4(5) + - name: label + value: SI-04(05) + class: sp800-53a + - name: sort-id + value: si-04.05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#au-4" + rel: related + - href: "#au-5" + rel: related + - href: "#pe-6" + rel: related + parts: + - id: si-4.5_smt + name: statement + prose: "Alert {{ insert: param, si-04.05_odp.01 }} when the following\ + \ system-generated indications of compromise or potential compromise\ + \ occur: {{ insert: param, si-04.05_odp.02 }}." + parts: + - id: si-4.5_fr + name: item + title: SI-4 (5) Additional FedRAMP Requirements and Guidance + parts: + - id: si-4.5_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: In accordance with the incident response plan. + - id: si-4.5_gdn + name: guidance + prose: Alerts may be generated from a variety of sources, including + audit records or inputs from malicious code protection mechanisms, + intrusion detection or prevention mechanisms, or boundary protection + devices such as firewalls, gateways, and routers. Alerts can be + automated and may be transmitted telephonically, by electronic + mail messages, or by text messaging. Organizational personnel + on the alert notification list can include system administrators, + mission or business owners, system owners, information owners/stewards, + senior agency information security officers, senior agency officials + for privacy, system security officers, or privacy officers. In + contrast to alerts generated by the system, alerts generated by + organizations in [SI-4(12)](#si-4.12) focus on information sources + external to the system, such as suspicious activity reports and + reports on potential insider threats. + - id: si-4.5_obj + name: assessment-objective + props: + - name: label + value: SI-04(05) + class: sp800-53a + prose: " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated\ + \ {{ insert: param, si-04.05_odp.02 }} occur." + links: + - href: "#si-4.5_smt" + rel: assessment-for + - id: si-4.5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(05)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + list of personnel selected to receive alerts + + + documentation of alerts generated based on compromise indicators + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-4.5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(05)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developers + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel on the system alert notification + list + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(05)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing alerts for compromise + indicators + - id: si-4.16 + class: SP800-53-enhancement + title: Correlate Monitoring Information + props: + - name: label + value: SI-4(16) + - name: label + value: SI-04(16) + class: sp800-53a + - name: sort-id + value: si-04.16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#au-6" + rel: related + parts: + - id: si-4.16_smt + name: statement + prose: Correlate information from monitoring tools and mechanisms + employed throughout the system. + - id: si-4.16_gdn + name: guidance + prose: Correlating information from different system monitoring + tools and mechanisms can provide a more comprehensive view of + system activity. Correlating system monitoring tools and mechanisms + that typically work in isolation—including malicious code protection + software, host monitoring, and network monitoring—can provide + an organization-wide monitoring view and may reveal otherwise + unseen attack patterns. Understanding the capabilities and limitations + of diverse monitoring tools and mechanisms and how to maximize + the use of information generated by those tools and mechanisms + can help organizations develop, operate, and maintain effective + monitoring programs. The correlation of monitoring information + is especially important during the transition from older to newer + technologies (e.g., transitioning from IPv4 to IPv6 network protocols). + - id: si-4.16_obj + name: assessment-objective + props: + - name: label + value: SI-04(16) + class: sp800-53a + prose: information from monitoring tools and mechanisms employed + throughout the system is correlated. + links: + - href: "#si-4.16_smt" + rel: assessment-for + - id: si-4.16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(16)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + event correlation logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(16)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(16)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing the correlation + of information from monitoring tools + - id: si-4.18 + class: SP800-53-enhancement + title: Analyze Traffic and Covert Exfiltration + params: + - id: si-04.18_odp + label: interior points + guidelines: + - prose: interior points within the system where communications + traffic is to be analyzed are defined; + props: + - name: label + value: SI-4(18) + - name: label + value: SI-04(18) + class: sp800-53a + - name: sort-id + value: si-04.18 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + parts: + - id: si-4.18_smt + name: statement + prose: "Analyze outbound communications traffic at external interfaces\ + \ to the system and at the following interior points to detect\ + \ covert exfiltration of information: {{ insert: param, si-04.18_odp\ + \ }}." + - id: si-4.18_gdn + name: guidance + prose: Organization-defined interior points include subnetworks + and subsystems. Covert means that can be used to exfiltrate information + include steganography. + - id: si-4.18_obj + name: assessment-objective + props: + - name: label + value: SI-04(18) + class: sp800-53a + parts: + - id: si-4.18_obj-1 + name: assessment-objective + props: + - name: label + value: SI-04(18)[01] + class: sp800-53a + prose: outbound communications traffic is analyzed at interfaces + external to the system to detect covert exfiltration of information; + links: + - href: "#si-4.18_smt" + rel: assessment-for + - id: si-4.18_obj-2 + name: assessment-objective + props: + - name: label + value: SI-04(18)[02] + class: sp800-53a + prose: "outbound communications traffic is analyzed at {{ insert:\ + \ param, si-04.18_odp }} to detect covert exfiltration of\ + \ information." + links: + - href: "#si-4.18_smt" + rel: assessment-for + links: + - href: "#si-4.18_smt" + rel: assessment-for + - id: si-4.18_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(18)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + network diagram + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.18_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(18)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring the system + + + organizational personnel responsible for the intrusion detection + system + - id: si-4.18_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(18)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for intrusion detection and + system monitoring + + + mechanisms supporting and/or implementing intrusion detection + and system monitoring capabilities + + + mechanisms supporting and/or implementing an analysis of outbound + communications traffic + - id: si-4.23 + class: SP800-53-enhancement + title: Host-based Devices + params: + - id: si-04.23_odp.01 + label: host-based monitoring mechanisms + guidelines: + - prose: host-based monitoring mechanisms to be implemented on + system components are defined; + - id: si-04.23_odp.02 + label: system components + guidelines: + - prose: system components where host-based monitoring is to be + implemented are defined; + props: + - name: label + value: SI-4(23) + - name: label + value: SI-04(23) + class: sp800-53a + - name: sort-id + value: si-04.23 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-4" + rel: required + - href: "#ac-18" + rel: related + - href: "#ac-19" + rel: related + parts: + - id: si-4.23_smt + name: statement + prose: "Implement the following host-based monitoring mechanisms\ + \ at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01\ + \ }}." + - id: si-4.23_gdn + name: guidance + prose: Host-based monitoring collects information about the host + (or system in which it resides). System components in which host-based + monitoring can be implemented include servers, notebook computers, + and mobile devices. Organizations may consider employing host-based + monitoring mechanisms from multiple product developers or vendors. + - id: si-4.23_obj + name: assessment-objective + props: + - name: label + value: SI-04(23) + class: sp800-53a + prose: " {{ insert: param, si-04.23_odp.01 }} are implemented on\ + \ {{ insert: param, si-04.23_odp.02 }}." + links: + - href: "#si-4.23_smt" + rel: assessment-for + - id: si-4.23_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-04(23)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system monitoring tools and techniques + + + system design documentation + + + host-based monitoring mechanisms + + + system monitoring tools and techniques documentation + + + system configuration settings and associated documentation + + + list of system components requiring host-based monitoring + + + system monitoring logs or records + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-4.23_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-04(23)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System/network administrators + + + organizational personnel with information security responsibilities + + + organizational personnel installing, configuring, and/or maintaining + the system + + + organizational personnel responsible for monitoring system + hosts + - id: si-4.23_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-04(23)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for system monitoring + + + mechanisms supporting and/or implementing a host-based monitoring + capability + - id: si-5 + class: SP800-53 + title: Security Alerts, Advisories, and Directives + params: + - id: si-05_odp.01 + label: external organizations + constraints: + - description: to include US-CERT and Cybersecurity and Infrastructure + Security Agency (CISA) Directives + guidelines: + - prose: external organizations from whom system security alerts, + advisories, and directives are to be received on an ongoing basis + are defined; + - id: si-05_odp.02 + constraints: + - description: to include system security personnel and administrators + with configuration/patch-management responsibilities + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-05_odp.03 }} " + - " {{ insert: param, si-05_odp.04 }} " + - " {{ insert: param, si-05_odp.05 }} " + - id: si-05_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom security alerts, advisories, and + directives are to be disseminated is/are defined (if selected); + - id: si-05_odp.04 + label: elements + guidelines: + - prose: elements within the organization to whom security alerts, + advisories, and directives are to be disseminated are defined + (if selected); + - id: si-05_odp.05 + label: external organizations + guidelines: + - prose: external organizations to whom security alerts, advisories, + and directives are to be disseminated are defined (if selected); + props: + - name: label + value: SI-5 + - name: label + value: SI-05 + class: sp800-53a + - name: sort-id + value: si-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#155f941a-cba9-4afd-9ca6-5d040d697ba9" + rel: reference + - href: "#pm-15" + rel: related + - href: "#ra-5" + rel: related + - href: "#si-2" + rel: related + parts: + - id: si-5_smt + name: statement + parts: + - id: si-5_smt.a + name: item + props: + - name: label + value: a. + prose: "Receive system security alerts, advisories, and directives\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + - id: si-5_smt.b + name: item + props: + - name: label + value: b. + prose: Generate internal security alerts, advisories, and directives + as deemed necessary; + - id: si-5_smt.c + name: item + props: + - name: label + value: c. + prose: "Disseminate security alerts, advisories, and directives\ + \ to: {{ insert: param, si-05_odp.02 }} ; and" + - id: si-5_smt.d + name: item + props: + - name: label + value: d. + prose: Implement security directives in accordance with established + time frames, or notify the issuing organization of the degree + of noncompliance. + - id: si-5_fr_smt.1 + name: item + title: SI-5 Additional FedRAMP Requirements and Guidance + props: + - name: label + value: "Requirement:" + prose: Service Providers must address the CISA Emergency and Binding + Operational Directives applicable to their cloud service offering + per FedRAMP guidance. This includes listing the applicable directives + and stating compliance status. + - id: si-5_gdn + name: guidance + prose: The Cybersecurity and Infrastructure Security Agency (CISA) generates + security alerts and advisories to maintain situational awareness throughout + the Federal Government. Security directives are issued by OMB or other + designated organizations with the responsibility and authority to + issue such directives. Compliance with security directives is essential + due to the critical nature of many of these directives and the potential + (immediate) adverse effects on organizational operations and assets, + individuals, other organizations, and the Nation should the directives + not be implemented in a timely manner. External organizations include + supply chain partners, external mission or business partners, external + service providers, and other peer or supporting organizations. + - id: si-5_obj + name: assessment-objective + props: + - name: label + value: SI-05 + class: sp800-53a + parts: + - id: si-5_obj.a + name: assessment-objective + props: + - name: label + value: SI-05a. + class: sp800-53a + prose: "system security alerts, advisories, and directives are received\ + \ from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" + links: + - href: "#si-5_smt.a" + rel: assessment-for + - id: si-5_obj.b + name: assessment-objective + props: + - name: label + value: SI-05b. + class: sp800-53a + prose: internal security alerts, advisories, and directives are + generated as deemed necessary; + links: + - href: "#si-5_smt.b" + rel: assessment-for + - id: si-5_obj.c + name: assessment-objective + props: + - name: label + value: SI-05c. + class: sp800-53a + prose: "security alerts, advisories, and directives are disseminated\ + \ to {{ insert: param, si-05_odp.02 }};" + links: + - href: "#si-5_smt.c" + rel: assessment-for + - id: si-5_obj.d + name: assessment-objective + props: + - name: label + value: SI-05d. + class: sp800-53a + prose: security directives are implemented in accordance with established + time frames or if the issuing organization is notified of the + degree of noncompliance. + links: + - href: "#si-5_smt.d" + rel: assessment-for + links: + - href: "#si-5_smt" + rel: assessment-for + - id: si-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security alerts, advisories, and directives + + + records of security alerts and advisories + + + system security plan + + + other relevant documents or records + - id: si-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security alert and advisory + responsibilities + + + organizational personnel implementing, operating, maintaining, + and using the system + + + organizational personnel, organizational elements, and/or external + organizations to whom alerts, advisories, and directives are to + be disseminated + + + system/network administrators + + + organizational personnel with information security responsibilities + - id: si-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining, receiving, + generating, disseminating, and complying with security + alerts, advisories, and directives + + + mechanisms supporting and/or implementing the definition, receipt, + generation, and dissemination of security alerts, advisories, + and directives + + + mechanisms supporting and/or implementing security directives + - id: si-6 + class: SP800-53 + title: Security and Privacy Function Verification + params: + - id: si-6_prm_1 + label: organization-defined security and privacy functions + - id: si-06_odp.01 + label: security functions + guidelines: + - prose: security functions to be verified for correct operation are + defined; + - id: si-06_odp.02 + label: privacy functions + guidelines: + - prose: privacy functions to be verified for correct operation are + defined; + - id: si-06_odp.03 + select: + how-many: one-or-more + choice: + - " {{ insert: param, si-06_odp.04 }} " + - upon command by user with appropriate privilege + - " {{ insert: param, si-06_odp.05 }} " + - id: si-06_odp.04 + label: system transitional states + constraints: + - description: to include upon system startup and/or restart + guidelines: + - prose: system transitional states requiring the verification of + security and privacy functions are defined; (if selected) + - id: si-06_odp.05 + label: frequency + constraints: + - description: at least monthly + guidelines: + - prose: frequency at which to verify the correct operation of security + and privacy functions is defined; (if selected) + - id: si-06_odp.06 + label: personnel or roles + constraints: + - description: to include system administrators and security personnel + guidelines: + - prose: personnel or roles to be alerted of failed security and privacy + verification tests is/are defined; + - id: si-06_odp.07 + select: + how-many: one-or-more + choice: + - shut the system down + - restart the system + - " {{ insert: param, si-06_odp.08 }} " + - id: si-06_odp.08 + label: alternative action(s) + guidelines: + - prose: alternative action(s) to be performed when anomalies are + discovered are defined (if selected); + props: + - name: label + value: SI-6 + - name: label + value: SI-06 + class: sp800-53a + - name: sort-id + value: si-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ca-7" + rel: related + - href: "#cm-4" + rel: related + - href: "#cm-6" + rel: related + - href: "#si-7" + rel: related + parts: + - id: si-6_smt + name: statement + parts: + - id: si-6_smt.a + name: item + props: + - name: label + value: a. + prose: "Verify the correct operation of {{ insert: param, si-6_prm_1\ + \ }};" + - id: si-6_smt.b + name: item + props: + - name: label + value: b. + prose: "Perform the verification of the functions specified in SI-6a\ + \ {{ insert: param, si-06_odp.03 }};" + - id: si-6_smt.c + name: item + props: + - name: label + value: c. + prose: "Alert {{ insert: param, si-06_odp.06 }} to failed security\ + \ and privacy verification tests; and" + - id: si-6_smt.d + name: item + props: + - name: label + value: d. + prose: " {{ insert: param, si-06_odp.07 }} when anomalies are discovered." + - id: si-6_gdn + name: guidance + prose: Transitional states for systems include system startup, restart, + shutdown, and abort. System notifications include hardware indicator + lights, electronic alerts to system administrators, and messages to + local computer consoles. In contrast to security function verification, + privacy function verification ensures that privacy functions operate + as expected and are approved by the senior agency official for privacy + or that privacy attributes are applied or used as expected. + - id: si-6_obj + name: assessment-objective + props: + - name: label + value: SI-06 + class: sp800-53a + parts: + - id: si-6_obj.a + name: assessment-objective + props: + - name: label + value: SI-06a. + class: sp800-53a + parts: + - id: si-6_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-06a.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.01 }} are verified to be\ + \ operating correctly;" + links: + - href: "#si-6_smt.a" + rel: assessment-for + - id: si-6_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-06a.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.02 }} are verified to be\ + \ operating correctly;" + links: + - href: "#si-6_smt.a" + rel: assessment-for + links: + - href: "#si-6_smt.a" + rel: assessment-for + - id: si-6_obj.b + name: assessment-objective + props: + - name: label + value: SI-06b. + class: sp800-53a + parts: + - id: si-6_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-06b.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.01 }} are verified {{ insert:\ + \ param, si-06_odp.03 }};" + links: + - href: "#si-6_smt.b" + rel: assessment-for + - id: si-6_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-06b.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.02 }} are verified {{ insert:\ + \ param, si-06_odp.03 }};" + links: + - href: "#si-6_smt.b" + rel: assessment-for + links: + - href: "#si-6_smt.b" + rel: assessment-for + - id: si-6_obj.c + name: assessment-objective + props: + - name: label + value: SI-06c. + class: sp800-53a + parts: + - id: si-6_obj.c-1 + name: assessment-objective + props: + - name: label + value: SI-06c.[01] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.06 }} is/are alerted to\ + \ failed security verification tests;" + links: + - href: "#si-6_smt.c" + rel: assessment-for + - id: si-6_obj.c-2 + name: assessment-objective + props: + - name: label + value: SI-06c.[02] + class: sp800-53a + prose: " {{ insert: param, si-06_odp.06 }} is/are alerted to\ + \ failed privacy verification tests;" + links: + - href: "#si-6_smt.c" + rel: assessment-for + links: + - href: "#si-6_smt.c" + rel: assessment-for + - id: si-6_obj.d + name: assessment-objective + props: + - name: label + value: SI-06d. + class: sp800-53a + prose: " {{ insert: param, si-06_odp.07 }} is/are initiated when\ + \ anomalies are discovered." + links: + - href: "#si-6_smt.d" + rel: assessment-for + links: + - href: "#si-6_smt" + rel: assessment-for + - id: si-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing security and privacy function verification + + + system design documentation + + + system configuration settings and associated documentation + + + alerts/notifications of failed security verification tests + + + list of system transition states requiring security functionality + verification + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with security and privacy function + verification responsibilities + + + organizational personnel implementing, operating, and maintaining + the system + + + system/network administrators + + + organizational personnel with information security and privacy + responsibilities + + + system developer + - id: si-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for security and privacy function + verification + + + mechanisms supporting and/or implementing the security and privacy + function verification capability + - id: si-7 + class: SP800-53 + title: Software, Firmware, and Information Integrity + params: + - id: si-7_prm_1 + label: organization-defined software, firmware, and information + - id: si-7_prm_2 + label: organization-defined actions + - id: si-07_odp.01 + label: software + guidelines: + - prose: software requiring integrity verification tools to be employed + to detect unauthorized changes is defined; + - id: si-07_odp.02 + label: firmware + guidelines: + - prose: firmware requiring integrity verification tools to be employed + to detect unauthorized changes is defined; + - id: si-07_odp.03 + label: information + guidelines: + - prose: information requiring integrity verification tools to be + employed to detect unauthorized changes is defined; + - id: si-07_odp.04 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to software + are detected are defined; + - id: si-07_odp.05 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to firmware + are detected are defined; + - id: si-07_odp.06 + label: actions + guidelines: + - prose: actions to be taken when unauthorized changes to information + are detected are defined; + props: + - name: label + value: SI-7 + - name: label + value: SI-07 + class: sp800-53a + - name: sort-id + value: si-07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#4895b4cd-34c5-4667-bf8a-27d443c12047" + rel: reference + - href: "#e47ee630-9cbc-4133-880e-e013f83ccd51" + rel: reference + - href: "#ac-4" + rel: related + - href: "#cm-3" + rel: related + - href: "#cm-7" + rel: related + - href: "#cm-8" + rel: related + - href: "#ma-3" + rel: related + - href: "#ma-4" + rel: related + - href: "#ra-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sc-8" + rel: related + - href: "#sc-12" + rel: related + - href: "#sc-13" + rel: related + - href: "#sc-28" + rel: related + - href: "#sc-37" + rel: related + - href: "#si-3" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: si-7_smt + name: statement + parts: + - id: si-7_smt.a + name: item + props: + - name: label + value: a. + prose: "Employ integrity verification tools to detect unauthorized\ + \ changes to the following software, firmware, and information:\ + \ {{ insert: param, si-7_prm_1 }} ; and" + - id: si-7_smt.b + name: item + props: + - name: label + value: b. + prose: "Take the following actions when unauthorized changes to\ + \ the software, firmware, and information are detected: {{ insert:\ + \ param, si-7_prm_2 }}." + - id: si-7_gdn + name: guidance + prose: Unauthorized changes to software, firmware, and information can + occur due to errors or malicious activity. Software includes operating + systems (with key internal components, such as kernels or drivers), + middleware, and applications. Firmware interfaces include Unified + Extensible Firmware Interface (UEFI) and Basic Input/Output System + (BIOS). Information includes personally identifiable information and + metadata that contains security and privacy attributes associated + with information. Integrity-checking mechanisms—including parity checks, + cyclical redundancy checks, cryptographic hashes, and associated tools—can + automatically monitor the integrity of systems and hosted applications. + - id: si-7_obj + name: assessment-objective + props: + - name: label + value: SI-07 + class: sp800-53a + parts: + - id: si-7_obj.a + name: assessment-objective + props: + - name: label + value: SI-07a. + class: sp800-53a + parts: + - id: si-7_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-07a.[01] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.01 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-07a.[02] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.02 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-07a.[03] + class: sp800-53a + prose: "integrity verification tools are employed to detect\ + \ unauthorized changes to {{ insert: param, si-07_odp.03 }};" + links: + - href: "#si-7_smt.a" + rel: assessment-for + links: + - href: "#si-7_smt.a" + rel: assessment-for + - id: si-7_obj.b + name: assessment-objective + props: + - name: label + value: SI-07b. + class: sp800-53a + parts: + - id: si-7_obj.b-1 + name: assessment-objective + props: + - name: label + value: SI-07b.[01] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.04 }} are taken when unauthorized\ + \ changes to the software, are detected;" + links: + - href: "#si-7_smt.b" + rel: assessment-for + - id: si-7_obj.b-2 + name: assessment-objective + props: + - name: label + value: SI-07b.[02] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.05 }} are taken when unauthorized\ + \ changes to the firmware are detected;" + links: + - href: "#si-7_smt.b" + rel: assessment-for + - id: si-7_obj.b-3 + name: assessment-objective + props: + - name: label + value: SI-07b.[03] + class: sp800-53a + prose: " {{ insert: param, si-07_odp.06 }} are taken when unauthorized\ + \ changes to the information are detected." + links: + - href: "#si-7_smt.b" + rel: assessment-for + links: + - href: "#si-7_smt.b" + rel: assessment-for + links: + - href: "#si-7_smt" + rel: assessment-for + - id: si-7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information integrity + + + personally identifiable information processing policy + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records generated or triggered by integrity verification tools + regarding unauthorized software, firmware, and information changes + + + system audit records + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: si-7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, firmware, + and/or information integrity + + + organizational personnel with information security and privacy + responsibilities + + + system/network administrators + - id: si-7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Software, firmware, and information integrity verification + tools + controls: + - id: si-7.1 + class: SP800-53-enhancement + title: Integrity Checks + params: + - id: si-7.1_prm_1 + label: organization-defined software, firmware, and information + - id: si-7.1_prm_2 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-7.1_prm_3 }} " + - " {{ insert: param, si-7.1_prm_4 }} " + - id: si-7.1_prm_3 + label: organization-defined transitional states or security-relevant + events + constraints: + - description: selection to include security relevant event + - id: si-7.1_prm_4 + label: organization-defined frequency + constraints: + - description: at least monthly + - id: si-07.01_odp.01 + label: software + guidelines: + - prose: software on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.02 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.03 }} " + - " {{ insert: param, si-07.01_odp.04 }} " + - id: si-07.01_odp.03 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (on software) are defined (if selected); + - id: si-07.01_odp.04 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (on + software) is defined (if selected); + - id: si-07.01_odp.05 + label: firmware + guidelines: + - prose: firmware on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.06 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.07 }} " + - " {{ insert: param, si-07.01_odp.08 }} " + - id: si-07.01_odp.07 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (on firmware) are defined (if selected); + - id: si-07.01_odp.08 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (on + firmware) is defined (if selected); + - id: si-07.01_odp.09 + label: information + guidelines: + - prose: information on which an integrity check is to be performed + is defined; + - id: si-07.01_odp.10 + select: + how-many: one-or-more + choice: + - at startup + - "at {{ insert: param, si-07.01_odp.11 }} " + - " {{ insert: param, si-07.01_odp.12 }} " + - id: si-07.01_odp.11 + label: transitional states or security-relevant events + guidelines: + - prose: transitional states or security-relevant events requiring + integrity checks (of information) are defined (if selected); + - id: si-07.01_odp.12 + label: frequency + guidelines: + - prose: frequency with which to perform an integrity check (of + information) is defined (if selected); + props: + - name: label + value: SI-7(1) + - name: label + value: SI-07(01) + class: sp800-53a + - name: sort-id + value: si-07.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + parts: + - id: si-7.1_smt + name: statement + prose: "Perform an integrity check of {{ insert: param, si-7.1_prm_1\ + \ }} {{ insert: param, si-7.1_prm_2 }}." + - id: si-7.1_gdn + name: guidance + prose: Security-relevant events include the identification of new + threats to which organizational systems are susceptible and the + installation of new hardware, software, or firmware. Transitional + states include system startup, restart, shutdown, and abort. + - id: si-7.1_obj + name: assessment-objective + props: + - name: label + value: SI-07(01) + class: sp800-53a + parts: + - id: si-7.1_obj-1 + name: assessment-objective + props: + - name: label + value: SI-07(01)[01] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.01\ + \ }} is performed {{ insert: param, si-07.01_odp.02 }};" + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_obj-2 + name: assessment-objective + props: + - name: label + value: SI-07(01)[02] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.05\ + \ }} is performed {{ insert: param, si-07.01_odp.06 }};" + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_obj-3 + name: assessment-objective + props: + - name: label + value: SI-07(01)[03] + class: sp800-53a + prose: "an integrity check of {{ insert: param, si-07.01_odp.09\ + \ }} is performed {{ insert: param, si-07.01_odp.10 }}." + links: + - href: "#si-7.1_smt" + rel: assessment-for + links: + - href: "#si-7.1_smt" + rel: assessment-for + - id: si-7.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity testing + + + system design documentation + + + system configuration settings and associated documentation + + + integrity verification tools and associated documentation + + + records of integrity scans + + + system security plan + + + other relevant documents or records + - id: si-7.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-7.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Software, firmware, and information integrity verification + tools + - id: si-7.7 + class: SP800-53-enhancement + title: Integration of Detection and Response + params: + - id: si-07.07_odp + label: changes + guidelines: + - prose: security-relevant changes to the system are defined; + props: + - name: label + value: SI-7(7) + - name: label + value: SI-07(07) + class: sp800-53a + - name: sort-id + value: si-07.07 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#si-7" + rel: required + - href: "#au-2" + rel: related + - href: "#au-6" + rel: related + - href: "#ir-4" + rel: related + - href: "#ir-5" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-7.7_smt + name: statement + prose: "Incorporate the detection of the following unauthorized\ + \ changes into the organizational incident response capability:\ + \ {{ insert: param, si-07.07_odp }}." + - id: si-7.7_gdn + name: guidance + prose: Integrating detection and response helps to ensure that detected + events are tracked, monitored, corrected, and available for historical + purposes. Maintaining historical records is important for being + able to identify and discern adversary actions over an extended + time period and for possible legal actions. Security-relevant + changes include unauthorized changes to established configuration + settings or the unauthorized elevation of system privileges. + - id: si-7.7_obj + name: assessment-objective + props: + - name: label + value: SI-07(07) + class: sp800-53a + prose: "the detection of {{ insert: param, si-07.07_odp }} are incorporated\ + \ into the organizational incident response capability." + links: + - href: "#si-7.7_smt" + rel: assessment-for + - id: si-7.7_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-07(07)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing software, firmware, and information + integrity + + + procedures addressing incident response + + + system design documentation + + + system configuration settings and associated documentation + + + incident response records + + + audit records + + + system security plan + + + other relevant documents or records + - id: si-7.7_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-07(07)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for software, + firmware, and/or information integrity + + + organizational personnel with information security responsibilities + + + organizational personnel with incident response responsibilities + - id: si-7.7_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-07(07)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for incorporating the detection + of unauthorized security-relevant changes into the + incident response capability + + + software, firmware, and information integrity verification + tools + + + mechanisms supporting and/or implementing the incorporation + of detection of unauthorized security-relevant changes into + the incident response capability + - id: si-8 + class: SP800-53 + title: Spam Protection + props: + - name: label + value: SI-8 + - name: label + value: SI-08 + class: sp800-53a + - name: sort-id + value: si-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#314e33cb-3681-4b50-a2a2-3fae9604accd" + rel: reference + - href: "#1c71b420-2bd9-4e52-9fc8-390f58b85b59" + rel: reference + - href: "#pl-9" + rel: related + - href: "#sc-5" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-3" + rel: related + - href: "#si-4" + rel: related + parts: + - id: si-8_smt + name: statement + parts: + - id: si-8_smt.a + name: item + props: + - name: label + value: a. + prose: Employ spam protection mechanisms at system entry and exit + points to detect and act on unsolicited messages; and + - id: si-8_smt.b + name: item + props: + - name: label + value: b. + prose: Update spam protection mechanisms when new releases are available + in accordance with organizational configuration management policy + and procedures. + - id: si-8_fr + name: item + title: SI-8 Additional FedRAMP Requirements and Guidance + parts: + - id: si-8_fr_gdn.1 + name: guidance + props: + - name: label + value: "Guidance:" + prose: >- + When CSO sends email on behalf of the government as part + of the business offering, Control Description should + include implementation of Domain-based Message + Authentication, Reporting & Conformance (DMARC) on the + sending domain for outgoing messages as described in DHS + Binding Operational Directive (BOD) 18-01. + + + https://cyber.dhs.gov/bod/18-01/ + - id: si-8_fr_gdn.2 + name: guidance + props: + - name: label + value: "Guidance:" + prose: "CSPs should confirm DMARC configuration (where appropriate)\ + \ to ensure that policy=reject and the rua parameter includes\ + \ reports@dmarc.cyber.dhs.gov. DMARC compliance should be\ + \ documented in the SI-08 control implementation solution\ + \ description, and list the FROM: domain(s) that will be seen\ + \ by email recipients." + - id: si-8_gdn + name: guidance + prose: System entry and exit points include firewalls, remote-access + servers, electronic mail servers, web servers, proxy servers, workstations, + notebook computers, and mobile devices. Spam can be transported by + different means, including email, email attachments, and web accesses. + Spam protection mechanisms include signature definitions. + - id: si-8_obj + name: assessment-objective + props: + - name: label + value: SI-08 + class: sp800-53a + parts: + - id: si-8_obj.a + name: assessment-objective + props: + - name: label + value: SI-08a. + class: sp800-53a + parts: + - id: si-8_obj.a-1 + name: assessment-objective + props: + - name: label + value: SI-08a.[01] + class: sp800-53a + prose: spam protection mechanisms are employed at system entry + points to detect unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-2 + name: assessment-objective + props: + - name: label + value: SI-08a.[02] + class: sp800-53a + prose: spam protection mechanisms are employed at system exit + points to detect unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-3 + name: assessment-objective + props: + - name: label + value: SI-08a.[03] + class: sp800-53a + prose: spam protection mechanisms are employed at system entry + points to act on unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.a-4 + name: assessment-objective + props: + - name: label + value: SI-08a.[04] + class: sp800-53a + prose: spam protection mechanisms are employed at system exit + points to act on unsolicited messages; + links: + - href: "#si-8_smt.a" + rel: assessment-for + links: + - href: "#si-8_smt.a" + rel: assessment-for + - id: si-8_obj.b + name: assessment-objective + props: + - name: label + value: SI-08b. + class: sp800-53a + prose: spam protection mechanisms are updated when new releases + are available in accordance with organizational configuration + management policies and procedures. + links: + - href: "#si-8_smt.b" + rel: assessment-for + links: + - href: "#si-8_smt" + rel: assessment-for + - id: si-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + System and information integrity policy + + system and information integrity procedures + + configuration management policies and procedures (CM-01) + + procedures addressing spam protection + + spam protection mechanisms + + records of spam protection updates + + system design documentation + + system configuration settings and associated documentation + + system audit records + + system security plan + + other relevant documents or records + - id: si-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for spam protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for implementing spam protection + + mechanisms supporting and/or implementing spam protection + controls: + - id: si-8.2 + class: SP800-53-enhancement + title: Automatic Updates + params: + - id: si-08.02_odp + label: frequency + guidelines: + - prose: the frequency at which to automatically update spam protection + mechanisms is defined; + props: + - name: label + value: SI-8(2) + - name: label + value: SI-08(02) + class: sp800-53a + - name: sort-id + value: si-08.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#si-8" + rel: required + parts: + - id: si-8.2_smt + name: statement + prose: "Automatically update spam protection mechanisms {{ insert:\ + \ param, si-08.02_odp }}." + - id: si-8.2_gdn + name: guidance + prose: Using automated mechanisms to update spam protection mechanisms + helps to ensure that updates occur on a regular basis and provide + the latest content and protection capabilities. + - id: si-8.2_obj + name: assessment-objective + props: + - name: label + value: SI-08(02) + class: sp800-53a + prose: "spam protection mechanisms are automatically updated {{\ + \ insert: param, si-08.02_odp }}." + links: + - href: "#si-8.2_smt" + rel: assessment-for + - id: si-8.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-08(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing spam protection + + + spam protection mechanisms + + + records of spam protection updates + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-8.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-08(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for spam protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-8.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-08(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for spam protection + + + mechanisms supporting and/or implementing automatic updates + to spam protection mechanisms + - id: si-10 + class: SP800-53 + title: Information Input Validation + params: + - id: si-10_odp + label: information inputs + guidelines: + - prose: information inputs to the system requiring validity checks + are defined; + props: + - name: label + value: SI-10 + - name: label + value: SI-10 + class: sp800-53a + - name: sort-id + value: si-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + parts: + - id: si-10_smt + name: statement + prose: "Check the validity of the following information inputs: {{ insert:\ + \ param, si-10_odp }}." + parts: + - id: si-10_fr + name: item + title: SI-10 Additional FedRAMP Requirements and Guidance + parts: + - id: si-10_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: Validate all information inputs and document any exceptions + - id: si-10_gdn + name: guidance + prose: Checking the valid syntax and semantics of system inputs—including + character set, length, numerical range, and acceptable values—verifies + that inputs match specified definitions for format and content. For + example, if the organization specifies that numerical values between + 1-100 are the only acceptable inputs for a field in a given application, + inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted + as input to the system. Valid inputs are likely to vary from field + to field within a software application. Applications typically follow + well-defined protocols that use structured messages (i.e., commands + or queries) to communicate between software modules or system components. + Structured messages can contain raw or unstructured data interspersed + with metadata or control information. If software applications use + attacker-supplied inputs to construct structured messages without + properly encoding such messages, then the attacker could insert malicious + commands or special characters that can cause the data to be interpreted + as control information or metadata. Consequently, the module or component + that receives the corrupted output will perform the wrong operations + or otherwise interpret the data incorrectly. Prescreening inputs prior + to passing them to interpreters prevents the content from being unintentionally + interpreted as commands. Input validation ensures accurate and correct + inputs and prevents attacks such as cross-site scripting and a variety + of injection attacks. + - id: si-10_obj + name: assessment-objective + props: + - name: label + value: SI-10 + class: sp800-53a + prose: "the validity of the {{ insert: param, si-10_odp }} is checked." + links: + - href: "#si-10_smt" + rel: assessment-for + - id: si-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + access control policy and procedures + + + separation of duties policy and procedures + + + procedures addressing information input validation + + + documentation for automated tools and applications to verify the + validity of information + + + list of information inputs requiring validity checks + + + system design documentation + + + system configuration settings and associated documentation + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for information input + validation + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Mechanisms supporting and/or implementing validity checks + on information inputs + - id: si-11 + class: SP800-53 + title: Error Handling + params: + - id: si-11_odp + label: personnel or roles + constraints: + - description: to include the ISSO and/or similar role within the + organization + guidelines: + - prose: personnel or roles to whom error messages are to be revealed + is/are defined; + props: + - name: label + value: SI-11 + - name: label + value: SI-11 + class: sp800-53a + - name: sort-id + value: si-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + links: + - href: "#au-2" + rel: related + - href: "#au-3" + rel: related + - href: "#sc-31" + rel: related + - href: "#si-2" + rel: related + - href: "#si-15" + rel: related + parts: + - id: si-11_smt + name: statement + parts: + - id: si-11_smt.a + name: item + props: + - name: label + value: a. + prose: Generate error messages that provide information necessary + for corrective actions without revealing information that could + be exploited; and + - id: si-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Reveal error messages only to {{ insert: param, si-11_odp\ + \ }}." + - id: si-11_gdn + name: guidance + prose: Organizations consider the structure and content of error messages. + The extent to which systems can handle error conditions is guided + and informed by organizational policy and operational requirements. + Exploitable information includes stack traces and implementation details; + erroneous logon attempts with passwords mistakenly entered as the + username; mission or business information that can be derived from, + if not stated explicitly by, the information recorded; and personally + identifiable information, such as account numbers, social security + numbers, and credit card numbers. Error messages may also provide + a covert channel for transmitting information. + - id: si-11_obj + name: assessment-objective + props: + - name: label + value: SI-11 + class: sp800-53a + parts: + - id: si-11_obj.a + name: assessment-objective + props: + - name: label + value: SI-11a. + class: sp800-53a + prose: error messages that provide the information necessary for + corrective actions are generated without revealing information + that could be exploited; + links: + - href: "#si-11_smt.a" + rel: assessment-for + - id: si-11_obj.b + name: assessment-objective + props: + - name: label + value: SI-11b. + class: sp800-53a + prose: "error messages are revealed only to {{ insert: param, si-11_odp\ + \ }}." + links: + - href: "#si-11_smt.b" + rel: assessment-for + links: + - href: "#si-11_smt" + rel: assessment-for + - id: si-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing system error handling + + + system design documentation + + + system configuration settings and associated documentation + + + documentation providing the structure and content of error messages + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for information input + validation + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for error handling + + + automated mechanisms supporting and/or implementing error handling + + + automated mechanisms supporting and/or implementing the management + of error messages + - id: si-12 + class: SP800-53 + title: Information Management and Retention + props: + - name: label + value: SI-12 + - name: label + value: SI-12 + class: sp800-53a + - name: sort-id + value: si-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + links: + - href: "#e922fc50-b1f9-469f-92ef-ed7d9803611c" + rel: reference + - href: "#27847491-5ce1-4f6a-a1e4-9e483782f0ef" + rel: reference + - href: "#ac-16" + rel: related + - href: "#au-5" + rel: related + - href: "#au-11" + rel: related + - href: "#ca-2" + rel: related + - href: "#ca-3" + rel: related + - href: "#ca-5" + rel: related + - href: "#ca-6" + rel: related + - href: "#ca-7" + rel: related + - href: "#ca-9" + rel: related + - href: "#cm-5" + rel: related + - href: "#cm-9" + rel: related + - href: "#cp-2" + rel: related + - href: "#ir-8" + rel: related + - href: "#mp-2" + rel: related + - href: "#mp-3" + rel: related + - href: "#mp-4" + rel: related + - href: "#mp-6" + rel: related + - href: "#pl-2" + rel: related + - href: "#pl-4" + rel: related + - href: "#pm-4" + rel: related + - href: "#pm-8" + rel: related + - href: "#pm-9" + rel: related + - href: "#ps-2" + rel: related + - href: "#ps-6" + rel: related + - href: "#pt-2" + rel: related + - href: "#pt-3" + rel: related + - href: "#ra-2" + rel: related + - href: "#ra-3" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sr-2" + rel: related + parts: + - id: si-12_smt + name: statement + prose: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive + orders, directives, regulations, policies, standards, guidelines and + operational requirements. + - id: si-12_gdn + name: guidance + prose: "Information management and retention requirements cover the\ + \ full life cycle of information, in some cases extending beyond system\ + \ disposal. Information to be retained may also include policies,\ + \ procedures, plans, reports, data output from control implementation,\ + \ and other types of administrative information. The National Archives\ + \ and Records Administration (NARA) provides federal policy and guidance\ + \ on records retention and schedules. If organizations have a records\ + \ management office, consider coordinating with records management\ + \ personnel. Records produced from the output of implemented controls\ + \ that may require management and retention include, but are not limited\ + \ to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12),\ + \ [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7),\ + \ [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4),\ + \ [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13),\ + \ [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4),\ + \ [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17),\ + \ [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5),\ + \ [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21),\ + \ [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31),\ + \ [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3),\ + \ [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8),\ + \ [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4),\ + \ [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." + - id: si-12_obj + name: assessment-objective + props: + - name: label + value: SI-12 + class: sp800-53a + parts: + - id: si-12_obj-1 + name: assessment-objective + props: + - name: label + value: SI-12[01] + class: sp800-53a + prose: information within the system is managed in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-2 + name: assessment-objective + props: + - name: label + value: SI-12[02] + class: sp800-53a + prose: information within the system is retained in accordance with + applicable laws, Executive Orders, directives, regulations, policies, + standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-3 + name: assessment-objective + props: + - name: label + value: SI-12[03] + class: sp800-53a + prose: information output from the system is managed in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements; + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_obj-4 + name: assessment-objective + props: + - name: label + value: SI-12[04] + class: sp800-53a + prose: information output from the system is retained in accordance + with applicable laws, Executive Orders, directives, regulations, + policies, standards, guidelines, and operational requirements. + links: + - href: "#si-12_smt" + rel: assessment-for + links: + - href: "#si-12_smt" + rel: assessment-for + - id: si-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + personally identifiable information processing policy + + + records retention and disposition policy + + + records retention and disposition procedures + + + federal laws, Executive Orders, directives, policies, regulations, + standards, and operational requirements applicable to information + management and retention + + + media protection policy + + + media protection procedures + + + audit findings + + + system security plan + + + privacy plan + + + privacy program plan + + + personally identifiable information inventory + + + privacy impact assessment + + + privacy risk assessment documentation + + + other relevant documents or records + - id: si-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information and records + management, retention, and disposition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + network administrators + - id: si-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for information management, + retention, and disposition + + + automated mechanisms supporting and/or implementing information + management, retention, and disposition + - id: si-16 + class: SP800-53 + title: Memory Protection + params: + - id: si-16_odp + label: controls + guidelines: + - prose: controls to be implemented to protect the system memory from + unauthorized code execution are defined; + props: + - name: label + value: SI-16 + - name: label + value: SI-16 + class: sp800-53a + - name: sort-id + value: si-16 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#ac-25" + rel: related + - href: "#sc-3" + rel: related + - href: "#si-7" + rel: related + parts: + - id: si-16_smt + name: statement + prose: "Implement the following controls to protect the system memory\ + \ from unauthorized code execution: {{ insert: param, si-16_odp }}." + - id: si-16_gdn + name: guidance + prose: Some adversaries launch attacks with the intent of executing + code in non-executable regions of memory or in memory locations that + are prohibited. Controls employed to protect memory include data execution + prevention and address space layout randomization. Data execution + prevention controls can either be hardware-enforced or software-enforced + with hardware enforcement providing the greater strength of mechanism. + - id: si-16_obj + name: assessment-objective + props: + - name: label + value: SI-16 + class: sp800-53a + prose: " {{ insert: param, si-16_odp }} are implemented to protect the\ + \ system memory from unauthorized code execution." + links: + - href: "#si-16_smt" + rel: assessment-for + - id: si-16_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SI-16-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + System and information integrity policy + + + system and information integrity procedures + + + procedures addressing memory protection for the system + + + system design documentation + + + system configuration settings and associated documentation + + + list of security safeguards protecting system memory from unauthorized + code execution + + + system audit records + + + system security plan + + + other relevant documents or records + - id: si-16_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SI-16-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel responsible for memory protection + + + organizational personnel with information security responsibilities + + + system/network administrators + + + system developer + - id: si-16_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SI-16-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Automated mechanisms supporting and/or implementing safeguards + to protect the system memory from unauthorized code execution + - id: sr + class: family + title: Supply Chain Risk Management + controls: + - id: sr-1 + class: SP800-53 + title: Policy and Procedures + params: + - id: sr-1_prm_1 + label: organization-defined personnel or roles + constraints: + - description: to include chief privacy and ISSO and/or similar role + or designees + - id: sr-01_odp.01 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management policy + is to be disseminated to is/are defined; + - id: sr-01_odp.02 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom supply chain risk management procedures + are disseminated to is/are defined; + - id: sr-01_odp.03 + select: + how-many: one-or-more + choice: + - organization-level + - mission/business process-level + - system-level + - id: sr-01_odp.04 + label: official + guidelines: + - prose: an official to manage the development, documentation, and + dissemination of the supply chain risk management policy and procedures + is defined; + - id: sr-01_odp.05 + label: frequency + constraints: + - description: at least every 3 years + guidelines: + - prose: the frequency at which the current supply chain risk management + policy is reviewed and updated is defined; + - id: sr-01_odp.06 + label: events + guidelines: + - prose: events that require the current supply chain risk management + policy to be reviewed and updated are defined; + - id: sr-01_odp.07 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which the current supply chain risk management + procedure is reviewed and updated is defined; + - id: sr-01_odp.08 + label: events + constraints: + - description: significant changes + guidelines: + - prose: events that require the supply chain risk management procedures + to be reviewed and updated are defined; + props: + - name: label + value: SR-1 + - name: label + value: SR-01 + class: sp800-53a + - name: sort-id + value: sr-01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ps-8" + rel: related + - href: "#si-12" + rel: related + parts: + - id: sr-1_smt + name: statement + parts: + - id: sr-1_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop, document, and disseminate to {{ insert: param,\ + \ sr-1_prm_1 }}:" + parts: + - id: sr-1_smt.a.1 + name: item + props: + - name: label + value: "1." + prose: " {{ insert: param, sr-01_odp.03 }} supply chain risk\ + \ management policy that:" + parts: + - id: sr-1_smt.a.1.a + name: item + props: + - name: label + value: (a) + prose: Addresses purpose, scope, roles, responsibilities, + management commitment, coordination among organizational + entities, and compliance; and + - id: sr-1_smt.a.1.b + name: item + props: + - name: label + value: (b) + prose: Is consistent with applicable laws, executive orders, + directives, regulations, policies, standards, and guidelines; + and + - id: sr-1_smt.a.2 + name: item + props: + - name: label + value: "2." + prose: Procedures to facilitate the implementation of the supply + chain risk management policy and the associated supply chain + risk management controls; + - id: sr-1_smt.b + name: item + props: + - name: label + value: b. + prose: "Designate an {{ insert: param, sr-01_odp.04 }} to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures; and" + - id: sr-1_smt.c + name: item + props: + - name: label + value: c. + prose: "Review and update the current supply chain risk management:" + parts: + - id: sr-1_smt.c.1 + name: item + props: + - name: label + value: "1." + prose: "Policy {{ insert: param, sr-01_odp.05 }} and following\ + \ {{ insert: param, sr-01_odp.06 }} ; and" + - id: sr-1_smt.c.2 + name: item + props: + - name: label + value: "2." + prose: "Procedures {{ insert: param, sr-01_odp.07 }} and following\ + \ {{ insert: param, sr-01_odp.08 }}." + - id: sr-1_gdn + name: guidance + prose: Supply chain risk management policy and procedures address the + controls in the SR family as well as supply chain-related controls + in other families that are implemented within systems and organizations. + The risk management strategy is an important factor in establishing + such policies and procedures. Policies and procedures contribute to + security and privacy assurance. Therefore, it is important that security + and privacy programs collaborate on the development of supply chain + risk management policy and procedures. Security and privacy program + policies and procedures at the organization level are preferable, + in general, and may obviate the need for mission- or system-specific + policies and procedures. The policy can be included as part of the + general security and privacy policy or be represented by multiple + policies that reflect the complex nature of organizations. Procedures + can be established for security and privacy programs, for mission + or business processes, and for systems, if needed. Procedures describe + how the policies or controls are implemented and can be directed at + the individual or role that is the object of the procedure. Procedures + can be documented in system security and privacy plans or in one or + more separate documents. Events that may precipitate an update to + supply chain risk management policy and procedures include assessment + or audit findings, security incidents or breaches, or changes in applicable + laws, executive orders, directives, regulations, policies, standards, + and guidelines. Simply restating controls does not constitute an organizational + policy or procedure. + - id: sr-1_obj + name: assessment-objective + props: + - name: label + value: SR-01 + class: sp800-53a + parts: + - id: sr-1_obj.a + name: assessment-objective + props: + - name: label + value: SR-01a. + class: sp800-53a + parts: + - id: sr-1_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.[01] + class: sp800-53a + prose: a supply chain risk management policy is developed and + documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.[02] + class: sp800-53a + prose: "the supply chain risk management policy is disseminated\ + \ to {{ insert: param, sr-01_odp.01 }};" + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.[03] + class: sp800-53a + prose: supply chain risk management procedures to facilitate + the implementation of the supply chain risk management policy + and the associated supply chain risk management controls are + developed and documented; + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.[04] + class: sp800-53a + prose: "the supply chain risk management procedures are disseminated\ + \ to {{ insert: param, sr-01_odp.02 }}." + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.a.1 + name: assessment-objective + props: + - name: label + value: SR-01a.01 + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a + name: assessment-objective + props: + - name: label + value: SR-01a.01(a) + class: sp800-53a + parts: + - id: sr-1_obj.a.1.a-1 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[01] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses purpose;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-2 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[02] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses scope; " + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-3 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[03] + class: sp800-53a + prose: " {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy addresses roles;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-4 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[04] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses responsibilities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-5 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[05] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses management\ + \ commitment;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-6 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[06] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses coordination\ + \ among organizational entities;" + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.a-7 + name: assessment-objective + props: + - name: label + value: SR-01a.01(a)[07] + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply\ + \ chain risk management policy addresses compliance." + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1.a" + rel: assessment-for + - id: sr-1_obj.a.1.b + name: assessment-objective + props: + - name: label + value: SR-01a.01(b) + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.03 }} supply chain\ + \ risk management policy is consistent with applicable\ + \ laws, Executive Orders, directives, regulations, policies,\ + \ standards, and guidelines;" + links: + - href: "#sr-1_smt.a.1.b" + rel: assessment-for + links: + - href: "#sr-1_smt.a.1" + rel: assessment-for + links: + - href: "#sr-1_smt.a" + rel: assessment-for + - id: sr-1_obj.b + name: assessment-objective + props: + - name: label + value: SR-01b. + class: sp800-53a + prose: "the {{ insert: param, sr-01_odp.04 }} is designated to manage\ + \ the development, documentation, and dissemination of the supply\ + \ chain risk management policy and procedures;" + links: + - href: "#sr-1_smt.b" + rel: assessment-for + - id: sr-1_obj.c + name: assessment-objective + props: + - name: label + value: SR-01c. + class: sp800-53a + parts: + - id: sr-1_obj.c.1 + name: assessment-objective + props: + - name: label + value: SR-01c.01 + class: sp800-53a + parts: + - id: sr-1_obj.c.1-1 + name: assessment-objective + props: + - name: label + value: SR-01c.01[01] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated {{ insert: param, sr-01_odp.05\ + \ }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.1-2 + name: assessment-objective + props: + - name: label + value: SR-01c.01[02] + class: sp800-53a + prose: "the current supply chain risk management policy\ + \ is reviewed and updated following {{ insert: param,\ + \ sr-01_odp.06 }};" + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + links: + - href: "#sr-1_smt.c.1" + rel: assessment-for + - id: sr-1_obj.c.2 + name: assessment-objective + props: + - name: label + value: SR-01c.02 + class: sp800-53a + parts: + - id: sr-1_obj.c.2-1 + name: assessment-objective + props: + - name: label + value: SR-01c.02[01] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated {{ insert: param, sr-01_odp.07\ + \ }};" + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + - id: sr-1_obj.c.2-2 + name: assessment-objective + props: + - name: label + value: SR-01c.02[02] + class: sp800-53a + prose: "the current supply chain risk management procedures\ + \ are reviewed and updated following {{ insert: param,\ + \ sr-01_odp.08 }}." + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c.2" + rel: assessment-for + links: + - href: "#sr-1_smt.c" + rel: assessment-for + links: + - href: "#sr-1_smt" + rel: assessment-for + - id: sr-1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-01-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-01-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with acquisition responsibilities + + + organizational personnel with enterprise risk management responsibilities + - id: sr-2 + class: SP800-53 + title: Supply Chain Risk Management Plan + params: + - id: sr-02_odp.01 + label: systems, system components, or system services + guidelines: + - prose: systems, system components, or system services for which + a supply chain risk management plan is developed are defined; + - id: sr-02_odp.02 + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to review and update the supply chain + risk management plan is defined; + props: + - name: label + value: SR-2 + - name: label + value: SR-02 + class: sp800-53a + - name: sort-id + value: sr-02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#031cc4b7-9adf-4835-98f1-f1ca493519cf" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#cec037f3-8aba-4c97-84b4-4082f9e515d2" + rel: reference + - href: "#e3cc0520-a366-4fc9-abc2-5272db7e3564" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#ca-2" + rel: related + - href: "#cp-4" + rel: related + - href: "#ir-4" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-2" + rel: related + - href: "#pm-9" + rel: related + - href: "#pm-30" + rel: related + - href: "#ra-3" + rel: related + - href: "#ra-7" + rel: related + - href: "#sa-8" + rel: related + - href: "#si-4" + rel: related + parts: + - id: sr-2_smt + name: statement + parts: + - id: sr-2_smt.a + name: item + props: + - name: label + value: a. + prose: "Develop a plan for managing supply chain risks associated\ + \ with the research and development, design, manufacturing, acquisition,\ + \ delivery, integration, operations and maintenance, and disposal\ + \ of the following systems, system components or system services:\ + \ {{ insert: param, sr-02_odp.01 }};" + - id: sr-2_smt.b + name: item + props: + - name: label + value: b. + prose: "Review and update the supply chain risk management plan\ + \ {{ insert: param, sr-02_odp.02 }} or as required, to address\ + \ threat, organizational or environmental changes; and" + - id: sr-2_smt.c + name: item + props: + - name: label + value: c. + prose: Protect the supply chain risk management plan from unauthorized + disclosure and modification. + - id: sr-2_gdn + name: guidance + prose: >- + The dependence on products, systems, and services from external + providers, as well as the nature of the relationships with those + providers, present an increasing level of risk to an + organization. Threat actions that may increase security or + privacy risks include unauthorized production, the insertion or + use of counterfeits, tampering, theft, insertion of malicious + software and hardware, and poor manufacturing and development + practices in the supply chain. Supply chain risks can be endemic + or systemic within a system element or component, a system, an + organization, a sector, or the Nation. Managing supply chain + risk is a complex, multifaceted undertaking that requires a + coordinated effort across an organization to build trust + relationships and communicate with internal and external + stakeholders. Supply chain risk management (SCRM) activities + include identifying and assessing risks, determining appropriate + risk response actions, developing SCRM plans to document + response actions, and monitoring performance against plans. The + SCRM plan (at the system-level) is implementation specific, + providing policy implementation, requirements, constraints and + implications. It can either be stand-alone, or incorporated into + system security and privacy plans. The SCRM plan addresses + managing, implementation, and monitoring of SCRM controls and + the development/sustainment of systems across the SDLC to + support mission and business functions. + + + Because supply chains can differ significantly across and within organizations, + SCRM plans are tailored to the individual program, organizational, + and operational contexts. Tailored SCRM plans provide the basis for + determining whether a technology, service, system component, or system + is fit for purpose, and as such, the controls need to be tailored + accordingly. Tailored SCRM plans help organizations focus their resources + on the most critical mission and business functions based on mission + and business requirements and their risk environment. Supply chain + risk management plans include an expression of the supply chain risk + tolerance for the organization, acceptable supply chain risk mitigation + strategies or controls, a process for consistently evaluating and + monitoring supply chain risk, approaches for implementing and communicating + the plan, a description of and justification for supply chain risk + mitigation measures taken, and associated roles and responsibilities. + Finally, supply chain risk management plans address requirements for + developing trustworthy, secure, privacy-protective, and resilient + system components and systems, including the application of the security + design principles implemented as part of life cycle-based systems + security engineering processes (see [SA-8](#sa-8)). + - id: sr-2_obj + name: assessment-objective + props: + - name: label + value: SR-02 + class: sp800-53a + parts: + - id: sr-2_obj.a + name: assessment-objective + props: + - name: label + value: SR-02a. + class: sp800-53a + parts: + - id: sr-2_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-02a.[01] + class: sp800-53a + prose: a plan for managing supply chain risks is developed; + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-02a.[02] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the research and development of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-02a.[03] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the design of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-02a.[04] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the manufacturing of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-5 + name: assessment-objective + props: + - name: label + value: SR-02a.[05] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the acquisition of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-6 + name: assessment-objective + props: + - name: label + value: SR-02a.[06] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the delivery of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-7 + name: assessment-objective + props: + - name: label + value: SR-02a.[07] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the integration of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-8 + name: assessment-objective + props: + - name: label + value: SR-02a.[08] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the operation and maintenance of {{ insert:\ + \ param, sr-02_odp.01 }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.a-9 + name: assessment-objective + props: + - name: label + value: SR-02a.[09] + class: sp800-53a + prose: "the supply chain risk management plan addresses risks\ + \ associated with the disposal of {{ insert: param, sr-02_odp.01\ + \ }};" + links: + - href: "#sr-2_smt.a" + rel: assessment-for + links: + - href: "#sr-2_smt.a" + rel: assessment-for + - id: sr-2_obj.b + name: assessment-objective + props: + - name: label + value: SR-02b. + class: sp800-53a + prose: "the supply chain risk management plan is reviewed and updated\ + \ {{ insert: param, sr-02_odp.02 }} or as required to address\ + \ threat, organizational, or environmental changes;" + links: + - href: "#sr-2_smt.b" + rel: assessment-for + - id: sr-2_obj.c + name: assessment-objective + props: + - name: label + value: SR-02c. + class: sp800-53a + parts: + - id: sr-2_obj.c-1 + name: assessment-objective + props: + - name: label + value: SR-02c.[01] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized disclosure; + links: + - href: "#sr-2_smt.c" + rel: assessment-for + - id: sr-2_obj.c-2 + name: assessment-objective + props: + - name: label + value: SR-02c.[02] + class: sp800-53a + prose: the supply chain risk management plan is protected from + unauthorized modification. + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt.c" + rel: assessment-for + links: + - href: "#sr-2_smt" + rel: assessment-for + - id: sr-2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures for protecting the supply chain risk management plan + from unauthorized disclosure and modification + + + system development life cycle procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + list of supply chain threats + + + list of safeguards to be taken against supply chain threats + + + system life cycle documentation + + + inter-organizational agreements and procedures + + + system security plan + + + privacy plan + + + privacy program plan + + + other relevant documents or records + - id: sr-2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-02-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and documenting the + system development life cycle (SDLC) + + + organizational processes for identifying SDLC roles and responsibilities + + + organizational processes for integrating supply chain risk management + into the SDLC + + + mechanisms supporting and/or implementing the SDLC + controls: + - id: sr-2.1 + class: SP800-53-enhancement + title: Establish SCRM Team + params: + - id: sr-02.01_odp.01 + label: personnel, roles and responsibilities + guidelines: + - prose: the personnel, roles, and responsibilities of the supply + chain risk management team are defined; + - id: sr-02.01_odp.02 + label: supply chain risk management activities + guidelines: + - prose: supply chain risk management activities are defined; + props: + - name: label + value: SR-2(1) + - name: label + value: SR-02(01) + class: sp800-53a + - name: sort-id + value: sr-02.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-2" + rel: required + parts: + - id: sr-2.1_smt + name: statement + prose: "Establish a supply chain risk management team consisting\ + \ of {{ insert: param, sr-02.01_odp.01 }} to lead and support\ + \ the following SCRM activities: {{ insert: param, sr-02.01_odp.02\ + \ }}." + - id: sr-2.1_gdn + name: guidance + prose: To implement supply chain risk management plans, organizations + establish a coordinated, team-based approach to identify and assess + supply chain risks and manage these risks by using programmatic + and technical mitigation techniques. The team approach enables + organizations to conduct an analysis of their supply chain, communicate + with internal and external partners or stakeholders, and gain + broad consensus regarding the appropriate resources for SCRM. + The SCRM team consists of organizational personnel with diverse + roles and responsibilities for leading and supporting SCRM activities, + including risk executive, information technology, contracting, + information security, privacy, mission or business, legal, supply + chain and logistics, acquisition, business continuity, and other + relevant functions. Members of the SCRM team are involved in various + aspects of the SDLC and, collectively, have an awareness of and + provide expertise in acquisition processes, legal practices, vulnerabilities, + threats, and attack vectors, as well as an understanding of the + technical aspects and dependencies of systems. The SCRM team can + be an extension of the security and privacy risk management processes + or be included as part of an organizational risk management team. + - id: sr-2.1_obj + name: assessment-objective + props: + - name: label + value: SR-02(01) + class: sp800-53a + prose: "a supply chain risk management team consisting of {{ insert:\ + \ param, sr-02.01_odp.01 }} is established to lead and support\ + \ {{ insert: param, sr-02.01_odp.02 }}." + links: + - href: "#sr-2.1_smt" + rel: assessment-for + - id: sr-2.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-02(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy + + supply chain risk management procedures + + supply chain risk management team charter documentation + + supply chain risk management strategy + + supply chain risk management implementation plan + + procedures addressing supply chain protection + + system security plan + + privacy plan + + other relevant documents or records + - id: sr-2.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-02(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition + responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with enterprise risk management responsibilities + + + legal counsel + + + organizational personnel with business continuity responsibilities + - id: sr-3 + class: SP800-53 + title: Supply Chain Controls and Processes + params: + - id: sr-03_odp.01 + label: system or system component + guidelines: + - prose: the system or system component requiring a process or processes + to identify and address weaknesses or deficiencies is defined; + - id: sr-03_odp.02 + label: supply chain personnel + guidelines: + - prose: supply chain personnel with whom to coordinate the process + or processes to identify and address weaknesses or deficiencies + in the supply chain elements and processes is/are defined; + - id: sr-03_odp.03 + label: supply chain controls + guidelines: + - prose: supply chain controls employed to protect against supply + chain risks to the system, system component, or system service + and to limit the harm or consequences from supply chain-related + events are defined; + - id: sr-03_odp.04 + select: + how-many: one-or-more + choice: + - security and privacy plans + - supply chain risk management plan + - " {{ insert: param, sr-03_odp.05 }} " + - id: sr-03_odp.05 + label: document + guidelines: + - prose: the document identifying the selected and implemented supply + chain processes and controls is defined (if selected); + props: + - name: label + value: SR-3 + - name: label + value: SR-03 + class: sp800-53a + - name: sort-id + value: sr-03 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: system + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ca-2" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-6" + rel: related + - href: "#pe-3" + rel: related + - href: "#pe-16" + rel: related + - href: "#pl-8" + rel: related + - href: "#pm-30" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sc-7" + rel: related + - href: "#sc-29" + rel: related + - href: "#sc-30" + rel: related + - href: "#sc-38" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-3_smt + name: statement + parts: + - id: sr-3_smt.a + name: item + props: + - name: label + value: a. + prose: "Establish a process or processes to identify and address\ + \ weaknesses or deficiencies in the supply chain elements and\ + \ processes of {{ insert: param, sr-03_odp.01 }} in coordination\ + \ with {{ insert: param, sr-03_odp.02 }};" + - id: sr-3_smt.b + name: item + props: + - name: label + value: b. + prose: "Employ the following controls to protect against supply\ + \ chain risks to the system, system component, or system service\ + \ and to limit the harm or consequences from supply chain-related\ + \ events: {{ insert: param, sr-03_odp.03 }} ; and" + - id: sr-3_smt.c + name: item + props: + - name: label + value: c. + prose: "Document the selected and implemented supply chain processes\ + \ and controls in {{ insert: param, sr-03_odp.04 }}." + - id: sr-3_fr + name: item + title: SR-3 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-3_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSO must document and maintain the supply chain custody, + including replacement devices, to ensure the integrity of + the devices before being introduced to the boundary. + - id: sr-3_gdn + name: guidance + prose: Supply chain elements include organizations, entities, or tools + employed for the research and development, design, manufacturing, + acquisition, delivery, integration, operations and maintenance, and + disposal of systems and system components. Supply chain processes + include hardware, software, and firmware development processes; shipping + and handling procedures; personnel security and physical security + programs; configuration management tools, techniques, and measures + to maintain provenance; or other programs, processes, or procedures + associated with the development, acquisition, maintenance and disposal + of systems and system components. Supply chain elements and processes + may be provided by organizations, system integrators, or external + providers. Weaknesses or deficiencies in supply chain elements or + processes represent potential vulnerabilities that can be exploited + by adversaries to cause harm to the organization and affect its ability + to carry out its core missions or business functions. Supply chain + personnel are individuals with roles and responsibilities in the supply + chain. + - id: sr-3_obj + name: assessment-objective + props: + - name: label + value: SR-03 + class: sp800-53a + parts: + - id: sr-3_obj.a + name: assessment-objective + props: + - name: label + value: SR-03a. + class: sp800-53a + parts: + - id: sr-3_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-03a.[01] + class: sp800-53a + prose: "a process or processes is/are established to identify\ + \ and address weaknesses or deficiencies in the supply chain\ + \ elements and processes of {{ insert: param, sr-03_odp.01\ + \ }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-03a.[02] + class: sp800-53a + prose: "the process or processes to identify and address weaknesses\ + \ or deficiencies in the supply chain elements and processes\ + \ of {{ insert: param, sr-03_odp.01 }} is/are coordinated\ + \ with {{ insert: param, sr-03_odp.02 }};" + links: + - href: "#sr-3_smt.a" + rel: assessment-for + links: + - href: "#sr-3_smt.a" + rel: assessment-for + - id: sr-3_obj.b + name: assessment-objective + props: + - name: label + value: SR-03b. + class: sp800-53a + prose: " {{ insert: param, sr-03_odp.03 }} are employed to protect\ + \ against supply chain risks to the system, system component,\ + \ or system service and to limit the harm or consequences from\ + \ supply chain-related events;" + links: + - href: "#sr-3_smt.b" + rel: assessment-for + - id: sr-3_obj.c + name: assessment-objective + props: + - name: label + value: SR-03c. + class: sp800-53a + prose: "the selected and implemented supply chain processes and\ + \ controls are documented in {{ insert: param, sr-03_odp.04 }}." + links: + - href: "#sr-3_smt.c" + rel: assessment-for + links: + - href: "#sr-3_smt" + rel: assessment-for + - id: sr-3_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-03-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management strategy + + + supply chain risk management plan + + + systems and critical system components inventory documentation + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems or services + + + risk register documentation + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-3_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-03-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-3_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-03-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for identifying and addressing supply + chain element and process deficiencies + - id: sr-5 + class: SP800-53 + title: Acquisition Strategies, Tools, and Methods + params: + - id: sr-05_odp + label: strategies, tools, and methods + guidelines: + - prose: acquisition strategies, contract tools, and procurement methods + to protect against, identify, and mitigate supply chain risks + are defined; + props: + - name: label + value: SR-5 + - name: label + value: SR-05 + class: sp800-53a + - name: sort-id + value: sr-05 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#at-3" + rel: related + - href: "#sa-2" + rel: related + - href: "#sa-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#sa-5" + rel: related + - href: "#sa-8" + rel: related + - href: "#sa-9" + rel: related + - href: "#sa-10" + rel: related + - href: "#sa-15" + rel: related + - href: "#sr-6" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-5_smt + name: statement + prose: "Employ the following acquisition strategies, contract tools,\ + \ and procurement methods to protect against, identify, and mitigate\ + \ supply chain risks: {{ insert: param, sr-05_odp }}." + - id: sr-5_gdn + name: guidance + prose: The use of the acquisition process provides an important vehicle + to protect the supply chain. There are many useful tools and techniques + available, including obscuring the end use of a system or system component, + using blind or filtered buys, requiring tamper-evident packaging, + or using trusted or controlled distribution. The results from a supply + chain risk assessment can guide and inform the strategies, tools, + and methods that are most applicable to the situation. Tools and techniques + may provide protections against unauthorized production, theft, tampering, + insertion of counterfeits, insertion of malicious software or backdoors, + and poor development practices throughout the system development life + cycle. Organizations also consider providing incentives for suppliers + who implement controls, promote transparency into their processes + and security and privacy practices, provide contract language that + addresses the prohibition of tainted or counterfeit components, and + restrict purchases from untrustworthy suppliers. Organizations consider + providing training, education, and awareness programs for personnel + regarding supply chain risk, available mitigation strategies, and + when the programs should be employed. Methods for reviewing and protecting + development plans, documentation, and evidence are commensurate with + the security and privacy requirements of the organization. Contracts + may specify documentation protection requirements. + - id: sr-5_obj + name: assessment-objective + props: + - name: label + value: SR-05 + class: sp800-53a + parts: + - id: sr-5_obj-1 + name: assessment-objective + props: + - name: label + value: SR-05[01] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to protect\ + \ against supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-2 + name: assessment-objective + props: + - name: label + value: SR-05[02] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to identify\ + \ supply chain risks;" + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_obj-3 + name: assessment-objective + props: + - name: label + value: SR-05[03] + class: sp800-53a + prose: " {{ insert: param, sr-05_odp }} are employed to mitigate\ + \ supply chain risks." + links: + - href: "#sr-5_smt" + rel: assessment-for + links: + - href: "#sr-5_smt" + rel: assessment-for + - id: sr-5_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-05-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy + + + supply chain risk management procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + system and services acquisition procedures + + + procedures addressing supply chain protection + + + procedures addressing the integration of information security + and privacy requirements into the acquisition process + + + solicitation documentation + + + acquisition documentation (including purchase orders) + + + service level agreements + + + acquisition contracts for systems, system components, or services + + + documentation of training, education, and awareness programs for + personnel regarding supply chain risk + + + system security plan + + + privacy plan + + + other relevant documents or records + - id: sr-5_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-05-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with acquisition responsibilities + + + organizational personnel with information security and privacy + responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-5_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-05-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for defining and employing tailored + acquisition strategies, contract tools, and procurement + methods + + + mechanisms supporting and/or implementing the definition and employment + of tailored acquisition strategies, contract tools, and procurement + methods + - id: sr-6 + class: SP800-53 + title: Supplier Assessments and Reviews + params: + - id: sr-06_odp + label: frequency + constraints: + - description: at least annually + guidelines: + - prose: the frequency at which to assess and review the supply chain-related + risks associated with suppliers or contractors and the systems, + system components, or system services they provide is defined; + props: + - name: label + value: SR-6 + - name: label + value: SR-06 + class: sp800-53a + - name: sort-id + value: sr-06 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#678e3d6c-150b-4393-aec5-6e3481eb1e00" + rel: reference + - href: "#eea3c092-42ed-4382-a6f4-1adadef01b9d" + rel: reference + - href: "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1" + rel: reference + - href: "#a295ca19-8c75-4b4c-8800-98024732e181" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#38ff38f0-1366-4f50-a4c9-26a39aacee16" + rel: reference + - href: "#sr-3" + rel: related + - href: "#sr-5" + rel: related + parts: + - id: sr-6_smt + name: statement + prose: "Assess and review the supply chain-related risks associated\ + \ with suppliers or contractors and the system, system component,\ + \ or system service they provide {{ insert: param, sr-06_odp }}." + parts: + - id: sr-6_fr + name: item + title: SR-6 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-6_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure that their supply chain vendors build + and test their systems in alignment with NIST SP 800-171 or + a commensurate security and compliance framework. CSOs must + ensure that vendors are compliant with physical facility access + and logical access controls to supplied products. + - id: sr-6_gdn + name: guidance + prose: An assessment and review of supplier risk includes security and + supply chain risk management processes, foreign ownership, control + or influence (FOCI), and the ability of the supplier to effectively + assess subordinate second-tier and third-tier suppliers and contractors. + The reviews may be conducted by the organization or by an independent + third party. The reviews consider documented processes, documented + controls, all-source intelligence, and publicly available information + related to the supplier or contractor. Organizations can use open-source + information to monitor for indications of stolen information, poor + development and quality control practices, information spillage, or + counterfeits. In some cases, it may be appropriate or required to + share assessment and review results with other organizations in accordance + with any applicable rules, policies, or inter-organizational agreements + or contracts. + - id: sr-6_obj + name: assessment-objective + props: + - name: label + value: SR-06 + class: sp800-53a + prose: "the supply chain-related risks associated with suppliers or\ + \ contractors and the systems, system components, or system services\ + \ they provide are assessed and reviewed {{ insert: param, sr-06_odp\ + \ }}." + links: + - href: "#sr-6_smt" + rel: assessment-for + - id: sr-6_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-06-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management strategy + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + procedures addressing the integration of information security + requirements into the acquisition process + + + records of supplier due diligence reviews + + + system security plan + + + other relevant documents or records + - id: sr-6_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-06-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain protection responsibilities + - id: sr-6_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-06-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Organizational processes for conducting supplier reviews + + mechanisms supporting and/or implementing supplier reviews + - id: sr-8 + class: SP800-53 + title: Notification Agreements + params: + - id: sr-08_odp.01 + constraints: + - description: notification of supply chain compromises and results + of assessment or audits + select: + how-many: one-or-more + choice: + - notification of supply chain compromises + - " {{ insert: param, sr-08_odp.02 }} " + - id: sr-08_odp.02 + label: results of assessments or audits + guidelines: + - prose: information for which agreements and procedures are to be + established are defined (if selected); + props: + - name: label + value: SR-8 + - name: label + value: SR-08 + class: sp800-53a + - name: sort-id + value: sr-08 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#4ff10ed3-d8fe-4246-99e3-443045e27482" + rel: reference + - href: "#0f963c17-ab5a-432a-a867-91eac550309b" + rel: reference + - href: "#21caa535-1154-4369-ba7b-32c309fee0f7" + rel: reference + - href: "#863caf2a-978a-4260-9e8d-4a8929bce40c" + rel: reference + - href: "#08b07465-dbdc-48d6-8a0b-37279602ac16" + rel: reference + - href: "#e8e84963-14fc-4c3a-be05-b412a5d37cd2" + rel: reference + - href: "#e24b06cc-9129-4998-a76a-65c3d7a576ba" + rel: reference + - href: "#ir-4" + rel: related + - href: "#ir-6" + rel: related + - href: "#ir-8" + rel: related + parts: + - id: sr-8_smt + name: statement + prose: "Establish agreements and procedures with entities involved in\ + \ the supply chain for the system, system component, or system service\ + \ for the {{ insert: param, sr-08_odp.01 }}." + parts: + - id: sr-8_fr + name: item + title: SR-8 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-8_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure and document how they receive notifications + from their supply chain vendor of newly discovered vulnerabilities + including zero-day vulnerabilities. + - id: sr-8_gdn + name: guidance + prose: The establishment of agreements and procedures facilitates communications + among supply chain entities. Early notification of compromises and + potential compromises in the supply chain that can potentially adversely + affect or have adversely affected organizational systems or system + components is essential for organizations to effectively respond to + such incidents. The results of assessments or audits may include open-source + information that contributed to a decision or result and could be + used to help the supply chain entity resolve a concern or improve + its processes. + - id: sr-8_obj + name: assessment-objective + props: + - name: label + value: SR-08 + class: sp800-53a + prose: "agreements and procedures are established with entities involved\ + \ in the supply chain for the system, system components, or system\ + \ service for {{ insert: param, sr-08_odp.01 }}." + links: + - href: "#sr-8_smt" + rel: assessment-for + - id: sr-8_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-08-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + procedures addressing supply chain protection + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-8_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-08-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-8_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-08-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for establishing inter-organizational + agreements and procedures with supply chain entities + - id: sr-10 + class: SP800-53 + title: Inspection of Systems or Components + params: + - id: sr-10_odp.01 + label: systems or system components + guidelines: + - prose: systems or system components that require inspection are + defined; + - id: sr-10_odp.02 + select: + how-many: one-or-more + choice: + - at random + - "at {{ insert: param, sr-10_odp.03 }} " + - "upon {{ insert: param, sr-10_odp.04 }} " + - id: sr-10_odp.03 + label: frequency + guidelines: + - prose: frequency at which to inspect systems or system components + is defined (if selected); + - id: sr-10_odp.04 + label: indications of need for inspection + guidelines: + - prose: indications of the need for an inspection of systems or system + components are defined (if selected); + props: + - name: label + value: SR-10 + - name: label + value: SR-10 + class: sp800-53a + - name: sort-id + value: sr-10 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#at-3" + rel: related + - href: "#pm-30" + rel: related + - href: "#si-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-3" + rel: related + - href: "#sr-4" + rel: related + - href: "#sr-5" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-11" + rel: related + parts: + - id: sr-10_smt + name: statement + prose: "Inspect the following systems or system components {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01\ + \ }}." + - id: sr-10_gdn + name: guidance + prose: The inspection of systems or systems components for tamper resistance + and detection addresses physical and logical tampering and is applied + to systems and system components removed from organization-controlled + areas. Indications of a need for inspection include changes in packaging, + specifications, factory location, or entity in which the part is purchased, + and when individuals return from travel to high-risk locations. + - id: sr-10_obj + name: assessment-objective + props: + - name: label + value: SR-10 + class: sp800-53a + prose: " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert:\ + \ param, sr-10_odp.02 }} to detect tampering." + links: + - href: "#sr-10_smt" + rel: assessment-for + - id: sr-10_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-10-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + records of random inspections + + + inspection reports/results + + + assessment reports/results + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + system security plan + + + other relevant documents or records + - id: sr-10_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-10-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + - id: sr-10_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-10-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with supply + chain entities + + + organizational processes to inspect for tampering + - id: sr-11 + class: SP800-53 + title: Component Authenticity + params: + - id: sr-11_odp.01 + select: + how-many: one-or-more + choice: + - source of counterfeit component + - " {{ insert: param, sr-11_odp.02 }} " + - " {{ insert: param, sr-11_odp.03 }} " + - id: sr-11_odp.02 + label: external reporting organizations + guidelines: + - prose: external reporting organizations to whom counterfeit system + components are to be reported is/are defined (if selected); + - id: sr-11_odp.03 + label: personnel or roles + guidelines: + - prose: personnel or roles to whom counterfeit system components + are to be reported is/are defined (if selected); + props: + - name: label + value: SR-11 + - name: label + value: SR-11 + class: sp800-53a + - name: sort-id + value: sr-11 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#15a95e24-65b6-4686-bc18-90855a10457d" + rel: reference + - href: "#pe-3" + rel: related + - href: "#sa-4" + rel: related + - href: "#si-7" + rel: related + - href: "#sr-9" + rel: related + - href: "#sr-10" + rel: related + parts: + - id: sr-11_smt + name: statement + parts: + - id: sr-11_smt.a + name: item + props: + - name: label + value: a. + prose: Develop and implement anti-counterfeit policy and procedures + that include the means to detect and prevent counterfeit components + from entering the system; and + - id: sr-11_smt.b + name: item + props: + - name: label + value: b. + prose: "Report counterfeit system components to {{ insert: param,\ + \ sr-11_odp.01 }}." + - id: sr-11_fr + name: item + title: SR-11 Additional FedRAMP Requirements and Guidance + parts: + - id: sr-11_fr_smt.1 + name: item + props: + - name: label + value: "Requirement:" + prose: CSOs must ensure that their supply chain vendors provide + authenticity of software and patches and the vendor must have + a plan to protect the development pipeline. + - id: sr-11_gdn + name: guidance + prose: Sources of counterfeit components include manufacturers, developers, + vendors, and contractors. Anti-counterfeiting policies and procedures + support tamper resistance and provide a level of protection against + the introduction of malicious code. External reporting organizations + include CISA. + - id: sr-11_obj + name: assessment-objective + props: + - name: label + value: SR-11 + class: sp800-53a + parts: + - id: sr-11_obj.a + name: assessment-objective + props: + - name: label + value: SR-11a. + class: sp800-53a + parts: + - id: sr-11_obj.a-1 + name: assessment-objective + props: + - name: label + value: SR-11a.[01] + class: sp800-53a + prose: an anti-counterfeit policy is developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-2 + name: assessment-objective + props: + - name: label + value: SR-11a.[02] + class: sp800-53a + prose: anti-counterfeit procedures are developed and implemented; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-3 + name: assessment-objective + props: + - name: label + value: SR-11a.[03] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + detect counterfeit components entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.a-4 + name: assessment-objective + props: + - name: label + value: SR-11a.[04] + class: sp800-53a + prose: the anti-counterfeit procedures include the means to + prevent counterfeit components from entering the system; + links: + - href: "#sr-11_smt.a" + rel: assessment-for + links: + - href: "#sr-11_smt.a" + rel: assessment-for + - id: sr-11_obj.b + name: assessment-objective + props: + - name: label + value: SR-11b. + class: sp800-53a + prose: "counterfeit system components are reported to {{ insert:\ + \ param, sr-11_odp.01 }}." + links: + - href: "#sr-11_smt.b" + rel: assessment-for + links: + - href: "#sr-11_smt" + rel: assessment-for + - id: sr-11_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + reports notifying developers, manufacturers, vendors, contractors, + and/or external reporting organizations of counterfeit system + components + + + acquisition documentation + + + service level agreements + + + acquisition contracts for the system, system component, or system + service + + + inter-organizational agreements and procedures + + + records of reported counterfeit system components + + + system security plan + + + other relevant documents or records + - id: sr-11_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and service acquisition + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and reporting + - id: sr-11_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for counterfeit prevention, + detection, and reporting + + + mechanisms supporting and/or implementing anti-counterfeit detection, + prevention, and reporting + controls: + - id: sr-11.1 + class: SP800-53-enhancement + title: Anti-counterfeit Training + params: + - id: sr-11.01_odp + label: personnel or roles + guidelines: + - prose: personnel or roles requiring training to detect counterfeit + system components (including hardware, software, and firmware) + is/are defined; + props: + - name: label + value: SR-11(1) + - name: label + value: SR-11(01) + class: sp800-53a + - name: sort-id + value: sr-11.01 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#at-3" + rel: related + parts: + - id: sr-11.1_smt + name: statement + prose: "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit\ + \ system components (including hardware, software, and firmware)." + - id: sr-11.1_gdn + name: guidance + prose: None. + - id: sr-11.1_obj + name: assessment-objective + props: + - name: label + value: SR-11(01) + class: sp800-53a + prose: " {{ insert: param, sr-11.01_odp }} are trained to detect\ + \ counterfeit system components (including hardware, software,\ + \ and firmware)." + links: + - href: "#sr-11.1_smt" + rel: assessment-for + - id: sr-11.1_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(01)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + system and services acquisition policy + + + anti-counterfeit plan + + + anti-counterfeit policy and procedures + + + media disposal policy + + + media protection policy + + + incident response policy + + + training materials addressing counterfeit system components + + + training records on the detection and prevention of counterfeit + components entering the system + + + system security plan + + + other relevant documents or records + - id: sr-11.1_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(01)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with information security + responsibilities + + + organizational personnel with supply chain risk management + responsibilities + + + organizational personnel with responsibilities for anti-counterfeit + policies, procedures, and training + - id: sr-11.1_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(01)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: Organizational processes for anti-counterfeit training + - id: sr-11.2 + class: SP800-53-enhancement + title: Configuration Control for Component Service and Repair + params: + - id: sr-11.02_odp + label: system components + constraints: + - description: all + guidelines: + - prose: system components requiring configuration control are + defined; + props: + - name: label + value: SR-11(2) + - name: label + value: SR-11(02) + class: sp800-53a + - name: sort-id + value: sr-11.02 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#sr-11" + rel: required + - href: "#cm-3" + rel: related + - href: "#ma-2" + rel: related + - href: "#ma-4" + rel: related + - href: "#sa-10" + rel: related + parts: + - id: sr-11.2_smt + name: statement + prose: "Maintain configuration control over the following system\ + \ components awaiting service or repair and serviced or repaired\ + \ components awaiting return to service: {{ insert: param, sr-11.02_odp\ + \ }}." + - id: sr-11.2_gdn + name: guidance + prose: None. + - id: sr-11.2_obj + name: assessment-objective + props: + - name: label + value: SR-11(02) + class: sp800-53a + parts: + - id: sr-11.2_obj-1 + name: assessment-objective + props: + - name: label + value: SR-11(02)[01] + class: sp800-53a + prose: "configuration control over {{ insert: param, sr-11.02_odp\ + \ }} awaiting service or repair is maintained;" + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_obj-2 + name: assessment-objective + props: + - name: label + value: SR-11(02)[02] + class: sp800-53a + prose: "configuration control over serviced or repaired {{ insert:\ + \ param, sr-11.02_odp }} awaiting return to service is maintained." + links: + - href: "#sr-11.2_smt" + rel: assessment-for + links: + - href: "#sr-11.2_smt" + rel: assessment-for + - id: sr-11.2_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-11(02)-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: |- + Supply chain risk management policy and procedures + + supply chain risk management plan + + configuration control procedures + + acquisition documentation + + service level agreements + + acquisition contracts for the system component + + inter-organizational agreements and procedures + + system security plan + + other relevant documents or records + - id: sr-11.2_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-11(02)-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system and services + acquisition responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain risk management + responsibilities + - id: sr-11.2_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-11(02)-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational processes for establishing + inter-organizational agreements and procedures with + supply chain entities + + + organizational configuration control processes + - id: sr-12 + class: SP800-53 + title: Component Disposal + params: + - id: sr-12_odp.01 + label: data, documentation, tools, or system components + guidelines: + - prose: data, documentation, tools, or system components to be disposed + of are defined; + - id: sr-12_odp.02 + label: techniques and methods + guidelines: + - prose: techniques and methods for disposing of data, documentation, + tools, or system components are defined; + props: + - name: label + value: SR-12 + - name: label + value: SR-12 + class: sp800-53a + - name: sort-id + value: sr-12 + - name: implementation-level + ns: http://csrc.nist.gov/ns/rmf + value: organization + - name: contributes-to-assurance + ns: http://csrc.nist.gov/ns/rmf + value: "true" + links: + - href: "#mp-6" + rel: related + parts: + - id: sr-12_smt + name: statement + prose: "Dispose of {{ insert: param, sr-12_odp.01 }} using the following\ + \ techniques and methods: {{ insert: param, sr-12_odp.02 }}." + - id: sr-12_gdn + name: guidance + prose: Data, documentation, tools, or system components can be disposed + of at any time during the system development life cycle (not only + in the disposal or retirement phase of the life cycle). For example, + disposal can occur during research and development, design, prototyping, + or operations/maintenance and include methods such as disk cleaning, + removal of cryptographic keys, partial reuse of components. Opportunities + for compromise during disposal affect physical and logical data, including + system documentation in paper-based or digital files; shipping and + delivery documentation; memory sticks with software code; or complete + routers or servers that include permanent media, which contain sensitive + or proprietary information. Additionally, proper disposal of system + components helps to prevent such components from entering the gray + market. + - id: sr-12_obj + name: assessment-objective + props: + - name: label + value: SR-12 + class: sp800-53a + prose: " {{ insert: param, sr-12_odp.01 }} are disposed of using {{\ + \ insert: param, sr-12_odp.02 }}." + links: + - href: "#sr-12_smt" + rel: assessment-for + - id: sr-12_asm-examine + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: EXAMINE + - name: label + value: SR-12-Examine + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Supply chain risk management policy and procedures + + + supply chain risk management plan + + + disposal procedures addressing supply chain protection + + + media disposal policy + + + media protection policy + + + disposal records for system components + + + documentation of the system components identified for disposal + + + documentation of the disposal techniques and methods employed + for system components + + + system security plan + + + other relevant documents or records + - id: sr-12_asm-interview + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: INTERVIEW + - name: label + value: SR-12-Interview + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational personnel with system component disposal + responsibilities + + + organizational personnel with information security responsibilities + + + organizational personnel with supply chain protection responsibilities + - id: sr-12_asm-test + name: assessment-method + props: + - name: method + ns: http://csrc.nist.gov/ns/rmf + value: TEST + - name: label + value: SR-12-Test + class: sp800-53a + parts: + - name: assessment-objects + prose: >- + Organizational techniques and methods for system component + disposal + + + mechanisms supporting and/or implementing system component disposal back-matter: resources: + - uuid: 91f992fb-f668-4c91-a50f-0f05b95ccee3 + title: 32 CFR 2002 + citation: + text: Code of Federal Regulations, Title 32, *Controlled Unclassified Information* + (32 C.F.R. 2002). + rlinks: + - href: https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information + - uuid: 0f963c17-ab5a-432a-a867-91eac550309b + title: 41 CFR 201 + citation: + text: ' "Federal Acquisition Supply Chain Security Act; Rule," 85 Federal + Register 54263 (September 1, 2020), pp 54263-54271.' + rlinks: + - href: https://www.federalregister.gov/d/2020-18939 + - uuid: a5ef5e56-5c1a-4911-b419-37dddc1b3581 + title: 5 CFR 731 + citation: + text: Code of Federal Regulations, Title 5, *Administrative Personnel* , + Section 731.106, *Designation of Public Trust Positions and Investigative + Requirements* (5 C.F.R. 731.106). + rlinks: + - href: https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf + - uuid: 031cc4b7-9adf-4835-98f1-f1ca493519cf + title: CNSSD 505 + citation: + text: Committee on National Security Systems Directive No. 505, *Supply + Chain Risk Management (SCRM)* , August 2017. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Directives.cfm + - uuid: 4e4fbc93-333d-45e6-a875-de36b878b6b9 + title: CNSSI 1253 + citation: + text: Committee on National Security Systems Instruction No. 1253, *Security + Categorization and Control Selection for National Security Systems* , + March 2014. + rlinks: + - href: https://www.cnss.gov/CNSS/issuances/Instructions.cfm + - uuid: 4f42ee6e-86cc-403b-a51f-76c2b4f81b54 + title: DHS TIC + citation: + text: Department of Homeland Security, *Trusted Internet Connections (TIC)*. + rlinks: + - href: https://www.dhs.gov/trusted-internet-connections + - uuid: aa66e14f-e7cb-4a37-99d2-07578dfd4608 + title: DOD STIG + citation: + text: Defense Information Systems Agency, *Security Technical Implementation + Guides (STIG)*. + rlinks: + - href: https://public.cyber.mil/stigs + - uuid: 55b0c93a-5e48-457a-baa6-5ce81c239c49 + title: EO 13526 + citation: + text: Executive Order 13526, *Classified National Security Information* + , December 2009. + rlinks: + - href: https://www.archives.gov/isoo/policy-documents/cnsi-eo.html + - uuid: 34a5571f-e252-4309-a8a1-2fdb2faefbcd + title: EO 13556 + citation: + text: Executive Order 13556, *Controlled Unclassified Information* , November + 2010. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information + - uuid: 0af071a6-cf8e-48ee-8c82-fe91efa20f94 + title: EO 13587 + citation: + text: Executive Order 13587, *Structural Reforms to Improve the Security + of Classified Networks and the Responsible Sharing and Safeguarding of + Classified Information* , October 2011. + rlinks: + - href: https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net + - uuid: 21caa535-1154-4369-ba7b-32c309fee0f7 + title: EO 13873 + citation: + text: Executive Order 13873, *Executive Order on Securing the Information + and Communications Technology and Services Supply Chain* , May 2019. + rlinks: + - href: https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain + - uuid: 4ff10ed3-d8fe-4246-99e3-443045e27482 + title: FASC18 + citation: + text: Secure Technology Act [includes Federal Acquisition Supply Chain Security + Act] (P.L. 115-390), December 2018. + rlinks: + - href: https://www.congress.gov/bill/115th-congress/senate-bill/3085 + - uuid: a1555677-2b9d-4868-a97b-a1363aff32f5 + title: FED PKI + citation: + text: General Services Administration, *Federal Public Key Infrastructure*. + rlinks: + - href: https://www.idmanagement.gov/topics/fpki + - uuid: 678e3d6c-150b-4393-aec5-6e3481eb1e00 + title: FIPS 140-3 + citation: + text: "National Institute of Standards and Technology (2019) Security Requirements\ + \ for Cryptographic Modules. (U.S. Department of Commerce, Washington,\ + \ D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.140-3 + - uuid: eea3c092-42ed-4382-a6f4-1adadef01b9d + title: FIPS 180-4 + citation: + text: National Institute of Standards and Technology (2015) Secure Hash + Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 180-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.180-4 + - uuid: 7c37a38d-21d7-40d8-bc3d-b5e27eac17e1 + title: FIPS 186-4 + citation: + text: National Institute of Standards and Technology (2013) Digital Signature + Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 186-4. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.186-4 + - uuid: 736d6310-e403-4b57-a79d-9967970c66d7 + title: FIPS 197 + citation: + text: National Institute of Standards and Technology (2001) Advanced Encryption + Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal + Information Processing Standards Publication (FIPS) 197. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.197 + - uuid: 628d22a1-6a11-4784-bc59-5cd9497b5445 + title: FIPS 199 + citation: + text: National Institute of Standards and Technology (2004) Standards for + Security Categorization of Federal Information and Information Systems. + (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing + Standards Publication (FIPS) 199. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.199 + - uuid: 599fb53d-5041-444e-a7fe-640d6d30ad05 + title: FIPS 200 + citation: + text: National Institute of Standards and Technology (2006) Minimum Security + Requirements for Federal Information and Information Systems. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 200. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.200 + - uuid: 7ba1d91c-3934-4d5a-8532-b32f864ad34c + title: FIPS 201-2 + citation: + text: National Institute of Standards and Technology (2013) Personal Identity + Verification (PIV) of Federal Employees and Contractors. (U.S. Department + of Commerce, Washington, D.C.), Federal Information Processing Standards + Publication (FIPS) 201-2. + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.201-2 + - uuid: a295ca19-8c75-4b4c-8800-98024732e181 + title: FIPS 202 + citation: + text: "National Institute of Standards and Technology (2015) SHA-3 Standard:\ + \ Permutation-Based Hash and Extendable-Output Functions. (U.S. Department\ + \ of Commerce, Washington, D.C.), Federal Information Processing Standards\ + \ Publication (FIPS) 202." + rlinks: + - href: https://doi.org/10.6028/NIST.FIPS.202 + - uuid: 0c67b2a9-bede-43d2-b86d-5f35b8be36e9 + title: FISMA + citation: + text: Federal Information Security Modernization Act (P.L. 113-283), December + 2014. + rlinks: + - href: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf + - uuid: f16e438e-7114-4144-bfe2-2dfcad8cb2d0 + title: HSPD 12 + citation: + text: Homeland Security Presidential Directive 12, Policy for a Common Identification + Standard for Federal Employees and Contractors, August 2004. + rlinks: + - href: https://www.dhs.gov/homeland-security-presidential-directive-12 + - uuid: e4d37285-1e79-4029-8b6a-42df39cace30 + title: IETF 5905 + citation: + text: "Internet Engineering Task Force (IETF), Request for Comments: 5905,\ + \ *Network Time Protocol Version 4: Protocol and Algorithms Specification*\ + \ , June 2010." + rlinks: + - href: https://tools.ietf.org/pdf/rfc5905.pdf + - uuid: 15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c + title: IR 7539 + citation: + text: Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart + Cards. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7539. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7539 + - uuid: 2be7b163-e50a-435c-8906-f1162f2a457a + title: IR 7559 + citation: + text: Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services + (FWS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7559. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7559 + - uuid: e24b06cc-9129-4998-a76a-65c3d7a576ba + title: IR 7622 + citation: + text: Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional + Supply Chain Risk Management Practices for Federal Information Systems. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7622. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7622 + - uuid: 4b38e961-1125-4a5b-aa35-1d6c02846dad + title: IR 7676 + citation: + text: Cooper DA (2010) Maintaining and Using Key History on Personal Identity + Verification (PIV) Cards. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7676 + - uuid: aa5d04e0-6090-4e17-84d4-b9963d55fc2c + title: IR 7788 + citation: + text: Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks + Using Probabilistic Attack Graphs. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) + 7788. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7788 + - uuid: 91701292-8bcd-4d2e-a5bd-59ab61e34b3c + title: IR 7817 + citation: + text: Ferraiolo H (2012) A Credential Reliability and Revocation Model for + Federated Identities. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7817 + - uuid: 4f5f51ac-2b8d-4b90-a3c7-46f56e967617 + title: IR 7849 + citation: + text: Chandramouli R (2014) A Methodology for Developing Authentication + Assurance Level Taxonomy for Smart Card-based Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 7849. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7849 + - uuid: 604774da-9e1d-48eb-9c62-4e959dc80737 + title: IR 7870 + citation: + text: Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 7870. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7870 + - uuid: 7f473f21-fdbf-4a6c-81a1-0ab95919609d + title: IR 7874 + citation: + text: Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation + Metrics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Interagency or Internal Report (IR) 7874. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7874 + - uuid: 849b2358-683f-4d97-b111-1cc3d522ded5 + title: IR 7956 + citation: + text: Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management + Issues & Challenges in Cloud Services. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Interagency or Internal Report + (IR) 7956. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7956 + - uuid: 3915a084-b87b-4f02-83d4-c369e746292f + title: IR 7966 + citation: + text: Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive + and Automated Access Management Using Secure Shell (SSH). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 7966. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.7966 + - uuid: bbac9fc2-df5b-4f2d-bf99-90d0ade45349 + title: IR 8011-1 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 1: Overview. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Interagency or Internal Report\ + \ (IR) 8011, Volume 1." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-1 + - uuid: 70402863-5078-43af-9a6c-e11b0f3ec370 + title: IR 8011-2 + citation: + text: "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security\ + \ Control Assessments: Volume 2: Hardware Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 2." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-2 + - uuid: 996241f8-f692-42d5-91f1-ce8b752e39e6 + title: IR 8011-3 + citation: + text: "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for\ + \ Security Control Assessments: Volume 3: Software Asset Management. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8011, Volume 3." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-3 + - uuid: d2ebec9b-f868-4ee1-a2bd-0b2282aed248 + title: IR 8011-4 + citation: + text: "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support\ + \ for Security Control Assessments: Volume 4: Software Vulnerability Management.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Interagency or Internal Report (IR) 8011, Volume 4." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8011-4 + - uuid: 4c501da5-9d79-4cb6-ba80-97260e1ce327 + title: IR 8023 + citation: + text: Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Interagency or Internal Report (IR) 8023. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8023 + - uuid: 81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5 + title: IR 8040 + citation: + text: Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and + Security of Permuted Passwords on Mobile Platforms. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8040. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8040 + - uuid: 98d415ca-7281-4064-9931-0c366637e324 + title: IR 8062 + citation: + text: Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction + to Privacy Engineering and Risk Management in Federal Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency + or Internal Report (IR) 8062. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8062 + - uuid: a2590922-82f3-4277-83c0-ca5bee06dba4 + title: IR 8112 + citation: + text: "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute\ + \ Metadata: A Proposed Schema for Evaluating Federated Attributes. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency\ + \ or Internal Report (IR) 8112." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8112 + - uuid: d4296805-2dca-4c63-a95f-eeccaa826aec + title: IR 8179 + citation: + text: "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis\ + \ Process Model: Prioritizing Systems and Components. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Interagency or\ + \ Internal Report (IR) 8179." + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8179 + - uuid: 38ff38f0-1366-4f50-a4c9-26a39aacee16 + title: IR 8272 + citation: + text: Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis + Tool for Interdependent Cyber Supply Chain Risks. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal + Report (IR) 8272. + rlinks: + - href: https://doi.org/10.6028/NIST.IR.8272 + - uuid: 6afc1b04-c9d6-4023-adbc-f8fbe33a3c73 + title: ISO 15408-1 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-1:2009, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 1: Introduction and general\ + \ model* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf + - uuid: 87087451-2af5-43d4-88c1-d66ad850f614 + title: ISO 15408-2 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-2:2008, *Information technology —Security techniques\ + \ — Evaluation criteria for IT security — Part 2: Security functional\ + \ requirements* , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf + - uuid: 4452efc0-e79e-47b8-aa30-b54f3ef61c2f + title: ISO 15408-3 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 15408-3:2008, *Information technology—Security techniques\ + \ — Evaluation criteria for IT security — Part 3: Security assurance requirements*\ + \ , April 2017." + rlinks: + - href: https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf + - uuid: 15a95e24-65b6-4686-bc18-90855a10457d + title: ISO 20243 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 20243-1:2018, *Information technology — Open Trusted Technology\ + \ Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit\ + \ products — Part 1: Requirements and recommendations* , February 2018." + rlinks: + - href: https://www.iso.org/standard/74399.html + - uuid: 863caf2a-978a-4260-9e8d-4a8929bce40c + title: ISO 27036 + citation: + text: "International Organization for Standardization/International Electrotechnical\ + \ Commission 27036-1:2014, *Information technology—Security techniques—Information\ + \ security for supplier relationships, Part 1: Overview and concepts*\ + \ , April 2014." + rlinks: + - href: https://www.iso.org/standard/59648.html + - uuid: 8df72805-2e5c-4731-a73e-81db0f0318d0 + title: ISO 29147 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission 29147:2018, *Information technology—Security techniques—Vulnerability + disclosure* , October 2018. + rlinks: + - href: https://www.iso.org/standard/72311.html + - uuid: 06ce9216-bd54-4054-a422-94f358b50a5d + title: ISO 29148 + citation: + text: International Organization for Standardization/International Electrotechnical + Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) + 29148:2018, *Systems and software engineering—Life cycle processes—Requirements + engineering* , November 2018. + rlinks: + - href: https://www.iso.org/standard/72089.html + - uuid: c28ae9a8-1121-42a9-a85e-00cfcc9b9a94 + title: NARA CUI + citation: + text: National Archives and Records Administration, Controlled Unclassified + Information (CUI) Registry. + rlinks: + - href: https://www.archives.gov/cui + - uuid: d744d9a3-73eb-4085-b9ff-79e82e9e2d6e + title: NCPR + citation: + text: National Institute of Standards and Technology (2020) *National Checklist + Program Repository* . Available at + rlinks: + - href: https://nvd.nist.gov/ncp/repository + - uuid: 795aff72-3e6c-4b6b-a80a-b14d84b7f544 + title: NIAP CCEVS + citation: + text: National Information Assurance Partnership, *Common Criteria Evaluation + and Validation Scheme*. + rlinks: + - href: https://www.niap-ccevs.org + - uuid: 84dc1b0c-acb7-4269-84c4-00dbabacd78c + title: NIST CAVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Algorithm Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program + - uuid: 1acdc775-aafb-4d11-9341-dc6a822e9d38 + title: NIST CMVP + citation: + text: National Institute of Standards and Technology (2020) *Cryptographic + Module Validation Program* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/cryptographic-module-validation-program + - uuid: 3d575737-98cb-459d-b41c-d7e82b73ad78 + title: NSA CSFC + citation: + text: National Security Agency, *Commercial Solutions for Classified Program + (CSfC)*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/csfc + - uuid: df9f87e9-71e7-4c74-9ac3-3cabd4e92f21 + title: NSA MEDIA + citation: + text: National Security Agency, *Media Destruction Guidance*. + rlinks: + - href: https://www.nsa.gov/resources/everyone/media-destruction + - uuid: 89f2a08d-fc49-46d0-856e-bf974c9b1573 + title: ODNI CTF + citation: + text: Office of the Director of National Intelligence (ODNI) Cyber Threat + Framework. + rlinks: + - href: https://www.dni.gov/index.php/cyber-threat-framework + - uuid: 27847491-5ce1-4f6a-a1e4-9e483782f0ef + title: OMB A-130 + citation: + text: Office of Management and Budget Memorandum Circular A-130, *Managing + Information as a Strategic Resource* , July 2016. + rlinks: + - href: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf + - uuid: 5f4705ac-8d17-438c-b23a-ac7f12362ae4 + title: OMB M-17-12 + citation: + text: Office of Management and Budget Memorandum M-17-12, *Preparing for + and Responding to a Breach of Personally Identifiable Information* , January + 2017. + rlinks: + - href: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf + - uuid: c5e11048-1d38-4af3-b00b-0d88dc26860c + title: OMB M-19-03 + citation: + text: Office of Management and Budget Memorandum M-19-03, *Strengthening + the Cybersecurity of Federal Agencies by Enhancing the High Value Asset + Program* , December 2018. + rlinks: + - href: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf + - uuid: 18e71fec-c6fd-475a-925a-5d8495cf8455 + title: PRIVACT + citation: + text: Privacy Act (P.L. 93-579), December 1974. + rlinks: + - href: https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf + - uuid: 4c0ec2ee-a0d6-428a-9043-4504bc3ade6f + title: SP 800-100 + citation: + text: "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A\ + \ Guide for Managers. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates\ + \ as of March 7, 2007." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-100 + - uuid: 10cf2fad-a216-41f9-bb1a-531b7e3119e3 + title: SP 800-101 + citation: + text: Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device + Forensics. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-101, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-101r1 + - uuid: 22f2d4f0-4365-4e88-a30d-275c1f5473ea + title: SP 800-111 + citation: + text: Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption + Technologies for End User Devices. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-111 + - uuid: 6bc4d137-aece-42a8-8081-9ecb1ebe9fb4 + title: SP 800-113 + citation: + text: Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-113. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-113 + - uuid: 42e37e51-7cc0-4ffa-81c9-0ac942da7e99 + title: SP 800-114 + citation: + text: Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring + Your Own Device (BYOD) Security. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-114r1 + - uuid: 122177fa-c4ed-485d-8345-3082c0fb9a06 + title: SP 800-115 + citation: + text: Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide + to Information Security Testing and Assessment. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-115. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-115 + - uuid: 2100332a-16a5-4598-bacf-7261baea9711 + title: SP 800-116 + citation: + text: Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) + A Recommendation for the Use of PIV Credentials in Physical Access Control + Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-116, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-116r1 + - uuid: d17ebd7a-ffab-499d-bfff-e705bbb01fa6 + title: SP 800-121 + citation: + text: Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone + KA (2017) Guide to Bluetooth Security. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-121r2 + - uuid: 0f66be67-85e7-4ca6-bd19-39453e9f4394 + title: SP 800-124 + citation: + text: Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security + of Mobile Devices in the Enterprise. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-124r1 + - uuid: 88660532-2dcf-442e-845c-03340ce48999 + title: SP 800-125B + citation: + text: Chandramouli R (2016) Secure Virtual Network Configuration for Virtual + Machine (VM) Protection. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-125B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-125B + - uuid: 8016d2ed-d30f-4416-9c45-0f42c7aa3232 + title: SP 800-126 + citation: + text: "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018)\ + \ The Technical Specification for the Security Content Automation Protocol\ + \ (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-126r3 + - uuid: 20db4e66-e257-450c-b2e4-2bb9a62a2c88 + title: SP 800-128 + citation: + text: Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for + Security-Focused Configuration Management of Information Systems. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-128, Includes updates as of October 10, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-128 + - uuid: c7ac44e8-10db-4b64-b2b9-9e32ec1efed0 + title: SP 800-12 + citation: + text: Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information + Security. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-12, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-12r1 + - uuid: 3653e316-8923-430e-8943-b3b2b2562fc6 + title: SP 800-130 + citation: + text: Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for + Designing Cryptographic Key Management Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-130. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-130 + - uuid: 62ea77ca-e450-4323-b210-e0d75390e785 + title: SP 800-137A + citation: + text: "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S\ + \ (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs:\ + \ Developing an ISCM Program Assessment. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137A + - uuid: 067223d8-1ec7-45c5-b21b-c848da6de8fb + title: SP 800-137 + citation: + text: Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh + AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring + (ISCM) for Federal Information Systems and Organizations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-137. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-137 + - uuid: e47ee630-9cbc-4133-880e-e013f83ccd51 + title: SP 800-147 + citation: + text: Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection + Guidelines. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-147. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-147 + - uuid: 9ef4b43c-42a4-4316-87dc-ffaf528bc05c + title: SP 800-150 + citation: + text: Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) + Guide to Cyber Threat Information Sharing. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-150 + - uuid: 2494df28-9049-4196-b233-540e7440993f + title: SP 800-152 + citation: + text: Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal + Cryptographic Key Management Systems (CKMS). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-152 + - uuid: 708b94e1-3d5e-4b22-ab43-1c69f3a97e37 + title: SP 800-154 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat + Modeling. (National Institute of Standards and Technology, Gaithersburg, + MD), Draft NIST Special Publication (SP) 800-154. + rlinks: + - href: https://csrc.nist.gov/publications/detail/sp/800-154/draft + - uuid: d9e036ba-6eec-46a6-9340-b0bf1fea23b4 + title: SP 800-156 + citation: + text: Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady + S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-156. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-156 + - uuid: e3cc0520-a366-4fc9-abc2-5272db7e3564 + title: SP 800-160-1 + citation: + text: "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering:\ + \ Considerations for a Multidisciplinary Approach in the Engineering of\ + \ Trustworthy Secure Systems. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes\ + \ updates as of March 21, 2018." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v1 + - uuid: 61ccf0f4-d3e7-42db-9796-ce6cb1c85989 + title: SP 800-160-2 + citation: + text: "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing\ + \ Cyber Resilient Systems: A Systems Security Engineering Approach. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-160, Vol. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-160v2 + - uuid: e8e84963-14fc-4c3a-be05-b412a5d37cd2 + title: SP 800-161 + citation: + text: Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk + Management Practices for Federal Information Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-161. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-161 + - uuid: 2956e175-f674-43f4-b1b9-e074ad9fc39c + title: SP 800-162 + citation: + text: Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone + KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and + Considerations. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-162, Includes updates as of August + 2, 2019. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-162 + - uuid: e8552d48-cf41-40aa-8b06-f45f7fb4706c + title: SP 800-166 + citation: + text: Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady + S (2016) Derived PIV Application and Data Model Test Guidelines. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-166. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-166 + - uuid: 38f39739-1ebd-43b1-8b8c-00f591d89ebd + title: SP 800-167 + citation: + text: Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application + Whitelisting. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-167. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-167 + - uuid: 7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849 + title: SP 800-171 + citation: + text: Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting + Controlled Unclassified Information in Nonfederal Systems and Organizations. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-171, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-171r2 + - uuid: f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e + title: SP 800-172 + citation: + text: "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau\ + \ D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified\ + \ Information: A Supplement to NIST Special Publication 800-171 (Final\ + \ Public Draft). (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-172." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-172-draft + - uuid: 1c71b420-2bd9-4e52-9fc8-390f58b85b59 + title: SP 800-177 + citation: + text: Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy + Email. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-177, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-177r1 + - uuid: 388a3aa2-5d85-4bad-b8a3-77db80d63c4f + title: SP 800-178 + citation: + text: "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of\ + \ Attribute Based Access Control (ABAC) Standards for Data Service Applications:\ + \ Extensible Access Control Markup Language (XACML) and Next Generation\ + \ Access Control (NGAC). (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-178." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-178 + - uuid: 276bd50a-7e58-48e5-a405-8c8cb91d7a5f + title: SP 800-181 + citation: + text: Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce + Framework for Cybersecurity (NICE Framework). (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-181r1 + - uuid: 31ae65ab-3f26-46b7-9d64-f25a4dac5778 + title: SP 800-184 + citation: + text: Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya + MP (2016) Guide for Cybersecurity Event Recovery. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-184. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-184 + - uuid: f5edfe51-d1f2-422e-9b27-5d0e90b49c72 + title: SP 800-189 + citation: + text: "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange:\ + \ BGP Security and DDoS Mitigation. (National Institute of Standards and\ + \ Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-189 + - uuid: 30eb758a-2707-4bca-90ad-949a74d4eb16 + title: SP 800-18 + citation: + text: Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans + for Federal Information Systems. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. + 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-18r1 + - uuid: 53df282b-8b3f-483a-bad1-6a8b8ac00114 + title: SP 800-192 + citation: + text: Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access + Control Policies/Models. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-192. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-192 + - uuid: f641309f-a3ad-48be-8c67-2b318648b2f5 + title: SP 800-28 + citation: + text: Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content + and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-28, Version 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-28ver2 + - uuid: 08b07465-dbdc-48d6-8a0b-37279602ac16 + title: SP 800-30 + citation: + text: Joint Task Force Transformation Initiative (2012) Guide for Conducting + Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-30, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-30r1 + - uuid: 8cb338a4-e493-4177-818f-3af18983ddc5 + title: SP 800-32 + citation: + text: Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key + Technology and the Federal PKI Infrastructure. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-32. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-32 + - uuid: bc39f179-c735-4da2-b7a7-b2b622119755 + title: SP 800-34 + citation: + text: Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency + Planning Guide for Federal Information Systems. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-34r1 + - uuid: 77faf0bc-c394-44ad-9154-bbac3b79c8ad + title: SP 800-35 + citation: + text: Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information + Technology Security Services. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-35. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-35 + - uuid: 482e4c99-9dc4-41ad-bba8-0f3f0032c1f8 + title: SP 800-37 + citation: + text: "Joint Task Force (2018) Risk Management Framework for Information\ + \ Systems and Organizations: A System Life Cycle Approach for Security\ + \ and Privacy. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-37, Rev. 2." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-37r2 + - uuid: cec037f3-8aba-4c97-84b4-4082f9e515d2 + title: SP 800-39 + citation: + text: "Joint Task Force Transformation Initiative (2011) Managing Information\ + \ Security Risk: Organization, Mission, and Information System View. (National\ + \ Institute of Standards and Technology, Gaithersburg, MD), NIST Special\ + \ Publication (SP) 800-39." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-39 + - uuid: 155f941a-cba9-4afd-9ca6-5d040d697ba9 + title: SP 800-40 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management + Technologies. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-40, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-40r3 + - uuid: a7f0e897-29a3-45c4-bd88-40dfef0e034a + title: SP 800-41 + citation: + text: Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall + Policy. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-41, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-41r1 + - uuid: 314e33cb-3681-4b50-a2a2-3fae9604accd + title: SP 800-45 + citation: + text: Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on + Electronic Mail Security. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-45ver2 + - uuid: 83b9d63b-66b1-467c-9f3b-3a0b108771e9 + title: SP 800-46 + citation: + text: Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote + Access, and Bring Your Own Device (BYOD) Security. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-46, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-46r2 + - uuid: c3a76872-e160-4267-99e8-6952de967d04 + title: SP 800-47 + citation: + text: Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide + for Interconnecting Information Technology Systems. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-47. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-47 + - uuid: 511f6832-23ca-49a3-8c0f-ce493373cab8 + title: SP 800-50 + citation: + text: Wilson M, Hash J (2003) Building an Information Technology Security + Awareness and Training Program. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-50. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-50 + - uuid: 7537638e-2837-407d-844b-40fb3fafdd99 + title: SP 800-52 + citation: + text: McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, + and Use of Transport Layer Security (TLS) Implementations. (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-52, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-52r2 + - uuid: a21aef46-7330-48a0-b2e1-c5bb8b2dd11d + title: SP 800-53A + citation: + text: "Joint Task Force Transformation Initiative (2014) Assessing Security\ + \ and Privacy Controls in Federal Information Systems and Organizations:\ + \ Building Effective Assessment Plans. (National Institute of Standards\ + \ and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A,\ + \ Rev. 4, Includes updates as of December 18, 2014." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53Ar4 + - uuid: 46d9e201-840e-440e-987c-2c773333c752 + title: SP 800-53B + citation: + text: Joint Task Force (2020) Control Baselines and Tailoring Guidance for + Federal Information Systems and Organizations. (National Institute of + Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-53B. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-53B + - uuid: 20957dbb-6a1e-40a2-b38a-66f67d33ac2e + title: SP 800-56A + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation + for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-56A, Rev. 3. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Ar3 + - uuid: 0d083d8a-5cc6-46f1-8d79-3081d42bcb75 + title: SP 800-56B + citation: + text: Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) + Recommendation for Pair-Wise Key-Establishment Using Integer Factorization + Cryptography. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-56B, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Br2 + - uuid: eef62b16-c796-4554-955c-505824135b8a + title: SP 800-56C + citation: + text: Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation + Methods in Key-Establishment Schemes. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, + Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-56Cr2 + - uuid: 110e26af-4765-49e1-8740-6750f83fcda1 + title: SP 800-57-1 + citation: + text: "Barker EB (2020) Recommendation for Key Management: Part 1 – General.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-57 Part 1, Rev. 5." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt1r5 + - uuid: e7942589-e267-4a5a-a3d9-f39a7aae81f0 + title: SP 800-57-2 + citation: + text: "Barker EB, Barker WC (2019) Recommendation for Key Management: Part\ + \ 2 – Best Practices for Key Management Organizations. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt2r1 + - uuid: 8306620b-1920-4d73-8b21-12008528595f + title: SP 800-57-3 + citation: + text: "Barker EB, Dang QH (2015) Recommendation for Key Management, Part\ + \ 3: Application-Specific Key Management Guidance. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-57 Part 3, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-57pt3r1 + - uuid: e72fde0b-6fc2-497e-a9db-d8fce5a11b8a + title: SP 800-60-1 + citation: + text: Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide + for Mapping Types of Information and Information Systems to Security Categories. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-60, Vol. 1, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v1r1 + - uuid: 9be5d661-421f-41ad-854e-86f98b811891 + title: SP 800-60-2 + citation: + text: "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for\ + \ Mapping Types of Information and Information Systems to Security Categories:\ + \ Appendices. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-60v2r1 + - uuid: 49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb + title: SP 800-61 + citation: + text: Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security + Incident Handling Guide. (National Institute of Standards and Technology, + Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-61r2 + - uuid: 737513fa-6758-403f-831d-5ddab5e23cb3 + title: SP 800-63-3 + citation: + text: Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63-3 + - uuid: 9099ed2c-922a-493d-bcb4-d896192243ff + title: SP 800-63A + citation: + text: "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene\ + \ KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and\ + \ Identity Proofing. (National Institute of Standards and Technology,\ + \ Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates\ + \ as of March 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63a + - uuid: e59c5a7c-8b1f-49ca-8de0-6ee0882180ce + title: SP 800-63B + citation: + text: "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr\ + \ WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos\ + \ MF (2017) Digital Identity Guidelines: Authentication and Lifecycle\ + \ Management. (National Institute of Standards and Technology, Gaithersburg,\ + \ MD), NIST Special Publication (SP) 800-63B, Includes updates as of March\ + \ 2, 2020." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-63b + - uuid: 4895b4cd-34c5-4667-bf8a-27d443c12047 + title: SP 800-70 + citation: + text: "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist\ + \ Program for IT Products: Guidelines for Checklist Users and Developers.\ + \ (National Institute of Standards and Technology, Gaithersburg, MD),\ + \ NIST Special Publication (SP) 800-70, Rev. 4." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-70r4 + - uuid: 858705be-3c1f-48aa-a328-0ce398d95ef0 + title: SP 800-73-4 + citation: + text: Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, + Mohler J (2015) Interfaces for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-73-4, Includes updates as of February 8, 2016. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-73-4 + - uuid: 7af2e6ec-9f7e-4232-ad3f-09888eb0793a + title: SP 800-76-2 + citation: + text: Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications + for Personal Identity Verification. (National Institute of Standards and + Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-76-2 + - uuid: d4d7c760-2907-403b-8b2a-767ca5370ecd + title: SP 800-77 + citation: + text: Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide + to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-77, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-77r1 + - uuid: 828856bd-d7c4-427b-8b51-815517ec382d + title: SP 800-78-4 + citation: + text: Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic + Algorithms and Key Sizes for Personal Identity Verification. (National + Institute of Standards and Technology, Gaithersburg, MD), NIST Special + Publication (SP) 800-78-4. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-78-4 + - uuid: 10963761-58fc-4b20-b3d6-b44a54daba03 + title: SP 800-79-2 + citation: + text: Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) + Guidelines for the Authorization of Personal Identity Verification Card + Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute + of Standards and Technology, Gaithersburg, MD), NIST Special Publication + (SP) 800-79-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-79-2 + - uuid: fe209006-bfd4-4033-a79a-9fee1adaf372 + title: SP 800-81-2 + citation: + text: Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment + Guide. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-81-2. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-81-2 + - uuid: 3dd249b0-f57d-44ba-a03e-c3eab1b835ff + title: SP 800-83 + citation: + text: Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention + and Handling for Desktops and Laptops. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, + Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-83r1 + - uuid: 53be2fcf-cfd1-4bcb-896b-9a3b65c22098 + title: SP 800-84 + citation: + text: Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide + to Test, Training, and Exercise Programs for IT Plans and Capabilities. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-84. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-84 + - uuid: cfdb1858-c473-46b3-89f9-a700308d0be2 + title: SP 800-86 + citation: + text: Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating + Forensic Techniques into Incident Response. (National Institute of Standards + and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-86 + - uuid: a5b1d18d-e670-4586-9e6d-4a88b7ba3df6 + title: SP 800-88 + citation: + text: Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for + Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-88, Rev. 1. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-88r1 + - uuid: 5eee45d8-3313-4fdc-8d54-1742092bbdd6 + title: SP 800-92 + citation: + text: Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-92. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-92 + - uuid: 25e3e57b-dc2f-4934-af9b-050b020c6f0e + title: SP 800-94 + citation: + text: Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention + Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, + MD), NIST Special Publication (SP) 800-94. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-94 + - uuid: a6b9907a-2a14-4bb4-a142-d4c73026a8b4 + title: SP 800-95 + citation: + text: Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. + (National Institute of Standards and Technology, Gaithersburg, MD), NIST + Special Publication (SP) 800-95. + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-95 + - uuid: 03fb73bc-1b12-4182-bd96-e5719254ea61 + title: SP 800-97 + citation: + text: "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless\ + \ Robust Security Networks: A Guide to IEEE 802.11i. (National Institute\ + \ of Standards and Technology, Gaithersburg, MD), NIST Special Publication\ + \ (SP) 800-97." + rlinks: + - href: https://doi.org/10.6028/NIST.SP.800-97 + - uuid: 13f0c39d-eaf7-417a-baef-69a041878bb5 + title: USA PATRIOT + citation: + text: USA Patriot Act (P.L. 107-56), October 2001. + rlinks: + - href: https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf + - uuid: e922fc50-b1f9-469f-92ef-ed7d9803611c + title: USC 2901 + citation: + text: United States Code, 2008 Edition, Title 44 - *Public Printing and + Documents* , Chapters 29, 31, and 33, January 2012. + rlinks: + - href: https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf + - uuid: 40b78258-c892-480e-9af8-77ac36648301 + title: USCERT IR + citation: + text: Department of Homeland Security, *US-CERT Federal Incident Notification + Guidelines* , April 2017. + rlinks: + - href: https://us-cert.cisa.gov/incident-notification-guidelines + - uuid: 98498928-3ca3-44b3-8b1e-f48685373087 + title: USGCB + citation: + text: National Institute of Standards and Technology (2020) *United States + Government Configuration Baseline* . Available at + rlinks: + - href: https://csrc.nist.gov/projects/united-states-government-configuration-baseline + - uuid: c3397cc9-83c6-4459-adb2-836739dc1b94 + title: "NIST Special Publication 800-53, Revision 5: * Security and Privacy\ + \ Controls for Information Systems and Organizations* (PDF)" + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf + media-type: application/pdf - uuid: 985475ee-d4d6-4581-8fdf-d84d3d8caa48 title: FedRAMP Applicable Laws and Regulations rlinks: diff --git a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline_profile.yaml b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline_profile.yaml index 75181bf15..952bad77e 100644 --- a/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline_profile.yaml +++ b/dist/content/rev5/baselines/yaml/FedRAMP_rev5_MODERATE-baseline_profile.yaml @@ -3351,5 +3351,5 @@ profile: - name: version value: 5.1.1 rlinks: - - href: https://github.com/usnistgov/oscal-content/blob/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + - href: https://raw.githubusercontent.com/usnistgov/oscal-content/v1.2.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml media-type: application/yaml